The complexity of the business and regulatory landscape is increasing dramatically. Companies are navigating a proliferation of new regulatory requirements and stakeholder expectations, and are challenged to do so in a way that supports performance objectives, sustains value and protects the brand. Critical compliance and regulatory issues include. Equally, non-compliance with the host of new regulations covering all aspects of financial services has become a serious risk for firms. The price of getting compliance wrong is getting larger, as headline-grabbing fines in both the United States and the UK have recently demonstrated. Firms surely want to avoid being hit with fines. One way to manage that is to treat compliance issues as a risk category just like credit or market risk. Chief risk officers need to understand the risk of non-compliance and assess their firms’ performance in compliance as part of the bigger risk management picture.
Regulators’ rising interest in risk management, combined with a long trail of big fines for compliance failures, has some consultants and industry leaders wondering whether it is time for the two disciplines to come closer together, if not merge completely.
More than ever there are areas of overlap between risk and compliance. Risk management has been hardwired into more rules and regulations since the beginning of the financial crisis. In the UK, for example, the Financial Services Authority (FSA) has increased its fines for risk management failures. The U.S. Securities and Exchange Commission (SEC) has also indicated that it intends to take risk management, as well as other governance and compliance issues, even more seriously than in the past.

Rodney Nelsestuen, senior research director at the CEB TowerGroup, told Thomson Reuters: “What’s changed is with Solvency II and Basel III and those types of rule changes since the crisis is we’ve gone from being a backward-looking regulatory environment to saying we need more capital, better liquidity. The regulators are redefining all these things. So risk has been built into the regulation at a much stronger level than it ever was.”

Nelsestuen said: “The bottom line for me is it is time to start bringing risk and compliance closer together. What I’ve seen is non-compliance is in itself a risk. Risk managers are trying to understand compliance issues not because they want to run compliance, but they want to understand what risks they’re taking. If you look at Credit Suisse which had a $500 million fine for AML infractions and HSBC … non-compliance is a huge risk.”
Credit Suisse in 2009 agreed to pay $536 million for failing to comply with U.S. laws, including Iran sanctions violations, as part of a deferred prosecution agreement with the U.S. Justice Department. U.S. law enforcement officials have been investigating HSBC’s money laundering controls in a widening probe, and there is speculation it could face a large fine, although the probe is not complete.
MOVING GRC BEYOND JUST ‘C’
Governance, risk and compliance (GRC) is a concept that has been around for a while. The term GRC suggests a certain amount of joined-up thinking and cross-pollination between the three disciplines. The reality, however, is that the term really only covers one of those disciplines: compliance.
Paul Saunders, at Sapient Global Markets, told Thomson Reuters: “GRC is a concept in the market, but I’m not sure everyone’s using it yet. It is looking at how those three factors should come together and maximise the impact and the surface area that those types of functions have on a business as a whole. Opposed to having duplication across the functions, there’s a greater impact on the business by coordination and collaboration.”
How many firms are taking the bold step of bringing together risk management and compliance, or going further to implement a formal GRC strategy, is difficult to quantify. Whether risk departments and compliance departments are even communicating with each other is equally hard to gauge. But at a recent conference, TSAM Europe 2012, a panel of five risk managers offered their views on merging risk and compliance.
Himanshu Patel, head of investment risk at Northern Trust Global Investments, reported that his firm had moved compliance to be part of the risk function. Northern Trust took that step roughly a year ago, because it believed compliance has a lot to do with risk. “The decision was to have cross-training between people on the team. Regulatory compliance is more than ticking a box. It’s also an advisory function,” he said.
Northern Trust held the minority view on the panel. Other speakers argued that risk management was just too fundamentally different a discipline to merge with compliance.
