Risk & Compliance functions have enjoyed unprecedented levels of investment over the past decade, but to what
benefit? Increased spending has made little perceptible difference for many high-profile businesses, which
continue to weather public whistleblowing and other brand-damaging incidents. Broader growth and modernisation
initiatives, spurred by recent digital advances and by working practices forever changed by COVID, now provide an
important lever for change.
A career in Risk & Compliance over the past 20 years has been one abundant with opportunity. From the corporate
scandals of the early 2000s and the ensuing Sarbanes-Oxley Act, through the financial crisis of 2008 and the
intensive period of regulatory activity that followed (and is only now starting to level off), there has been no
shortage of market events compelling organisations to divert more spend into risk and compliance activities.
But, fairly or not, risk and compliance functions are still seen as an overhead and, like any overhead,
measurable benefits are expected in return for increased spend. Therein lies the problem: despite intensive
investment, there has been no decline in regulatory fines (across corporate and financial services, they are
rising) and, amongst many organisations we speak with, no reduction in whistleblowing or improvement in
stakeholder confidence (the reverse, in fact). So costs are increasing and, in many cases, there are few clear
benefits to show for them.
These problems haven’t arisen overnight, but what’s triggered this article is that there’s now a growing number
of organisations embarking on transformation programs to redress this. Similar exercises have been attempted
before but, as evidenced above, with mixed success. It’s worth seeing what’s different in approach this time,
what lessons of the past need to be applied and, most importantly, what capabilities exist now that, properly
applied, will make a real difference.
Firstly, though, what gave rise to the escalating costs and questionable returns of previous investments in
governance, risk and compliance (GRC) and broader Lines of Defence activities?
Old GRC — Cost savings that couldn't be delivered, people strategies that didn't work
When evaluating the effectiveness of previous GRC programs, it’s worth considering cost and benefits separately.
On the cost side, it’s easier to understand what happened:
- Regulatory activity was greater than anticipated — Higher levels of regulation over the past decade were always
going to lead to greater costs, but the extent of regulatory growth has, if anything, exceeded the forecasts made
immediately after the financial crisis. Moreover, a change in regulatory style has required compliance effort to
become more ingrained in front-line business, so discrete compliance functions have been created at the coalface
rather than existing back-office compliance functions being expanded. Naturally, a more fragmented model, while
beneficial in some ways, costs more to build and maintain.
- Cost saving programs didn't deliver — While greater regulation made growth in compliance staffing inevitable,
offsets were anticipated in the form of Lines of Defence rationalisation programs. However, most such programs
generated only a fraction of the savings expected. Initiatives that proved problematic included:
  - Controls rationalisation – Many organisations set about consolidating their previously isolated compliance
programs, expecting that net compliance effort could be reduced since many regulations have overlapping
requirements. What quickly became apparent was that for savings to materialise, control redesign, and sometimes
process redesign, would be necessary. This added complexity, combined with a lack of sponsorship for the
necessary changes, meant that many of these initiatives never progressed very far.
  - Compliance automation – While technology that facilitates risk and compliance work has delivered some
efficiency savings, these have largely been limited to automating workflow between otherwise manual processes.
Much greater savings would be possible through fully automated controls monitoring. This has succeeded in
pockets, particularly in managing cyber and IT risk, but broader controls monitoring has proved much harder to
leverage because it requires a high degree of control standardisation which, as above, proved problematic.
Notwithstanding these challenges, previous investments did change how many organisations manage risk and
regulatory obligations. However, it is difficult to reach a conclusive assessment of what benefit has or hasn't
materialised from these changes. In isolation, static or rising levels of fines and whistleblowing may be seen as
a failure. But against a backdrop of significantly increased risk exposure, broadly constant levels of fines and
incidents could be seen as a partial success.
Irrespective, internal stakeholders are calling out those areas where earlier GRC programs didn’t address what
matters most and/or have evolved in a way that requires fresh attention.
Most noteworthy:
- Effectiveness of front-line compliance is mixed: Front Line (Line 1A) functions have grown significantly in the
past decade to address specific regulations or to provide more specialised monitoring closer to the business. In
many cases they have proven insufficiently effective in calling out and addressing risk and compliance issues, or
are simply too costly to run. These are contentious points that not everyone would agree with, but it's notable
that amongst organisations looking to make significant changes to Lines of Defence activities, senior direction
has been for Line 1A to be dissolved into central (Line 2) functions, not vice versa.
- Predictive/early warning capabilities require improvement: Many previous programs succeeded in taking cost and
bureaucracy out of static/as-is control and compliance monitoring over business-as-usual risks and established
regulations. Less effective were the procedures and technologies for identifying emerging risks. This is now more
pertinent as organisations are compelled to enter new markets and launch new products at a faster rate to remain
competitive.
Digital commerce and off-shoring provide a catalyst for change
While rising costs and question marks over GRC effectiveness require attention, these challenges have often gone
unchecked. In some instances, a highly public event that put corporate governance in the spotlight was needed
for action to take place.
Meanwhile, other organisations are revisiting GRC from a more opportunistic perspective. Digital is transforming
how a business and its customers interact. The more customer activity moves online, the easier it is to monitor,
from both a customer experience and a risk management perspective. With the right design, new customer-facing
systems can, for example, provide a more frictionless experience for the 'right' customers whilst keeping out
potential fraudsters, which in turn negates the need for downstream, and less effective, risk and control
procedures.
