The age of compliance: Preparing for a riskier and more regulated world
A report from the Economist Intelligence Unit
The age of compliance: Preparing for a riskier and more regulated world is an Economist Intelligence Unit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this research. Our findings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations. The findings and views expressed in this report do not necessarily reflect those of the sponsor. Rob Mitchell was the author of the report and Dan Armstrong was the editor.
August 2010
In September 2007, senior executives at Citibank gathered at the company’s New York headquarters to discuss a sudden spike in the number of mortgage defaults among sub-prime borrowers in the US. It was at this meeting that Chuck Prince, then CEO of the bank, was told for the first time that Citibank owned mortgage-related assets worth about US$43bn.[1] Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince that everything was fine, but within weeks Citi nursed losses on the assets that ran into billions of dollars. The bank’s risk management was shown to have severe deficiencies: accepting ratings agency opinions in lieu of independent reviews; relying on brittle financial models; and, according to subsequent congressional testimony, violating internal credit policies.[2] Within two months, Mr Prince was out of a job.
Other industries, such as the energy sector, can face equally disastrous risks. At a US Congressional hearing in June 2010, Tony Hayward, CEO of BP, told members that he had “no prior knowledge” of the drilling of Deepwater Horizon, the Gulf of Mexico oil well that exploded in April with the loss of 11 lives and devastating environmental consequences.[3] Members criticised Mr Hayward for the evasiveness of his answers and accused him of putting profit ahead of safety. Mr Hayward stepped down as CEO in July.
These two examples, while different in their origins and consequences, illustrate the challenge of managing risk and compliance across large and complex organisations. Even medium-sized companies rely on a network of suppliers and partners, and have employees, functions and divisions scattered around the world. It is therefore unsurprising that despite years of investment in risk management tools and processes, a clear view of the risks accompanying key decisions remains elusive for many senior executives.
Events such as the financial crisis and the Gulf oil spill have provided fresh impetus for efforts to gain better oversight and co-ordination across risk and compliance functions. The terms enterprise risk management (ERM) and governance, risk and compliance (GRC), both in circulation for over a decade, have taken on fresh significance, and a growing number of companies are redoubling their efforts to co-ordinate—and ideally integrate—their various sources of assurance.
“You get to the point where you recognise that things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view,” says Bruce Munro, group chief risk officer of National Australia Bank. “It’s difficult to ask people in their particular areas of risk expertise to do that, so you’ve got to invest in people that can do it on a full-time basis.”
In many companies, compliance and risk activities remain highly fragmented and scattered around the enterprise. The professionals charged with ensuring compliance with Sarbanes-Oxley, for example, are likely to use a different framework and standards than those managing health and safety compliance. And in risk management, teams looking after the credit of customers to whom the business provides financing will be in a separate department from those that look at operational risk. Each risk and compliance activity is often built up separately, frequently in response to a major event or new compliance obligation.
[1] http://www.nytimes.com/2008/11/23/business/23citi.html?_r=1&hp=&pagewanted=all
[2] Based on testimony by Richard Bowen, a former chief underwriter at Citibank, at the Financial Crisis Inquiry Commission, April 7th, 2010: http://www.fcic.gov/hearings/pdfs/2010-0407-Transcript.pdf
[3] http://www.ft.com/cms/s/0/095cc462-79f5-11df-9871-00144feabdc0.html
This fragmentation is costly because there is duplication of effort. It leads to complexity because there is no common approach. And when compliance activities are splintered, business risks inevitably grow. For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security breaches or data losses. Fragmented financial compliance can open the door to fraud or restatements. Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound, since an ad hoc approach to compliance leads to higher levels of risk.
Efforts to boost visibility into risk exposures across the enterprise, or to achieve a more holistic and consistent approach to compliance, are nothing new. Over the past decade, many executives have experienced initiatives designed to aggregate risk management across the company’s divisions, functions and risk silos. Few can say with confidence that these initiatives were successful.