Romain Berry, head of cross-product margining for EMEA and APAC at Citigroup, told the TSAM conference: “When I was EMEA Co-Head of Performance and Risk Measurement at JPMorgan, we briefly explored the possibility in late 2009 to merge my team with our Compliance Reporting Services team on a global scale – mainly to match upcoming UCITS IV regulations and potentially to save cost. But we quickly came to the conclusion that both teams were using separate systems that could not be integrated and staff had quite different skill sets that could negatively impact on the quality of our services to clients. I personally did not believe we could successfully run in the long term a team of “hybrid” analysts who would possess expertise in both fields, for risk measurement and management have become a much more quantitative space over the last 10-15 years. We also considered outsourcing some basic operational processes (like data collection and filtering or report generation) to India. But the difficulty to manage a high turnover of team members in India as its economy continued to blossom and concerns about losing control over inputs into our models could not justify in our minds a cheaper operating cost.”
IT’S A DEBATE THAT SHOULD BE HAD
When talking about risk management, consultants and practitioners often refer to the three lines of defence. Briefly, these lines are:
on the front-line business taking responsibility for risk management and internal controls;
the risk management and compliance functions; and
internal audit.
There is often a blurring of the lines as to how the different functions that make up the three lines of defence operate within a firm. Some firms might prefer to keep the functions separate, because they want risk management to be more strategic. In addition, the compliance function might require different resource and technical knowledge that is better managed separately.
Moreover, different kinds of financial services firms — fund managers, retail banks, insurers and investment banks — use the risk management approaches that best suit their business type and function. Where appropriate, however, firms should at least be considering whether a risk and compliance merger could benefit them.
Saunders said: “There isn’t one purist view. But [whether to merge risk and compliance] is a debate that should be had. In the past, the compliance department was focussed solely on making sure regulation was monitored and tracked and the impact was understood in the organisation and it then adapted and remained compliant. Now more regulation is biting on how an organisation risk manages and is trying to bring more transparency. That transparency piece should drive a need for organisations to look a bit more acutely across what are essentially control domains.”
Should risk management and compliance be joined up? The answer is absolutely yes, according to Ian Peters, chief executive of the Chartered Institute of Internal Auditors.
Peters told Thomson Reuters: “In terms of the relationship between the two, I would see compliance as being an aspect of risk management. Certainly they should be joined up to be able to understand each other. There’s a certain logic to have them managed within the same division, but it depends on the organisation. The critical thing is that they are talking to each other and understanding each other. Often in an organisation it may be appropriate for them to be together. Certainly they are two aspects of the second line of defence. I see no problem in them being together and I can see potential benefits. But each organization needs to make its own decisions.”
Peters, however, emphasized the need for the internal audit function to remain separate and maintain its independence. “What you don’t want to do is merge together your three lines of defence which is less effective, then you just have one line of defence,” he said.
(Note: an earlier version of this story had the following quote from Berry, which did not make clear this issue was considered while he was working for JPMorgan: “We did consider merging the teams and were considering outsourcing the teams to India. We did realize though that compliance and risk are different functions. We thought it would be difficult to merge two different skill sets.”)
Risk management professionals constantly preach that risk management is not compliance. Risk managers help set strategy.
After their colleagues ask “what can we do to make money and how?,” risk managers then ask “what risks will we be taking, how can we manage them and is it worth it?” This is very different from traditional compliance, the discipline of ensuring an organization is acting according to a set of predetermined rules.
At the same time, compliance is clearly an essential element of doing business. In an age of “bubbles” and regulations that are continuously augmented in an attempt to make people “do the right thing,” companies are in jeopardy if they do not have an effective internal compliance function.
Despite the desire of risk management professionals to distance themselves from the “C” word, they remain inextricably linked. It is critical for all organizations, big and small, for- and non-profit, across industries, to understand the distinct disciplines and the relationship between the two.
Regulated Risk Thinking. Risk management has come a long way. Prior to the 1980s, it was associated predominantly with the use of market insurance to protect companies from various accident-related losses. Then, with a new focus on the international regulation of risk, the financial industry began to develop internal risk management functions. However, it is only during the last several years that the discipline has become more directly regulated. In the wake of various scandals and bankruptcies resulting from poor risk management, the Sarbanes-Oxley Act of 2002 and the stock exchanges stipulated governance rules in order to require risk thinking in the boardroom and C-suite. Finally, the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, which addresses, among other things, risk management oversight concerns from a macro perspective (the financial system) and a micro perspective (within companies), was a response to the failed application and enforcement of risk management processes and procedures.
