If the directors of publicly quoted companies can apparently dispense with the services of those charged with risk management at the drop of a hat, what is the point of having sophisticated Governance, Risk Management and Compliance systems? Gary Simon, FSN’s managing editor, considers the relevance of GRC in a world seemingly bent on breaking the rules.
Auditors know that family-owned businesses, where the directors are also major shareholders, can represent a significant risk to business control. Effectively, if the key decision makers in a business also own the enterprise, then there is always a chance that they will overstep the mark – either wittingly or unwittingly.
But publicly listed companies are supposed to be different. Highly paid non-executive directors, compliance functions, audit committees, internal auditors and big four external auditors are just some of the measures that should be in place to curb management excesses. Added to which, external regulation and supervision in regulated industries are supposed to provide an additional layer of comfort for the pension funds and individual investors that place their faith in good governance to protect their interests and ensure that companies are in good order.
Whether government, regulators, institutions charged with supervision or individual companies are to blame for the meltdown in the banking system is a debate that will run and run. But one thing is clear: any notion of good governance in this sector, and possibly others (think Satyam), is in tatters.
Central to the argument at the moment is the role of the compliance officer. HBOS and the dismissal of Paul Moore, its compliance officer, has taken centre stage, with the public waiting anxiously to hear what was said and reported in the period leading up to his dismissal. But, if true, the allegations reported in the national press and the apparent ease with which the whistleblower’s concerns were disregarded would seem to point to fundamental flaws in our systems of governance.
The life of a compliance officer or his ‘close cousin’, the internal auditor, can be lonely. Enforcing compliance on the inside, for rules dreamt up by regulators on the outside, can make the role of the compliance officer particularly unenviable. Unfortunately, compliance gets in the way of business. For example, a salesman selling an expensive car doesn’t really want to carry out an anti-money laundering check, and someone flagging up risk when you are trying to write new business, make new loans, complete a complex financial derivative transaction or simply underwrite an insurance policy is especially unwelcome. Compliance officers sitting within a company can quickly become isolated, regarded as an internal policeman holding back business development.
Norman Marks, vice president of SAP’s GRC business unit, has an interesting perspective on the challenges of corporate governance. Marks used to be head of internal GRC functions at Business Objects before SAP acquired the business and he moved to the GRC solutions team. As a gamekeeper turned poacher, he has a unique perspective.
He told FSN, “I agree 100% that the role of the compliance officer (or risk officer or internal auditor) can be lonely. They may be perceived as barriers to bringing home the deals and achieving compensation-relevant targets. However, the right belief structure and messaging (made real through their actions) from the board on down through executive management can mitigate the situation. The compliance officer himself has to take on some of the burden, demonstrating through both words and actions that he is not a policeman but exists to protect both the organisation and the employee.”
The range and depth of compliance requirements in a multinational organisation (private or public sector) can be truly mind-boggling, and in the post-Enron period, characterised by Sarbanes-Oxley, a new compliance industry built around best-practice governance, risk management and compliance processes and systems has mushroomed.
Typically, these systems solutions draw together various compliance strands, such as checklists and specialised software around reconciliations, approvals, workflow and group reporting, and present them in management dashboards that allow those charged with compliance to view outstanding tasks, look at percent completion and so forth. Such technical wizardry is helpful because it allows a joined-up approach to compliance, pulling different elements together and allowing management to take a holistic view of compliance readiness.
“Providing transparency during a chaotic close period via an integrated suite of financial Governance, Risk and Compliance (GRC) software solutions is vital to ensuring that an organisation’s Corporate Reporting is accurate and compliant with regulatory standards. Dashboards or portals provide the Office of the CFO visibility to verify that the right controls have been executed by the right people at the right time throughout the delivery process.” – Tony Bethell, VP EMEA for Trintech
But for some there is the risk that automated processes encourage an unthinking approach to compliance, where undue emphasis is placed on ticking the box to make the issue go away rather than using professional judgement to assess whether the spirit of compliance has been adhered to. If recent events are anything to go by, then the risk of management override – effectively ignoring compliance – is a much more serious threat to good governance.
SAP’s Marks disagrees that GRC applications lead to a box-ticking mindset. “I disagree with the assumption that compliance is all about ‘ticking the box’ and completing ‘checklists’. It is not. Those who acquire and blindly follow ‘best practices’ and ‘compliance checklists’ are unlikely to be effective,” he said.
“Best practice is to take a top-down and risk-based approach to compliance: understand the organization’s compliance requirements; determine risks to their achievement; ensure processes and practices are sufficient to the task (and if not, identify, assign, and monitor corrective actions); and monitor compliance effectiveness,” added Marks.
However, Marks concedes that rigid compliance needs to be supported by a healthy dose of judgement. “As a colleague recently told me and others in the course of a discussion about the apparent recent failure of risk management practices, however good your process you need to add an application of good judgment,” he told FSN.
It would of course be unfair to tar the whole of the financial services industry with the same brush, and the problem may turn out to be confined to a few errant directors. But the early indications are not good, and there is a sense that there is more than one rotten apple in the barrel.
So what now for compliance systems? Well, not everyone agrees that governance is broken.
“It is not clear that governance is broken,” says Marks. “Certainly, I think it is healthy to discuss all the various elements including both director and executive appointment and compensation; whether there are conflicts of interest affecting executive compensation, such as when the consultant advising the compensation committee also provides services to management; the compensation structure and incentives for other key figures, such as those selling the goods and services of the business; the reporting relationships of internal audit, risk, and compliance; the effectiveness of risk management practices; the quality of the information provided to the board; and, the effectiveness of the GRC applications that provide support,” he adds.
But others argue that GRC is under threat. IBM’s Laurence Trigwell told FSN, “What's clear is that there are a number of simultaneous governance and compliance challenges emerging right now, and not all are solved by technology. In essence, of course, senior management are under enormous pressure to demonstrate rigorous and robust governance without necessarily having the control and command systems in place. Arguably that might have something to do with the 'prudential' approach regulators and financial services businesses have negotiated. Equally, I don't believe that a heavily prescriptive approach would work any better either.”
Nevertheless, adequate processes around GRC appear to be a long way off. Trigwell believes senior management have access to plenty of information, but it is often manually created specifically for them, with the result that senior management have little confidence in the numbers or how they were created, and limited understanding of the drivers beneath. “Manual creation of information creates overhead, making it expensive to provide the same and more detailed business insight to lower levels of management, leaving senior management powerless to ask too many what/why/how/when/where questions. Demonstrating increased governance and control seems hard to do cost effectively. Without robust, automated mechanisms to align business objectives with regulatory principles and measures at a more granular and robust level, governance rigour seems a long way off,” adds Trigwell.
But if not broken, then governance appears fatally wounded – not least in the eyes of the public. Anger with executive compensation and advisor independence, to name just two elements of governance, has reverberated around the world. Certain banks will undoubtedly be able to point to good systems of compliance, but until governance is brought to heel and shareholders are protected from management excesses, some will wonder whether “compliance” is worth the paper it’s written on.