Amid a sharpening focus on risk assessment and mitigation, big-picture questions emerge. Among them: Can integrated risk management create business value?
Experts at the recent Compliance Week 2017 conference in Washington D.C. stressed that it is possible to quantify the business value potential of compliance and risk management decisions. An evolution is underway that promises to transform those efforts and functions from necessary costs to sources of competitive advantage.
Regulatory demands for risk management are hardly new, said Sam Abadir, director of product management for LockPath, a provider of corporate governance, risk management, regulatory compliance, and information security software.
Government oversight started with the Food and Drug Administration in 1906, as legislators responded to consumer frustration over the quality and safety of products, he explained. Mandated ethics programs emerged with the Foreign Corrupt Practices Act in 1977. In 2005, the international Basel banking accords established the need for risk management, managing internal risks, and preparing for external risk events.
Despite that long history of prescriptive demands, or maybe even because of it, compliance and risk are still not integrated in all the ways they should be.
Prior to 2007, for example, Lehman Brothers had a reputation as a place for moneymaking geniuses. The firm’s historic downfall was, in large part, due to its failure to see mortgage foreclosure trends as a direct risk.
By the time it divested of mortgage companies, it was too little, too late. “They were not managing external risk events, the external risk events were managing them,” Abadir said. “Bubbles should have been on risk managers’ minds, but they were not looking at compliance from a risk management perspective.”
More recent data breaches at retail giants Target and Neiman Marcus also illustrate the common disconnect between compliance and risk management, Abadir explained. Both learned the hard way that Payment Card Industry Data Security Standard compliance was meant to curb the fraudulent use of credit cards, “not to prevent huge breaches.” Strict adherence to rules missed the bigger risk picture.
Abadir advocates for integrating risk and compliance with business performance, a mindset still slowly catching on at corporations. Only about two-thirds of organizations have a dedicated chief compliance officer and even fewer have a chief risk officer, he said.
The good news is that integrating risk and compliance across the organization is finally gaining traction. Most organizations, however, still approach risk and compliance in business silos.
Abadir’s advice is to adopt an approach to compliance that is “business first.” It should be a key partner in efforts to achieve strategic goals, focus on customers, and maintain best practices.
The confluence of compliance and risk management must be able to manage and correlate vast quantities of changing data; promote collaboration and communication; manage compliance mandates from all sources; and provide decision support to individuals in the context of their roles.
Risk management, he added, must be driven by business insight and unify people, processes, and technology.
The big change afoot is that risk and compliance experts in an organization are working with the business owners and their processes “so they can provide decision support” instead of making decisions for them, Abadir said. “It used to be, and we still see it in a lot of organizations, ‘the compliance guy said no,’ or ‘the risk guy said no.’ Sometimes they have to say no, and there may never be a way to completely get around that.”
Increasingly, however, the risk and compliance functions are focusing on presenting business units with the risk-weighted scenarios they need to best manage their operations.
Joe Filer is chief information security officer for Harland Clarke, a leading provider of integrated payment solutions and integrated marketing services. He used the world of information technology to illustrate the changing world of risk management.
“The notion that information security is a part of IT is becoming less and less a reality,” he said. The responsibility is best viewed as shared throughout the organization. IT needs to work with management, and not just talk to senior leadership when something is broken.
“That’s not where you want to be,” Filer said. “They need to get on the same page and speak the same language. IT and security must be focused on risk using terms that the business understands.”
“The establishment of a common lexicon that starts to spread across the business is not only for conversations with IT and security, but also legal, HR, and others because, as you focus on risk management, they all need to be part of any conversation about risk exposure, vulnerabilities, and potential impact,” he added. Among the important questions to ask: “What happens if we don’t address this?”
How do compliance and a company’s risk function move away from the “office of no” to helping support and empower business decisions?
Documentation is important. “It is really valuable when you can put together a risk position for the business that says, ‘here is where we are and here is what our recommendation is as related to risk.’ It is amazing how executives respond when you document something,” Filer said. “Formalization and documentation can be very powerful tools for setting the expectations for periodic conversations.”
