Is regulation driving risk management?

While more than two-thirds of respondents overall saw regulatory requirements primarily as setting the basis for best practice, 24% saw regulation as stating a required standard. So a substantial number of organisations appear to be unwilling to go beyond ticking the boxes. Did this attitude reflect that of the board? We asked respondents whether they considered their board's attention was more focused on compliance or on best practice. The result was a fairly even split, with 52% coming down on the side of best practice.

When asked whether the need to comply drives organisations' risk management initiatives, nearly one third of respondents said compliance is the main or total driver. However, with the split of respondents pretty evenly divided between industrial and service companies, it was clear that the need to comply with regulation is more of a driver in service companies. Indeed, not a single industrial company said regulation totally drove its risk management initiatives. The main consensus was that regulation was as much a factor as any other.

With so much national regulation driven by EU directives, are organisations monitoring the Brussels legislative programme or lobbying on regulation? Fifty three per cent of respondents said that they rely on a trade body to lobby for them and warn of new impending regulations; 40% (and these were overwhelmingly industrial companies) said that they rely on their service providers and advisers to let them know what was on the horizon, while 28% waited to be notified by national authorities. The 14% who retain lobbyists to actively influence the EU legislative process were mainly large global services companies.

A third of respondents said that their organisation had submitted a written response in its own right during the consultation process before new EU or national legislation, while 38% said that this had been done through their trade or industry body. The breakdown showed that industrial companies were less likely to submit a response or, if they had, to have done so through a trade association. Service companies were more than twice as likely to have submitted a response in their own right.

We then asked which two types of regulation have been the most costly for our respondents' organisations in terms of compliance. Specific industry sector regulations (such as Basel II and Solvency II in the financial sector) and national corporate governance regulations shared the honours virtually equally, but environmental regulations (26%), health and safety regulations (24%) and the Sarbanes-Oxley Act (22%) were also cited. SOX was mainly an issue for large firms – those with over 10,000 employees.

Most respondents (84%) had formal systems in place to ensure basic regulatory compliance among their employees. The figure fell to 60% when it came to ensuring key suppliers' compliance and reduced still further to 50% in respect of compliance by joint venture partners. Where the last two areas are concerned, the percentage is actually likely to be higher as some respondents admitted that they did not know what was in place here.

Strategies and processes for ensuring compliance included:

• “All applicable regulations are listed and monitored for compliance, with clear responsibilities”

• “Audit for employees, contracts with all suppliers monitored/reported regularly and weekly reporting to/from partners”

• “E learning/testing in each of the required disciplines”

• “A full compliance training module is in place for all staff, with more relevant training given to specific functions. Key suppliers undergo review by compliance department. JV partners provide compliance reporting on a standard template”

• “Intranet training programmes must be completed by all staff. Contractual terms make compliance requirements explicit”

• “Set of established corporate policies supported by training, documented audits, control surveys and senior level sign-offs”

• Without regulation, would risk management have developed to the extent that it has in different sectors? Sixty two per cent of respondents considered that the answer was no or probably not, while 26% (most of whom worked for industrial companies) considered that it would have done. The remaining 12% were uncertain. Responses included the following comments:

• “Probably yes, as many of the key risks are commercial rather than those addressed specifically by regulation”

• “Not at the same speed, but it would have developed, as we seek to develop a global business and find risk registers and an ERM approach a vital tool in monitoring trends and changes in the business”

• “No. Most well run companies had these approaches in place years before, but developed them further pending the advent of regulation. The less aware companies have moved from doing little to doing as little as they need”

• “Yes, I believe it would. Regulation does not drive risk management initiatives in our organisation”

• “Yes since it is a driver for efficiency, gaining opportunities and growth”

• “Yes, because our industry is by definition a high risk taking industry and risk management is key to success”

• “A company should develop risk management for business reasons and not compliance or because of regulation. Those companies that don't do RM do compliance and feel it's time consuming and non transparent. The major problem for multinational conglomerates is that each regulatory body wants a different solution and data”

• “In the past, risk management and compliance were mainly driven by external regulation. In recent years, we have been shifting towards a risk management driven company, staying ahead of regulation”

• “Regulation forces management to take risk management seriously, without it they would not consider it. External stakeholders ask for evidence in areas of compliance. Without the regulatory stick, business would not be obliged to comply”

•

With such a large amount and broad range of regulation, we asked respondents how confident they were that their organisation – in every discipline, department and location around the world – was 100% compliant. Only seven percent were completely confident although a reassuring 62% expressed reasonable confidence. Twelve per cent were not at all confident and 14% said that areas of non-compliance do exist. Five per cent said that they simply did not know. Overall, service firms had a higher degree of confidence in their compliance.

We asked for respondents' views on whether compliance was significantly harming their competitiveness. The general opinion seemed to be that this was not the case. One respondent bemoaned the fact that: “Europe is not a level playing field, and some countries do impose barriers to entry whether or not they admit to doing so.”

As to whether organisations are under- or over-regulated, on the whole respondents considered that the balance was about right.