Thoughts on Bridging the Gap From Compliance to ERM

Matt Kelly | September 21, 2015

Last week I had the privilege of hosting another Compliance Week executive roundtable, this time to talk about moving from a compliance program to a broader enterprise risk management program: how you decide on an ERM structure, how you take that from clever idea to working program, and how you convince others at your company to go along with this latest request from those wacky folks in compliance and internal audit.

The conversation was excellent, and we will have in-depth coverage of the discussion in our Sept. 29 newsletter. For now, let me recap a few of the main points here.

ERM is already here. We had 10 compliance and audit executives from a wide range of industries at our roundtable, and almost all of them said their businesses were trying enterprise risk management to some degree. Most added that they weren’t too far along in their quest to implement ERM, and plenty of hurdles remain. (We’ll get to those momentarily.) But the reality—for them and most other businesses, I suspect—is that enterprise risk management is already here.

Lots of that preliminary effort can trace back to Sarbanes-Oxley compliance and basic internal auditing principles. After all, a good internal audit department conducts its own enterprise-wide risk assessment every year. SOX compliance sparked a new era of attention to internal controls—yes, starting only with internal control over financial reporting, but by now that renewed interest has spread to matters such as anti-corruption, product quality, cybersecurity, and more.

Boards also pay much more attention to ERM these days. Several roundtable participants said their audit committees or other board directors specifically directed them to assess the state of enterprise risk management at their businesses. Others said their CFOs were big supporters of ERM because those CFOs served on boards elsewhere, where ERM is a hot topic.

And let’s not forget that more broadly, the nature of corporate transactions today makes ERM a better idea. Forty years ago, the vast amount of assets a company owned were tangible: factories, inventory, real estate, and so forth. The risks inherent in those assets were fewer, and could be managed individually. Now the majority of your assets are intangible: customer data, patents, IT systems, and the like. To extract value from assets like that, you need to coordinate them more intricately and more skillfully—and if you don’t, more can go wrong more quickly. You need orchestration, and that’s what enterprise risk management is.

As always, data is the challenge. Numerous roundtable participants said the pace of merger activity at their companies is too fast; they cannot collect and rationalize data quickly enough to stay on top of all risks efficiently. (I hear that complaint about M&A a lot, actually, about everything from managing third parties to financial reporting.) As one person at the table put it, “I know what our risks are. I just can’t get the data to tell me how those risks are going.”

One thing that struck me about difficulty with data, however, is how closely that ties into difficulty with human beings at your organization. We talked for a while about the need for data warehouses: one central repository where all information about your company and its risks can be stored, and then analyzed by the audit or compliance officer. A good idea unto itself, but a warehouse only works when people bother to make deliveries into it—and that’s where compliance officers need some sharp inter-personal skills, to convince others to share their data.

This might be one area where you could deputize your friends in internal audit and IT, to examine your business processes and determine the least painful way they might need to change for the sake of ERM. The ideal is that the owners of those business processes (in sales, marketing, IT, product development, and so forth) have a process where they “own the risk,” but also own the control, and generate the data you need in some automated fashion that goes straight into your warehouse.

I’m not saying that’s easy to engineer. It’s just the goal you want to achieve.

Don’t forget your board. We spent a fair bit of time talking about boards and their attention to ERM, and which committee on the board should take the lead on ERM issues. Naturally the audit committee was mentioned quite a bit, and it certainly is a plausible candidate—but even if the audit committee is the best choice you have, that doesn’t mean it’s the right choice.

My co-host for the roundtable, Mike Rost, vice president of strategy at Workiva, made this excellent point: that by their nature, audit committees tend to look backward at events that have already happened (investigations into misconduct, audits of last year’s financials, and so forth). Savvy risk management, in contrast, is about looking forward, to outcomes and challenges that might happen. That means the best committee to tackle ERM really is a dedicated risk committee, a group that can look for “ignition sources,” as Rost put it, whether they are igniting growth or igniting a crisis.

Good advice to close out a roundtable, and a column.