Why Manage Governance, Risk, and Compliance in Silos?

Tim Williams

An enterprise approach to risk management should be comprehensive enough to incorporate governance and compliance

The past three years should have taught us the importance of well-defined and consistently enforced governance, risk, and compliance policies. However, most firms still seem to spread these functions across several overlapping and related departments, such as audit, finance, treasury (or risk management), and legal, with each department managed in its own silo and reporting to a different member of senior management.

An enterprise approach to risk management should be comprehensive enough to incorporate governance and compliance. The sources of risk to be identified, mitigated, and managed should include threats to effective governance and compliance, since either, if handled incompetently, can have a meaningful impact on a corporation's financial results, if not on its very existence.

The premise of an enterprise approach is that its value lies in understanding the interdependencies of all factors affecting the enterprise in question. Failing to identify every factor that can "move the needle" undermines the efficiency of an approach that often requires a significant investment in people and technology.

It is my contention that governance, risk, and compliance should be managed through a comprehensive enterprise approach. An existing ERM program is the ideal vehicle through which to make this happen. I believe this approach will prove valuable on many levels, including if and when the ratings agencies focus on ERM programs.

Comments

Sayef Hussain

Any resources on how to take a comprehensive enterprise approach to GRC? Also, any specimen of ERM providing the vehicle for such an approach?

Tim Williams

I do not have a template yet, but I can work to pull together a list of resources to share.

Also, I just noticed that Proformative is hosting a free seminar in NYC on April 22nd on Managing GRC across the Enterprise, which I am hoping to attend and which I believe would be valuable in understanding this approach.

Scott Lane

I agree with the overall view that ERM should be centralized / ultimately managed via an enterprise approach. I have witnessed a decentralized ERM approach in the past and it did not work.

Ultimately, as we have seen in the Great Recession, when things get really bad correlation of risks / downside goes to 100%. Somebody needs to be looking at this from a top down perspective.

Debra Butler

Risk management must be done both top-down and bottom-up, whether a company is using it in more traditional ways or in an enterprise-wide approach. The big picture issues are best identified from the top levels.

However, in my 20 years of risk management experience, some of the biggest potential "threats" come from small activities that top management is not aware of. Sometimes the employees do not recognize the exposures because they do not see how the operation (or even a single contract) differs from the company's recognized activities. Other times, it is intentionally hidden from mid and upper level management (dare I say because the reward for bringing in the revenue discourages any efforts to even calculate the associated costs).

The larger the company, the more critical it is to have someone who is in touch with as many people as possible, and who can gather accurate information about unusual activities across all operations and departments.

Software and tracking programs have their uses, but human intelligence is equally important for identifying potential threats. It also is an excellent way to identify "hidden" silos of non-communication that do not appear in organization charts.