GRC holds the promise of taking this process of integration a step further by integrating ERM and compliance activities within a broader governance framework. Dating from the Sarbanes-Oxley Act of 2002, when listed US companies faced complex and costly obligations under Section 404 of the Act, GRC emerged as a set of tools to help companies manage risk, track compliance and monitor internal controls.
Since then the scope of this discipline has broadened. Although definitions vary, it now refers to an enterprise-wide framework that companies use to manage risk and compliance within established corporate governance parameters.
[Chart: The exponential growth of US financial services regulation (number of pages of legislation). 1913 Federal Reserve Act: 31 pages; 1933 Glass Steagall: 37 pages; 1966 Interstate Banking Efficiency Act: 51 pages; 1999 Graham Leach Bliley: 145 pages; 2002 Sarbanes Oxley: 66 pages; 2010 Dodd Frank Wall Street Reform Act: 2,319 pages. Source: Economist Intelligence Unit, 2010.]
“The point of governance and compliance is to ensure transparency,” says Mr Munro. “Compliance plays an important role in providing assurance for people like me and the Principal Board that we’re actually doing what we say we’re doing. Beginning with the high-level risk appetite, and cascading through the layers of the business, there needs to be a mechanism to ensure that when there are issues, they are discovered, escalated, dealt with and the lessons learned.”[4]
This paper examines how the integrated management of risk and compliance has developed among corporates in multiple countries and industries. It is based on a series of interviews with chief risk officers and other high-level risk professionals from large multinationals around the world. These interviews, conducted in June and July 2010, reveal a number of common themes.
[4] The Principal Board refers to the Principal Board Audit Committee (PBAC), formed by NAB in 2003 to discuss and investigate any high risk issues raised by internal or external auditors.
Pressure builds for a consistent approach
The three themes of governance, risk and compliance have been central to the management agenda for a decade. But whereas five years ago it would have been the “C” in GRC that was most likely to keep executives awake at night (and indeed was the impetus behind the development of GRC in the first place), in the post-crisis world it is the “R” that has risen to the top of the agenda. “The whole environment over the past 18 months has been the facilitator of much broader thinking about risk management,” says Mark Krakowiak, chief risk officer of GE, the industrials and financial services group.
The reasons for this laser-like focus on risk are well understood. The financial crisis has highlighted the interdependencies between different divisions of the organisation—and between the enterprise as a whole and the external environment. Under pressure from legislators and investors, boards are becoming more demanding. In one sector, financial services, regulators are stipulating that institutions form risk committees. And the role of chief risk officer, once confined to banking and insurance, has spread across the corporate world.
But the management of risk—however broadly it is framed—is just one piece of the puzzle. Companies also face an increasingly complex and rigorous regulatory compliance burden that has become both costly and risky, should the company fail to meet its obligations. In June 2010, for example, the UK Financial Services Authority fined JP Morgan, an investment bank, £33m (US$50m) for failing to comply with a regulation requiring it to segregate client assets from its own funds,[6] while the US transport regulators fined Toyota US$16.4m in April for failing to notify them sooner about defects in its cars.[7]
[5] http://www.complianceweek.com/s/documents/AMR-GRC-in-2010.pdf
[6] http://www.ft.com/cms/s/0/9e66733e-6ef4-11df-a2f7-00144feabdc0.html
[7] http://www.ft.com/cms/s/0/6053df1c-4106-11df-94c2-00144feabdc0.html
Setting effective guidelines
Interviews with risk and compliance professionals within corporations yield a consistent set of guidelines to manage this set of disciplines effectively. They are guidelines, not rules, because they require judgment and nuance in organisations already laden with policies and procedures. Buy-in requires ownership; ownership seldom results when senior management simply issues a dictum. All managers are familiar with processes which, however well intentioned originally, have become checklists devoid of meaning. As has been demonstrated over the past few years, risk and compliance are too important to suffer this fate.
Commitment must come from the top
Those who best understand the risks embedded in a business process are people who are closest to it: the business owners and process owners. At the same time, senior management and the board play a crucial role in raising the profile of risk management and ensuring that the organisation has a consistent methodology for dealing with it. “The more involvement the board has in risk matters, the better the organisation is,” says Mr Munro. “If you don’t have your board onside and you don’t have agreement between the board and management about the appropriate level of risk-taking, then you’re setting yourself up for trouble. I’d much rather have an active and engaged board than not.”
