Governance, Risk and Compliance (GRC) is a multibillion-dollar industry worldwide and signs are that it’s growing. A 2009 AMR Research Inc. study found that US companies were expected to spend $29.8 billion on GRC across software ($9.2bn), external services ($6.6bn) and internal efforts ($14.0bn). Risk management followed by regulatory compliance was sighted as the key driver for the expenditure. Despite the significant level of investment, apart from pockets of excellence, few financial services firms seem to have benefited significantly. More than five years after the financial crisis, spurred by a massive failure in risk management, it appears that lessons have not been learnt. In a 2012 study, the Chartered Institute of Internal Auditors (CIIA) found that 60% of fines levies by FSA in 2011 were down to weaknesses in risk management systems. A significant transformation is needed in the way organisations assess and manager risks. They need to realise for themselves that risk management matters, and not let regulators dictate the risk agenda. On a positive front however, there is growing evidence that firms see effective risk management as a means to enhanced reputation, greater competitiveness and market share. RIsk management and strong ethical behaviour is key to winning over consumer confidence in the financial services sector. This does however mean that risk management organisations need to reassess and realign strategies, processes and infrastructure to deliver value at reduce costs, thereby enhancing return on investment. As a start to the debate, and by way of examples, this paper explores five strategies that will help organisations gain more commercial value from their risk management efforts (across all lines of defence), whilst improving process efficiencies and reducing costs.

1.
Achieving
Risk
Mastery
5
Key
Strategies
to
an
efficient,
cost
effective
and
value
adding
Risk
Function
BUSINESS & RISK CONSULTING

2. Contents
Risk
Management
in
the
Spotlight
`
3
Risk
&
Compliance
Functions
Under
Increasing
Pressure
4
10
Questions
Boards
should
be
asking
themselves
5
Risk
Mastery
-­‐
Key
Strategies
for
Risk
Transformation
6
7
8
10
11
12
13
1.
2.
3.
4.
5.
2
Realigning
to
the
New
Normal
Reducing
Costs
Enhancing
Operational
Efficiencies
Enhancing
value
added
by
the
Risk
Function
Taming
the
Regulatory
Tsunami
–
Proactive
Compliance
What
are
the
Next
Steps

3. 2
1
Risk
Management
in
the
Spotlight
A
need
for
transformation
Risk
&
Regulatory
Management
in
the
Despite
the
significant
level
of
investment,
apart
from
Spotlight
pockets
of
excellence,
few
financial
services
firms
seem
to
have
benefited
significantly.
In
a
2012
study,
the
Chartered
Governance,
Risk
and
Compliance
(GRC)
is
a
multibillion-­‐
Institute
of
Internal
Auditors
(CIIA)
found
that
60%
of
fines
dollar
industry
worldwide
and
signs
are
that
it’s
growing.
levies
by
FSA
in
2011
were
down
to
weaknesses
in
risk
A
2009
AMR
Research
Inc.
study
found
that
US
companies
management
systems.
were
expected
to
spend
$29.8
billion
on
GRC
across
software
($9.2bn),
external
services
($6.6bn)
and
internal
efforts
($14.0bn).
Risk
management
followed
by
regulatory
compliance
was
sighted
as
the
key
driver
for
the
expenditure.
“It
takes
20
years
to
build
a
reputation
and
5
minutes
to
ruin
it
and
if
you
understand
this
you
will
do
things
differently”
Warren
Buffet
Europe
would
be
expending
around
the
same
level
investment
to
deal
with
risks
and
meet
regulatory
requirements.
Indeed,
just
for
Solvency
II
alone,
the
Financial
Services
Authority
estimated
that
UK
insurers
would
be
spending
£3bn
on
implementation
alone,
over
and
above
ongoing
costs
of
between
£200
million
and
£400million
annually.
3
In
light
of
the
current
economic
environment,
Boards
are
putting
significant
pressure
on
risk
managers
to
show
measurable
return
on
investment.
No
longer
can
risk
functions
justify
their
existence
by
simply
preventing
losses
and
”keeping
regulators
at
bay”.
On
a
positive
front,
there
is
growing
evidence
that
firms
see
effective
risk
management
as
a
means
to
enhanced
reputation,
greater
competitiveness
and
market
share.
This
does
however
mean
that
risk
management
organisations
need
to
reassess
and
realign
strategies,
processes
and
infrastructure
to
deliver
value
at
reduce
costs,
thereby
enhancing
return
on
investment.

