An argument for unification: why risk and compliance should be joined

How many firms are taking the bold step of bringing together risk management and compliance or going further to implement a formal GRC strategy
— Rachel Wolcott, "Time to merge risk management and compliance?" Reuters Financial Regulatory Forum, 5 April 2012

The financial services industry presents itself as innovative, agile and responsive. Unfortunately, the Banking Royal Commission exposed the industry as conservative, lumbering and reactionary.

If you had any doubts, consider the ‘innovative’ way those licensees approached breach reporting, remediation and risk management.

Unfortunately, this conservatism is also reflected in most Licensees’ unwillingness to effectively integrate compliance and risk management.

The reasons vary, but can be distilled to the ‘popular view’ that these two “sustainability functions” are too fundamentally different to merge.

The reasons are obvious.

Regulatory compliance is basic, preventive and bureaucratic.

Risk management is sophisticated, predictive and quantitative.

With respect, this view is ludicrous, premised as it is on biases and assumptions that are more aspirational than actual.

Strategic. Anticipatory. Qualitative.

Compliance is, as we’ve consistently argued, a strategic management discipline.

It’s an advisory function focused on identifying, controlling and mitigating conduct, reputation and regulatory risks.

Done effectively, and it’s often not, compliance provides a forward-looking perspective that is strategic, qualitative and predictive.

If you consider compliance to be the ‘box ticking’ approach adopted by many of those called to appear before the Royal Commission, it’s easy to dismiss it as prescription. It provides some value, obviously, by mitigating the costs of non-compliance but it lacks the transformative capability that risks offers.

Compliance ensures that Licensees operate within clearly defined and formally defined parameters but risk management, they argue, forecasts risks and generates new and innovative approaches.

While it’s dangerous to challenge orthodoxies, this view misrepresents both the role of compliance and the expectations of regulators.

I’d concede that identifying and managing credit, liquidity or market risks, for example, may require a quantitative focus not typical for compliance functions, but it’s important to recognise that compliance is embracing quantitative measures with the same vigour they embraced qualitative ones.

Is closer collaboration and coordination possible?

The bottom line for me is it is time to start bringing risk and compliance closer together. What I’ve seen is non-compliance is in itself a risk.
— Rodney Nelsestuen, senior research director at the CEB TowerGroup

While it may be more difficult to achieve in larger vertically-integrated financial services groups, the reality is that fear and a lack of imaginations holds most licensees back.

In my view, licensees too readily accept the difficulty of merging ‘different’ skill sets to avoid questioning the need for defined demarcation between complementary functions.

The functions have different skills, techniques and approaches but this, to my mind, is the reason to combine them.

Cross-training and cross-pollinisation are two invaluable benefits of combining the functions.

Integration might also produce reduced operating costs, but the improved controls and the function’s greater effectiveness should contribute to the business’ sustainability far more than any notional resource savings.

A new approach. A new language.

risk and uncertainty.png

The Compliance and Risk Management functions, although committed to a common purpose, in my view lack both empathy and a common language.

Leadership can resolve both deficits and it’s past time to bring together risk and compliance.

Both ASIC and the Royal Commission have highlighted the urgent need for Licensees to take risk management and compliance more seriously than they have historically.

The best way to manage these increasing regulatory expectations, is to adopt an inclusive and integrated CGRM framework.

Perhaps start by reconciling your risk appetite with your compliance plan and risk management framework.

Consider each compliance obligation - such as your obligation to monitor and supervise - as a distinct risk that needs to be managed.

  • What are your tolerance levels for errors and omissions?

  • What controls can you impose to manage the risk?

  • How will you test the effectiveness of the controls?

  • How frequently?

  • What residual risk remains even after the implementation of effective controls?

  • Is that within your appetite?

You may consider that ‘compliance issues’ and license conditions are unsuited to a risk framework because they are static requirements.

They are not.

Licensees aspire to comply with the financial services laws and implement arrangements to assist them to do so, but no Licensee can always, and completely, comply with the laws.

The law is flexible and principles-based.

It neither demands nor expects absolute compliance but simply requires Licensees to take ‘reasonable steps’ to comply.

ASIC has repeatedly confirmed that your CGRM arrangements will depend on the ‘nature, scale and complexity’ of your business.

Whether your controls are designed to address a Risk or an Obligation, the approach is similar enough to suggest a more collaborative and coordinated approach.

I appreciate change is hard, but unless you are a multi-national vertically integrated licensee, unifying risk and compliance may be far simpler than you imagine.

It’s important to acknowledge that your success in integrating these functions depends as much on your leadership as your technology. Without a platform to connect, analyse and visualise data, you’ll struggle to optimise your capacity to manage compliance risks and seize the opportunities that present themselves.