Editor: What were the main findings of KPMG’s survey on risk management, and how big a survey was it?
Girgenti: We asked nearly 1,100 C-level executives around the world what issue posed the greatest threat to their industry, and in almost every sector they said the top threat was regulatory pressure, by a wide margin. One would expect executives in financial services to say so, but it was the same in every industry apart from technology and in all major regions of the world; they all face many new government rules. On top of this, government enforcement of the rules is growing stronger by the day, and government enforcement actions are increasingly coordinated on an international level. It’s not surprising that there was little difference in response by region; multinational companies need to understand the new rules not only in their own country, but in all the places in which they do business.
The sheer impact of regulation is astounding when you consider that most respondents ranked the regulatory threat higher than other risks such as reputational, credit/market/liquidity, supply chain, information protection, and disruptive technology. The Dodd-Frank Act of 2010 affected not only financial services but also a wide array of other industries, while creating new regulatory agencies and strengthening supervisory enforcement powers. Yet, despite the dramatic surge of regulatory scrutiny, the survey found that companies are struggling to improve their compliance and risk management. They know it’s important to do this, but there are significant gaps in the way that companies meet the threat in terms of compliance, controls and risk management. Too many companies are taking a reactive, piecemeal approach to the new regulations. Instead, they should be proactive about rule changes and should integrate risk and compliance into overall corporate strategies. Taking a passive approach is not an option if companies want to stay competitive.
These are strong findings given the size of the survey, which is probably one of the largest of its kind, focusing solely on C-level executives around the world. Twenty-eight percent were chief executives and 12 percent worked in risk, legal, compliance and audit combined. A quarter of respondents were from North America, and roughly the same proportions were in Europe and Asia-Pacific.
Editor: Why has regulatory risk come to the fore?
Girgenti: After the business excesses of recent years, the pendulum has swung the other way, and governments are tightening regulations in order to reduce economic risks. Regulatory pressure has been growing for the past couple of decades, but the trend accelerated after 2008 and represents a fundamental change in governments’ approach to business. The rules are becoming much stricter and are being enforced far more strongly (whistleblowers, for example, are now encouraged to report on misconduct directly to the Securities and Exchange Commission), and government agencies are cooperating more than ever before, both domestically and internationally. The SEC regularly works with Britain’s Financial Services Authority and other supervisory bodies to enforce a wide array of regulations where there are cross-border implications. It’s a brave new world in which compliance plays a bigger corporate role than ever. Companies that are slow to transform their risk and compliance management may not only become less competitive, but may also jeopardize their entire business.
Editor: Has the regulatory onslaught had much effect on the way companies manage risk?
Girgenti: Most definitely. Almost three-quarters of the survey respondents said it had caused substantial or moderate changes in the way risk is managed and reported. For example, new rules from the Federal Reserve (Y-14 and Y-15) require banks to report greatly increased amounts of information on such things as market risk exposure. For all industries, compliance has always been important, but now it is absolutely crucial. The clearest indication of this trend, according to the survey, is that companies have invested more in risk management in the past three years than they did previously and that they intend to go on investing more in the coming three years. One problem with this spending is that it is hard to measure the return on the investment. Twenty-eight percent of respondents say they have no way to measure the ROI. Despite the difficulty of measuring the benefits, companies must always carefully evaluate the business case of additional investment in risk management and assess the qualitative drivers as well as the quantitative ones.
Editor: How effectively is the risk and compliance function managing the threats posed by greater regulatory scrutiny?
Girgenti: The survey found that expectations—inside and outside companies—concerning risk management were growing but that capabilities were not keeping pace. The biggest problem is that executives struggle with assessing risks across the enterprise, and regulations cover all aspects of a company’s business, from the supply chain to corporate finance. These days, no business activity escapes regulatory scrutiny. Also, companies don’t have a consistent way of evaluating risk, and many admit they don’t aggregate a risk profile or develop a formal risk appetite. As a result, they can’t tell whether the company is taking on too much or too little risk. This could be particularly dangerous in the context of regulatory risk when executives consider government agencies’ tougher stance toward companies with lax controls.
Another issue is that there is a wide gap in terms of perceived risk-management skill among the three lines of defense. Respondents say the business units (the first line of defense) are more adept at assessing and managing risk than the compliance and risk specialists (the second line), as well as internal audit (the third). The challenge for companies is to coordinate the three lines of defense so as to ensure there are no gaps in managing priority risks nor a duplication of effort. This requires clear definitions of the roles and responsibilities of the different functions as well as cross-functional training in compliance and risk management.
Editor: What are the underlying reasons for the problems?
Girgenti: One is a lack of skills; 42 percent say that this is the main obstacle to the convergence of risk and control functions. Training can partially remedy this. But it’s a problem in other areas of the company as well. For example, large numbers of skilled compliance officers are needed to deal with the wave of new regulations, and such people can sometimes be hard to find. Survey respondents also admit they need to do more to motivate business managers to make risk-aware decisions by linking their performance in this area to compensation. Forty-three percent said there was a weak link at their companies between risk management and compensation. All employees should be motivated to make decisions fully cognizant of the regulatory risks, and they need to have the ability to weigh the risks carefully in every business decision. Too often, corporate incentives have motivated executives to take excessive risks. Performance reviews should incorporate the measurement of an employee’s ability to manage risk and to comply with regulations.
Editor: How should companies deal with the regulatory onslaught?
Girgenti: In the face of an expensive and burdensome array of new regulations, it might seem understandable if companies waited for the rules to come into effect and then deal with them one by one. But this would be a mistake. The sheer number of regulations would probably lead to confusion and duplication of effort at the very least. A clearly thought-out strategy of compliance is required to anticipate the regulatory changes and to implement a comprehensive response to them, not just in the compliance and risk functions but throughout the enterprise.
The key is to transform compliance into a source of competitive advantage and not regard the regulations simply as a burden on the company. Every competitor faces the same set of rules, but you can be sure that very few are going to take advantage of them to become more competitive. So the new regulations should be seen as an opportunity to claim industry leadership.
Editor: What does this transformation entail for the company?
Girgenti: To begin with, the chief executive has to set the appropriate tone by explaining that a business-as-usual approach won’t work and that compliance is the business of everybody in the company, not just the compliance officers. The chief executive and the board are the ones to set the policy and the strategy of compliance; the other C-level executives must then set about implementing them, guided in particular by the assessments of risk, compliance, legal and audit officers. Senior executives have to lay out a new, clear policy towards compliance that will then have to be fully integrated into new processes and into the thinking of all employees. Compliance and risk officers must work with the business units to identify key regulatory risks and how to manage them.
The compliance department itself may require a complete realignment to reflect a more strategic approach to compliance. This will require a deep understanding of how to use the company’s resources more effectively, by embedding compliance into business processes and integrating overall assurance with other risk and control functions. By working closely with business managers, compliance officers may become business enablers rather than naysayers.
Editor: This sounds difficult to implement. Is it?
Girgenti: Yes, it is, if companies are not proactive or try to do things piecemeal. Regulatory risk needs to be managed holistically throughout the company. This requires great agility from executives to understand the nature of the changes in risks, design the appropriate response to them, and alter the operations to manage the risks more effectively. The greater the agility, the higher the likely cost savings.
If the realignment of compliance is thorough enough, competitive gains will follow. The cost of compliance will fall, business processes will improve, and operations will face less disruption due to the close coordination of risk and control functions. A strong governance framework for risk and compliance will not only seek to meet the requirements of regulators but will improve a company’s reputation in the eyes of its customers. It’s about turning regulatory risk into advantage.
To read the full results of the survey, please click here.