4. The
Risk
and
Compliance
Functions
are
under
Risk
&
Compliance
Functions
Under
Increasing
Pressure
4.
Coping
with
Regulatory
Tsunami.
In
significant
pressure
from
various
stakeholders,
response
to
the
financial
crisis,
the
volume
of
including
the
Board,
Business
Unit
Customers,
regulation
and
regulatory
guidance
(including
Insurer’s
Customers
and
Regulators:
speeches
and
announcements)
has
increased
1.
exponentially.
Firms
are
finding
it
s
great
Transforming
to
the
changing
risk
and
challenge
just
to
keep
on
top
of
regulatory
regulatory
landscape.
Financial
services
firms
developments,
let
alone
ensure
compliance
are
having
to
deal
with
the
“new
normal”;
new
emerging
risks,
new
scenarios
previously
5.
Awakening
to
the
implication
of
more
considered
implausible
(including
sovereign
Senior
management
and
regulators
demand
UK,
for
example
the
creation
of
PRA
and
FCA)
greater
level
of
reporting
to
enhance
and
regulation.
The
Risk
&
Compliance
transparency
in
the
hope
that
any
impending
Function
also
has
a
role
to
play
in
winning
over
danger
is
highlighted
early
and
mitigation
customer
confidence
in
financial
services
firms.
2.
frequent
and
resource
intensive
reporting.
failure),
and
a
constantly
evolving
regulator
(in
actions
taken
before
risks
materialize.
Solvency
Pressure
to
add
more
value.
Risk
and
Compliance
Functions
are
under
significant
pressure
to
enhance
return
on
investments,
and
adding
demonstrable
value
to
overall
business
performance
–
or
optimizing
Risk/Return
to
enhance
balance
sheet
performance.
No
longer
is
the
Board
and
the
business
content
with
the
Risk
Function
II
for
example
requires
an
annual
Solvency
and
Financial
Condition
Report
(SFCR),
quarterly
Returns
to
Supervisors
(RTS),
and
Own
Risk
and
Solvency
Assessment
Reports
(internally
and
to
the
regulator),
and
specific
reports
on
an
ad-­‐
hoc
basis
following
a
material
event.
The
level
and
frequency
of
reporting
puts
added
pressure
on
the
Risk
&
Compliance
Function.
keeping
the
regulators
at
bay
and
preventing
down
side
risk
only.
3.
The
changing
economic
and
regulatory
landscape
coupled
with
the
internal
pressures
being
places
on
Lean
Risk
&
Compliance
Functions.
As
Risk
&
Compliance
Functions
reach
maturity,
performance
improvement
and
cost
containment
become
key
priorities,
whilst
ensuring
value
built
thus
far
is
not
diluted.
These
Functions
are
looking
for
new
ways
to
streamline
and
integrating
process,
leverage
automation,
embed
risk
management
into
business
process
and
explore
new
sourcing
4
options
to
leverage
economies
of
scale.
the
Risk
&
Compliance
Functions,
requires
them
to
transform
and
adapt
to
the
new
normal.
Transformation
will
follow
a
journey
of
continuous
improvement
as
these
Functions
evolve
into
a
critical
business
enhancing
functions
that
financial
services
firms
cannot
do
without.
.

5. 2
1
10
Questions
Boards
should
be
Asking
Themselves
1.
What
does
risk
management
mean
to
us
as
a
Board?
2.
6.
Are
we
as
a
Board
and
collectively
as
a
company
effective
in
identifying,
What
are
my
key
risks?
How
can
I
be
assured
that
there
are
no
unknown
or
ignored
risks
lurking
in
my
organization?
measuring
and
managing
risks?
3.
7.
Are
we
taking
the
right
amount
of
risks?
Do
we
know
what
value
we
get
out
of
our
risk
management
organisation?
8.
Are
people
in
our
organization
risk
aware?
Do
we
encourage
the
right
risk
What
value
should
we
be
getting
and
how
does
it
compare
with
our
peers?
4.
Is
my
Risk
Function
effective
in
helping
us
stay
on
top
of
risks?
5.
What
is
my
total
cost
of
risk?
What
is
the
optimal
cost
of
risk
as
a
percentage
of
gross
revenue?
Where
do
we
stack
up
against
our
competitors?
