Memo # 22731

Recent Report On The State Of Integrating Governance, Risk, And Compliance Functions In Financial Services Enterprises


July 24, 2008

TO: COMPLIANCE MEMBERS No. 31-08
INTERNAL AUDIT ADVISORY COMMITTEE No. 2-08
RISK MANAGEMENT ADVISORY COMMITTEE No. 4-08

RE: RECENT REPORT ON THE STATE OF INTEGRATING GOVERNANCE, RISK, AND COMPLIANCE FUNCTIONS IN FINANCIAL SERVICES ENTERPRISES

In February 2008, in the midst of the ongoing credit crisis and associated market turmoil, the Economist Intelligence Unit of The Economist conducted an online survey of 167 executives of the financial services industry worldwide[1] to find out the state of integration of their organizations’ governance, risk, and compliance functions.[2]  This online survey was supplemented by in-depth interviews of the executives.  The survey’s findings were published in June 2008.[3]


The Survey found that a proper governance policy defines the organization’s risk profile, lays out a process for evaluating and prioritizing risks, and ensures that the process is followed.  The structure of the oversight appears less important to the policy’s success than the organization’s commitment to the policy through expertise, resources, and engagement.  As stated in the Survey:

When a schism opens between [those focused on risk and those focused on business] – and when the people running businesses have more ‘status, prestige, and pay’ than those charged with controlling risks – the stage is often set for a breakdown in the checks and balances that allow institutions to pursue new business without taking on undue risk.  It is this kind of breakdown that an integrated system of governance, risk and compliance activities is intended to avoid.[4]


Overall, the Survey found that “an integrated governance, risk and compliance programme promotes a common language and understanding of risk and discourages the development of siloed oversight functions that operate in isolation from the business.”[5]  Indeed, according to the Survey, one “positive outcome” of the recent tumultuous environment “is that it has exposed weaknesses in the risk governance of financial institutions.”  The key findings of the Survey include the following:

  • Independent yet overlapping control functions hinder a comprehensive understanding of risks.  In the financial services industry, governance, risk, and compliance activities are often spread across multiple overlapping and related functions (e.g., audit, compliance, finance, IT, operations, and legal).  This leads to inconsistent and inefficient processes.  These inconsistencies and inefficiencies are exacerbated, and a comprehensive understanding of risk is impeded, when each silo reports to senior management independently.  The Survey notes that the problem is not that any of these singular functions is flawed; instead, it is that “different activities have grown up independently, and information gathering is not harmonized or standardized across governance, risk management, compliance and internal control systems.”  Indeed, many of the managers involved in these functions


. . . fail to interact with each other.  Each remains in his or her own functional silo, with its own terminology, technology, and processes.  The advantage is the efficiency within each silo; the disadvantage is duplication and inefficiency across the organization, as well as the failure of senior management to gain the comprehensive view of risk that can emerge when information is prepared and shared using a consistent methodology.[6]


  • Institutions that invest in governance, risk, and compliance are more likely to integrate pricing and risk.  While risk-adjusted pricing is fine in theory, in reality, the desire to win business often triumphs, even in risky and volatile markets.  The more integrated an institution’s governance, risk, and compliance functions, the more likely the institution was to have increased product prices to offset higher risk during the recent credit crisis.


  • Organizations that fail to integrate governance, risk, and compliance are often the ones most in need of such integration.  Firms that have not integrated their governance, risk, and compliance functions tend to be those that focus on the pursuit of new business to the exclusion of risk control.


  • Organizations without these functions integrated tend to exhibit other dysfunctional behavior.  Executives in organizations that have not integrated these functions were more likely to agree with statements such as “My organization’s policies and objectives exist only as a formality – they do not reflect how the organization is run in practice.”  They were also more likely to state that their firm’s risk and compliance policies are not well understood throughout the organization.

Other interesting findings from the Survey include the following:


  • Forty-two percent (42%) of executives said their stock price had declined as a result of the recent credit crisis and associated market turmoil; 20% said their organization was not impacted by these events.  Thirty-seven percent (37%) stated that, as a result of the credit crisis and market turmoil, they have taken steps to become more proactive in risk management and 34% state they have become more risk-averse.


