articles

Risk & Compliance functions have enjoyed unprecedented levels of investment over the past decade but for what benefit? Increased spending has made little perceptible difference for many high-profile businesses, who continue to weather public whistleblowing and other brand-damaging incidents. Broader growth and modernisation initiatives, spurred by recent digital advances and working practices forever changed by COVID, now provide an important lever for change.

A career in Risk & Compliance over the past 20 years has been one abundant with opportunity. Going back as far as the corporate scandals of the early 2000s, the ensuing Sarbanes-Oxley act, the financial crisis of 2008, followed by an intensive period of regulatory activity that’s only starting to level off now, there’s been no shortage of market activity to compel organisations to divert more spend into risk and compliance activities to tackle these demands.

But, fairly or not, risk and compliance functions are still seen as an overhead and, like any overhead, some measurable benefits are expected in return for spend increase. Therein lies the problem – despite intensive investment, there’s been no decline in regulatory fines (across corporate and financial services, they’re on the up) and, amongst many organisations we speak with, there’s been no reduction in whistleblowing or improvement in stakeholder confidence (the reverse, in fact). So costs are increasing and, in many cases, there are few clear benefits to speak of.

These problems haven’t arisen overnight, but what’s triggered this article is that there’s now a growing number of organisations embarking on transformation programs to redress this. Similar exercises have been attempted before but, as evidenced above, with mixed success. It’s worth seeing what’s different in approach this time, what lessons of the past need to be applied and, most importantly, what capabilities exist now that, properly applied, will make a real difference.

Firstly, though, what gave rise to the escalating costs and questionable returns of previous investments in governance, risk and compliance (GRC) and broader Lines of Defence activities?

Old GRC — Cost savings that couldn’t be delivered, people strategies that didn’t work

When evaluating the effectiveness of previous GRC programs, it’s worth considering cost and benefits separately. On the cost side, it’s easier to understand what happened:

Regulatory activity was greater than anticipated — Higher levels of regulation over the past decade were always going to lead to greater costs, but the extent of regulatory growth has, if anything, been even greater than the forecasts made immediately after the financial crisis. Moreover, a change in regulatory style has required compliance effort to become more ingrained into front-line business. So there’s been the creation of discrete compliance functions at the coalface, rather than expansion of existing back-office compliance functions. Naturally, a more fragmented model, while beneficial in some ways, costs more to build and maintain.
Cost saving programs didn’t deliver — While greater regulation made growth in compliance staffing inevitable, offsets were anticipated in the form of Lines of Defence rationalisation programs. However, the majority of such programs generated only a fraction of the savings expected. Initiatives that proved problematic included:
- Controls rationalisation – Many organisations set about consolidating their previously isolated compliance programs, the expectation being that net compliance effort could be reduced since many regulations have overlapping requirements. What quickly became apparent was that for savings to take place, control redesign and sometimes even process redesign, would be necessary. This added complexity, allied with a lack of sponsorship to make the necessary changes, meant that many of these initiatives never progressed very far.
- Compliance automation – While technology that facilitates risk and compliance work has provided some efficiency savings, this has largely been limited to automating workflow between otherwise manual processes. Much greater savings would be possible by using fully automated controls monitoring. This has been successful in pockets, particularly in managing cyber and IT risk. However, broader controls monitoring capabilities have proved much harder to leverage. It does (or did) necessitate a high degree of control standardisation which, as above, proved problematic.

Notwithstanding the above challenges, previous investments did change how many organisations manage risk and regulatory obligations. However, it’s difficult to arrive at a conclusive assessment on what level of benefit has or hasn’t materialised from these changes. In isolation, static or increasingly level of fines and whistleblowing may be seen as a failure. But against a backdrop of significantly increased risk exposure, if levels of fines and incidents remained broadly constant, then this could be seen as a partial success. Irrespective, internal stakeholders are calling out those areas where earlier GRC programs didn’t address what matters most and/or have evolved in a way that requires fresh attention.

Most noteworthy:

Effectiveness of front-line compliance is mixed: Front Line (line 1A) functions have grown significantly in the past decade to address specific regulations or to provide more specialised monitoring, closer to the business. In many cases, they have proven insufficiently effective in calling out and addressing risk and compliance issues or are simply too costly to run. These are contentious points that not everyone would agree with, but it’s notable that amongst organisations looking to make significant change to Line of Defence activities, senior direction has been for Line 1A to be dissolved into central (Line 2) functions, not vice versa.
Predictive/early warning capabilities required improvement Many previous programs were successful in taking cost and bureaucracy out of static/as-is control and compliance monitoring programs over business-as-usual risks and established regulations. Less effective were procedures and technologies for identifying emerging risks. This is now more pertinent as organisations are compelled to move into new markets and launch new products at a faster rate to remain competitive.

Digital commerce and off-shoring provide a catalyst for change

While rising costs and question marks over GRC effectiveness require attention, these challenges have often been going unchecked. In some instances, a highly public event, that put corporate governance in the spotlight, was needed for action to take place.

Meanwhile, other organisations are revisiting GRC from a more opportunistic perspective. Digital is transforming how business and its customers interact. The more customer activity moves on-line, the easier it is to monitor, both from a customer experience and risk management perspective. With the right design, new customer facing systems can, for example, ensure a more frictionless experience for the ‘right’ customers whilst keeping out potential fraudsters, which in turn, negates the need for downstream, and less effective, risk and control procedures.

