When satisfactory is no longer enough for your risk, compliance, and audit function
By Duncan Edwards
At a conference in November 2012, Thomas J. Curry, Head of US Office of the Comptroller of the Currency (OCC) said: “We are no longer willing to accept audit and risk management functions that are simply satisfactory. We are looking for excellence. Our expectation now is that large institutions will meet the standard of ‘strong’ for audit and risk management functions, and that the independent directors will take a strong hand in ensuring compliance.”
He further added that the OCC has “heightened expectations for corporate governance and oversight” [1]. And “strong” is exactly what Boards of Directors, senior managers, and risk, compliance, and audit functions need to aspire towards.
In the OCC’s last review of internal audit, risk management and succession planning of the 19 largest US banks, not a single one met its expectations. On a separate occasion, Richard Thorpe, former Head of Accounting, Audit, and Regulatory Reporting Policy of UK’s Financial Services Authority shared similar sentiments: “I can’t point to the internal audit function of a single bank or insurer and say, with hand on heart, that that is how we envision it being done in the future.”
Clearly, there is a gap between regulators’ expectations and practices on the ground.
Interestingly, at our recent roundtable on risk culture, participants made up of executives from Asia’s financial services industry shared that “risk, compliance, and audit are the places to be nowadays. There is unprecedented demand, our jobs are safe, and our salaries are good”.
But is that really the case? The answer is maybe, if you and your function are up to scratch.
Before the risk management, compliance, and internal audit functions in financial services organisations feel too confident about the work they do, it pays to know that Mike Brosnan, who heads large bank supervision at the OCC, is targeting operational, compliance, strategic, and reputation risks. “For the first time in my life, we actually say this basket of risks is more important and more of a priority for the system to deal with than ‘asset quality, liquidity, interest rate risk, and trading activities’,” he said.
So what do financial institutions in Asia and around the world need to do to move from “satisfactory” to “strong”?
As Curry said, “…it’s important that independent directors understand the risks that their institutions take on, and that they make sure those risks are well managed.” The Board therefore needs to clearly articulate its expectations and communicate them to management and the business as a whole.
They must set the tone at the top in terms of strategy, culture, ethics, and risk appetite expectations. They must demand information – not data – from risk, compliance, and audit, and exercise challenge over standards and risk mitigation. They are not expected to be ‘friends’ with management.
Risk management must be embedded into the consciousness and conscience of the business. People in all aspects of the business need to understand and implement the standards set by the Board in their thoughts and actions.
As such, employees need to be measured and rewarded accordingly.
The question is whether companies actually incorporate compliance and risk management performance indicators into their annual appraisal and remuneration process for all employees.
Do these companies also provide ethics training or explain the organisation’s risk appetite to all employees? Thus far, the signs are encouraging.
Based on observation, more companies are looking into assessing risk cultures, risk appetite, compliance monitoring, and ethics training.
The best systems and tools need the right people to use them effectively. Every function needs to critically evaluate every resource to see if they are capable of going from “satisfactory” to “strong”.
If not, would additional training and experience be the solution, or do some of these resources need to be redeployed? For instance, companies can explore e-learning. The beauty of e-learning is that it can be used over and over again at little or no extra cost.
Governance, risk, and control (GRC)
Having done all the above, there is no point in having the risk, compliance, and audit teams operating as three independent functions, with differing views of the business, its risks, and standards of reporting. An Audit Committee Chairman recently shared with me that his “solution” was to take the audit team’s recommendations, as he trusts them the most, and disregard the others.
A more effective approach is an integrated GRC solution, where all three disciplines, while remaining independent, work together to identify the risks that matter and drive the form and structure of the business response to risk and compliance issues. Integrating these disciplines can provide the organisation with valuable recommendations on risks, controls, and costs.
Transforming risk, compliance, and audit
Getting your risk, compliance, and audit function from “satisfactory” to “strong” is a business imperative. Regulators expect it.
Further, the risk, compliance, and audit functions have the ability to contribute more significantly to an organisation’s value, strength, and resilience by transforming into truly risk-focused, value adding functions.
The key to realising these benefits is adopting a transformation model that quickly and effectively provides a balanced focus between compliance and business improvement, as well as defining and developing the additional competencies and behaviours required.
Eventually, risk, compliance, and audit will take leadership roles in the business, prompting a holistic review of the organisation’s entire control structure.
In reality, few organisations attempt all stages of transformation at once. For that reason, many companies approach transformation in a modular fashion.
The end goal of transformation is an integrated GRC model that delivers a balanced, cost-effective control environment. Investment is unavoidable, but it will deliver value through an enhanced control environment and a reduced cost of risk events.
[1] “Remarks by Thomas J. Curry”, OCC website, http://www.occ.gov/news-issuances/speeches/2012/pub-speech-2012-165.pdf, accessed 4 March 2014.