  • When asked where their organization was weakest in managing financial risks, 41% of survey participants state in risk modeling, including model validation.  The most common weakness cited in managing operational risk was risk management (35%), and for compliance risk, it was incident reporting (26%).


  • The three highest rated benefits of integrating governance, risk, and compliance were: better control over business processes (40%), reducing the risk of non-compliance (37%), and ability to gain a global, enterprise-wide view of risk (34%).


  • With respect to source of information used by organizations when making key decisions, the most common answers were: internal briefings (e.g., with management team) (62%), internal updates (e.g., management reports, finance data) from local offices (45%), conversations with colleagues (29%), corporate dashboards of operational data (29%), and external briefings (e.g., advisers, consultants) (26%).


  • When asked to rank how significant financial, operational, and compliance risk were expected to be to their organization over the next three years, survey participants expressed greatest concern with financial risk (41%), followed by operational risk (26%), and compliance risk (25%).


  • When asked which department or individual, if any, was driving the integration move within the organization, the most common response (by almost a 2 to 1 margin) was the Chief Risk Officer (30%).  Other answers included the CEO (16%), the COO or CFO (8% each), various business units (6%), the chief audit executive (7%), and the compliance officer (4%).


  • Twenty-seven percent (27%) of respondents are either in the final stages of integrating their governance, risk, and compliance functions or already completely integrated.  Sixty-six percent (66%) were somewhat integrated or beginning the integration process.  Firms that were not integrated or just beginning the integration process were: twice as likely to be focused on the pursuit of new business rather than risk control; 50% more likely to say that the risk policies were a formality, not a reality; and five times as likely to say that their organization’s risk management policies were poorly or very poorly understood throughout the organization.

  • Firms plan to enhance their integration over the next three years, in part, through the following activities: implementing management tools and technology (29%), hiring more qualified staff (22%), making changes to the risk reporting structure (22%), bringing together stakeholders from different business units to create coordinated business planning (19%), communicating the governance/risk/compliance policy through the organization (18%), and improving communication between different security functions (13%).


  • Fewer than one-half of organizations believe their risk and compliance managers develop controls in a consistent way.  Of the organizations that have not integrated their governance, risk, and compliance functions, “virtually all agree that multiple concepts of risk are floating around the organization, and that risk and compliance managers communicate with management in inconsistent ways.”

  • When asked about obstacles to integration, the most commonly cited obstacle is “politics” (“including perceived threats to ‘kingdoms’”) (34%).  Other cited obstacles include: the lack of links among information silos (31%), lack of perceived returns for the organization (23%), internal risk/compliance structures (23%), confusion over how to initiate integration (19%), apathy at the board level (14%), and difficulty educating senior management (12%).

The Survey concludes that:


Most experts agree that to gain a firmer understanding of risk across the enterprise, stakeholders should be drawn together from different departments through workshops.  This would allow them to define the risk they face, discuss their current approaches to governance, risk and compliance and how to achieve related goals, as well as find out what is required to reach them.  Work can then start on setting up a database to analyze risk commonalities and trends within the different business units.  Insights on risk exposure will emerge that would not have done so when the information was kept in separate silos.[7]

Tamara K. Salmon
Senior Associate Counsel

[1]  The Appendix to the survey provides more information on the location, title, and main functional role of these executives as well as on their firm’s business focus and assets.  Thirty percent (30%) of responders were in North America and a total of 16% were in the investment banking/asset management business.

[2]  As defined in the Survey, these functions include risk governance; financial, operational and IT risk management; audit and control activities; compliance efforts; and all of the associated policies, processes, documentation, and IT infrastructure.


[3] See Governance, risk and compliance in financial services, A briefing paper from the Economist Intelligence Unit, sponsored by Oracle (June 2008) (the “Survey”), which is available online at: http://a330.g.akamai.net/7/330/25828/20080625144856/graphics.eiu.com/upload/Oracle_GRC.pdf.  The Institute has received copyright permission from the publisher to provide our members access to this article.  Some of the findings of the Survey are consistent with those in Observations on Risk Management Practices during the Recent Market Turbulence, Senior Supervisors Group (March 6, 2008), which is available at: http://www.sec.gov/news/press/2008/report030608.pdf.


[4]  Survey at p. 6.


[5]  Survey at p. 3.


[6]  Survey at p. 5.

[7]  Survey at p. 13.