The age of complicance: Preparing for a riskier and more regulated world


Published on

More than ever, boards and senior management want to understand overall risk exposures, and be provided with clear, consistent information in a timely manner. With corporate governance legislation increasingly stressing the importance of personal liability and accountability for executives and non-executives, companies cannot afford to be in the dark about their risk position.

The age of compliance: Preparing for a riskier and more regulated world is an Economist IntelligenceUnit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility forthis research. Our findings drew on desk research and in-depth interviews with executives familiar withrisk and compliance within their organisations. The findings and views expressed in this report do not necessarily reflect those of the sponsor. Rob Mitchell was the author of the report and Dan Armstrong was the editor.

Published in: Business, Economy & Finance
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The age of complicance: Preparing for a riskier and more regulated world

  1. 1. The age of compliancePreparing for a riskier and moreregulated worldA report fromthe Economist Intelligence Unit
  2. 2. The age of compliance Preparing for a riskier and more regulated worldPrefaceThe age of compliance: Preparing for a riskier and more regulated world is an Economist IntelligenceUnit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility forthis research. Our findings drew on desk research and in-depth interviews with executives familiar withrisk and compliance within their organisations. The findings and views expressed in this report do notnecessarily reflect those of the sponsor. Rob Mitchell was the author of the report and Dan Armstrong wasthe editor.August 2010© The Economist Intelligence Unit Limited 2010 1
  3. 3. The age of compliance Preparing for a riskier and more regulated world The age of compliance: Preparing for a riskier and more regulated world“Things likerisk appetite I n September 2007, senior executives at Citibank gathered at the company’s New York headquarters to discuss a sudden spike in the number of mortgage defaults among sub-prime borrowers in the US.statements, It was at this meeting that Chuck Prince, then CEO of the bank, was told for the first time that Citibankscenario planning owned mortgage-related assets worth about US$43bn.1 Thomas Maheras, who oversaw trading at theand responses bank, reassured Mr Prince that everything was fine, but within weeks Citi nursed losses on the assets thatto regulatory ran into billions of dollars. The bank’s risk management was shown to have severe deficiencies: acceptingchanges require an ratings agency opinions in lieu of independent reviews; relying on brittle financial models; and, accordingenterprise view.” to subsequent congressional testimony, violating internal credit policies.2 Within two months, Mr PrinceBruce Munro, Group Chief Risk was out of a job.Officer, National AustraliaBank Other industries, such as the energy sector, can face equally disastrous risks. At a US Congressional hearing in June 2010, Tony Hayward, CEO of BP, told members that he had “no prior knowledge” of the drilling of Deepwater Horizon, the Gulf of Mexico oil well that exploded in April with the loss of 11 lives and devastating environmental consequences.3 Members criticised Mr Hayward for the evasiveness of his answers and accused him of putting profit ahead of safety. Mr Hayward stepped down as CEO in July. These two examples, while different in their origins and consequences, illustrate the challenge of managing risk and compliance across large and complex organisations. Even medium-sized companies rely on a network of suppliers and partners, and have employees, functions and divisions scattered around the world. It is therefore unsurprising that despite years of investment in risk management tools and processes, a clear view of the risks accompanying key decisions remains elusive for many senior executives. Events such as the financial crisis and the Gulf oil spill have provided fresh impetus for efforts to gain better oversight and co-ordination across risk and compliance functions. The terms enterprise risk1 management (ERM) and governance, risk and compliance (GRC), both in circulation for over a decade,business/23citi.html?_r=1&hp=&pagewanted=all have taken on fresh significance, and a growing number of companies are redoubling their efforts to co-2 Based on testimony by ordinate—and ideally integrate—their various sources of assurance.Richard Bowen, a former chiefunderwriter at Citibank, at “You get to the point where you recognise that things like risk appetite statements, scenario planningthe Financial Crisis InquiryCommission, April 7th, 2010: and responses to regulatory changes require an enterprise view,” says Bruce Munro, group chief riskhttp://www.fcic. gov/hearings/pdfs/2010-0407-Transcript.pdf officer of National Australia Bank. “It’s difficult to ask people in their particular areas of risk expertise to3 do that, so you’ve got to invest in people that can do it on a full-time basis.”s/0/095cc462-79f5-11df-9871-00144feabdc0.html In many companies, compliance and risk activities remain highly fragmented and scattered around the2 © The Economist Intelligence Unit Limited 2010
