Time to merge risk management and compliance?

April 5, 2012

By Rachel Wolcott

LONDON/NEW YORK, April 5 (Thomson Reuters Accelus) – Regulators’ rising interest in risk management combined with a long trail of big fines for compliance failures has some consultants and industry leaders wondering whether it is time for the two disciplines to come closer together if not merge completely.

More than ever there are areas of overlap between risk and compliance. Risk management has been hardwired into more rules and regulations since the beginning of the financial crisis. In the UK, for example, the Financial Services Authority (FSA) has increased its fines for risk management failures. The U.S. Securities and Exchange Commission (SEC) has also indicated that it intends to take risk management, as well as other governance and compliance issues, even more seriously than in the past.

Rodney Nelsestuen, senior research director at the CEB TowerGroup, told Thomson Reuters: “What’s changed, with Solvency II and Basel III and those types of rule changes since the crisis, is we’ve gone from being a backward-looking regulatory environment to saying we need more capital, better liquidity. The regulators are redefining all these things. So risk has been built into the regulation at a much stronger level than it ever was.”

Equally, non-compliance with the host of new regulations covering all aspects of financial services has become a serious risk for firms. The price of getting compliance wrong is rising, as recent headline-grabbing fines in both the United States and the UK have demonstrated. Firms will surely want to avoid fines such as those handed to the likes of Coutts, Credit Suisse, and Greenlight Capital.

One way to manage that is to treat compliance issues as a risk category just like credit or market risk, for example. Chief risk officers need to understand the risk of non-compliance and assess their firms’ performance in compliance as part of the bigger risk management picture.

Nelsestuen said: “The bottom line for me is it is time to start bringing risk and compliance closer together. What I’ve seen is non-compliance is in itself a risk. Risk managers are trying to understand compliance issues not because they want to run compliance, but they want to understand what risks they’re taking. If you look at Credit Suisse which had a $500 million fine for AML infractions and HSBC … non-compliance is a huge risk.”

Credit Suisse in 2009 agreed to pay $536 million for failing to comply with U.S. laws, including Iran sanctions violations, as part of a deferred prosecution agreement with the U.S. Justice Department. U.S. law enforcement officials have been investigating HSBC’s money laundering controls in a widening probe, and there is speculation it could face a large fine, although the probe is not complete.

Governance, risk and compliance (GRC) is a concept that has been around for a while. The term GRC suggests a certain amount of joined up thinking and cross pollination between the three disciplines. The reality however is that the term really only covers one of those disciplines: compliance.

Paul Saunders, at Sapient Global Markets, told Thomson Reuters: “GRC is a concept in the market, but I’m not sure everyone’s using it yet. It is looking at how those three factors should come together and maximise the impact and the surface area that those types of functions have on a business as a whole. As opposed to having duplication across the functions, there’s a greater impact on the business by coordination and collaboration.”

How many firms are taking the bold step of bringing together risk management and compliance, or going further to implement a formal GRC strategy, is difficult to quantify. Whether risk departments and compliance departments are even communicating with each other is equally hard to gauge. But at a recent conference, TSAM Europe 2012, a panel of five risk managers offered their views on merging risk and compliance.

Himanshu Patel, head of investment risk at Northern Trust Global Investments, reported that his firm had moved compliance to be part of the risk function. Northern Trust took that step roughly a year ago, because it believed compliance has a lot to do with risk. “The decision was to have cross-training between people on the team. Regulatory compliance is more than ticking a box. It’s also an advisory function,” he said.

Northern Trust held the minority view on the panel. Other speakers argued that risk management was too fundamentally different a discipline to merge with compliance.

Romain Berry, head of cross-product margining for EMEA and APAC at Citigroup, told the TSAM conference: “When I was EMEA Co-Head of Performance and Risk Measurement at JPMorgan, we briefly explored the possibility in late 2009 to merge my team with our Compliance Reporting Services team on a global scale – mainly to match upcoming UCITS IV regulations and potentially to save cost. But we quickly came to the conclusion that both teams were using separate systems that could not be integrated and staff had quite different skill sets that could negatively impact on the quality of our services to clients. I personally did not believe we could successfully run in the long term a team of ‘hybrid’ analysts who would possess expertise in both fields, for risk measurement and management have become a much more quantitative space over the last 10-15 years. We also considered outsourcing some basic operational processes (like data collection and filtering or report generation) to India. But the difficulty of managing a high turnover of team members in India as its economy continued to blossom, and concerns about losing control over inputs into our models, could not justify in our minds a cheaper operating cost.”

When talking about risk management, consultants and practitioners often refer to the three lines of defence. Briefly, these lines are:

  • on the front-line business taking responsibility for risk management and internal controls;
  • the risk management and compliance functions; and
  • internal audit.

There is often a blurring of the lines as to how the different functions that make up the three lines of defence operate within a firm. Some firms might prefer to keep the functions separate, because they want risk management to be more strategic. In addition, the compliance function might require different resource and technical knowledge that is better managed separately.

Moreover, different kinds of financial services firms — fund managers, retail banks, insurers and investment banks — use the risk management approaches that best suit their business type and function. Where appropriate, however, firms should at least be considering whether a risk and compliance merger could benefit them.

Saunders said: “There isn’t one purist view. But [whether to merge risk and compliance] is a debate that should be had. In the past, the compliance department was focussed solely on making sure regulation was monitored and tracked and the impact was understood in the organisation and it then adapted and remained compliant. Now more regulation is biting on how an organisation risk manages and is trying to bring more transparency. That transparency piece should drive a need for organisations to look a bit more acutely across what are essentially control domains.”

Should risk management and compliance be joined up? The answer is absolutely yes, according to Ian Peters, chief executive of the Chartered Institute of Internal Auditors.

Peters told Thomson Reuters: “In terms of the relationship between the two, I would see compliance as being an aspect of risk management. Certainly they should be joined up to be able to understand each other. There’s a certain logic to having them managed within the same division, but it depends on the organisation. The critical thing is that they are talking to each other and understanding each other. Often in an organisation it may be appropriate for them to be together. Certainly they are two aspects of the second line of defence; I see no problem in them being together and I can see potential benefits. But each organisation needs to make its own decisions.”

Peters, however, emphasised the need for the internal audit function to remain separate and maintain its independence. “What you don’t want to do is merge together your three lines of defence, which is less effective; then you just have one line of defence,” he said.

(Note: an earlier version of this story had the following quote from Berry, which did not make clear that this issue was considered while he was working for JPMorgan: “We did consider merging the teams and were considering outsourcing the teams to India. We did realize though that compliance and risk are different functions. We thought it would be difficult to merge two different skill sets.”)

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete (http://accelus.thomsonreuters.com/solutions/regulatory-intelligence/compliance-complete/) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.)