Implementing an enterprise-wide governance, risk & compliance strategy


By Peter White –

Companies across the globe and across a wide range of industries are increasing their efforts to achieve proper enterprise-wide governance, risk & compliance. Organisations in different sectors are at different stages of implementation, with the banking sector having made the most extensive changes and adopted the most stringent measures. There is, however, broad agreement on the critical steps that need to be taken on the path toward enterprise-wide risk governance.

Despite the varying levels of progress between companies and industry sectors, there is a general consensus that a number of fundamental foundation steps are central to an effective enterprise-wide governance, risk and compliance program.

The first step in developing a successful enterprise-wide governance, risk and compliance program is to fully understand and map out the current state of the framework in place in the corporation. From this, the next step can take place: the determination of an enterprise-wide set of objectives and a vision of how this will be executed in practice. The second stage of setting up an effective enterprise-wide governance, risk and compliance program is to redefine the risk ownership roles at all levels of the company. The economic climate following the financial crisis has made well-defined risk ownership roles and responsibilities a major priority in an effective compliance framework. Consensus is growing that the CEO is ultimately responsible for risk in their enterprise, and there is wide agreement that the CEO should be charged with ensuring that the company makes critical decisions regarding risk in an appropriate, informed and timely manner. However, thorough top-down oversight and bottom-up involvement are also important parts of governance and should be incorporated properly into the framework. The board and the CEO may be responsible for creating the governance framework, but the Chief Risk Officer (CRO) and Chief Financial Officer (CFO) will need to be responsible for assessing and reporting on risk. Leadership should also foster a culture and attitude throughout the company that works towards ensuring compliance across the business.

Risk responsibilities and accountability are, and should be, more closely combined than ever before, and this should be at the heart of the governance program. All stakeholders and related parties, from board members to division heads and their team members, must be actively committed to identifying and mitigating risks and to taking accountability for their failings. A number of corporations are restructuring their risk frameworks starting at the board level by forming new risk committees, reorganising board oversight capabilities and amending board structures. Another approach has been to hold joint discussions of committees such as risk and audit to broaden the scope and depth of risk management functions.

A further key stage in setting up an enterprise-wide governance, risk and compliance program is to redefine the risk management related decision-making processes within the company. The events of the financial crisis propelled many companies to thoroughly reassess their risk decision-making structures and to make substantial changes to these areas. Some companies have focused on fine-tuning and making small changes, while others have reviewed their risk-management infrastructures from a complete overhaul perspective, examining all measurement tools, policies, limits, controls and methods in place from top to bottom. A number of companies have now progressed well beyond the review stage and are beginning to make significant structural changes, which can include substantially increasing the authority of various risk teams.

A further stage of developing a successful governance program is to standardise certain risk processes within the corporation. Standardised terminology, methodologies, performance measures and testing procedures help the enterprise-wide risk management functions and personnel to run smoothly, leading to fewer frictions, miscommunications and disconnections across the firm. However, progress to date in this area has been weak and uneven across all industry sectors.

The next stage in developing a stable firm-wide risk and governance framework is to streamline and aggregate risk reporting, and also to streamline technology so that it supports efficiency in the risk management process. From this point, it is important that corporations work towards devising proper predictive tools and formalising forecasting methodologies for potential risks to the company.

These steps will aid the company in developing an enterprise-wide view of risk, which should then be applied iteratively towards further enhancing the risk and governance procedures in place.