5
taking
behaviours?
9.
Is
risk
management
integrated
naturally
into
our
business
or
is
the
framework
divorced
from
how
risks
are
actually
dealt
with
at
the
cold
face
10. Are
we
receiving
the
right
risk
information
in
a
timely
fashion?

6. Risk
Mastery
Key
Strategies
for
Risk
Transformation
Achieving
Risk
and
Compliance
mastery
has
to
be
the
To
improve
return
on
investment
in
risk
and
compliance
5
Key
Strategies
are
explored
to
enhance
value,
improve
prime
goal
for
orgnaisations
that
want
demonstrable
initiatives
require:
process
efficiency
and
reduce
costs:
commercial
value
from
their
Risk
and
Compliance
Functions,
at
reduced
cost
and
with
enhanced
process
•
•
•
capital;
and
and
impending
events
that
could
dilute
risk
reputational
value;
•
An
aggregate
risk
view
highlighting
specific
areas
where
greater
risk
taking
could
maximize
upside
by
stopping
unnecessary
value
leak;
•
Controls
automatically
embedded
into
the
most
detailed
level
processes
greatly
minimizing
errors
leading
to
losses,
customer
redress
issues
or
regulatory
fines;
and
•
Regulatory
developments
are
automatically
tracked
and
mapped
processes
enables
quick
planning
and
execution
of
regulatory
change.
6
Adding
more
value
through
greater
risk
taking
and
thereby
enhancing
risk
adjusted
return
on
Anticipation
and
proactive
management
of
new
adjusted
return
on
capital,
profitability
and
1.
•
Reducing
the
total
cost
of
risk
management
by
reducing
unit
cost
of
the
Risk
and
Compliance
Function,
and
reducing
losses
incurred
from
known
and
unknown
risks.
Costs
and
process
efficiencies
are
easier
to
quantify
and
should
be
the
natural
starting
point,
exploiting
as
many
“low
hanging
fruits”
as
possible.
Value
generated
by
risk
and
compliance
is
sometimes
harder
to
quantify,
although
clear
examples
will
be
presented
in
this
paper.
Enhancing
value
is
often
a
medium
term
goal
achieved
over
time.
Realigning
to
the
new
normal
and
tighten
up
risk
management
same
cost
base;
efficiency.
For
organisations
achieving
risk
mastery,
the
benefits
could
be
significant.
Some
example
include:
Adding
more
value
or
achieving
more
with
the
2.
Reducing
costs
3.
Enhancing
process
efficiency
through
systems
integration
4.
Enhancing
value
added
by
the
Risk
Function
5.
Taming
the
Regulatory
Tsunami
–
proactive
compliance

7. 2
1
1.
Realigning
to
the
“New
Normal”
and
Tightening
Up
Risk
Management
Effort
Top
10
Risks
1.
Economic
Slowdown
/
Slow
Recovery
2.
Regulatory
/
Legislative
Change
3.
Increasing
Competition
4.
Damage
to
Reputation
/
Brand
5.
Failure
to
attract
and
retain
top
talent
6.
Failure
to
innovate
/
meet
customer
need
7.
Business
Interruptions
8.
Commodity
Price
Risk
9.
Cash
flow
/
Liquidity
Risk
10.
Political
Risks
/
Uncertainties
AON
Global
Risk
Management
Survey
2013
The
world
is
constantly
evolving
and
so
are
risks
and
opportunities
confronting
financial
services
orgnaisations.
Leading
ones
are
nimble,
can
foresee
and
understand
impact
of
new
emerging
risks
and
re-­‐aligning
to
ensure
that
priority
is
given
to
the
right
risks
and
blind
spots
/
unknown
risks
are
avoided.
If
successfully
achieved,
this
can
add
significant
value.
Enron,
Lehman,
BP,
Blackberry
and
Arthur
Andersons
are
only
a
few
example
of
how
undiscovered
or
un-­‐managed
risks
can
either
wipe
out
an
entire
organisation
(no
matter
its
size)
or
significantly
erode
market
value
(e.g.
Blackberry).
The
risk
landscape
is
changing.
Already
as
early
as
2007,
in
a
study
carried
out
by
the
Economist
Intelligence
Unit,
(involving
a
survey
of
200
major
orgnaisations)
participants
indicated
that
risks
related
to
human
capital,
reputation
and
regulatory
compliance
were
most
threatening,
while
traditional
quantifiable
risks,
such
as
financial
risk,
credit
risk
and
foreign
exchange
risk
as
least
threatening
3
Key
Strategies
to
Aligning
Risk
Management
1.