  4. 4. The age of compliance Preparing for a riskier and more regulated worldThe exponential growth of US financial services regulationNumber of pages of legislation 20102,500 Dodd Frank Wall Street Reform Act 2,319 pages2,0001,5001,000 1966 1999 500 1913 1933 Interstate Graham 2002 Federal Glass Banking Leach Bliley Sarbanes Reserve Act Steagall Efficiency Act 145 pages Oxley 31 pages 37 pages 51 pages 66 pages 0 Source: Economist Intelligence Unit, 2010.enterprise. The professionals charged with ensuring compliance with Sarbanes-Oxley, for example, arelikely to use a different framework and standards than those managing health and safety compliance. Andin risk management, teams looking after the credit of customers to whom the business provides financingwill be in a separate department from those that look at operational risk. Each risk and compliance activityis often built up separately, frequently in response to a major event or new compliance obligation. This fragmentation is costly because there is duplication of effort. It leads to complexity because thereis no common approach. And when compliance activities are splintered, business risks inevitably grow.For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to securitybreaches or data losses. Fragmented financial compliance can open the door to fraud or restatements.Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound, sincean ad hoc approach to compliance leads to higher levels of risk. Efforts to boost visibility into risk exposures across the enterprise, or to achieve a more holistic andconsistent approach to compliance, are nothing new. Over the past decade, many executives haveexperienced initiatives designed to aggregate risk management across the company’s divisions, functionsand risk silos. Few can say with confidence that these initiatives were successful. GRC holds the promise of taking this process of integration a step further by integrating ERM andcompliance activities within a broader governance framework. Dating from the Sarbanes-Oxley Act of2002, when listed US companies faced complex and costly obligations under Section 404 of the Act, GRCemerged as a set of tools to help companies manage risk, track compliance and monitor internal controls. Since then the scope of this discipline has broadened. Although definitions vary, it now refers to© The Economist Intelligence Unit Limited 2010 3
  5. 5. The age of compliance Preparing for a riskier and more regulated world an enterprise-wide framework that companies use to manage risk and compliance within established corporate governance parameters. “The point of governance and compliance is to ensure transparency,” says Mr Munro. “Compliance plays an important role in providing assurance for people like me and the Principal Board that we’re actually doing what we say we’re doing. Beginning with the high-level risk appetite, and cascading through the layers of the business, there needs to be a mechanism to ensure that when there are issues, they are discovered, escalated, dealt with and the lessons learned.” 4 This paper examines how the integrated management of risk and compliance has developed among corporates in multiple countries and industries. It is based on a series of interviews with chief risk officers and other high-level risk professionals from large multinationals around the world. These interviews, conducted in June and July 2010, reveal a number of common themes.4 The Principal Board refers to thePrincipal Board Audit Committee(PBAC), formed by NAB in 2003to discuss and investigate anyhigh risk issues raised by internalor external auditors.4 © The Economist Intelligence Unit Limited 2010
  6. 6. The age of compliance Preparing for a riskier and more regulated worldPressure builds for a consistent approachT he three themes of governance, risk and compliance have been central to the management agenda for a decade. But whereas five years ago it would have been the “C” in GRC that was most likely to keep “The whole environmentexecutives awake at night (and indeed was the impetus behind the development of GRC in the first place), over the past 18in the post-crisis world it is the “R” that has risen to the top of the agenda. “The whole environment over months has beenthe past 18 months has been the facilitator of much broader thinking about risk management,” says Mark the facilitator ofKrakowiak, chief risk officer of GE, the industrials and financial services group. much broader The reasons for this laser-like focus on risk are well understood. The financial crisis has highlighted thinking about riskthe interdependencies between different divisions of the organisation—and between the enterprise as a management”whole and the external environment. Under pressure from legislators and investors, boards are becoming Mark Krakowiak, Chief Risk Officer, GEmore demanding. In one sector, financial services, regulators are stipulating that institutions form riskcommittees. And the role of chief risk officer, once confined to banking and insurance, has spread acrossthe corporate world. But the management of risk—however broadly it is framed—is just one piece of the puzzle. Companiesalso face an increasingly complex and rigorous regulatory compliance burden that has become bothcostly and risky, should the company fail to meet its obligations. In June 2010, for example, the UKFinancial Services Authority fined JP Morgan, an investment bank, £33m (US$50m) for failing to complywith a regulation requiring it to segregate client assets from its own funds,6 while the US transportregulators fined Toyota US$16.4m in April for failing to notify them sooner about defects in its cars.7 5 http://www.complianceweek. com/s/documents/AMR-GRC-in- 2010.pdf 6 s/0/9e66733e-6ef4-11df-a2f7- 00144feabdc0.html 7 s/0/6053df1c-4106-11df-94c2- 00144feabdc0.html© The Economist Intelligence Unit Limited 2010 5