This transformation from a good business practice to a legal requirement has blurred the lines between risk management and compliance. When the failure to take a thoughtful approach to managing risk is illegal, don’t we have a compliance issue? Yes and no. When the board and C-suite entertain moving in a new strategic direction, it is the function of risk management to assemble relevant information regarding the risks of that new direction and provide that information to the company’s leadership in a way that aids them in making their final determination. At the same time, applicable laws and regulations (depending on the industry in which the organization belongs, whether public or private, etc.) may require that risk information be collected, processed and provided in a certain way or that the process be disclosed to a government agency or the public. Those requirements may help shape the risk management process, but the organization’s business and culture drive it.
The Risk of Non-Compliance. In essence, noncompliance is a type of risk. Like other significant risks, it can result in a multitude of bad outcomes for an organization (e.g., loss of brand reputation, fines and penalties, business disruption). However, entities often confuse having robust compliance functions with having a developed risk management program. As one of many risks, compliance risk is part of the larger slate of operational, strategic, financial and market risks.
To further complicate matters, compliance efforts often fail because leaders do not anticipate future risk. For instance, a company may expand into a foreign market without properly assessing the risks associated with that expansion, including the difficulty of operating within a culture in which bribery is pervasive. Because proper risk thinking drives strategy, including the allocation of resources, the company also would likely fail to add an appropriate anti-bribery component to its compliance function.
The recent compliance issues that have plagued JP Morgan are another good example. A large portion of the mega-bank’s rap sheet relates to activities outside traditional commercial banking. And now, JP Morgan plans to spend an additional $4 billion on the compliance function and commit an extra 5,000 employees to it. Perhaps those functions would have been augmented appropriately after the bank entered into non-traditional banking businesses (like student-loan origination and the physical commodities sales and trading business) if it had identified the compliance risks of entering those spaces and established the proper compliance infrastructure to mitigate them.
Another source of confusion lies in the norms established by various governmental agencies, including those that require companies to have “effective compliance and ethics programs.” These are a coordinated and comprehensive set of policies, procedures, roles and responsibilities structured to prevent and detect misconduct and to promote an organizational culture that encourages ethical conduct and commitment to compliance with the law. Although the ultimate goal of effective risk management (to identify and prioritize risks and then to deploy resources accordingly) is distinct from that of an effective compliance and ethics program, the two are often confused because both require (1) discussion with leadership about interrelated topics, (2) an inventory of business activities and their supporting mechanisms within the organization, and (3) monitoring of overlapping metrics. While an organization’s risk management initiatives may overlap significantly with the implementation of its compliance plans, the former has a strategic focus while the latter serves a more operational purpose.
Separate, But Together. There are two key takeaways that should play over and over again in the minds of organizational leadership:
Risk management and compliance are separate disciplines and should be implemented accordingly. Risk management has been described as “a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.” In order for business propositions to succeed, strategic planning must be imbued with methodical risk thinking.
Compliance, by contrast, has been described as being about “a management commitment to do the right thing, and effective management steps to make that happen[;] about making sure that all those who work for the company know what to do, and believe that the company is serious about acting legally and ethically.” In other words, compliance is an enterprise-wide commitment to acting within pre-determined norms that enable the organization to act legally and ethically. Whether the same or different individuals own the risk and compliance functions at an organization, these different purposes must be kept in mind when folding both concepts into an organization’s infrastructure.
Risk management and compliance are interrelated and must also be considered together. While risk management and compliance are often appropriately handled by two separate groups within an organization, the pitfall is that this separation can lead to a fragmented approach whereby compliance risk is isolated from other enterprise risks. Risk professionals must understand the risk of non-compliance equally as well as other organizational risks in order to properly shape enterprise strategy.