2.
In
AON’s
annual
Global
Risk
Management
Survey
2013,
(involving
more
than
1,400
respondents)
top
risks
included
economic
slowdown/slow
recovery,
regulatory
&
legislative
Change,
and
Damage
to
Reputation
and
Brand.
Counterparty
credit
risk
was
ranked
20th
and
Interest
rate
fluctuations
ranked
31st.
AON
felt
that
computer
crimes/viruses/malicious
hacking
(ranked
18th),
social
media
(ranked
40th)
and
pension
risk
funding
(ranked
47th)
were
potentially
underestimated
as
they
all
had
a
potential
for
significant
concern.
“When
you
change
the
way
you
look
at
things,
the
things
you
look
at
change”
Wayne
Dyer
Martin
Wheatley,
Head
of
Financial
Conduct
Authority
in
the
UK,
in
a
recent
speech
stated
that
they
would
be
focusing
on
Behavioural
Economics,
taking
consideration
of
the
human
element
of
risk
management
both
on
the
part
of
the
financial
services
firm
and
their
customers.
Without
the
realignment,
the
organisation
is
increasingly
exposed
to
new
and
unmanaged
threats,
while
the
opportunity
to
optimize
cost
of
well-­‐managed
risks
is
lost.
7
3.
Get
a
comprehensive
understanding
of
risks
Review
the
risk
universe
regularly
to
unearth
unmanaged
and
unknown
risks.
Using
this
same
exercise,
also
identify
risks
that
are
well
managed.
This
exercise
will
help
to
realign
resources,
present
areas
where
cost
savings
can
be
made,
and
highlight
areas
where
new
capabilities
need
to
be
developed.
In
practice,
successfully
executing
such
strategies
require
a
comprehensive
and
well
coordinated
approach
across
all
areas
and
levels
of
the
organisation,
supportive
information
technology,
an
embedded
risk
culture
and
cohesion
between
functions
(breaking
down
existing
silos).
New
Risks
require
New
Alliances
The
benefits
of
Risk
and
Finance
integration
are
well
known
and
much
activity
directed
at
driving
efficiencies
and
synergies
between
these
two
areas.
New
emerging
risks
around
people
and
reputation
require
new
collaborative
activity
between
the
Risk
and
Compliance
Function
and
Human
Resources
as
well
as
Corporate
Communications,
for
example.
Closer
link
with
the
Strategy
Department
is
also
paramount
given
the
strategic
nature
of
emerging
risks,
which
if
materialized,
could
shake
the
very
existence
of
the
organisation
regardless
of
size
/.
Regulatory
Engagement
UK
firms
need
to
develop
a
new
engagement
model
to
respond
to
the
“Twin
Peaks”
model
involving
the
Financial
Conduct
Authority
(FCA)
and
Prudential
Regulatory
Authority
(PRA).
A
proactive
and
active
engagement
model
will
help
build
the
regulator’s
trust
resulting
in
a
hopefully
less
intrusive
approach.
This
could
lower
regulatory
risk
management
costs
and
minimize
disruptions
caused
by
regulatory
interventions.

8. 2.
Reducing
Costs
What
does
risk
and
management
of
these
risks
cost
my
organization?
Often,
a
question
that
most
organisations
would
find
difficult
to
answer.
Measuring
this
cost
would
3
Key
Cost
Reduction
Strategies
1.
Reducing
losses.
This
is
a
key
responsibility
of
the
Risk
Function
help
to
assess
return
on
investment
and
support
efforts
to
anyway
and
TCOR
is
a
great
measure
of
its
introduce
cost
efficiencies.
How
is
cost
measured?
effectiveness.
Firms
will
need
to
get
a
good
handle
Expanding
on
AON’s
concept
of
Total
Cost
of
Risk
(TCOR),
on
pinpointing
areas
where
losses
have
occurred
and
costs
can
be
quantified
by
adding:
are
likely
to
occur.
regulatory
fines
for
compliance
breeches
can
be
minimized
by
embedding,
where
possible,
automated
are
insured
or
hedged
-­‐
reputational
risk
and
controls
deeply
within
processes.