  7. 7. The age of compliance Preparing for a riskier and more regulated world Setting effective guidelines I nterviews with risk and compliance professionals within corporations yield a consistent set of guidelines to manage this set of disciplines effectively. They are guidelines, not rules, because they require judgment and nuance in organisations already laden with policies and procedures. Buy-in requires ownership; ownership seldom results when senior management simply issues a dictum. All managers are familiar with processes which, however well intentioned originally, have become checklists devoid of meaning. As has been demonstrated over the past few years, risk and compliance are too important to suffer this fate. Commitment must come from the top Those who best understand the risks embedded in a business process are people who are closest to it: the business owners and process owners. At the same time, senior management and the board play a crucial role in raising the profile of risk management and ensuring that the organisation has a consistent methodology for dealing with it. “The more involvement the board has in risk matters, the better the organisation is,” says Mr Munro. “If you don’t have your board onside and you don’t have agreement between the board and management about the appropriate level of risk-taking, then you’re setting yourself up for trouble. I’d much rather have an active and engaged board than not.” Any investment in enterprise-wide risk and compliance framework must have absolute commitment from the top of the organisation. “You need buy-in from both the senior management team and the board,” says Mark Newlands, head of risk at Anglo American. “They need to be convinced that what you are suggesting will add value.” From the board’s perspective, GRC can provide assurance that risks are being identified and that information about them is being passed to the right people at the right time. A more consistent approach to reporting also makes it easier to evaluate and compare risk exposures. “What we’re trying to do is present a picture to management and the audit committee of what the risk profiles for each of our businesses looks like, and what the risk profile of the group as a whole looks like,” says Mr Newlands. Standardised processes are an important first step Building an enterprise-wide layer for risk and compliance on top of existing processes can seem like a daunting task. With individual sources of assurance and compliance activities run separately and rarely interfacing—either personally or by means of risk systems and IT infrastructure—the time and resources6 © The Economist Intelligence Unit Limited 2010
  8. 8. The age of compliance Preparing for a riskier and more regulated worldnecessary to achieve successful integration can be considerable. According to Mr Krakowiak, much depends on the extent to which existing risk processes have alreadybeen standardised. Nine months ago, GE took the step of creating a single framework for risk managementacross its entire enterprise, spanning both the financial and industrial businesses. Mr Krakowiak believesthat the company’s longstanding commitment to the standardisation of business processes made this amore straightforward task than it might otherwise have been. “We already had a very process-orientedapproach to the operational side of our business,” he explains. “For example, we have a standard reviewprocess for our compliance and we use standard processes for budget planning and strategy planning. Sowe already had a pretty good framework that we could take up a level in terms of looking at enterprise risk.” For companies that do not know where to begin, a first step may be mapping to existing standardslike ISO 31000. ISO 31000 (2009) provides principles and guidelines on risk management covering awide range of business activities, including strategies and decisions, operations, processes, functions,projects, products, services and assets. Adopting a standard such as ISO 31000 helps to move companiesbeyond ad hoc collections of controls towards a unified framework.Balancing autonomy and control “You need toA successful enterprise-wide view of risk and compliance depends on managing the opposing decide and definerequirements for centralisation and decentralisation. On the one hand, there needs to be a central explicitly whichfunction that can aggregate risk and compliance information from the business. Without it, senior risks should beexecutives cannot effectively make business decisions regarding how to manage risk and take advantage managed centrallyof new potential business opportunities. Yet at the same time, risk needs to be owned by the business, and which shouldwithin an established framework. “It’s really important to have risk people close to the business so that be devolved to thethey can help managers with a specific set of risks that need to be managed,” notes Mr Munro. “But you’ve business.”also got to have an enterprise-wide view. You need to walk that fine line between collaboration and Harri Spolander, Chief Riskindependence.” Officer, Fortum An important part of this balance is deciding which risks need to be defined within a centralisedframework and which can be determined by the business. “You need to understand the roles andresponsibilities of different functions and units,” says Harri Spolander, chief risk officer of Fortum,an energy company headquartered in Finland. “While it is conceptually a good idea to centralise riskmanagement and have a co-ordinated approach, you need to decide and define explicitly which risksshould be managed centrally and which should be devolved to the business. If you are not clear aboutthat, you are in a situation where no one really knows who is responsible for what.” In the energy industry, for example, one might choose to centralise the management of risksassociated with currencies, interest rates and commodity positions—and hedge them appropriately. Butwhile overall policies for risks such as environmental risk can be determined centrally, the managementof those risks must always happen locally. “Naturally compliance is an important housekeeping thing andalso a best practice to certain extent but not the main driver for our risk management,” says Mr Spolander.“It really must be the responsibility of every operational unit because leakages, for example, do nothappen in the central corporate unit, they take place in the power plant,” says Mr Spolander.© The Economist Intelligence Unit Limited 2010 7