Any investment in an enterprise-wide risk and compliance framework must have absolute commitment from the top of the organisation. “You need buy-in from both the senior management team and the board,” says Mark Newlands, head of risk at Anglo American. “They need to be convinced that what you are suggesting will add value.”
From the board’s perspective, GRC can provide assurance that risks are being identified and that information about them is being passed to the right people at the right time. A more consistent approach to reporting also makes it easier to evaluate and compare risk exposures. “What we’re trying to do is present a picture to management and the audit committee of what the risk profiles for each of our businesses looks like, and what the risk profile of the group as a whole looks like,” says Mr Newlands.
Standardised processes are an important first step
Building an enterprise-wide layer for risk and compliance on top of existing processes can seem like a daunting task. With individual sources of assurance and compliance activities run separately and rarely interfacing—either personally or by means of risk systems and IT infrastructure—the time and resources necessary to achieve successful integration can be considerable.
According to Mr Krakowiak, much depends on the extent to which existing risk processes have already been standardised. Nine months ago, GE took the step of creating a single framework for risk management across its entire enterprise, spanning both the financial and industrial businesses. Mr Krakowiak believes that the company’s longstanding commitment to the standardisation of business processes made this a more straightforward task than it might otherwise have been. “We already had a very process-oriented approach to the operational side of our business,” he explains. “For example, we have a standard review process for our compliance and we use standard processes for budget planning and strategy planning. So we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk.”
For companies that do not know where to begin, a first step may be mapping to existing standards like ISO 31000. ISO 31000 (2009) provides principles and guidelines on risk management covering a wide range of business activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. Adopting a standard such as ISO 31000 helps to move companies beyond ad hoc collections of controls towards a unified framework.
Balancing autonomy and control
A successful enterprise-wide view of risk and compliance depends on managing the opposing requirements for centralisation and decentralisation. On the one hand, there needs to be a central function that can aggregate risk and compliance information from the business. Without it, senior executives cannot effectively make business decisions regarding how to manage risk and take advantage of new potential business opportunities. Yet at the same time, risk needs to be owned by the business, within an established framework. “It’s really important to have risk people close to the business so that they can help managers with a specific set of risks that need to be managed,” notes Mr Munro. “But you’ve also got to have an enterprise-wide view. You need to walk that fine line between collaboration and independence.”
An important part of this balance is deciding which risks need to be defined within a centralised framework and which can be determined by the business. “You need to understand the roles and responsibilities of different functions and units,” says Harri Spolander, chief risk officer of Fortum, an energy company headquartered in Finland. “While it is conceptually a good idea to centralise risk management and have a co-ordinated approach, you need to decide and define explicitly which risks should be managed centrally and which should be devolved to the business. If you are not clear about that, you are in a situation where no one really knows who is responsible for what.”
In the energy industry, for example, one might choose to centralise the management of risks associated with currencies, interest rates and commodity positions—and hedge them appropriately. But while overall policies for risks such as environmental risk can be determined centrally, the management of those risks must always happen locally. “Naturally compliance is an important housekeeping thing and also a best practice to a certain extent but not the main driver for our risk management,” says Mr Spolander. “It really must be the responsibility of every operational unit because leakages, for example, do not happen in the central corporate unit, they take place in the power plant.”
A constant dialogue between risk functions and the businesses
Frequent dialogue between risk functions and the business is essential. The relationship should be symbiotic: managers should be confident that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk. “Getting everyone on the same page at all organisational levels about what it is we’re trying to achieve, and making the accountability stick is key to both the effectiveness and efficiency of the regime,” says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe.
In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an “enabler” that can offer valuable advice. To gain the confidence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives. “We have consciously evolved our response from waving a red flag and walking out to waving a red flag and working with the business teams on mitigation plans,” says Alexis Samuel, chief risk officer at Wipro, an Indian business process outsourcing and technology company.