This
could
for
opportunity
costs,
although
difficult,
would
be
example
be
achieved
through
a
behaviour
and
rules
worthwhile
quantifying
somehow
(even
if
based
technology
engine
through
which
process
estimated);
Business
Process
Outsourcing
Process,
systems
and
human
related
losses,
as
well
as
redress
for
example)
and
retained
risks
if
they
Knowledge
Centre
of
Excellence
Cost
of
loss,
including
regulatory
fines,
loss
caused
by
errors
(investment
loss
or
customer
•
High
Value
Support
would
need
to
pass.
If
rules
are
not
complied
with,
the
process
is
not
executed,
or
flags
up
an
approval
•
Risk
mitigation
costs
(hedging
costs
and
requirement.
Such
technology
is
in
existence
and
insurance
premiums)
•
worth
exploring.
Internal
costs
including
Risk
&
Compliance
staff
and
related
infrastructure
and
other
operational
2.
Reducing
Internal
Costs
costs
(this
would
include
costs
across
all
3
lines
The
obvious
choice
for
most
firms
is
to
reduce
of
defense)
headcount.
This
may
well
be
the
most
appropriate
In
practice,
data
limitations
and
lack
of
knowhow
and
skills
are
common
reasons
why
firms
fail
to
measure
cost
of
risk.
Significant
benefits
are
available
to
those
firms
who
are
able
to
surmount
this
challenge.
strategy,
however
if
executed
without
careful
planning,
it
could
potentially
dilute
some
of
the
value
that
a
Risk
and
Compliance
Function
would
have
built
up
within
their
organisation.
Innovative
sourcing
models,
if
implemented
effectively,
can
help
to
Although
it
may
sound
paradoxical,
reducing
cost
can
ensure
value
retention
(and
indeed
enhancement)
at
indeed
be
achieved
whilst
improving
process
efficiency
a
reduced
cost
base.
and
driving
higher
value.
Cost
reduction
is
often
a
catalyst
An
example
of
a
sourcing
model
could
involve
for
performance
improvement
and
efficiency
gains.
transfer
of
certain
Risk
and
Compliance
Function
8
personnel
into
a
third
party
service
provider.
The
deal
could
initially
guarantee
an
initial
level
of
cost
reduction
with
the
flexibility
to
flex
up
or
down.

9. To
ensure
value
is
maximized
and
operational
cost
managing
risks,
assessing
risks
of
entering
new
optimized,
we
believe
a
three-­‐tier
sourcing
model
is
markets
or
change
in
strategic
direction,
etc.
In
such
worth
exploring.
cases,
executives
want
to
ensure
that
they
get
support
from
people
who
have
relevant
practical
Business
Process
Outsourcing
as
the
base
experience,
having
actually
executed
such
projects
Routine
tasks
such
as
information
gathering,
collating
and
strategies,
rather
than
theory
based
consultants.
reporting
figures,
producing
reports
based
on
defined
templates,
are
good
examples
of
the
type
of
non-­‐core
3.
work
that
can
be
outsourced.
Reducing
cost
of
Insurance
Case
Study:
Individual
business
units
within
a
large
composite
insurer
were
allowed
to
determine
their
Knowledge
Centers
own
level
of
reinsurance
required
to
mitigate
risks.
For
more
complex
work,
knowledge
centers
staffed
The
results
on
a
group
wide
basis
was
that
these
with
skilled
personnel
can
be
utilized
effectively
and
businesses
reinsured
more
than
what
was
optimal
could
be
a
source
of
significant
cost
reduction.
from
a
risk/reward
perspective.
Their
negotiation
Examples
of
work
that
such
centers
could
deliver
reinsurance
transaction,
resulting
in
higher
prices
or
model
development,
model
validation,
data
reinsurance.
aggregation,
pricing,
product
development
support,
captive
reinsurer
and
all
Life
and
General
Insurance
High
Value
Support
reinsurance
had
to
be
placed
via
this
captive.
Governance,
risk
management
and
compliance
can
be
Results
–
On
an
aggregate
basis,
the
Group
could
a
complex
business.
Chief
Risk
Officers
now
need
to
exploit
diversification
benefits
and
retain
certain
be
skilled
in
a
multiplicity
of
very
complex
areas
in
previously
reinsured
risks,
enhancing
return
on
addition
to
having
excellent
stakeholder
management
economic
and
regulatory
capital.