  9. 9. The age of compliance Preparing for a riskier and more regulated world A constant dialogue between risk functions and the businesses Frequent dialogue between risk functions and the business is essential. The relationship should be symbiotic: managers should be confident that the risk management process adds value to their role, while risk professionals should be able to use their dialogue with business leaders to gain a better picture of overall enterprise risk. “Getting everyone on the same page at all organisational levels about what it is we’re trying to achieve, and making the accountability stick is key to both the effectiveness and efficiency of the regime,” says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe. In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an “enabler” that can offer valuable advice. To gain the confidence of business managers, risk professionals should demonstrate commercial understanding and a willingness to provide constructive input to help managers meet their objectives. “We have consciously evolved our response from waving a red flag and walking out to waving a red flag and working with the business teams on mitigation plans,” says Alexis Samuel, chief risk officer at Wipro, an Indian business process outsourcing and technology company. A key metric for the success of this dialogue is the extent to which heads of business units and business managers proactively seek out the risk function to engage them in discussion about their plans. “People are now willing to accept us as an enabling function and reach out to us, but we have to constantly reassure our teams that we are not just red flag wavers and will go beyond, roll up our sleeves and work with them to mitigate their risks,” says Mr Samuel. Dialogue between the risk function and the business can also help to create a more consistent view of the risks of a particular project that is in line with the enterprise’s overall risk tolerance. “The intention is to make the management team collectively aware of the risks that are going to prevent them from being successful in whatever it is they are trying to achieve,” says Mr Newlands. “The owner of a particular project may have a view on the risks, but his or her colleagues may have a completely different view. Unless you get around a table and discuss them through a structured process, you can end up with completely divergent views.” In 2006, Anglo American brought in what it calls an “integrated risk management” approach that was designed to improve on the previous system by being more relevant to business divisions. The key to its success, according to Mr Newlands, has been the introduction of facilitated discussions with managers in the business. “Rather than having a one-size-fits-all, paper-based approach where managers filled in forms against a standard matrix, we have moved to a system that is much more aligned with their business processes,” he explains. “We now look at risks that are relevant to each business and prioritise them according to a matrix that is also customised to their circumstances.” A more systematic understanding of the risks When risk is managed in silos, it provides a good measure of each specific area of exposure, but there is no bird’s-eye view of the company’s overall risk position. A silo-based approach also means that certain risks can fall between the cracks. During the financial crisis, for example, many banks lacked understanding of the risk associated with certain assets because credit risk departments thought they were market risk8 © The Economist Intelligence Unit Limited 2010
  10. 10. The age of compliance Preparing for a riskier and more regulated world Steps towards integration at Siemens process was a little narrow and financially oriented, and needed to be much more forward-looking and focused on strategic and operational risk over the medium term,” says Ed Popplewell, head of risk & The industrials group Siemens is one large internal control at Siemens plc and North West Europe. multinational that has adopted an enterprise-wide The new framework sees risk management, and approach to risk and compliance. Following a series of compliance with internal controls and guidelines, as well-publicised compliance failures in the late 1990s two sides of the same coin. “We need to respond to and early 2000s, senior management overhauled the the risks in our business by ensuring that we’ve got company’s compliance processes by combining its sound internal controls in place,” notes Mr Popplewell. entire assurance activities-including ethics, codes “Equally, things that my internal control practitioners of conduct and relationships with business partners find through our assurance programmes tell us a lot worldwide-within one function. “At a global level about whether our risk management processes are Siemens identified that the existing risk management robust. So the two activities feed off each other.”issues, and market risk departments believed they were the responsibility of credit risk managers. As a result, companies are increasingly focusing not only on risk management within their organisation,but on interdependencies with other companies within their network as well as the broader economy.