Then, from an operational perspective, organisations continue to look for cost savings through centralisation and off-shore of business-as-usual processes, with digital advances increasing the extent to which off-shoring can be a reality. Logically, a similar shift should take place with GRC.

Being part of these much broader transformation programs ensures risk, compliance and audit activities become embedded in the business rather than remaining as an overlay. It also provides the sponsorship and impetus needed to revisit challenges of the past:

Controls rationalisation and monitoring — Centralising and off-shoring finance and operation processes provides the foundations for controls rationalisation. As noted earlier, previous attempts to optimise and rationalise controls became unstuck when it was clear this could only work if there’s willingness to look at process redesign too. Finance/process off-shore provides the best opportunity for this to happen. This in turn provides the opportunity to revisit the use of fully automated controls monitoring.
Roles, responsibilities and staff deployment — Centralisation drives a need to revisit the use of locally deployed staff for controls monitoring. Many organisations are now centralising this (Line 1A) resource. In addition, previous attempts to better align Line 2 + 3 activities (Risk, Compliance and Audit) fell away due to operational challenges. Centralisation compels the board, and GRC leaders to re-examine the extent to which these functions should be integrated and/or how their activities can be better coordinated. This is the best opportunity to make necessary change.
Supporting technology — Existing use of GRC technology to support Lines of Defence activities is being revisited with many legacy deployments serving as little more than a controls database. In some instances, these transformation programs include wholesale replacement of legacy GRC technology.

Affecting change

In previous attempts to affect change, the biggest blocker has been ownership. The overarching challenge is this — robust governance typically requires a degree of independence between risk, compliance and audit functions, but this independence then makes it harder to drive change across the combined lines of defence. To the extent a pattern can be seen amongst a limited set of transformation programs the following can be noted:

Where the need for change has become critical, then reporting lines are being consolidated to allow one person to drive transformation, build common working practices, rationalise reporting and reduce costs.
Once the rationalisation exercise is complete, some organisations are then dis-aggregating these reporting lines to restore ongoing independence.

Getting it right this time

The premise of this article is that GRC as a discipline has enjoyed a long spell of healthy investment but spend will diminish unless its worth can be more tangibly demonstrated. Previous programs for improving ROI had mixed success, so it’s imperative that lessons are learned from this.

As described above, broader, digitally-enabled transformation projects provide fresh impetus to try again. Bootstrapping GRC initiatives to broader digital transformation and off-shore programs makes sense as it is then easier to make changes in system, process and control design that are vital, but were unassailable when attempted before. But simply rectifying known problems from previous programs won’t be enough. What else is needed?

Forward looking risk management… : Previous GRC transformation programs focused on better alignment of risk, compliance and audit work. Hence significant effort was put into defining common risk and control frameworks to which each function could map its assurance activities. Such an approach could be used for backward or forward looking risk management but, for whatever reason, tended to focus on the former. This was perhaps in part down to system limitations. Technology and data services have advanced significantly in the past five years to predict emerging risks with internal activities and to scan market data and risks. These capabilities must be understood and capitalised upon. Businesses move much quicker now, so forward looking risk management is critical to survival.
…embedded in the front line : Up until now, GRC has largely operated as an overlay to established business practices that were developed by line management who were often resistant to change. As such, GRC activities were often perceived as administrative and provided limited value. Digital transformation of customer-facing systems provides the best opportunity for designing preventative controls into these systems, thereby minimising more disruptive and less helpful detective controls. Risk professionals need to be engaged in new system development while ensuring the right balance is struck between opportunity creation and value protection.
…that finally allows opportunity and risk to be considered in unison : This feels like a cliché, because it’s been talked about for years, but rarely happens. Digital provides the opportunity to redress this. As an illustration, technology vendors are using the same customer monitoring capabilities to sell market intelligence solutions and fraud prevention/anti-money laundering solutions. So one technology for growth and protection… except the vendors market and sell these as entirely separate solutions, as there continue to be separate buyers of commercial and risk systems. Technology can facilitate a combined commercial+risk approach to business planning, but it will require organisation change for this to be put to use.
Adaptable MI : Previous generation programs worked largely on the premise that Risk & Compliance functions would draw information from the front line, process it and report both to the board and back to the front line. Hence, line management remained generally hands off. Regulation seeks to redress this but, irrespective, line management would more likely be engaged if they saw value in the outputs. Improved risk intelligence capabilities will help redress this but, to really make a difference, line managers need the tools and data to furnish their own MI requirements that change from one day to the next.
Optimised technology : Most in-flight transformation programs include wholesale replacement of ageing and incumbent GRC technology. Simply replacing one GRC technology with another is unlikely to bring much benefit. This is a confused market right now with a new ‘Integrated Risk Management’ (IRM) label being applied to what, in some cases, is genuinely new technology but, in other cases, is re-badged, old GRC technology. Moreover, GRC/IRM only addresses part of what’s needed here. As set out above, truly transformative risk monitoring requires embedded digital solutions and, however it may be marketed, this is not something that GRC/IRM technology can provide on its own. A combination of technologies is required.

Let's connect

Does this strike a chord? If you are embarking on a Governance, Risk and Compliance journey and are interested in considerations to maximise return please contact us. We provide impartial advice, untainted by reseller agreements or any other direct or indirect incentivisation, ensuring our objectivity.