The
Group
also
had
skills
ensuring
full
engagement
of
the
Board
and
the
power
to
negotiate
lower
price
of
reinsurance,
other
key
stakeholders.
Many
often
would
find
it
given
the
level
of
volumes
of
business.
beneficial
to
get
advice
and
guidance
from
a
peer/coach.
We
believe
executives
would
find
it
strategic
problems.
Example
of
areas
of
support
include:
dealing
with
regulatory
enforcement,
9
reviewing
effectiveness
of
Boards
in
overseeing
and
Business
Process
Outsourcing
Solution
–
The
Group
established
a
centralized
etc.
and
experienced
peers
to
help
resolve
complex
and
Knowledge
Centre
of
Excellence
power
was
also
limited
given
the
small
scale
of
each
include
actuarial
and
quantitative
processes
such
as
helpful
to
be
able
to
tap
into
a
pool
of
highly
skilled
High
Value
Support
Sourcing
or
Shared
Service
model

10. 3.
Enhancing
Operational
Efficiencies
through
Systems
Integration
Integrate
Systems
to
Drive
Lower
Costs
&
Yield
Commercial
Insights
Case
Study
-­‐
Reporting
In
the
case
of
financial
reporting,
XBRL
(eXtensible
Business
Reporting
Language)
is
an
emerging
standard
means
a
new
concept.
Many
firms
have
however
found
it
that
promises
to
preserve
data
integrity
across
variety
of
challenging
to
implement
this
in
practice.
A
multiplicity
of
systems.
XBRL
is
a
language
for
electronic
communication
systems
build
on
different
standards
often
makes
it
of
business
and
finance
data.
It
provides
benefit
in
the
challenging
for
data
to
be
transferrable
across
systems.
If
preparation,
analysis,
and
communication
of
business
data
is
indeed
transferrable,
then
data
integrity
is
often
information.
It
has
robustly
demonstrated
cost
savings,
questionable.
greater
efficiency
and
improved
accuracy
and
reliability.
Systems
integration
offers
several
business
benefits:
Reporting
Case
Study
Systems
integration
as
a
means
to
reduce
costs
is
by
no
Regulators
are
widely
adopting
and
mandating
this
•
If
data
can
be
treated
equally
across
different
systems,
this
open
up
potential
to
gain
new
insights
cross
functions
(e.g.
Risk,
Compliance,
Finance,
HR,
Products,
etc.)
or
cross
businesses.
standard
regulatory
reporting.
HMRC
in
UK
has
already
adopted
this
standard,
so
all
tax
filings
are
now
done
through
XBRL.
1
January
2013
was
set
as
the
deadline
for
banks
to
use
XBRL
to
send
data
to
their
regulator
who
in
turn
send
consolidated
information
to
the
European
If
regulators
adopt
such
a
standard,
multijurisdictional
Banking
Authority
(EBA).
EBA
has
developed
XBRL
based
regulatory
reporting
can
easily
be
centrally
processed
taxonomy
in
the
form
of
COREP
and
FINREP
reporting
with
significant
operational
efficiency
and
reduced
standards.
Similarly
the
European
Insurance
&
costs.
•
Occupational
Pensions
Authority
(EIOPA)
is
mandating
an
XBRL
reporting
framework
for
insurers
to
start
reporting
•
Accuracy
of
internal
and
external
report
would
improve,
hence
avoiding
wrong
decision
based
on
to
their
regulator
from
1
January
2014.
XBRL
adoption
will
continue
to
accelerate
given
the
benefits
it
offers.
incorrect
data
or
worse,
regulatory
censure
for
incorrect
reporting.
Market
estimates
indicate
that
if
implemented
skillfully,
and
synergies
exploited,
this
new
reporting
framework
Ability
to
easily
change
systems
or
service
provides,
could
significantly
reduce
processing
times
(up
to
70%
in
in
thereby
driving
competition
and
reducing
cost.
•
some
cases)
and
if
reporting
was
done
centrally,
reduced
costs
of
reporting
for
global
firms.
10

11. 4.
Enhancing
Value
added
by
the
Risk
Function
Baring
some
exceptions,
gone
are
the
days
when
financial
3.
Early
Warning
System
–
a
Forward
Looking
services
firms
will
incur
risk
and
compliance
cost
only
to
Approach
satisfy
regulatory
requirements
or
merely
deal
with
down
Risk
is
ideally
placed
to
co-­‐ordinate
comprehensive
side
risks.
