The age of compliance: Preparing for a riskier and more regulated world
A report from the Economist Intelligence Unit

Preface

The age of compliance: Preparing for a riskier and more regulated world is an Economist Intelligence Unit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for this research. Our findings drew on desk research and in-depth interviews with executives familiar with risk and compliance within their organisations. The findings and views expressed in this report do not necessarily reflect those of the sponsor. Rob Mitchell was the author of the report and Dan Armstrong was the editor.

August 2010

© The Economist Intelligence Unit Limited 2010

In September 2007, senior executives at Citibank gathered at the company's New York headquarters to discuss a sudden spike in the number of mortgage defaults among sub-prime borrowers in the US. It was at this meeting that Chuck Prince, then CEO of the bank, was told for the first time that Citibank owned mortgage-related assets worth about US$43bn.[1] Thomas Maheras, who oversaw trading at the bank, reassured Mr Prince that everything was fine, but within weeks Citi nursed losses on the assets that ran into billions of dollars. The bank's risk management was shown to have severe deficiencies: accepting ratings agency opinions in lieu of independent reviews; relying on brittle financial models; and, according to subsequent congressional testimony, violating internal credit policies.[2] Within two months, Mr Prince was out of a job.

Other industries, such as the energy sector, can face equally disastrous risks. At a US Congressional hearing in June 2010, Tony Hayward, CEO of BP, told members that he had "no prior knowledge" of the drilling of Deepwater Horizon, the Gulf of Mexico oil well that exploded in April with the loss of 11 lives and devastating environmental consequences.[3] Members criticised Mr Hayward for the evasiveness of his answers and accused him of putting profit ahead of safety. Mr Hayward stepped down as CEO in July.

These two examples, while different in their origins and consequences, illustrate the challenge of managing risk and compliance across large and complex organisations. Even medium-sized companies rely on a network of suppliers and partners, and have employees, functions and divisions scattered around the world. It is therefore unsurprising that, despite years of investment in risk management tools and processes, a clear view of the risks accompanying key decisions remains elusive for many senior executives.

Events such as the financial crisis and the Gulf oil spill have provided fresh impetus for efforts to gain better oversight and co-ordination across risk and compliance functions. The terms enterprise risk management (ERM) and governance, risk and compliance (GRC), both in circulation for over a decade, have taken on fresh significance, and a growing number of companies are redoubling their efforts to co-ordinate—and ideally integrate—their various sources of assurance. "You get to the point where you recognise that things like risk appetite statements, scenario planning and responses to regulatory changes require an enterprise view," says Bruce Munro, group chief risk officer of National Australia Bank. "It's difficult to ask people in their particular areas of risk expertise to do that, so you've got to invest in people that can do it on a full-time basis."

In many companies, compliance and risk activities remain highly fragmented and scattered around the enterprise. The professionals charged with ensuring compliance with Sarbanes-Oxley, for example, are likely to use a different framework and standards than those managing health and safety compliance. And in risk management, teams looking after the credit of customers to whom the business provides financing will be in a separate department from those that look at operational risk. Each risk and compliance activity is often built up separately, frequently in response to a major event or new compliance obligation.

[Chart: The exponential growth of US financial services regulation, measured in number of pages of legislation]
1913  Federal Reserve Act: 31 pages
1933  Glass-Steagall Act: 37 pages
1994  Interstate Banking Efficiency Act: 51 pages
1999  Gramm-Leach-Bliley Act: 145 pages
2002  Sarbanes-Oxley Act: 66 pages
2010  Dodd-Frank Wall Street Reform Act: 2,319 pages
Source: Economist Intelligence Unit, 2010

This fragmentation is costly because there is duplication of effort. It leads to complexity because there is no common approach. And when compliance activities are splintered, business risks inevitably grow. For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security breaches or data losses. Fragmented financial compliance can open the door to fraud or restatements. Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound, since an ad hoc approach to compliance leads to higher levels of risk.

Efforts to boost visibility into risk exposures across the enterprise, or to achieve a more holistic and consistent approach to compliance, are nothing new. Over the past decade, many executives have experienced initiatives designed to aggregate risk management across the company's divisions, functions and risk silos. Few can say with confidence that these initiatives were successful. GRC holds the promise of taking this process of integration a step further by integrating ERM and compliance activities within a broader governance framework. Dating from the Sarbanes-Oxley Act of 2002, when listed US companies faced complex and costly obligations under Section 404 of the Act, GRC emerged as a set of tools to help companies manage risk, track compliance and monitor internal controls. Since then the scope of this discipline has broadened. Although definitions vary, it now refers to an enterprise-wide framework that companies use to manage risk and compliance within established corporate governance parameters.

