By Shyam Moorjani, Director of MorganFranklin Consulting in London.
Risk: the most annoying and misunderstood four-letter word in the business vocabulary. No self-respecting business executive ever thinks they are risking the future of their enterprise. Yet, daily, supposedly well-run companies with highly competent executives sleepwalk into adverse conditions that damage their brand and threaten their existence.
The latest in a long line of major companies, such as HSBC, JP Morgan, and Standard Chartered, all fined for massive breaches of compliance, is the Royal Bank of Scotland, which was fined £5.6 million by the UK’s Financial Conduct Authority for its failure to report millions of pounds of transactions in the wholesale money markets.
Such breaches suggest massive levels of complacency and represent a failure that needs to be tackled by robust management procedures of what is now known as GRC – Governance, Risk, and Compliance. These three mission-critical elements are now being grouped together under an over-arching structure: a single point rather than discrete silos. For example, it means that training of non-executive directors is now directly linked to the expectations of external regulators and clear definitions of the likely risks to the business.
Governance is viewed as the overall management approach through which senior executives direct and control their business enterprise, using a combination of management information and hierarchical management control. Now, more than ever, it involves ensuring that the chairman and board executives have a suitable relationship and that they are fully qualified to challenge the managers and fulfil their fiduciary duties to the company.
Risk is about assessing the probability of loss inherent in an organisation’s operations and environment that may impair its ability to provide returns on investment or to meet its mission, goals, objectives and overall programme performance. It is about dealing with the risks that can be dealt with directly by the business.
Compliance looks at certification or confirmation that the business meets the requirements of accepted practices, legislation, prescribed rules and regulations, specified standards or the terms of a contract. It is not about ticking boxes; it is the outcome of having satisfied legal, legislative and other operational requirements.
These are all part of a three-legged stool. In today’s business environment, they all depend on each other. So without proper management tools to deal with one, it creates danger for the others. In essence, poor compliance procedures suggest that corporate governance is not fulfilling its function, and undefined risk management processes can lead to failures in compliance.
How should companies address this changing world? Surely if major corporates are failing, then what chance do medium-sized enterprises have without a compliance department, risk specialists or internal audit teams?
With a little help, there is a great deal companies can do using GRC. Firstly, companies must seek to embed the right culture where managers and employees at every level are expected ‘to do the right thing’. Here proper systems and procedures can ensure that governance and risk management are part of the fabric of the organisation. Using formal channels to encourage work colleagues to speak out about internal issues that are not in line with the culture is a vital part of building proper compliance. If whistleblowers inside major banks had had recognised channels in place to raise concerns at board level, then much misery and destruction of value could have been prevented.
In large engineering, manufacturing and oil businesses, proper examination of ‘near-misses’ is imperative too. To ensure better governance, board members need to understand what happened, what kind of injury has been avoided, and how contracts might have been terminated or lost because of a failure of compliance.
A diagnostic approach also reduces the overlap between support and control functions, enabling the business to see processes that are redundant or poor value. This leads to vital cost savings, or the reallocation of resources to generate better value. Financial losses can be stemmed by clearly identifying where unnecessary risk is being applied to your business. It also enables the identification of opportunities, where early adopters tend to generate higher revenues.
Increasingly, Big Data, if it is properly and cogently analysed, can be used to identify fraudulent behaviour both internally and externally, which are constant risk factors. Such systems, using Cloud-based analytics, can stress-test compliance systems to see if they are able to withstand cyber-attack. Big Data analytics – or ‘data-driven GRC’ – is also highly effective in determining if control procedures are working effectively and being properly managed.
Few organisations use this approach across multiple financial and operational areas as part of enterprise-wide risk management (or ERM); clearly, this needs to change. By providing executive management with timely insight into risk profiles across the entire enterprise, organisations will achieve greater value.
A proper GRC strategy has four stages: diagnosis, identification, implementation and future monitoring. A successful diagnostic approach will allow companies to identify the risks which are within their direct power to deal with, meet their objectives, implement comprehensive controls and filter the mass of digital ‘noise’ to find the appropriate points of danger and stress.
The business benefits are clear. By avoiding fines, penalties, legal fees and potential damage to reputation and brands, there is an immediate benefit to the bottom line. But better GRC means the enterprise is more able to prove its value to investment groups, leading to higher share prices, lower cost of capital and reduced insurance premiums. Less business disruption, intrusive external intervention and executive time spent in inquiries about system failure means better levels of profit. This comes with an integrated approach to GRC – and that surely makes sense to anyone in business.
Shyam Moorjani is Director of Risk & Compliance at MorganFranklin Consulting in London. He is a qualified chartered accountant, holds an MBA, and has worked at director level in Europe with numerous hedge funds and previously within the energy sector.