The
Board
and
front
line
business
demands
scenario
analysis
and
reverse
stress
testing
more
value
from
their
investment
in
the
Risk
Function.
exercises
to
help
the
organisation
become
proactive
in
anticipating
and
mitigating
risks
So
how
can
the
Risk
Function
add
more
value
to
the
before
they
have
the
chance
to
materialize.
For
business?
We
set
out
3
ways
to
greater
value
creation
2nd
Line
of
Defence
Analogy
Advisors
needs
tools,
capability,
an
intelligent
team
and
the
As
overseers,
the
Risk
Function
has
little
chance
to
bandwidth
to
anticipate
remote
and
unknown
add
real
value.
Risk
Functions
that
take
a
very
literal
risks.
Intelligent
sourcing
could
yield
this
outcome
interpretation
of
the
“2nd
line
of
defence”,
will
often
1.
Picture
the
Titanic
sailing
on
a
collision
course
with
an
iceberg.
The
Chief
Risk
Officer
is
in
the
lookout
tower
and
sees
what
is
about
to
happen.
at
lower
costs.
From
Risk
Overseers
to
Risk
be
inclined
to
restrict
themselves
“wanting
to
remain
Taking
a
pure
2nd
line
of
defence
approach,
the
CRO
thinks
to
himself
saying
By
becoming
true
advisors,
the
Risk
Function
could,
The
Titanic
sinks
and
the
CRO
(who
happened
to
survive),
reports
to
tribunal,
pointing
out
the
breach
of
policy
and
controls
–
job
done.
senior
management
and
other
stakeholders.
They
Conversely,
taking
a
risk
advisory
approach,
the
CRO
would
have
shouted
out
to
the
Captain
saying
“Ahoy
there
Captain
–
not
my
call,
but
I
think
you
should
steer
the
ship
five
degrees
to
the
left
as
an
iceberg
collision
is
imminent
if
you
stay
on
course.”
The
Captain
responds
and
steers
the
ship
away
from
the
iceberg.
All
are
saved
and
the
Captain
is
pleased
with
the
warning
given
by
the
CRO.
forgiven
for
viewing
the
Risk
Function
as
a
hindrance.
while
maintaining
independence,
help
and
guide
the
businesses
in
identifying
and
managing
risks
on
a
day-­‐
to-­‐day
basis,
and
providing
real
time
assurance
to
could
also
suggest
opportunities
for
the
business
to
take
more
risks
through
their
aggregate
risk
analysis.
2.
Benchmarking
–
Giving
Something
Back.
As
aggregators
of
information,
the
Risk
Function
is
ideally
placed
to
provide
useful
analytics
back
to
the
business.
This
data
will
allow
business
units
to
benchmark
themselves
and
strive
towards
improved
performance.
This
ought
to
help
get
greater
business
buy-­‐in
as
business
is
used
to
getting
requests
for
information
from
the
business
and
never
expecting
anything
back.
11
independent”.
Business
units
equally
would
be
“Mmmm,
I
wonder
whether
the
captain
will
steer
the
ship
to
avoid
the
iceberg.
I
will
watch
and
see
whether
he
complies
with
the
policies
and
guidelines.
I
can’t
interfere
as
I
need
to
maintain
my
independence.”
this
to
become
a
reality
though,
the
Risk
Function

12. 5.
Taming
the
Regulatory
Tsunami
–
Proactive
compliance
In
the
wake
of
the
financial
crisis,
regulators
are
stepping
up
supervisory
initiatives
and
introducing
a
raft
of
new
regulation
and
guidance.
According
to
Reuters,
in
2011,
there
were
14,215
regulatory
announcements
-­‐
60
per
day
on
average.
The
announcements
can
include
anything
“The trouble with
government regulation of
the market is that it
prohibits capitalistic acts
between consenting adults.
”
from
speeches
to
final
binding
rules.
Ironically,
the
very
regulations
aimed
at
preventing
How
are
leading
firms
dealing
with
Regulatory
Tsunami?
Leading
firms
are
taking
a
proactive
stance
by
leveraging
the
power
of
information
technology.
Although
early
days,
compliance
solutions
emerging
demonstrate
the
following
attractive
features:
•
updated
regulation
and
guidance.