"The point of governance and compliance is to ensure transparency," says Mr Munro. "Compliance plays an important role in providing assurance for people like me and the Principal Board[4] that we're actually doing what we say we're doing. Beginning with the high-level risk appetite, and cascading through the layers of the business, there needs to be a mechanism to ensure that when there are issues, they are discovered, escalated, dealt with and the lessons learned."

This paper examines how the integrated management of risk and compliance has developed among corporates in multiple countries and industries. It is based on a series of interviews with chief risk officers and other high-level risk professionals from large multinationals around the world. These interviews, conducted in June and July 2010, reveal a number of common themes.

Notes
1 http://www.nytimes.com/2008/11/23/business/23citi.html?_r=1&hp=&pagewanted=all
2 Based on testimony by Richard Bowen, a former chief underwriter at Citibank, at the Financial Crisis Inquiry Commission, April 7th, 2010: http://www.fcic.gov/hearings/pdfs/2010-0407-Transcript.pdf
3 http://www.ft.com/cms/s/0/095cc462-79f5-11df-9871-00144feabdc0.html
4 The Principal Board refers to the Principal Board Audit Committee (PBAC), formed by NAB in 2003 to discuss and investigate any high-risk issues raised by internal or external auditors.

Pressure builds for a consistent approach

The three themes of governance, risk and compliance have been central to the management agenda for a decade. But whereas five years ago it would have been the "C" in GRC that was most likely to keep executives awake at night (and indeed was the impetus behind the development of GRC in the first place), in the post-crisis world it is the "R" that has risen to the top of the agenda. "The whole environment over the past 18 months has been the facilitator of much broader thinking about risk management," says Mark Krakowiak, chief risk officer of GE, the industrials and financial services group.

The reasons for this laser-like focus on risk are well understood. The financial crisis has highlighted the interdependencies between different divisions of the organisation—and between the enterprise as a whole and the external environment. Under pressure from legislators and investors, boards are becoming more demanding. In one sector, financial services, regulators are stipulating that institutions form risk committees. And the role of chief risk officer, once confined to banking and insurance, has spread across the corporate world.

But the management of risk—however broadly it is framed—is just one piece of the puzzle. Companies also face an increasingly complex and rigorous regulatory compliance burden that has become both costly and risky, should the company fail to meet its obligations. In June 2010, for example, the UK Financial Services Authority fined JP Morgan, an investment bank, £33m (US$50m) for failing to comply with a regulation requiring it to segregate client assets from its own funds,[6] while the US transport regulators fined Toyota US$16.4m in April for failing to notify them sooner about defects in its cars.[7]

Notes
5 http://www.complianceweek.com/s/documents/AMR-GRC-in2010.pdf
6 http://www.ft.com/cms/s/0/9e66733e-6ef4-11df-a2f7-00144feabdc0.html
7 http://www.ft.com/cms/s/0/6053df1c-4106-11df-94c2-00144feabdc0.html

Setting effective guidelines

Interviews with risk and compliance professionals within corporations yield a consistent set of guidelines to manage this set of disciplines effectively. They are guidelines, not rules, because they require judgment and nuance in organisations already laden with policies and procedures. Buy-in requires ownership; ownership seldom results when senior management simply issues a dictum. All managers are familiar with processes which, however well intentioned originally, have become checklists devoid of meaning. As has been demonstrated over the past few years, risk and compliance are too important to suffer this fate.

Commitment must come from the top

Those who best understand the risks embedded in a business process are the people who are closest to it: the business owners and process owners. At the same time, senior management and the board play a crucial role in raising the profile of risk management and ensuring that the organisation has a consistent methodology for dealing with it. "The more involvement the board has in risk matters, the better the organisation is," says Mr Munro. "If you don't have your board onside and you don't have agreement between the board and management about the appropriate level of risk-taking, then you're setting yourself up for trouble. I'd much rather have an active and engaged board than not."

Any investment in an enterprise-wide risk and compliance framework must have absolute commitment from the top of the organisation. "You need buy-in from both the senior management team and the board," says Mark Newlands, head of risk at Anglo American. "They need to be convinced that what you are suggesting will add value."

From the board's perspective, GRC can provide assurance that risks are being identified and that information about them is being passed to the right people at the right time. A more consistent approach to reporting also makes it easier to evaluate and compare risk exposures. "What we're trying to do is present a picture to management and the audit committee of what the risk profiles for each of our businesses look like, and what the risk profile of the group as a whole looks like," says Mr Newlands.