“Companies are finally realising that there is a need to determine how an organisation can look at itsrisks from a holistic perspective and figure out how those can be managed and monitored,” says RichardApostolik, chief executive officer of the Global Association of Risk Managers. By aggregating risks at an enterprise level, a company has a much better understanding of potentialthreats that could cause serious financial or reputational damage. GE’s new enterprise-wide risk approachis a good illustration. “We wanted to make sure that when we looked across the entire portfolio, weunderstood clearly the key things that could potentially put the franchise at risk,” reports Mr Krakowiak.“To get high returns, you have to take a certain level of risk, and we just wanted to make sure that weunderstood completely the risk we were taking, what some of the external factors were that could impactus, and what could prevent us from achieving our strategic objectives.” For any large company, the list of potential threats that could have an adverse impact on the business ishuge. Careful prioritisation is therefore needed to prevent management paralysis. “We are trying to focuson the four or five big things that could have a systemic risk problem for the company, while continuing toensure that businesses manage their own risks within each function,” says Mr Krakowiak. A consistent approach to risk and compliance across the enterprise depends on creating a standardlanguage around risk that can be understood by business owners across functions and locations. AtGE, for example, one key challenge in creating an enterprise-wide approach was forming a bridge inunderstanding between the financial services and industrial businesses—which inherently have verydifferent requirements in terms of risk and compliance. “What we try to do is come up with a common setof definitions and terminologies, or what we call a taxonomy,” adds Mr Krakowiak. “This can be used byboth sides of the house. We have also tried to interconnect the risk appetite statement for the financial© The Economist Intelligence Unit Limited 2010 9
  11. 11. The age of compliance Preparing for a riskier and more regulated world services business with that over the overall company.” Aggregation of risk and compliance at the enterprise level also provides senior executives with the oversight they need to assess interdependencies and correlations across the business, and make adjustments accordingly. “You might find that you want to put in different limits or constraints, or adjust your capital allocation because what looks okay in one silo doesn’t necessarily look the same once you aggregate it at the enterprise level,” argues Mr Munro. A single risk appetite may not fit the entire enterprise Although much is said about the need to build an enterprise-wide risk culture, it is down to boards and executive management to define what it is. “Boards need to define what their risk culture is and from there they need to define what the organisation’s risk appetite is,” says Mr Apostolik. “Then they have to ensure that the rest of the organisation works within the definitions that they have come up with.” In general, a risk appetite should be a clear articulation, approved by the board, of the institution’s risk tolerance and limits across its full range of businesses. Once this has been set at the enterprise level, it can be cascaded down through the various divisions and regions to the ultimate risk owners. “We set a risk appetite at enterprise level, then each of the business units takes that and applies it and forms their“Boards need own risk appetite based on those overall settings for their line of business,” explains Mr Munro. “So youto define what start to get commonality, a common approach and a common language. Properly done, the risk appetitetheir risk culture statement becomes a cornerstone and becomes part of the language of enterprise risk.”is and... define In other industries, it may be difficult to set an overall risk appetite because individual operations orwhat their change projects vary so widely in terms of their perceived risk. Mining is a case in point: with operationsorganisation’s risk in locations that are subject to widely differing levels of political and business risk, no two investmentsappetite is.”Richard Apostolik, Chief are alike. “I don’t think there’s ever a situation where you can say that our risk appetite is ‘X’ andExecutive Officer, Global will remain ‘X’ for the rest of the year,” says Mr Newlands. “It’s not a number. It’s about taking eachAssociation of Risk Managers individual proposition for change, or each operation, and determining whether that is something that the organisation is willing to accept or not.” Overcoming resistance One barrier to implementing an enterprise view is resistance from people in long-established silos. One example would be a division that has invested heavily, and successfully, in China. However, upon assuming an enterprise-wide view of its risks, the company may decide that it is over-exposed to business in China and that each division needs to cut back its investment. For divisions used to running their own P&L and managing risks within a silo, this can be a difficult decision to swallow. It can take time and effort to educate managers in the need to make sacrifices in order to gain a more balanced enterprise-wide risk exposure. Some managers may think that an enterprise approach will penalise business units viewed as deficient in terms of risk management. But as Mr Newlands explains, the goal is not to create competition. “It’s not a question of one business unit’s performance against another,” he says. “What we’re interested in is each unit’s risk profile, what they’re doing to mitigate those risks and how it all fits together at the enterprise level.”10 © The Economist Intelligence Unit Limited 2010