The
library
another
financial
crisis
are
now
featured
in
second
position
incorporates
in
the
top
10
global
risks
in
AON’s
Global
Risk
Management
•
Powerful
analytic
systems
to
analyse
and
system
uses
existing
data,
its
rules
and
that
could
result
in
regulatory
censure
behaviours
and
information
from
experts.
(including
fines)
and
possible
reputational
damage.
The
ever-­‐changing
rules
makes
it
allowing
measure
compliance
on
a
real
time
basis.
The
increases
the
chances
of
regulatory
breeches
~ Robert Nozick
ontology
regulations.
struggling
to
comply:
The
volume
of
regulatory
change
significantly
robust
searchability
and
inter-­‐linkages
between
Survey
2013.
Although
willing,
firms
are
naturally
•
A
comprehensive
library
of
continually
•
Detailed
end-­‐to-­‐end
processed
mapped
to
extremely
challenging
for
front
line
customer
facing
personnel
to
consistently
comply
–
workflow
development
that
helps
to
capture
mistakes
are
inevitable.
•
specific
regulatory
line
item,
allowing
for
evidence
based
documentation
and
key
risk
and
performance
metrics.
The
cost
of
compliance
significantly
increases
under
the
current
regulatory
landscape
as
firms
Key
benefits
of
a
systems
based
approach
include:
are
having
to
skill
up
by
recruiting
more
compliance
professionals
and
solicit
help
from
•
Real
time
compliance
monitoring,
that
prevents
breeches
of
regulatory
rules
or
external
third
parties.
internal
policies
and
acts
as
early
warning
The
“Twin
Peaks”
approach
to
regulation
in
the
UK
adds
system
of
impending
breeches
further
complexity
and
potential
cost
as
now
financial
services
firms
face
two
regulators,
the
Prudential
•
anticipate
potential
regulatory
breeches.
Regulatory
Authority
(PRA)
and
Financial
Conduct
Authority
(FCA)
with
different
regulatory
approaches.
An
early
warning
system
allowing
firms
to
•
Documentary
evidence
tagged
to
regulation,
allowing
for
enhanced
compliance
monitoring
12
and
regulatory
interactions.

13. What
are
the
Next
Steps
This
paper
merely
explores
some
ideas
of
ways
in
which
The
transformation
journey
could
start
out
with
a
The
gaps
resulting
from
the
diagnostic
phase
would
help
the
Risk
and
Compliance
Function
could
transform
to
yield
comprehensive
diagnostic
exercise
informing
on
the
to
inform
a
detailed
implementation
plan.
Stakeholder
higher
value
at
reduced
costs
and
with
improved
process
current
state,
including
the
assessment
of
perceived
value
engagement
is
key
to
designing
and
executing
the
plan.
efficiency.
added,
quantification
of
total
costs
and
understanding
Clearly
they
may
well
not
be
appropriate
or
relevant
for
components
of
TCOR,
and
mapping
current
process.
your
particular
needs,
hopefully
though,
these
ideas
would
The
information
gathered
from
the
diagnostic
phase
could
have
stimulated
thinking
of
the
possibilities
open
to
be
benchmarked
against
the
more
sophisticated
organisation
and
their
associated
benefits.
competitors
(i.e.
best
practice)
and
regulatory
Continuous
improvement
should
be
an
ongoing
journey
expectations.
for
any
organisation
and
Risk
and
Compliance
is
by
no
If
sufficient
gaps
are
identified,
the
transformation
journey
means
an
exception.
Regular
self
assessment
and
should
begin
with
a
clear
picture
of
the
end
state,
resulting
programme
of
improvement
will
help
ensure
that
quantifying
at
a
detailed
level,
the
desired
outcomes,
for
Risk
and
Compliance
Function
remain
relevant
and
are
example
structured
to
add
value
rather
than
be
a
cost
burden
to
•
internal
costs
reduced
by
25%
•
Losses
reduced
by
10%
•
Reduction
in
error
rates
by
60%
•
Reducing
reporting
times
by
two
weeks,
•
etc
firms.
13
Relevant
third
party
partners
or
service
providers
could
support
execution.

14.
For
more
information
contact:
Jay
Tikam
Tel:
+44
(0)
203
102
6750
Mob:
+44
(0)
778
551
8471
Email:
jay.tikam@vedanvi.com
Vedanvi
Ltd
45
King
William
Street
London,
EC4R
9AN
BUSINESS & RISK CONSULTING