Then, from an operational perspective, organisations continue to look for cost savings through centralisation and
off-shoring of business-as-usual processes, with digital advances increasing the extent to which off-shoring is
practical. Logically, a similar shift should take place in GRC.
Being part of these much broader transformation programs ensures risk, compliance and audit activities become
embedded in the business rather than remaining as an overlay. It also provides the sponsorship and impetus needed
to revisit challenges of the past:
- Controls rationalisation and monitoring — Centralising and off-shoring finance and operational processes
provides the foundations for controls rationalisation. As noted earlier, previous attempts to optimise and
rationalise controls came unstuck once it became clear they could only work if there was willingness to look at
process redesign too. Finance/process off-shoring provides the best opportunity for this to happen, which in
turn provides the opportunity to revisit fully automated controls monitoring.
- Roles, responsibilities and staff deployment — Centralisation drives a need to revisit the use of locally
deployed staff for controls monitoring, and many organisations are now centralising this (Line 1A) resource. In
addition, previous attempts to better align Line 2 and Line 3 activities (Risk, Compliance and Audit) fell away
due to operational challenges. Centralisation compels the board and GRC leaders to re-examine the extent to which
these functions should be integrated and how their activities can be better coordinated. This is the best
opportunity to make the necessary changes.
- Supporting technology — Existing use of GRC technology to support Lines of Defence activities is being
revisited, with many legacy deployments serving as little more than a controls database. In some instances, these
transformation programs include wholesale replacement of legacy GRC technology.
Effecting change
In previous attempts to effect change, the biggest blocker has been ownership. The overarching challenge is this
— robust governance typically requires a degree of independence between risk, compliance and audit
functions, but that independence then makes it harder to drive change across the combined lines of defence.
To the extent a pattern can be seen amongst a limited set of transformation programs, the following can be noted:
- Where the need for change has become critical, reporting lines are being consolidated to allow one person to
drive transformation, build common working practices, rationalise reporting and reduce costs.
- Once the rationalisation exercise is complete, some organisations are then disaggregating these reporting lines
to restore ongoing independence.
Getting it right this time
The premise of this article is that GRC as a discipline has enjoyed a long spell of healthy investment, but spend
will diminish unless its worth can be demonstrated more tangibly. Previous programs to improve ROI had mixed
success, so it's imperative that lessons are learned from them.
As described above, broader, digitally enabled transformation projects provide fresh impetus to try again. Tying
GRC initiatives to broader digital transformation and off-shoring programs makes sense, as it is then easier to
make the changes to system, process and control design that are vital but were unachievable when attempted
before.
But simply rectifying known problems from previous programs won’t be enough. What else is needed?
- Forward-looking risk management… : Previous GRC transformation programs focused on better alignment of risk,
compliance and audit work, so significant effort went into defining common risk and control frameworks to which
each function could map its assurance activities. Such an approach could be used for backward- or forward-looking
risk management but, for whatever reason, tended to focus on the former, perhaps partly due to system
limitations. Technology and data services have advanced significantly in the past five years, both in predicting
emerging risks from internal activity and in scanning market data for external risks. These capabilities must be
understood and capitalised upon. Businesses move much faster now, so forward-looking risk management is critical
to survival.
- …embedded in the front line : Until now, GRC has largely operated as an overlay to established business
practices developed by line management who were often resistant to change. As such, GRC activities were often
perceived as administrative and of limited value. Digital transformation of customer-facing systems provides the
best opportunity to design preventative controls into these systems, minimising the need for more disruptive and
less helpful detective controls. Risk professionals need to be engaged in new system development while ensuring
the right balance is struck between opportunity creation and value protection.
- …that finally allows opportunity and risk to be considered in unison : This feels like a cliché, because it
has been talked about for years but rarely happens. Digital provides the opportunity to redress this. As an
illustration, technology vendors are using the same customer monitoring capabilities to sell both market
intelligence solutions and fraud prevention/anti-money laundering solutions: one technology for growth and for
protection… except that the vendors market and sell these as entirely separate solutions, because there
continue to be separate buyers of commercial and risk systems. Technology can facilitate a combined
commercial-plus-risk approach to business planning, but organisational change will be required for it to be put
to use.
- Adaptable MI (management information) : Previous-generation programs worked largely on the premise that Risk &
Compliance functions would draw information from the front line, process it and report both to the board and
back to the front line, so line management remained generally hands-off. Regulation seeks to redress this but,
irrespective, line management would be more likely to engage if they saw value in the outputs. Improved risk
intelligence capabilities will help, but to really make a difference line managers need the tools and data to
meet their own MI requirements, which change from one day to the next.
- Optimised technology : Most in-flight transformation programs include wholesale replacement of ageing
incumbent GRC technology. Simply replacing one GRC technology with another is unlikely to bring much benefit.
This is a confused market right now, with the new 'Integrated Risk Management' (IRM) label being applied in some
cases to genuinely new technology and in others to re-badged, old GRC technology. Moreover, GRC/IRM addresses
only part of what's needed. As set out above, truly transformative risk monitoring requires embedded digital
solutions and, however it may be marketed, this is not something GRC/IRM technology can provide on its own. A
combination of technologies is required.
Let's connect
Does this strike a chord? If you are embarking on a Governance, Risk and Compliance journey and are interested in
how to maximise the return, please contact us. We provide impartial advice, untainted by reseller agreements or
any other direct or indirect incentivisation, ensuring our objectivity.