
Economist Intelligence Unit report on the maturity of risk and compliance

Before saying too much about this report, Ascending the maturity curve: Effective management of enterprise risk and compliance, I have to make a couple of preliminary remarks:

  • The report is sponsored by SAP (my employer) but the EIU has sole responsibility for the work
  • I have contributed, as an interviewee, to other EIU research

I have major problems with the way that the report mixes up and thoroughly (IMHO) messes up the discussion of risk management, compliance, and GRC. But that is another blog, for another time. What I want to do here is highlight some of their findings which relate to risk management that I believe are interesting and worth thinking about. (The square brackets indicate text I would remove, and the underlining is my way of highlighting key sections.)

  • Despite recognising the benefits of an integrated approach, few organisations manage risk [and compliance] activities consistently and efficiently. One reason is the apparent cost and complexity of an enterprise-wide risk [and compliance] implementation. In most organisations, risk responsibilities span a wide range of activities, from health and safety and IT security to financial reporting and credit risk exposure. This dispersal of risk responsibilities inevitably leads to a disconnected approach, with different departments setting their own policies and operating their own processes. Integrating these activities to permit an enterprise-wide view can seem like a Herculean task.

Comment: it may be Herculean, but organizations will be at high risk until they have effective, enterprise-wide risk management in place.

  • Companies may be underestimating the extent of risk and compliance failures in their organisation. Just over one-third of respondents say that their organisation has suffered from one or more significant risk or compliance failures in the past three years. But this proportion is most likely owing to the fact that most respondents come from the finance function, where awareness of failures is relatively low. Among the four functions surveyed—finance, legal, risk and compliance—respondents from outside finance estimate significantly higher levels of risk and compliance failures. This suggests not only that the finance function is underestimating the level of failures, but that knowledge about risk failures is not being widely disseminated in order to improve practices and tighten policies.

Comment: this is pretty much inevitable when you have fragmented risk management, and it is ‘shaming’ for executives to admit adverse incidents.

  • Risk and compliance management processes may appear to work well—until something goes wrong. Unsurprisingly, respondents who say that they have experienced failures are far less likely to consider that their risk and compliance are consistent with best practice in their industry. Respondents who have experienced failures are also more likely to admit that they do not have a consistent set of principles and policies governing business practices. In other words, companies may make the assumption that their approach is working well, until a major risk event reveals shortcomings that need to be addressed.

Comment: this is revealing. Internal audit can help through objective assessments of these processes.

  • Companies may not be learning the broader lessons from risk failures. Almost three-quarters of respondents say that their organisation deals with risk failures by tightening up policies and procedures to reduce the chances of a similar mishap. But not all companies adopt this approach. The majority of risk failures take place at the business unit level, which can lead to a tendency to address issues in isolation. More than one-quarter of respondents say that they fix the problem within the unit, outside the oversight of the wider organisation and of superiors. This suggests that a significant proportion of companies are not doing enough to share risk information and learn the broader lessons from risk failures.

Comment: see earlier comments.

  • High-performing companies are more likely to have a consistent risk appetite across the organisation. The survey reveals that most companies have a broad range of risk tolerances within the organisation. Sales and marketing functions have the greatest tolerance for risk, while finance and legal have the lowest. But what is more striking is the extent to which high-performing companies (those in the top 20% of their industry in terms of revenue growth) tend to be more consistent in their risk tolerance. Among that group, 48% say that their risk tolerance is consistent across functions, while just 29% of those in the lower-performing group (those in the bottom 60% of their industry) offer the same assessment.

Comment: this is a little facile. Obviously, people in some jobs have a greater desire to pursue risk than others (different risk tendencies), especially when there is greater upside (bonus) than downside (no bonus). But they should not have different risk appetites, as those should be set by senior management, approved by the board, and communicated to all to observe. If that doesn’t happen, it would look like multiple risk appetites when, in truth, no risk appetite has been set and people are following their ‘best judgment’.

I will come back to the report another time to highlight sections that are more relevant to compliance or GRC, but I would appreciate your views on the relationship between risk and compliance.

