Posts Tagged ‘financial services’

IT Governance, also a matter of approach

Monday, March 17th, 2008

Shortly after writing today’s blog on the different approaches to the management of risk and of compliance (http://www.ci3.ie/blog/?p=7), I happened to visit Michael Rasmussen’s latest GRC.Pundit blog. IT Governance also falls very much into the control-based category, and IT standards such as COBIT and ISO17799/27001 all take a controls-based approach. I suspect that the difference between the approaches for IT Governance and Compliance is that compliance controls tend to reference regulations, as enshrined in policies, whereas IT governance controls tend to reference processes. In an Enterprise Risk Governance environment, both should also be described and quantified (if only in a qualitative manner) in terms of the underlying risk(s) they are controlling.

Mike MacDonagh

Risk Convergence, it’s a matter of approach

Monday, March 17th, 2008

Risk Convergence, the coming together of Operational Risk Management and Compliance, is real, at least from an organisational perspective. Some Financial Services Organisations are bringing their Compliance department under Risk; some are simply putting people with risk management experience in charge of compliance. This is driven both by regulatory pressures requiring them to take a more risk-based approach to compliance and by the need for efficiency, in the hope that duplicated activities and systems may be avoided.

The organisational challenges of Risk Convergence should not be underestimated. Compliance departments (and individuals) are often criticised for being pedantic, rules-driven and technology averse but these are admirable qualities in their particular sphere and the attention to detail, and sheer doggedness shown by many compliance officers could be seen as characteristics that many risk officers could do with more of.

One way to help with organisational challenges is to implement a common IT infrastructure to support both functions but there is a fundamental problem here, that is born of the different ways in which risk and compliance are managed in businesses. As you would expect, Risk departments take a risk-based approach, identifying risks to achieving business objectives within their activities and processes, assessing those risks and then developing and managing mitigation strategies for them. Compliance however is much more likely to be control-based. A set of regulatory outcomes is defined, often in policy documents, controls are identified and a rolling programme of assessment, monitoring and reporting created. In one case (risk), the fundamental element is a Risk Register, underpinning a risk framework, while in the other (compliance), it is a Control Register. Similarly, reporting tends to reflect the risk- or control-based approach.

Depending on their provenance, IT solutions tend to take one approach or the other. So, Operational Risk systems will be risk-based, whereas compliance systems (often SOx solutions) will be control-based. This means that attempts to implement a common IT infrastructure for risk and compliance usually favour one approach to the detriment of users who want to take the opposite one. Ci3’s SWORD is, perhaps, unique in that it allows users to view data from either perspective, and we are in the process of adding a Control Register to the existing Risk Register. This means that an organisation can implement a single solution for risk and compliance but still allow risk and compliance professionals to manage their responsibilities in the way that works best for them.

Mike MacDonagh

Enterprise Risk Governance

Sunday, March 16th, 2008

In most analysis, Enterprise Risk Management has focused on creating risk frameworks based on an organisation’s business strategy and then managing the risks within the business, reporting the results back up the hierarchy to senior management. The value that ERM provides to a business is assumed but has proven hard to measure or demonstrate directly.

Governance, on the other hand, is predicated on the ability of senior management not just to set and monitor business strategy but to continuously update it in response to internal and external events.

Enterprise Risk Governance takes the steering concept of Governance and applies it to Enterprise Risk Management. Management at relevant levels of the organisation can update risk appetites in line with changing business and regulatory pressures, driving and monitoring changes in risk management and mitigation further down the hierarchy. In the case of Enterprise Risk Governance, the value is more immediately apparent to senior management, directly improving their ability to manage change and dramatically increasing business agility, even in large organisations.

Mike MacDonagh