The interconnectedness of all things: Taking a holistic approach to Governance, Risk & Compliance
The regulatory environment, and consequently the role of compliance, has changed significantly in recent years. There has always been significant overlap between regulatory compliance and risk management; the Compliance function’s fundamental purpose after all is to manage the firm’s regulatory risk. More recently we have seen how a firm’s governance, culture and subsequent organisational behaviour are core to how all risk is managed within the firm. In a post credit crisis world it should not be surprising therefore that an integrated approach to governance, risk and compliance (GRC) has been identified by both regulators and the industry alike as a potential route to the avoidance of past mistakes.
Compliance can, and should, take a much greater role in ensuring that both risk and governance systems are not only compliant with the regulatory requirements (e.g. the Corporate Governance Code), but are also as effective as possible within their firm. In this way the Compliance function can make a significant contribution to the firm’s performance, as the better a firm is run (governance) and manages risk, the more successful it will be. And despite what both regulators and sometimes even our own colleagues might seem to believe, we in the compliance profession work for commercial organisations, and we want them to be commercially successful.
‘Corporate Governance is the system by which a firm is directed and controlled.’ This is the definition of the UK’s Department of Business, Innovation and Skills (BIS). It is clear from this definition that corporate governance is simply a framework to assist senior management in running the business. Therefore I think you can clarify this definition still further: ‘Corporate Governance is the framework that allows the free and timely flow of appropriate and accurate information within the business enabling senior management to improve their decision making’. OK, I admit that this is slightly longer than the BIS definition, but I do think it makes the purpose of corporate governance much clearer.
Risk management is also a system. It is the process of identifying, and then managing, all of the risks that arise in the course of a firm’s business on an ongoing basis. What is often forgotten is that the objective of risk management is not only to mitigate risks that the firm does not want to take but has to, but also to identify and manage the risks that the firm does want to take in the course of achieving its commercial objectives.
It is only through taking risk that reward is obtained and that includes regulatory risk. By operating in a regulated market your firm is taking regulatory risk, and the better that regulatory risk is managed then the greater the potential rewards for your firm. Therefore the more effective the Compliance function can be in identifying and managing regulatory risk the more of a competitive advantage it can provide its firm over other firms operating in the same regulatory environment.
Compliance is, as already stated, effectively managing the firm’s regulatory risk. This is done through the design and application of specific systems and controls, based mainly around educational, advisory and assurance requirements. For example, by identifying and informing the business of an upcoming change to a regulated process (education), being part of the project team to identify, design and implement any changes to processes required (advisory), and subsequently checking that the new processes are in place and working effectively (assurance).
So whilst the individual requirements of Governance, Risk and Compliance can be stated in quite simple terms, in practice there is considerable overlap between the three and, more significantly, the application of each can and will enhance the effectiveness of the others. Therefore when designing, implementing or simply managing either an integrated GRC system, or one individual element of it, consideration must be given to the impacts of actions within one element upon the others.
Which brings us to the conclusion that all three of these key activities should be thought of not only as complementary, but as fundamentally interdependent and critical to the overall success of the business.