For some time, I have been troubled when people talk about optimizing “risk and compliance” within an organization. I am not sure about the combination from a number of perspectives and would really appreciate your views:

  • I have seen compliance officers adamantly assert that you can’t take a “risk” approach to compliance
  • There is a danger of focusing on compliance risk at the expense of other forms of risk
  • It seems to me that you need different experience and knowledge to be effective
  • If you are talking systems, I think they are mostly different – a fair amount of overlap, especially in policy management and communication, maybe in monitoring
  • Isn’t it more important to focus on each separately than together?

I am leaning towards the view that there is a problem with the phrase, but perhaps you can sway me one way or the other.

Question: on a scale of 0 – 10 (where 0 indicates this is wrong and 10 says it is brilliant), should we talk about managing risk and compliance?

  1. Ck6
    August 15, 2011 at 2:14 PM

    Agree with the first three conclusions. However, one has to be careful when using one group outside of their core competency (and risk management is outside of internal audit’s core competency).

    I would say high performing companies have a knowledgeable risk profile rather than a consistent risk appetite.

    • Norman Marks
      August 16, 2011 at 6:48 AM

      Risk management may not be a core IA competency, just as employee safety and inventory management aren’t. But that doesn’t mean IA can’t audit the processes involved.

      • Ck6
        August 16, 2011 at 7:30 AM

        Employee safety and inventory management are quantifiable objective measures that internal audit or any group can measure. Effectiveness of an ERM program is more subjective than objective so non-schooled people, with all good intentions and while thinking they know what they are doing, actually do more harm than good.

        • Ck6
          August 16, 2011 at 7:39 AM

          No problem with IA auditing the process. Commenting on the effectiveness and/or results of the process is where they lose creditability.

          • Norman Marks
            August 16, 2011 at 8:21 AM

            Greg, auditing the process without some form of conclusion doesn’t add a lot of value. I have suggested (in another post) using a maturity model to supplement or replace an opinion.

  2. Ck6
    August 15, 2011 at 2:16 PM

    Forgot the Question. 8

  3. Hans Læssøe
    August 16, 2011 at 4:29 AM

    I am on a 1 or 2 at best. For some (many, small/operational) risks compliance monitoring is important to ensure the defined actions are actually adhered to and ensures the risks are managed prudently. For others – mostly the larger, strategic risks – the handling is more defined on a “case by case” approach as you cannot use the same mitigation approach for “reduced core product demand” as for “failed merger/acquisition”. When the approach is unsystematic – compliance becomes intangible.

    So – the low grade is driven by my perception, which essentially narrows down to “the bigger the risk, the less relevant is compliance”.

  4. August 16, 2011 at 6:43 AM

    I guess I am confused…you seem to suggest that fragmentation and silos are bad, but you seem to be saying you want risk and compliance to be separated?

    While there are different missions and goals and efforts that must take place with risk and compliance, it sort of reminds me of information security and information privacy….they are different but they overlap and need to work together to deliver better results.

    Lessons learned clearly show that it is very difficult to “connect the dots” if more silos are being created.

  5. Norman Marks
    August 16, 2011 at 6:46 AM

    Rick, fair question.

    Silos and fragmentation are bad. Coordination, cooperation, and orchestration are good.

    I believe risk and compliance should be coordinated. I just don’t know that putting the two into a single phrase, ‘risk and compliance’, adds anything. It may even detract attention from each one’s individual problems.

    When the phrase ‘risk and compliance’ is used together with verbs such as improve, optimize, or references made to their maturity level, I have concerns. Yes, they should be coordinated, but should they be integrated?

    • August 17, 2011 at 2:57 PM

      Thanks for response. Definitely agree risk and compliance should be coordinated, and I can go along in theory that it may not be the best approach to integrate them.

      The problem is reality. 🙂

      Lessons learned show that most organizations are using 20th century approaches to integrate (or as I like to say ‘connect the dots’ since there are so many dots – processes, people, technology, etc.) and these 20th century approaches are creating disconnects and gaps that are leaving organizations vulnerable.

