Risk Convergence, the coming together of Operational Risk Management and Compliance, is real, at least from an organisational perspective. Some Financial Services Organisations are bringing their Compliance department under Risk, some simply putting people with risk management experience in charge of compliance. This is driven both by regulatory pressures requiring them to take a more risk-based approach to compliance and by the need for efficiency, in the hope that duplicated activities and systems may be avoided.
The organisational challenges of Risk Convergence should not be underestimated. Compliance departments (and individuals) are often criticised for being pedantic, rules-driven and technology-averse, but these are admirable qualities in their particular sphere, and the attention to detail and sheer doggedness shown by many compliance officers could be seen as characteristics that many risk officers could do with more of.
One way to help with organisational challenges is to implement a common IT infrastructure to support both functions but there is a fundamental problem here, that is born of the different ways in which risk and compliance are managed in businesses. As you would expect, Risk departments take a risk-based approach, identifying risks to achieving business objectives within their activities and processes, assessing those risks and then developing and managing mitigation strategies for them. Compliance however is much more likely to be control-based. A set of regulatory outcomes is defined, often in policy documents, controls are identified and a rolling programme of assessment, monitoring and reporting created. In one case (risk), the fundamental element is a Risk Register, underpinning a risk framework, while in the other (compliance), it is a Control Register. Similarly, reporting tends to reflect the risk- or control-based approach.
Depending on their provenance, IT solutions tend to take one approach or the other. So, Operational Risk systems will be risk-based, whereas compliance systems (often SOx solutions) will be control-based. This means that attempts to implement a common IT infrastructure for risk and compliance usually favour one approach to the detriment of users who want to take the opposite one. Ci3’s SWORD is, perhaps, unique in that it allows users to view data from either perspective, and we are in the process of adding a Control Register to the existing Risk Register. This means that an organisation can implement a single solution for risk and compliance but still allow risk and compliance professionals to manage their responsibilities in the way that works best for them.
Mike MacDonagh