A key metric for the success of this dialogue is the extent to which heads of business units and business managers proactively seek out the risk function to engage them in discussion about their plans. “People are now willing to accept us as an enabling function and reach out to us, but we have to constantly reassure our teams that we are not just red flag wavers and will go beyond, roll up our sleeves and work with them to mitigate their risks,” says Mr Samuel.
Dialogue between the risk function and the business can also help to create a more consistent view of the risks of a particular project that is in line with the enterprise’s overall risk tolerance. “The intention is to make the management team collectively aware of the risks that are going to prevent them from being successful in whatever it is they are trying to achieve,” says Mr Newlands. “The owner of a particular project may have a view on the risks, but his or her colleagues may have a completely different view. Unless you get around a table and discuss them through a structured process, you can end up with completely divergent views.”
In 2006, Anglo American brought in what it calls an “integrated risk management” approach that was designed to improve on the previous system by being more relevant to business divisions. The key to its success, according to Mr Newlands, has been the introduction of facilitated discussions with managers in the business. “Rather than having a one-size-fits-all, paper-based approach where managers filled in forms against a standard matrix, we have moved to a system that is much more aligned with their business processes,” he explains. “We now look at risks that are relevant to each business and prioritise them according to a matrix that is also customised to their circumstances.”
A more systematic understanding of the risks
When risk is managed in silos, it provides a good measure of each specific area of exposure, but there is no bird’s-eye view of the company’s overall risk position. A silo-based approach also means that certain risks can fall between the cracks. During the financial crisis, for example, many banks lacked understanding of the risk associated with certain assets because credit risk departments thought they were market risk issues, and market risk departments believed they were the responsibility of credit risk managers.
As a result, companies are increasingly focusing not only on risk management within their organisation, but on interdependencies with other companies within their network as well as the broader economy. “Companies are finally realising that there is a need to determine how an organisation can look at its risks from a holistic perspective and figure out how those can be managed and monitored,” says Richard Apostolik, chief executive officer of the Global Association of Risk Managers.
By aggregating risks at an enterprise level, a company has a much better understanding of potential threats that could cause serious financial or reputational damage. GE’s new enterprise-wide risk approach is a good illustration. “We wanted to make sure that when we looked across the entire portfolio, we understood clearly the key things that could potentially put the franchise at risk,” reports Mr Krakowiak. “To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we understood completely the risk we were taking, what some of the external factors were that could impact us, and what could prevent us from achieving our strategic objectives.”
For any large company, the list of potential threats that could have an adverse impact on the business is huge. Careful prioritisation is therefore needed to prevent management paralysis. “We are trying to focus on the four or five big things that could have a systemic risk problem for the company, while continuing to ensure that businesses manage their own risks within each function,” says Mr Krakowiak.
A consistent approach to risk and compliance across the enterprise depends on creating a standard language around risk that can be understood by business owners across functions and locations. At GE, for example, one key challenge in creating an enterprise-wide approach was forming a bridge in understanding between the financial services and industrial businesses—which inherently have very different requirements in terms of risk and compliance. “What we try to do is come up with a common set of definitions and terminologies, or what we call a taxonomy,” adds Mr Krakowiak. “This can be used by both sides of the house. We have also tried to interconnect the risk appetite statement for the financial
Steps towards integration at Siemens
The industrials group Siemens is one large multinational that has adopted an enterprise-wide approach to risk and compliance. Following a series of well-publicised compliance failures in the late 1990s and early 2000s, senior management overhauled the company’s compliance processes by combining its entire assurance activities, including ethics, codes of conduct and relationships with business partners worldwide, within one function. “At a global level Siemens identified that the existing risk management process was a little narrow and financially oriented, and needed to be much more forward-looking and focused on strategic and operational risk over the medium term,” says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe.
The new framework sees risk management, and compliance with internal controls and guidelines, as two sides of the same coin. “We need to respond to the risks in our business by ensuring that we’ve got sound internal controls in place,” notes Mr Popplewell. “Equally, things that my internal control practitioners find through our assurance programmes tell us a lot about whether our risk management processes are robust. So the two activities feed off each other.”