  12. 12. The age of compliance Preparing for a riskier and more regulated world Overcoming this resistance means that outmoded perceptions of risk functions as “business preventionunits” need to be challenged. “You have to demonstrate that this is something of value,” adds MrNewlands. “We have to make it clear that we are not here to stop people taking risks or to eliminate risk.We are here to make sure that managers understand what it is that they are taking on.” Once managers in the business units decide on their own to make a public commitment, they willbehave consistently with that commitment for as long as necessary. Coercion will not work. The key is todemonstrate how risk and compliance activities can help them to achieve their business goals.Creating a wide awareness of riskAlthough controls and monitoring play an important role in the risk management toolkit, this should onlybe seen as one small part of the role of the risk function. Rather than mandating a set of top-down ruleswithout adequate explanation, risk professionals must work with the business in order to demonstrateboth that they understand the business and that there is a rationale for the position they are taking. Thus GRC is about communication and education, not the setting of rules. “It’s really all aboutbehaviour,” says Mr Popplewell. “We have a culture of treating risk management and internal controls asan important source of value for our business, rather than just a kind of mindless rule set.” Formal reporting structures are important, particularly when a company is seeking to aggregate risk atan enterprise level, but the informal discussions about risk are the real bedrock of effective management.“There’s a clear and detailed structure as to how we organise things, but it’s really about the conversationsthat happen as much as it is about what ends up in different boxes on spreadsheets,” he stresses. Training and education have become an important part of the role of the risk function. Wipro, forexample, runs training in general risk concepts such as business ethics for all its key managers, whilespecific course modules have been developed for every employee in the organisation. A communicationplan around risk is set in advance and rolled out throughout the year. “We publish news bulletins and riskcirculars on a regular basis,” says Mr Samuel. “We also convert some of our risky incidents or near-missesinto pamphlets that we use in training and discussion in our leadership forums.”GRC is about people as well as technologyTechnology plays a vital role in automating the collection and analysis of data as well as the monitoring ofkey risk indicators. When implemented properly, it can help companies assess the impact of a risk againsta particular objective, and increase visibility into the effectiveness of compliance efforts. That said, peopleare just as important in the process. “We don’t want the risk function to become a team of data entry andmonitoring personnel,” says Mr Samuel. “It’s important to think through any technology solution andensure that it is carefully tailored to our needs and does not just add a layer of bureaucracy.” Mr Newlands agrees and sees the risk management process as primarily a process of face-to-face engagement between the risk function and business units. “It is a qualitative discussion withmanagement involving people, and technology plays only a small part,” he explains. “We have sometechnology that helps us capture, store and analyse the output of our work, but what we don’t do isget into a great deal of quantification. It has its place, but by far and away the most important thing© The Economist Intelligence Unit Limited 2010 11
  13. 13. The age of compliance Preparing for a riskier and more regulated world is the judgment of the people who are managing risks on a day-to-day basis. The danger I see with quantification is that the one thing you can guarantee is that you will be precisely wrong.” Problems with gaining access to accurate, high-quality data also hamper the quantification and analysis process. “The question of appropriate data and the analysis of that data is probably the biggest issue that companies face,” says Mr Apostolik. “Putting the systems in place to collect the data that you can analyse and report from is a huge undertaking.” Eli Lilly: Linking risk with strategy to, and there are some that you can prepare for and hope they don’t happen. We’re trying to look at all these different situations as part of our management of these risks.” This more thorough risk identification process—particularly in a company as large and complex as Eli Lilly—requires careful An enterprise-wide approach to risk and compliance brings significant prioritisation to ensure that the right issues are being examined. “It’s benefits in terms of visibility into risk exposure and adherence, very clear that you can easily get bogged down in identifying so many but it can be difficult to elevate the programme beyond a focus on different risks and developing action plans that you don’t actually operational processes. To date, few companies have taken the next accomplish anything,” says Anne Nobles, chief