The urge to converge

Convergence is a clear goal for many in the industry, but uniform implementation is proving tricky, finds the latest survey from OpRisk & Compliance and Ernst & Young

intell-a-jpg

The risk and compliance industry is practically unanimous – 91.3% of respondents to the most recent OpRisk & Compliance Intelligence survey say they believe it is important for their own firm to converge or better co-ordinate risk and control activities.

However, results from the new survey, sponsored by consulting firm Ernst & Young, show that executives are struggling with the implementation of this improved convergence because of existing silos of activity and of budgets.

Chris Richardson, a consultant in the risk advisory services group at Ernst & Young in New York, says the need for convergence now does not mean risk and compliance programmes were poorly implemented to begin with. "It is more a question of timing," he says. "I think the volume of regulation has slowed down slightly over the past six to 12 months, and consequently people have been able to sit back a little bit and see what they have ended up with."

Richardson says the people in the industry he is speaking with are also moving beyond just trying to bring together their Sarbanes-Oxley and operational risk programmes – integrating the risk control self assessments of these two initiatives was at the forefront of the convergence trend. In fact, Richardson says his consultants have gone into firms where there has been a range of between 20 and 50 different risk control self assessment programmes operating simultaneously.

"People are taking a bigger step back now, and saying it's not actually just operational risk and Sarbanes-Oxley where there is maybe some duplication of effort or overlap in the framework," says Richardson. "It's broader than that, maybe we need to converge some of these risk management activities to become better providers of quality risk information, and at the same time become more efficient where we can."

Indeed, some 50% of respondents to the survey indicated that one of the main challenges their organisation is facing within its risk management and regulatory compliance programme is "growing risk management process fatigue, expending significant time and cost to comply with risk requirements". And 52.2% say the "desire to properly align risk metrics", including definitions, measurements and reporting, is a challenge within their firm.

However, financial considerations are also driving the need to slim and focus risk and compliance initiatives. Nearly 57% cited the "increasing need to drive hard business benefits from the significant investment in regulatory projects" as a challenge facing their firm. Meanwhile, nearly 56% said the increasing costs of systems, processes, and staff to manage and report risk was a challenge for their firms.

But whatever the reason, convergence seems to be in the air at the moment. "There seems to be a drive to get people to collaborate a little bit more across the traditional risk and control silos, so we are seeing in a number of institutions a desire to bring compliance, operational risk, Sox, audit, and information security people into a room together and actually be very open about how they do things, where they are doing it, and trying to identify the overlap," says Richardson. "There seems to be a spirit of this in the industry."

But actually implementing a convergence programme is not easy. Almost 40% say the absence of executive sponsorship makes implementing a convergence programme a "challenge" or "very challenging". Indeed, nearly 28% said a convergence programme in their organisation is likely to be sponsored by the chief risk officer – who while a part of the senior management team, isn't able to give the broad mandate a chief executive officer or the board of directors can give. The survey showed that some 16% of firms would have the CEO as the sponsor, while another 16% would have the board of directors as the sponsor.

Connected to this is the fact that nearly 60% said the need for joint development and buy-in from all affected lines of business was a challenge or very challenging at their firm. Without the "tone from the top", firmwide programmes such as convergence are much more difficult to implement.

Communication is also a problem, with some 51.1% saying there is a need for improved communication and clear messages about their firm's convergence programme. Other key problems include the lack of flexibility in organisations and their resistance to change. "When you look at the survey, people are saying it's difficult to communicate a clear message to internal sponsors and stakeholders," says Richardson. "I think part of the problem is that only part of the solution is being communicated at any one time. People haven't taken that big step back and tried to embrace the true principle and the opportunity. There is too much ownership of the current process. People are reluctant or fearful of what might happen to their world, and without the sponsorship from the top it makes it difficult to convince everyone that this is a beneficial play for them."

Respondents certainly see the potential benefit of a convergence programme. Some 73.6% say they believe that an improved quality of risk information will be one positive outcome of a successfully implemented risk convergence programme. And nearly 62% say they would expect to see a more comprehensive, enterprise-wide view once a convergence programme is in place.

But many firms are not very far along in implementing their convergence programmes. At nearly one-quarter of firms, only ad-hoc discussions have taken place. However, nearly 16% of firms were able to report that work on a convergence programme is taking place firm-wide, while at 13.3% of firms, work is in progress within specific areas.

Richardson says that in some cases it might make sense to use existing business process improvement frameworks to drive forward the convergence programme. "In operational risk, six sigma is a phrase that is being bandied about at the moment. I don't think it is too big of a stretch to consider that there are some techniques within Lean or Six Sigma or something like that, which can help an institution gather some factual information – some kind of measure around a risk process and a common hierarchy of risk measures that brings it all together and enables you to articulate a benefit in the long term."

Incorporating a risk convergence philosophy into an organisation clearly continues to be a challenge, but it's clear that firms are buying into the value that such a programme could create.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

Most read articles loading...

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here