The urge to converge
Convergence is a clear goal for many in the industry, but uniform implementation is proving tricky, finds the latest survey from OpRisk & Compliance and Ernst & Young
The risk and compliance industry is practically unanimous – 91.3% of respondents to the most recent OpRisk & Compliance Intelligence survey say they believe it is important for their own firm to converge or better co-ordinate risk and control activities.
However, results from the new survey, sponsored by consulting firm Ernst & Young, show that executives are struggling with the implementation of this improved convergence because of existing silos of activity and of budgets.
Chris Richardson, a consultant in the risk advisory services group at Ernst & Young in New York, says the need for convergence now does not mean risk and compliance programmes were poorly implemented to begin with. "It is more a question of timing," he says. "I think the volume of regulation has slowed down slightly over the past six to 12 months, and consequently people have been able to sit back a little bit and see what they have ended up with."
Richardson says the people in the industry he is speaking with are also moving beyond just trying to bring together their Sarbanes-Oxley and operational risk programmes – integrating the risk control self assessments of these two initiatives was at the forefront of the convergence trend. In fact, Richardson says his consultants have gone into firms where there has been a range of between 20 and 50 different risk control self assessment programmes operating simultaneously.
"People are taking a bigger step back now, and saying it's not actually just operational risk and Sarbanes-Oxley where there is maybe some duplication of effort or overlap in the framework," says Richardson. "It's broader than that, maybe we need to converge some of these risk management activities to become better providers of quality risk information, and at the same time become more efficient where we can."
Indeed, some 50% of respondents to the survey indicated that one of the main challenges their organisation is facing within its risk management and regulatory compliance programme is "growing risk management process fatigue, expending significant time and cost to comply with risk requirements". And 52.2% say the "desire to properly align risk metrics", including definitions, measurements and reporting, is a challenge within their firm.
However, financial considerations are also driving the need to slim and focus risk and compliance initiatives. Nearly 57% cited the "increasing need to drive hard business benefits from the significant investment in regulatory projects" as a challenge facing their firm. Meanwhile, nearly 56% said the increasing costs of systems, processes, and staff to manage and report risk was a challenge for their firms.
But whatever the reason, convergence seems to be in the air at the moment. "There seems to be a drive to get people to collaborate a little bit more across the traditional risk and control silos, so we are seeing in a number of institutions a desire to bring compliance, operational risk, Sox, audit, and information security people into a room together and actually be very open about how they do things, where they are doing it, and trying to identify the overlap," says Richardson. "There seems to be a spirit of this in the industry."
But actually implementing a convergence programme is not easy. Almost 40% say the absence of executive sponsorship makes implementing a convergence programme a "challenge" or "very challenging". Indeed, nearly 28% said a convergence programme in their organisation is likely to be sponsored by the chief risk officer – who while a part of the senior management team, isn't able to give the broad mandate a chief executive officer or the board of directors can give. The survey showed that some 16% of firms would have the CEO as the sponsor, while another 16% would have the board of directors as the sponsor.
Connected to this is the fact that nearly 60% said the need for joint development and buy-in from all affected lines of business was a challenge or very challenging at their firm. Without the "tone from the top", firmwide programmes such as convergence are much more difficult to implement.
Communication is also a problem, with some 51.1% saying there is a need for improved communication and clear messages about their firm's convergence programme. Other key problems include the lack of flexibility in organisations and their resistance to change. "When you look at the survey, people are saying it's difficult to communicate a clear message to internal sponsors and stakeholders," says Richardson. "I think part of the problem is that only part of the solution is being communicated at any one time. People haven't taken that big step back and tried to embrace the true principle and the opportunity. There is too much ownership of the current process. People are reluctant or fearful of what might happen to their world, and without the sponsorship from the top it makes it difficult to convince everyone that this is a beneficial play for them."
Respondents certainly see the potential benefit of a convergence programme. Some 73.6% say they believe that an improved quality of risk information will be one positive outcome of a successfully implemented risk convergence programme. And nearly 62% say they would expect to see a more comprehensive, enterprise-wide view once a convergence programme is in place.
But many firms are not very far along in implementing their convergence programmes. At nearly one-quarter of firms, only ad-hoc discussions have taken place. However, nearly 16% of firms were able to report that work on a convergence programme is taking place firm-wide, while at 13.3% of firms, work is in progress within specific areas.
Richardson says that in some cases it might make sense to use existing business process improvement frameworks to drive forward the convergence programme. "In operational risk, six sigma is a phrase that is being bandied about at the moment. I don't think it is too big of a stretch to consider that there are some techniques within Lean or Six Sigma or something like that, which can help an institution gather some factual information – some kind of measure around a risk process and a common hierarchy of risk measures that brings it all together and enables you to articulate a benefit in the long term."
Incorporating a risk convergence philosophy into an organisation clearly continues to be a challenge, but it's clear that firms are buying into the value that such a programme could create.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@risk.net
More on Operational risk
Integrated GRC solutions 2024: market update and vendor landscape
In the face of persistent digitisation challenges and the attendant transformation in business practices, many firms have been struggling to maintain governance and business continuity
Vendor spotlight: Dixtior AML transaction monitoring solutions
The Chartis Research report, AML transaction monitoring solutions, considers how, by working together, financial institutions, vendors and regulators can create more effective anti-money laundering (AML) systems.
Financial crime and compliance50 2024
The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector
Automating regulatory compliance and reporting
Flaws in the regulation of the banking sector have been addressed initially by Basel III, implemented last year. Financial institutions can comply with capital and liquidity requirements in a natively integrated yet modular environment by utilising…
Investment banks: the future of risk control
This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control
Op risk outlook 2022: the legal perspective
Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…
Emerging trends in op risk
Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…
Moving targets: the new rules of conduct risk
How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…