Standardised processes are an important first step

Building an enterprise-wide layer for risk and compliance on top of existing processes can seem like a daunting task. With individual sources of assurance and compliance activities run separately and rarely interfacing—either personally or by means of risk systems and IT infrastructure—the time and resources necessary to achieve successful integration can be considerable. According to Mr Krakowiak, much depends on the extent to which existing risk processes have already been standardised. Nine months ago, GE took the step of creating a single framework for risk management across its entire enterprise, spanning both the financial and industrial businesses. Mr Krakowiak believes that the company's longstanding commitment to the standardisation of business processes made this a more straightforward task than it might otherwise have been. "We already had a very process-oriented approach to the operational side of our business," he explains. "For example, we have a standard review process for our compliance and we use standard processes for budget planning and strategy planning. So we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk."

For companies that do not know where to begin, a first step may be mapping to existing standards like ISO 31000. ISO 31000 (2009) provides principles and guidelines on risk management covering a wide range of business activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. Adopting a standard such as ISO 31000 helps to move companies beyond ad hoc collections of controls towards a unified framework.

Balancing autonomy and control

A successful enterprise-wide view of risk and compliance depends on managing the opposing requirements for centralisation and decentralisation. On the one hand, there needs to be a central function that can aggregate risk and compliance information from the business. Without it, senior executives cannot effectively make business decisions regarding how to manage risk and take advantage of new potential business opportunities. Yet at the same time, risk needs to be owned by the business, within an established framework. "It's really important to have risk people close to the business so that they can help managers with a specific set of risks that need to be managed," notes Mr Munro. "But you've also got to have an enterprise-wide view. You need to walk that fine line between collaboration and independence."

An important part of this balance is deciding which risks need to be defined within a centralised framework and which can be determined by the business. "You need to understand the roles and responsibilities of different functions and units," says Harri Spolander, chief risk officer of Fortum, an energy company headquartered in Finland. "While it is conceptually a good idea to centralise risk management and have a co-ordinated approach, you need to decide and define explicitly which risks should be managed centrally and which should be devolved to the business. If you are not clear about that, you are in a situation where no one really knows who is responsible for what."

In the energy industry, for example, one might choose to centralise the management of risks associated with currencies, interest rates and commodity positions—and hedge them appropriately. But while overall policies for risks such as environmental risk can be determined centrally, the management of those risks must always happen locally. "Naturally compliance is an important housekeeping thing and also a best practice to a certain extent, but not the main driver for our risk management," says Mr Spolander. "It really must be the responsibility of every operational unit because leakages, for example, do not happen in the central corporate unit, they take place in the power plant."

A constant dialogue between risk functions and the businesses

Frequent dialogue between risk functions and the business is essential. The relationship should be symbiotic: managers should be confident that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk. "Getting everyone on the same page at all organisational levels about what it is we're trying to achieve, and making the accountability stick, is key to both the effectiveness and efficiency of the regime," says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe.

In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as a "preventer" of business whose role is to impose limits and controls, it needs to be perceived as an "enabler" that can offer valuable advice. To gain the confidence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives. "We have consciously evolved our response from waving a red flag and walking out to waving a red flag and working with the business teams on mitigation plans," says Alexis Samuel, chief risk officer at Wipro, an Indian business process outsourcing and technology company.

A key metric for the success of this dialogue is the extent to which heads of business units and business managers proactively seek out the risk function to engage them in discussion about their plans. "People are now willing to accept us as an enabling function and reach out to us, but we have to constantly reassure our teams that we are not just red flag wavers and will go beyond, roll up our sleeves and work with them to mitigate their risks," says Mr Samuel.

Dialogue between the risk function and the business can also help to create a more consistent view of the risks of a particular project that is in line with the enterprise's overall risk tolerance. "The intention is to make the management team collectively aware of the risks that are going to prevent them from being successful in whatever it is they are trying to achieve," says Mr Newlands. "The owner of a particular project may have a view on the risks, but his or her colleagues may have a completely different view. Unless you get around a table and discuss them through a structured process, you can end up with completely divergent views."

In 2006, Anglo American brought in what it calls an "integrated risk management" approach that was designed to improve on the previous system by being more relevant to business divisions. The key to its success, according to Mr Newlands, has been the introduction of facilitated discussions with managers in the business. "Rather than having a one-size-fits-all, paper-based approach where managers filled in forms against a standard matrix, we have moved to a system that is much more aligned with their business processes," he explains. "We now look at risks that are relevant to each business and prioritise them according to a matrix that is also customised to their circumstances."

