Is regulation a burden or a blessing? Lindsay Cox says that enterprise risk management can turn compliance requirements into a valuable business performance management capability.

Regulations come with masses of detailed requirements, but the underlying purpose is to have well governed, risk-controlled companies that provide shareholders and stakeholders with confidence in their executive management.

The business world, and the financial markets that support it, are now an intricate framework of interconnected and interdependent organisations, trends, impacts and consequences. Corporate failures, investor fears and capital restrictions cannot be regarded as isolated and containable issues. We live in a fragile infrastructure and a sneeze in China can close a company in Milwaukee. These global influences have brought about a situation where the old ways, the ability to stay just within the law, are no longer acceptable or feasible.

We must adapt to the demands of this new world. Boards of directors must demonstrate that they are both capable and competent to run their companies. Management must show that it is managing its risk strategies if the company is to satisfy investors. Companies have to comply with complex and demanding regulations, both in their own jurisdictions and those of countries where they wish to do business. The successful CEO needs corporate governance processes supported by effective enterprise information to satisfy these demands.

The regulatory drivers

Today's boards and senior management are driven by three major criteria:

- securing the top and bottom line through driving up sales and revenues and driving down costs

- complying with the standard legal conditions - the legality, fitness for purpose and safety of their product

- conforming to the twin demands of compliance with relevant risk-based regulations, and the assurance of sound corporate governance standards.

Currently there are three common types of regulation which affect companies to varying degrees on a world-wide basis. These are:

- those that ensure that excessive risks are not taken with investors' shareholdings and, in the case of financial institutions, depositors of funds, such as the New Basel Accord, or Basel II

- those that demand veracity in the companies' disclosures, for example the Sarbanes-Oxley Act (SOX)

- those that ensure fairness of practices vis-a-vis the consumer, for example the Trade Descriptions Act, the Markets in Financial Instruments Directive (MiFID), or the insurance selling rules in the UK Financial Services Authority's Handbook.

All these regulations affect corporate governance. Good governance is firmly built around the two pillars of enterprise information and risk management. It requires a well informed and well managed company operating with sufficient transparency to allow investors and public bodies to understand its strategy and any associated risks. Objectives need to be stated and the likelihood of achieving them understood. The public, primarily investors, needs to be assured that the company is progressive, that its initiatives have a fair chance of achieving fruition, that business disruption is minimised and the share price and dividends protected, and that there is no infringement of relevant regulations.

A look at the regulations

The two regulations that arguably can be considered as the standard bearers of modern risk management and corporate governance are Basel II and SOX. They were both created as a result of different incidents and for different purposes. Basel II came in the wake of bank failures, notably Barings. Its purpose was to have banks maintain capital levels to cover their risks and so avoid failures which could potentially lead to knock-on failures in other banks, the so-called systemic failure. SOX was driven by high profile corporate failures in the USA, where investors lost out because of misrepresentative company reports.

However, both regulations have widened their scope and include requirements concerning corporate governance, risk management, controls and disclosure. Basel II is quite specific as to what a company board must do; SOX is clearer on what they may not do. Basel II requires a corporate risk framework and effective risk management processes; SOX requires the assessment of risk on any process which may affect the accounts and the placing of controls. Both involve risk cultures, risk appetites and risk policies and the public disclosure of many aspects of them.

Basel II has been adopted by the European Union as a standard for all regulated financial institutions and the Basel II format with its three pillars will be the format for the forthcoming insurance capital requirements directive, Solvency 2. The EU has also included risk management requirements in MiFID, the investment banking directive, and the rest of the world has adopted Basel II, albeit with some local variations, for their banking communities.

In all cases, the end-game of the regulators is to see well governed, risk controlled (and profitable) companies. The rules are there as incentives and barriers to drive companies to achieve these good corporate governance objectives.

Top-down or bottom-up?

The problem with corporate governance being driven by regulations is that the regulations are detailed and are effectively bottom-up solutions. The high level objective of the regulatory draughtsmen may have been good corporate governance, but the impact of the highly detailed regulations has been to force the focus onto compliance details. This has created an attitude amongst those responsible for implementation best stated as 'never mind the underlying reason for the rule, just ensure we can tick the box'.

This approach has been particularly apparent with SOX compliance, perhaps intensified by the fact that all companies are dependent on their auditors for compliance sign-off. Although Basel II defines high-level board behaviour in its pillar requirements, recent surveys indicate that this is taking a back seat while implementation teams concentrate on the requirements of pillar 1, the collection of risk data and the calculation of regulatory capital requirements.

The detailed approach to compliance has also been accentuated by the fact that most companies have taken a silo approach to implementation (figure 1). This is understandable, given the urgency to complete implementation - there has been too much work to allow companies to plan a holistic and integrated development - but the result has been a lack of integrated compliance frameworks within companies. Risk and event data are collected, and detailed analytic enquiries carried out, but straightforward management overviews are limited, and indications of growing threats can be hidden in volumes of risk statistics. The data can itself be accurate but, if not collated across the enterprise to give a single view with clear messages, key risks and trends will be missed and senior management will not be effective. This must change.