ethics and compliance step, which involves integrating this enterprise-wide approach with officer and senior vice-president for enterprise risk management at the broader strategy of the business. All too often, strategy and risk Eli Lilly. “I think the biggest challenge is going to be to really refine assessment are only tangentially connected—chief risk officers rarely the list and focus attention on areas where we need thinking and sit on executive boards and their role in terms of the broader strategic planning in order to prepare the company.” direction of the business is one of support and analysis, rather than The integration of ERM and the strategy process at Eli Lilly active participation. leads to a different mode of thinking about the overall role of Eli Lilly, a pharmaceuticals company has run an ERM programme risk management at the company. “Strategy processes tend to be since 2005. However, there was a growing sense among senior opportunity-oriented and risk management ones tend to be fear- management that it was not well integrated with the overall business based,” says Mr Johnson. “But what we’re trying to say is that they’re planning and longer-term strategy. Major strategic risks—or the two sides of the same coin. Once you’ve made your decisions from an potential impact of major external events, such as the financial opportunity perspective, you can begin to ask ‘What could go wrong crisis—were not sufficiently factored into the existing programme. with those decisions and how do we manage that?’” “When we went to the board, we found that we were talking about risk As with any major change project, there is a risk associated with from a different perspective,” says Peter Johnson, vice-president of this transition that it fails to achieve its overall objective—to change corporate strategic planning at Eli Lilly. “That’s what drove us to say, people’s behaviour. “There’s a danger that it can become all about the ‘Are we asking the right questions about the risks we really face and process rather than the outcome,” says Ms Nobles. “If corporate staff that will make us vulnerable?’” ends up owning this rather than the business managers themselves, The treatment of strategic risk is inherently different from that of then we will not have been successful.” operational risk, and requires a different framework for identification, Equally, the identification and assessment of strategic risk should assessment and mitigation. “With operational risk, you can usually not lead to a kind of paralysis. “You can’t remove all risk,” says Mr quantify it,” says Mr Johnson. “You may run it 7,000 times and get five Johnson. “If that’s the objective, we shouldn’t be in business because errors. Strategic risk doesn’t work like that. There are some things you we take on a massive amount of risk every day here. The question is, can prevent and want to prevent, there are others you can only react are we competent to do it and are we doing it in an effective way.”12 © The Economist Intelligence Unit Limited 2010
  14. 14. The age of compliance Preparing for a riskier and more regulated worldConclusionT he concept of an integrated approach to risk and compliance is not new, but the financial crisis and major risk events have placed fresh impetus behind it. More than ever, boards and senior managementwant to understand overall risk exposures, and be provided with clear, consistent information in a timelymanner. With corporate governance legislation increasingly stressing the importance of personal liabilityand accountability for executives and non-executives, companies cannot afford to be in the dark abouttheir risk position. As with any three-letter business acronym, GRC can elicit scepticism from the business community.Many companies have attempted to implement an enterprise-wide view of risk and compliance, buthave been frustrated by political resistance, a lack of board-level support or inadequate technology andinfrastructure. Although these problems have not gone away, companies would be wrong to give up hopeof achieving a more holistic picture of their risk. No major change management programme is ever easy, but with the right board-level commitment,tools and processes, integrating the management of risk and compliance across the organisation isachievable, and the potential benefits difficult to dispute. Visibility into decisions taken across theenterprise will help to preserve a company’s reputation, while a more efficient approach to managing riskand compliance will help to reduce duplication of effort and streamline business processes. And for seniorexecutives who carry responsibility for corporate activities, there will be the potential for more thoroughknowledge about their business and, hopefully, a less stressful work environment.© The Economist Intelligence Unit Limited 2010 13
  15. 15. Design: Cover: Getty Images Whilst every effort has been made to verify the accuracy of this information, neither the Economist Intelligence Unit Ltd nor the sponsors of this report can accept any responsibility for liability for reliance by any person on this report or any other information, opinions or conclusions set out herein.
  16. 16. LONDON26 Red Lion SquareLondonWC1R 4HQUnited KingdomTel: (44.20) 7576 8000Fax: (44.20) 7576 8476E-mail: london@eiu.comNEW YORK750 Third Avenue5th FloorNew York, NY 10017United StatesTel: (1.212) 554 0600Fax: (1.212) 586 0248E-mail: newyork@eiu.comHONG KONG6001, Central Plaza18 Harbour RoadWanchaiHong KongTel: (852) 2585 3888Fax: (852) 2802 7638E-mail: hongkong@eiu.comGENEVABoulevard des Tranchées 161206 GenevaSwitzerlandTel: (41) 22 566 2470Fax: (41) 22 346 93 47E-mail: