Regulatory compliance may cost you time and money, but it can provide opportunities too, says Brian Cleary

Every company is exposed to risk, but only a few have developed a risk-aware culture that can identify, document and standardise the organisation's risk tolerance so that it can be consistently managed. Surprises often result from the risk gap that exists between upper management's intuitive sense of what is acceptable and the reality of line managers' day-to-day operations.

Many companies coming to grips with today's intense regulatory environment and its emphasis on risk management are finding that it creates an opportunity to pull together diverse elements within the organisation and forge an improved governance process that provides clear visibility into the risks to business operations. With such insight comes the ability to reduce unexpected outcomes and strengthen overall performance.

Nobody likes the costs and burdens of compliance and never will. But somewhere along the path to grudging compliance, some savvy companies have discovered that the new regulatory requirements for greater risk management have spawned greater insight into their operations. A more practical, cross-regulatory approach to managing compliance alleviates the increasing burden while providing risk professionals and executive management with insight into risks to key business processes that could affect corporate performance. It is also likely to drive up the perceived value of the business, as, according to an Ernst & Young survey, 82% of institutional investors ‘are willing to pay more for companies that manage risk well.’

Organisations that are able to leverage their investments in new compliance tools and processes are gaining greater visibility into the true extent of the operational, financial and compliance risks they are managing. As a result, they are able to better manage that risk, minimise surprise losses, and reap the rewards of improved capital management.

Carnival Corporation & plc, for example, is one of the world's largest vacation enterprises, with 12 cruise brands and two tour companies. At any given time, more than 200,000 people are sailing aboard the company's fleet of 80 ships to a wide variety of foreign ports, all subject to regulations and risks. From the beginning, the key to Carnival's approach to auditing risk was the conceptualisation of each of its brands as a set of business processes. The full model contains risks that are categorised as financial, operational, or compliance-related (approximately 1,200 for each major cruise brand), and uses a common analytical framework to ensure global consistency in tracking processes and monitoring risks.

The process yielded benefits from the beginning. “Our process-based approach to monitoring risk was an effective internal tool that gave us the assurance of a comprehensive, consistent view of risk factors across all our various brands,” says Richard Brilliant, vice president and chief audit executive of audit services for Carnival. “It was a great way to conceptualise our business.”

Risk and reward

Risk and compliance officers in all industries are struggling to deal with regulatory requirements coming from multiple directions. All companies publicly traded on the US stock exchanges – and many of their partners, both domestic and foreign – are under strict mandates from Sarbanes-Oxley; banking organisations are under the gun to comply with the capital requirements of Basel II; insurance companies face their own capital requirements under Solvency II; retailers and card payment processors are facing mandates for security under PCI and government mandates for privacy and reporting of breached customer information.

In recent months, we have seen utilities struggle over the uncertainties regarding increasing support for action against global warming; produce companies and pet food suppliers dealing with contaminated product; retailers facing consumer and bank lawsuits over purloined credit and debit card information; bankruptcies in the sub-prime mortgage industry; resignations over stock option backdating; and the list goes on and on. These situations all have elements of risk that could have and should have been better managed.

But, as many organisations have found, their actual insight into and control over risk is relatively limited. Common problems include:

• Lack of visibility and control regarding the state of operations and the risks that can impact critical business processes.

• No insight into, or understanding of, the interdependencies and interrelationships of risk across business operating units.

• Inability to see dynamic changes in risk profiles throughout the organisation, to ensure that risk remediation plans are being executed, or to spot newly emerging risk areas that would enable process improvement.

• Directors have no system of record to enable their oversight function to operate effectively.

Risk officers are often disconnected from the business and from one another. They are typically reliant on individual spreadsheets and word processing documents to track information. Their efforts produce a risk profile that may reflect the business that existed six months or a year ago at best. At worst, the information represents a silo approach to business, providing an incomplete and inaccurate picture to executive management and the board of directors.

Frequently, the risk policies and procedures mandated by top management are not optimal and are often inconsistently applied. In the face of severe penalties for non-compliance and weak operational performance, such fragmentation is costly and creates layers of complexity.

Key pillars of risk management

Achieving full business governance depends on managing risk across four key pillars:

Compliance risk: the risk of legal or regulatory sanctions, financial loss, or reputation loss, due to a failure to comply with laws, regulations, standards or codes of conduct.

Operational risk: the risk of loss due to inadequate or failed processes, people, systems, or from external events.

Technology risk: the risk of loss associated with failed, compromised or inadequate information technology upon which the business depends, and which can further expose an organisation to additional legal, regulatory, reputational, or revenue risk.

Strategic risk: the risk of loss arising from adverse business decisions that are poorly aligned to strategic goals, failed execution of the policies and processes designed to meet those goals, and inability to respond to macro-economic and industry dynamics.

The core requirement for managing risk in any of the four pillars is a system that provides visibility, monitoring, measurement and an automated response for mitigation or process improvement. Organisations approach business governance from different starting points, depending on where they perceive their most pressing challenge to be. As an organisation matures in its risk management capabilities, it will organically extend the compliance management risk and control framework into other areas of the organisation.

Reducing complexity and cost while improving business process

With assets exceeding $180bn and more than $124bn in deposits as of June 30 2006, SunTrust Banks, Inc. is one of the largest US banking organisations, serving a broad range of consumer, commercial, corporate and institutional clients. Like most banks, SunTrust understood the value of managing risk, but it needed a sustained approach to managing compliance risk. “We realised that to maintain robust management oversight of financial operations we had to reduce the number of controls we had,” says John Wheeler, senior vice president of SunTrust's financial reporting risk management group. The number of controls for its 28 banks had grown to 12,000, requiring 35 full time employees to maintain the documentation, and costing around $3.5m. Besides the high costs, says Wheeler, “like all manual processes, this approach was subject to human error and the possibility of data corruption – a limitation that exposed us to consequent risks.”

SunTrust undertook an effort to consolidate controls enterprise-wide to fewer than 1,000, and at the same time sought an automated solution that would give management an effective way to store, manage, securely and selectively distribute, and track those controls. Wheeler was guided by a commitment to a sustained compliance platform that enables continuous business improvement. “Sustained compliance,” he says, “means building a better, more embedded, compliance infrastructure as well as a spirit of ethics and integrity into business processes. This environment should not require heroic exertion and can only be achieved with a compliance program, not episodic compliance projects.”

Managing risk versus reward

More mature organisations that have installed a full enterprise risk management solution will be able to leverage all their operational performance risk information to model against different business plan scenarios. This provides managers with decision support over which direction the company should move on an issue, based on understanding the historical performance and the ability to develop a risk versus reward scenario plan.

Insurer AIG, for example, recently announced that it confidently expects to free up $15bn to $20bn in excess capital by implementing an organisation-wide economic capital model based largely on a consistent model for evaluating risk across different business units. By gaining greater visibility into actual risks throughout its far-flung, diversified empire, the company is better able to manage the reserves it needs to cover those risks. That newfound capital will allow the company to reward shareholders with higher dividends and stock buybacks, and to fund mergers and acquisitions that create new business opportunities.

In order to be able to leverage risk to make strategic decisions, an organisation needs a framework for managing process and the associated policies, risks and controls. One central management system can bring together the diverse elements in a business governance ecosystem: enterprise resource planning and consolidation tools for materiality-based scoping; capital allocation calculation engines and loss databases; audit tools; continuous controls monitoring and testing; archival storage and e-records management, and others.

Building block approach

It is crucial in moving to an enterprise risk management approach to identify a key champion with sufficient clout in the organisation to both gain visibility for the effort and deal with the political issues. Without doubt, there will be cultural challenges that must be overcome in moving to a new risk and compliance management system. Even in smaller organisations, different people may have very different understandings of what the organisation's risk profile should be, and the goal is to build a consistent view across the organisation.

It would be overwhelming and self-defeating to try and do everything in one fell swoop. Pick a project that can create immediate value – whether that is getting a handle on operational losses, or accomplishing a financial or IT compliance challenge. But it is important to go into that first project with a clear vision of where the organisation needs to go and to take a building block approach where each success creates increased buy-in and builds knowledge and skills for the next step.

The payoff

The well-governed business can identify and remediate threats to the business quickly, while improving company operations. Business processes and policies can be proactively managed by gaining insight into known and unknown risk, which can improve the performance of the organisation by reducing and better managing the operational, credit and legal losses that affect profitability. The net result is that the organisation can drive better top-line performance by ensuring better performance of the business processes that generate revenue, improve bottom-line results and create better valuation for shareholders.

Brian Cleary is vice president of marketing, OpenPages, www.openpages.com