A more systematic understanding of the risks

When risk is managed in silos, it provides a good measure of each specific area of exposure, but there is no bird's-eye view of the company's overall risk position. A silo-based approach also means that certain risks can fall between the cracks. During the financial crisis, for example, many banks lacked understanding of the risk associated with certain assets because credit risk departments thought they were market risk issues, and market risk departments believed they were the responsibility of credit risk managers. As a result, companies are increasingly focusing not only on risk management within their organisation, but on interdependencies with other companies within their network as well as the broader economy. "Companies are finally realising that there is a need to determine how an organisation can look at its risks from a holistic perspective and figure out how those can be managed and monitored," says Richard Apostolik, chief executive officer of the Global Association of Risk Professionals.

By aggregating risks at an enterprise level, a company has a much better understanding of potential threats that could cause serious financial or reputational damage. GE's new enterprise-wide risk approach is a good illustration. "We wanted to make sure that when we looked across the entire portfolio, we understood clearly the key things that could potentially put the franchise at risk," reports Mr Krakowiak. "To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we understood completely the risk we were taking, what some of the external factors were that could impact us, and what could prevent us from achieving our strategic objectives."

For any large company, the list of potential threats that could have an adverse impact on the business is huge. Careful prioritisation is therefore needed to prevent management paralysis. "We are trying to focus on the four or five big things that could have a systemic risk problem for the company, while continuing to ensure that businesses manage their own risks within each function," says Mr Krakowiak.

A consistent approach to risk and compliance across the enterprise depends on creating a standard language around risk that can be understood by business owners across functions and locations. At GE, for example, one key challenge in creating an enterprise-wide approach was forming a bridge in understanding between the financial services and industrial businesses—which inherently have very different requirements in terms of risk and compliance. "What we try to do is come up with a common set of definitions and terminologies, or what we call a taxonomy," adds Mr Krakowiak. "This can be used by both sides of the house. We have also tried to interconnect the risk appetite statement for the financial services business with that of the overall company."

Aggregation of risk and compliance at the enterprise level also provides senior executives with the oversight they need to assess interdependencies and correlations across the business, and make adjustments accordingly. "You might find that you want to put in different limits or constraints, or adjust your capital allocation, because what looks okay in one silo doesn't necessarily look the same once you aggregate it at the enterprise level," argues Mr Munro.

Steps towards integration at Siemens

The industrials group Siemens is one large multinational that has adopted an enterprise-wide approach to risk and compliance. Following a series of well-publicised compliance failures in the late 1990s and early 2000s, senior management overhauled the company's compliance processes by combining its entire assurance activities, including ethics, codes of conduct and relationships with business partners worldwide, within one function. "At a global level Siemens identified that the existing risk management process was a little narrow and financially oriented, and needed to be much more forward-looking and focused on strategic and operational risk over the medium term," says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe.

The new framework sees risk management, and compliance with internal controls and guidelines, as two sides of the same coin. "We need to respond to the risks in our business by ensuring that we've got sound internal controls in place," notes Mr Popplewell. "Equally, things that my internal control practitioners find through our assurance programmes tell us a lot about whether our risk management processes are robust. So the two activities feed off each other."

A single risk appetite may not fit the entire enterprise

Although much is said about the need to build an enterprise-wide risk culture, it is down to boards and executive management to define what it is. "Boards need to define what their risk culture is and from there they need to define what the organisation's risk appetite is," says Mr Apostolik. "Then they have to ensure that the rest of the organisation works within the definitions that they have come up with."

In general, a risk appetite should be a clear articulation, approved by the board, of the institution's risk tolerance and limits across its full range of businesses. Once this has been set at the enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk owners. "We set a risk appetite at enterprise level, then each of the business units takes that and applies it and forms their own risk appetite based on those overall settings for their line of business," explains Mr Munro. "So you start to get commonality, a common approach and a common language. Properly done, the risk appetite statement becomes a cornerstone and becomes part of the language of enterprise risk."

In other industries, it may be difficult to set an overall risk appetite because individual operations or change projects vary so widely in terms of their perceived risk. Mining is a case in point: with operations in locations that are subject to widely differing levels of political and business risk, no two investments are alike. "I don't think there's ever a situation where you can say that our risk appetite is 'X' and will remain 'X' for the rest of the year," says Mr Newlands. "It's not a number. It's about taking each individual proposition for change, or each operation, and determining whether that is something that the organisation is willing to accept or not."

Overcoming resistance

One barrier to implementing an enterprise view is resistance from people in long-established silos. One example would be a division that has invested heavily, and successfully, in China. However, upon assuming an enterprise-wide view of its risks, the company may decide that it is over-exposed to business in China and that each division needs to cut back its investment. For divisions used to running their own P&L and managing risks within a silo, this can be a difficult decision to swallow. It can take time and effort to educate managers in the need to make sacrifices in order to gain a more balanced enterprise-wide risk exposure.

Some managers may think that an enterprise approach will penalise business units viewed as deficient in terms of risk management. But as Mr Newlands explains, the goal is not to create competition. "It's not a question of one business unit's performance against another," he says. "What we're interested in is each unit's risk profile, what they're doing to mitigate those risks and how it all fits together at the enterprise level."

Overcoming this resistance means that outmoded perceptions of risk functions as "business prevention units" need to be challenged. "You have to demonstrate that this is something of value," adds Mr Newlands. "We have to make it clear that we are not here to stop people taking risks or to eliminate risk. We are here to make sure that managers understand what it is that they are taking on."

Once managers in the business units decide on their own to make a public commitment, they will behave consistently with that commitment for as long as necessary. Coercion will not work. The key is to demonstrate how risk and compliance activities can help them to achieve their business goals.

Creating a wide awareness of risk

Although controls and monitoring play an important role in the risk management toolkit, they should be seen as only one small part of the role of the risk function. Rather than mandating a set of top-down rules without adequate explanation, risk professionals must work with the business in order to demonstrate both that they understand the business and that there is a rationale for the position they are taking. Thus GRC is about communication and education, not the setting of rules. "It's really all about behaviour," says Mr Popplewell. "We have a culture of treating risk management and internal controls as an important source of value for our business, rather than just a kind of mindless rule set."

Formal reporting structures are important, particularly when a company is seeking to aggregate risk at an enterprise level, but the informal discussions about risk are the real bedrock of effective management. "There's a clear and detailed structure as to how we organise things, but it's really about the conversations that happen as much as it is about what ends up in different boxes on spreadsheets," he stresses.

Training and education have become an important part of the role of the risk function. Wipro, for example, runs training in general risk concepts such as business ethics for all its key managers, while specific course modules have been developed for every employee in the organisation. A communication plan around risk is set in advance and rolled out throughout the year. "We publish news bulletins and risk circulars on a regular basis," says Mr Samuel. "We also convert some of our risky incidents or near-misses into pamphlets that we use in training and discussion in our leadership forums."

GRC is about people as well as technology

Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of key risk indicators. When implemented properly, it can help companies assess the impact of a risk against a particular objective, and increase visibility into the effectiveness of compliance efforts. That said, people are just as important in the process. "We don't want the risk function to become a team of data entry and monitoring personnel," says Mr Samuel. "It's important to think through any technology solution and ensure that it is carefully tailored to our needs and does not just add a layer of bureaucracy."

Mr Newlands agrees and sees the risk management process as primarily a process of face-to-face engagement between the risk function and business units. "It is a qualitative discussion with management involving people, and technology plays only a small part," he explains. "We have some technology that helps us capture, store and analyse the output of our work, but what we don't do is get into a great deal of quantification. It has its place, but by far and away the most important thing is the judgment of the people who are managing risks on a day-to-day basis. The danger I see with quantification is that the one thing you can guarantee is that you will be precisely wrong."

Problems with gaining access to accurate, high-quality data also hamper the quantification and analysis process. "The question of appropriate data and the analysis of that data is probably the biggest issue that companies face," says Mr Apostolik. "Putting the systems in place to collect the data that you can analyse and report from is a huge undertaking."

Eli Lilly: Linking risk with strategy

An enterprise-wide approach to risk and compliance brings significant benefits in terms of visibility into risk exposure and adherence, but it can be difficult to elevate the programme beyond a focus on operational processes. To date, few companies have taken the next step, which involves integrating this enterprise-wide approach with the broader strategy of the business. All too often, strategy and risk assessment are only tangentially connected—chief risk officers rarely sit on executive boards and their role in terms of the broader strategic direction of the business is one of support and analysis, rather than active participation.

Eli Lilly, a pharmaceuticals company, has run an ERM programme since 2005. However, there was a growing sense among senior management that it was not well integrated with the overall business planning and longer-term strategy. Major strategic risks—or the potential impact of major external events, such as the financial crisis—were not sufficiently factored into the existing programme. "When we went to the board, we found that we were talking about risk from a different perspective," says Peter Johnson, vice-president of corporate strategic planning at Eli Lilly. "That's what drove us to say, 'Are we asking the right questions about the risks we really face and that will make us vulnerable?'"

The treatment of strategic risk is inherently different from that of operational risk, and requires a different framework for identification, assessment and mitigation. "With operational risk, you can usually quantify it," says Mr Johnson. "You may run it 7,000 times and get five errors. Strategic risk doesn't work like that. There are some things you can prevent and want to prevent, there are others you can only react to, and there are some that you can prepare for and hope they don't happen. We're trying to look at all these different situations as part of our management of these risks."

This more thorough risk identification process—particularly in a company as large and complex as Eli Lilly—requires careful prioritisation to ensure that the right issues are being examined. "It's very clear that you can easily get bogged down in identifying so many different risks and developing action plans that you don't actually accomplish anything," says Anne Nobles, chief ethics and compliance officer and senior vice-president for enterprise risk management at Eli Lilly. "I think the biggest challenge is going to be to really refine the list and focus attention on areas where we need thinking and planning in order to prepare the company."

The integration of ERM and the strategy process at Eli Lilly leads to a different mode of thinking about the overall role of risk management at the company. "Strategy processes tend to be opportunity-oriented and risk management ones tend to be fear-based," says Mr Johnson. "But what we're trying to say is that they're two sides of the same coin. Once you've made your decisions from an opportunity perspective, you can begin to ask 'What could go wrong with those decisions and how do we manage that?'"

As with any major change project, there is a risk associated with this transition that it fails to achieve its overall objective—to change people's behaviour. "There's a danger that it can become all about the process rather than the outcome," says Ms Nobles. "If corporate staff ends up owning this rather than the business managers themselves, then we will not have been
successful.” Equally, the identification and assessment of strategic risk should not lead to a kind of paralysis “You can’t remove all risk,” says Mr Johnson “If that’s the objective, we shouldn’t be in business because we take on a massive amount of risk every day here The question is, are we competent to it and are we doing it in an effective way.” © The Economist Intelligence Unit Limited 2010 The age of compliance Preparing for a riskier and more regulated world Conclusion T he concept of an integrated approach to risk and compliance is not new, but the financial crisis and major risk events have placed fresh impetus behind it More than ever, boards and senior management want to understand overall risk exposures, and be provided with clear, consistent information in a timely manner With corporate governance legislation increasingly stressing the importance of personal liability and accountability for executives and non-executives, companies cannot afford to be in the dark about their risk position As with any three-letter business acronym, GRC can elicit scepticism from the business community Many companies have attempted to implement an enterprise-wide view of risk and compliance, but have been frustrated by political resistance, a lack of board-level support or inadequate technology and infrastructure Although these problems have not gone away, companies would be wrong to give up hope of achieving a more holistic picture of their risk No major change management programme is ever easy, but with the right board-level commitment, tools and processes, integrating the management of risk and compliance across the organisation is achievable, and the potential benefits difficult to dispute Visibility into decisions taken across the enterprise will help to preserve a company’s reputation, while a more efficient approach to managing risk and compliance will help to reduce duplication of effort and streamline business processes And for senior executives who carry 
responsibility for corporate activities, there will be the potential for more thorough knowledge about their business and, hopefully, a less stressful work environment.

Design: Mikekenny@me.com
Cover: Getty Images

Whilst every effort has been made to verify the accuracy of this information, neither the Economist Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance by any person on this report or any other information, opinions or conclusions set out herein.

LONDON
26 Red Lion Square
London WC1R 4HQ
United Kingdom
Tel: (44.20) 7576 8000
Fax: (44.20) 7576 8476
E-mail: london@eiu.com

NEW YORK
750 Third Avenue
5th Floor
New York, NY 10017
United States
Tel: (1.212) 554 0600
Fax: (1.212) 586 0248
E-mail: newyork@eiu.com

HONG KONG
6001, Central Plaza
18 Harbour Road
Wanchai
Hong Kong
Tel: (852) 2585 3888
Fax: (852) 2802 7638
E-mail: hongkong@eiu.com

GENEVA
Boulevard des Tranchées 16
1206 Geneva
Switzerland
Tel: (41) 22 566 2470
Fax: (41) 22 346 93 47
E-mail: geneva@eiu.com