  6. Stefan Kreil
    August 16, 2011 at 6:52 AM

    Hi Norman,
    I fully agree. No compromises when it comes to compliance AND risk taking doesn’t match. 9.

    • Norman Marks
      August 16, 2011 at 7:02 AM

      Hi Stefan. Do you mean 9, which is brilliant to combine the two?

      • Stefan Kreil
        August 24, 2011 at 3:42 AM

        Hi Norman,

        Oops. Should be 1!

  7. Alpaslan Menevse
    August 16, 2011 at 6:58 AM

    I think some people use “to comply” as a synonym of “to mitigate”. Therefore when one talks about having complied with some rule or regulation, one automatically assumes that the risks are mitigated with zero tolerance. This perception is probably caused by using the term “risk and compliance” together. In my view compliance is one of the risk management functions, since being compliant alone does not solve much. So, this makes the 2nd and 3rd views correct. With 4 I somewhat agree; the overlaps are not that much, I think. With 5 I agree. I know many compliance officers (usually they have 0 risk appetite) who say either black or white, but it usually comes out gray. For the Question, it would be a headache for big companies to do risk and compliance management together. So, separating the terms when possible is better.

    • Norman Marks
      August 16, 2011 at 7:04 AM

      You can be in compliance, but at high risk of non-compliance in the future. No water is leaking through the dam because the hole is plugged with chewing gum.

  8. Ck6
    August 16, 2011 at 7:34 AM

    If one isn’t in compliance and believes that they have an effective risk management program, they are in a state of denial.

  9. Felicia
    August 16, 2011 at 8:11 AM

    0. Compliance is just another business domain where risk management can be applied and a possible source of risks. An organization will not be truly effective in risk management until it recognizes that risk management is an integral part of managing the business, at every level, and in every function and program area. It’s a key competency that provides a linkage between execution and strategy/objectives.

    • Ck6
      August 16, 2011 at 8:33 AM

      Excellent reply Felicia.

  10. Ck6
    August 16, 2011 at 8:54 AM

    Norman, first of all this is a very good discussion. Perhaps my “quick” reply wasn’t clear.

    Any organization’s risk management program, like all of the organization’s activities, is governed by the authority given to management by the organization’s Board of Directors. IA is the group who is charged with ensuring that management is living within its authority, and that programs are being managed within that authority. To that end, the process of the risk management program is open to internal audit and internal audit comment.

    What isn’t open to audit are the “results” of the risk management program. As an example, that the risk management program is following the prescribed consistent identification and measurement steps across the organization as approved by the Board, is absolutely open to review and comment by IA. However, IA criticizing risk management for a ranking or choice of handling is outside of their competency. If the Board has questions about ranking or choice of handling they will need to bring in outside risk management expertise.

    • Norman Marks
      August 16, 2011 at 9:28 AM

      Ah, I see we are actually quite close on this. I believe IA can and should comment on the process, but not necessarily the product (the assessment). They should only do the latter when it is clear that the risk assessment is not valid, or was not based on good information. For example, they should not be silent when the level of risk is rated low right after a major safety incident.

      • Ck6
        August 16, 2011 at 10:11 AM

        Just because a risk is rated “low” doesn’t mean an incident (minor or major) will not occur. In fact the low probability, high loss potential exposures are the most difficult in any organization’s risk matrix.

        In practice, when something like this (and I am assuming that it is a major incident and that IA had certified the correct process had been followed) occurs, the incident and everything associated with it are re-examined to determine the cause and risk management’s assessment before and after. If changes in the process are deemed to be needed to be made, IA will vet the new process.

  11. jeff
    August 16, 2011 at 10:28 AM

    the outcome of sound risk management relating to externally imposed risks is compliance.