Those conversations, in turn, “add value and help executives make good risk-based decisions,” he said.
Breaking down corporate silos starts with building relationships, Filer said, advising: “Define management perspectives, not just compliance requirements.”
A “check-the-box” approach to compliance is not enough when taking a holistic view of risk management, and that can extend to third-party contract language that may be overly prescriptive. “Talk less about how and more about what,” he advises. “One of the biggest failures of PCI was that there was no risk element. Either you did it or you didn’t.”
On the documentation front, Filer suggested that risk documents be kept brief and to the point. “If it is two pages, it is too long and [executives] are not reading it,” he said.
His strategy for these reports is to focus on the potential impact on the business. “That is the key piece of this,” he said. “Bold it. Highlight it so it jumps off the page.”
There should also be a risk mitigation recommendation that presents options for closing identified risk gaps.
Risk documentation is not intended to be an occasional one-off report, Filer said. Risk factors evolve as does risk appetite.
“Things change,” he said. “It is a cliché, but security is a journey, not a destination.”
Another session at the conference looked at ways to customize risk assessments. Panelists discussed ways to balance the need to reliably identify specific, objectively defensible, and actionable risk mitigation opportunities with the imperative to “not boil the ocean.”
Make it easy for all involved to prioritize risk, advised Lynn Gefen, chief compliance officer for HomeServe USA, an independent provider of home repair service plans.
Her vision is for risk assessment that is tailored to key processes on a continuous cycle. At various points on that cycle are: meeting with process owners and department heads; evaluating fraud activity; reviewing operational risk registers; implementing and tracking mitigation plans; and having compliance and audit-driven monitoring.
Gefen also relies on an “assessment template” to prioritize and categorize risks and itemize company risk tolerances. Categories of company responses include “mitigate” (with action plans, oversight by governance forums, and monitoring); “off load” (through third-party contract revisions or insurance); and “stop” (when risk falls outside of tolerance parameters).
“You have to think systematically about risk assessment,” Gefen said. “It isn’t just about having a questionnaire. There is a larger consideration of how you continually try to take in information from all sorts of sources that are relevant to your business and markets.”
Jonathan Rusch, senior VP and head of anti-bribery & corruption governance at Wells Fargo, discussed the changing expectations of risk assessments.
He compared past guidance from the Securities and Exchange Commission and Department of Justice on the Foreign Corrupt Practices Act to the more recent ISO 37001.
The former was “very spare, almost cryptic, on what they were looking for in terms of risk assessment,” he said. “That’s not very helpful. Give us some idea about what the expectations are and more specifics on what you want to see in our compliance programs. What kind of risk assessment do you want us to do?”
Now, there is ISO 37001. Published by the International Organization for Standardization, it is the first internationally recognized and certifiable anti-bribery minimum standards program.
ISO 37001 builds upon many other forms of anti-bribery guidance already in place, including the U.S. Sentencing Guidelines, the FCPA Resource Guide, the U.K.’s Ministry of Justice Bribery Act Guidance, and the OECD Good Practice Guidance.
Under ISO 37001 bribery risk assessments should:
Identify “reasonably anticipated” risks based on internal and external factors;
assess and prioritize identified risks;
evaluate suitability and effectiveness of existing controls;
be reviewed on a regular basis or in the event of a change in the structure or activities of the business; and
“If you were a little dissatisfied with the level of generic guidance you got from the Justice Department and the SEC, now you have a more than 60-page document that makes you go through many different aspects of how you build out, in particular an anti-bribery management system,” Rusch said. “If you read between the lines of some of the language in the ISO document, it is also saying that, with a little bit of tweaking, you can take this approach and methodology and construct and use it to build other kinds of significant financial risk mitigation systems as well.”
The value, in large part, with standards like these is that they “force you to think about stakeholder needs and expectations,” Rusch said.
“As you will hear from regulators of all sorts: document, document, document,” he added. “You need to explain risk assessments not only to senior management, but to auditors and potentially regulators.”
Among the questions to answer: “Why does this means of implementing your risk assessment process make sense for your business, your current and projected markets, and the prioritization of risks you face?”