Enterprise governance

Successful, compliant and effective governance requires a holistic, enterprise-wide and top-down approach to managing all information, including risk data. It is essential that a governance, risk management and compliance (GRC) framework be put together in such a way that management derives maximum benefits. Compliance on its own is not enough.

The key requirement is that data must be integrated and that there be 'one view' of any situation. This does not mean the construction of a single, complex repository of data with every risk, control or event having a many-to-many relationship with all other data elements. What is required is twofold: that data from lower level information and risk systems be collated upwards to create a repository for use by management; and that management sets its objectives and strategic risks and that these be used to govern the company and to set the high level criteria used to manage the lower level systems.

A high-level GRC, an enterprise risk management system, is more than a simple event management system coupled with management information. The emphasis must be on objectives, major change and the achievement of competitive advantages, not simply risks and risk events. There must be links to backing data, inherent knowledge, and there must be strong visual interfaces, but the emphasis needs to be on performance, not regulatory compliance, with good strategic performance measurement and return on investment facilities built in. A good governance system will involve all parts of the company as well as the board and senior management. Human resources, compliance, credit management, risk officers and internal and external audit will all play a part in creating the system, and all should be involved in assessing the results.

But even within the enterprise-wide view there are two flavours of information needs. Senior management must understand all areas of the company in a holistic view, but they need sufficient detail for day-to-day management. The board needs a higher-level view. They are looking at long term, strategic issues, and may only assess situations on a monthly basis. They do not wish to be distracted by lower level management issues. The board is not there to do the job of management; they are there to take strategic decisions. They need information in summary, but need confidence that it is an accurate summary of component risks and issues. The ability to summarise information, but to drill down when required, is a key feature of enterprise-wide risk and governance services (figure 2).

Dynamic frameworks

Article 7301 of Basel II states 'The bank's board of directors has responsibility for setting the bank's tolerance for risks. It should also ensure that management establishes a framework for assessing the various risks, develops a system to relate risk to the bank's capital level, and establishes a method for monitoring compliance with internal policies. It is likewise important that the board of directors adopts and supports strong internal controls and written policies and procedures and ensures that management effectively communicates these throughout the organisation'.

While there is an emphasis on capital levels, this is as good a definition of a strong enterprise management structure as exists.

The achievement of a successful GRC framework is not simple and is not something that is done overnight - or even in a single investment programme. GRC systems must be planned over time - there is a lot of investment in existing company information and risk management systems. This data must not be lost. The ideal would be to construct an umbrella layer which sits above the existing infrastructure and takes information from the underlying information and risk systems and processes as required.

The harder option, and that which turns the GRC framework from a passive management tool into a dynamic one, is the ability for strategic risk assessments, corporate objectives and other high-level decision data to influence the underlying systems. Base business and risk information needs to be assimilated by the enterprise layer; decisions need to be taken which reflect the corporate benefit, and these should result in variations to the lower level systems. This requires a more complex level of systems interfaces, but there is no reason why such processes cannot be set up, initially on a manual basis. Indeed, it is questionable whether automated interfaces are needed at all, as a manual intervention involves a higher level of assessment (figure 3).

An enterprise governance solution

Probably the best enterprise layer tool in existence is a chief executive walking the offices of his senior managers and business-facing representatives, asking focused questions, absorbing the answers and then giving advice and direction. Unfortunately this is not feasible in any other than the smallest, single site company.

In other circumstances a good GRC framework incorporating a high-level information and risk-fed decision tool is invaluable in facilitating good corporate governance. Benefits are:

- creation of a culture where the management of business risks becomes second nature

- the comfort that regulatory compliance - Basel II, SOX, governance, etc - is being managed

- improved business performance, predictability and agility.

Other benefits that should accrue are reduced GRC costs and better risk management and the eventual outcome should be an improvement in shareholder value.

The enterprise layer of the GRC framework should be easy to install: it must work with existing systems, not replace or replicate them; it must be able to operate at different levels, taking an eagle-eye view but drilling down to the detail; and it must be able to concentrate on management issues.

This requires a risk management and enterprise information product that satisfies both sets of requirements, and which also combines these with an objective-driven strategy matched to processes (as opposed to simple organisational structures). It should meet standard risk management needs, with all the necessary features to manage everything from operational risk to Basel II requirements.

It should also provide a solution to the enterprise and governance level requirements of any organisation. Objectives can be set and risk and performance information harnessed to monitor achievement of these objectives. Risks can be monitored against business functions, as well as within organisational operating units. Analyses of risk and performance by hierarchical views, against business unit action plans, and by common processes can all be used to facilitate the governance of an organisation by its senior management and board officers.

Good governance and regulatory compliance information is a necessity to the effective and profitable running of any company. The right framework, which is able to deliver usable decision support information in the right format is an essential, not a luxury.

Lindsay John Cox is managing director of Securac (Europe) Ltd, a division of Securac Holdings Inc., Canada, Tel: 020 8481 3883, E-mail: lindsay.cox@riskgovernance.com