by Kenneth Hardin
The seemingly obvious idea that risk management and compliance should be tightly conjoined — perhaps even under a central Governance, Risk and Compliance (GRC) office — never quite goes away. It never quite gains complete traction, either.
An expansive overview piece from Thomson Reuters interviews numerous compliance and risk specialists about how the two disciplines have moved closer in the wake of the global financial crisis. The article, created for the news bureau’s Compliance Complete subscription service, includes numerous anecdotes, like the story of Northern Trust Global Investments, which about a year ago moved compliance into its risk division. Himanshu Patel, head of investment risk for the firm, is quoted as saying:
“The decision was to have cross-training between people on the team. Regulatory compliance is more than ticking a box. It’s also an advisory function.”
OK, makes sense. In the post-crisis financial sector, the potential for crippling fines and jail terms has elevated the risk of non-compliance to a criticality that dictates risk managers be completely in step with the experts who deeply understand the complexities that define that risk.
So, why did most panelists at the recent TSAM Europe 2012 conference, where Patel spoke, not agree with his position, according to the Thomson Reuters piece? In fact, the article explicitly makes the point that it’s hard to tell these days how many financial companies are moving toward an integrated GRC operation.
The resistance can be attributed to a variety of factors, amongst them institutional inertia and the general wisdom that you don’t want the police (risk management) making the laws (compliance and governance). And outside the financial sector, the discipline of risk management extends more fully to non-compliance issues, like manufacturing tolerances.
In a large bricks-and-mortar enterprise, executives are faced with the option of creating separate risk management ops for its distinct units, which is obviously wasteful, or really getting behind central best-practices governance, which may be viewed as gelding the self-direction of the distinct business units. A post from last fall at Inside GRC suggests that the very idea of “risk” needs to be expanded beyond specific things that can go wrong to include overall business performance. Many line managers are not going to warm up to that.
So, where does risk management best fit in your organization? It’s hard to pinpoint structurally, and risk management is a specific job — it’s more than just a mindset. The big enterprise software players, not surprisingly, are totally behind the centralized GRC approach. The GRC software market is estimated at $32 billion in this post for an academic GRC conference.
At the very least, the recent tumult in the financial sector has highlighted the need for transparency and open operations — not simply identifying risks and then monitoring them clandestinely with the hope that nothing actually goes wrong. That requires a culture of communication, and there is no software package that can quickly impose that.