  12. Julian du Plessis
    August 16, 2011 at 10:32 PM

    I believe risk and compliance are two separate issues, although there is some overlapping from an operational risk perspective. Firstly, risk management is about achieving business objectives to make sustainable profits and growth for the organisation. Compliance on the other hand is about staying in business from a regulatory perspective, i.e. a regulator can either levy penalties and fines for breaching a certain aspect of the Act an organisation must adhere to, or perhaps withdraw an organisation’s operating licence if the regulator feels the non-adherence/non-compliance by the organisation on a regular basis is serious enough to withdraw its licence. I think the overlap of compliance with risk will be operational, because there will be someone/people failing to adhere to agreed policies and procedures with regard to complying, or an organisation failing to implement processes and systems the regulator demands; hence my view that these failures are operational in nature. One last point: the failures or non-adherence can of course also be due to management override of controls.

  13. Ian Wood
    August 17, 2011 at 2:48 PM

    I was thinking on this a couple of weeks back, on the premise that every risk can be valued, and that we do compliance to avoid negative regulatory or customer feedback. Sure we _want_ to be thought of as honourable and doing the right thing. But not everyone actually is honourable or acts accordingly.
    When I began to consider compliance as a risk control, I started to look at my suppliers, clients and competitors to see if they are really complying or just appearing to.
    If compliance costs $2M and the regulatory fine is $200k then why comply? Spending 100k on looking like they comply might be better for their company.
    Which means those advocating compliance need a better set of supporting arguments than “we are required to by law or contract”.
    An example is the speed limit when driving: I don’t trust people who speed. If a person won’t obey a very simple rule, then why would they obey a complex contractual arrangement?
    “News of the World” fell because ‘operational failures’ (to obey privacy law) became public, and now evidence emerges that these were policy decisions made at very senior levels.
    I therefore consider compliance to be a Control mechanism for the risk of Regulatory Intervention, and like all risk management it should be driven from the top in a clear and open way. The joint term ‘risk and compliance’ suggests the opposite: that risk is separate from compliance.

  14. August 21, 2011 at 9:13 PM

    1 or 2. I think putting Risk and Compliance together takes us back to the 1990s definition of risk (an event with a negative impact), managing this negative impact through compliance. Risk has come a long way since then. The new International Standard defines risk as “the effect of uncertainty on objectives”. Uncertainty can include both positive and negative effects. Is compliance ever a tool used to embrace risk (aka opportunities)? And equally compliance can be a lot more than just managing risk.

    Linking “compliance” with “risk” devalues the importance of both functions.

  15. August 23, 2011 at 4:23 AM

    I tend to view compliance as part of risk, not something out there that has to be looked at differently. But in reality, auditors and accountants, who don’t really understand risk, take it from the perspective of controls – the COSO approach – and then they decide whether or not an organisation complies with them! Although they have reissued COSO with an ERM type approach – including parts like risk appetite to make it sound like they got it – in fact, their training is focused on controls and the past through accounting.

    But if one takes the forward value generated by an organization, even if it is difficult to assess – it could be financial value for a private firm and social value for a public entity – as the ultimate beacon to judge one’s actions and decisions, then an organization may decide that it is worth taking some risks relative to that beacon or not. The same is true with global societal values as expressed in countries’ constitutions and the Bill of Rights.

    In the end, it is no longer just a compliance exercise – like a legal view of it. Too much compliance and the controls that go with it just destroy value.

    Also, what I find interesting now is what goes on at the public level. Think of CA with its Three Strikes approach to crime – a sort of risk/compliance approach – decided at some point when CA thought they were rich enough to implement it. Now, with public finances being in shambles, one has to review that… so, it would be interesting to look at risk appetite/tolerance again in terms of value and also add another dimension – the cost to comply. Nowadays, I think CA would probably tolerate more crime risk than before?

  16. ISO 9001
    October 19, 2011 at 2:33 AM

    Very good post. I was really searching for this topic, as I wanted to understand it completely, and it is also very rare on the internet, which is why it was very difficult to understand.

    Thank you for sharing this.

    ISO 9001

  17. August 21, 2013 at 8:26 AM

    I needed to thank you for this wonderful read!! I certainly loved every little bit of it. I have got you bookmarked to look at new things you post…
