Transforming Compliance to Enterprise Risk Management

by Anuradha | December 13, 2015

Early this year, the world's largest fund company, BlackRock Inc., was penalized by the SEC to the tune of $12 million for failing to disclose a conflict of interest created by the outside business activities of one of its top-performing portfolio managers, Daniel J. Rice III.

Rice had investments in a family-owned energy sector company, Rice Energy, while also managing investments of BlackRock's energy-focused funds. The conflict of interest came to the SEC's notice when one of Rice Energy's joint venture companies became the largest holding in BlackRock Energy & Resources Portfolio, a fund Rice managed.

The SEC faulted Bartholomew Battista, then Chief Compliance Officer of BlackRock Advisors, over his alleged role in contributing to these regulatory lapses and fined him $60,000 for breach of his duties.

This case serves as a forewarning to compliance officials that they can be held accountable not just for organization-level lapses but also for actions of individual employees that might have a negative impact on shareholder value. The compliance officer is expected to either object to such activities by acting as a whistle-blower or proactively furnish adequate information to the authorities.

Reuters also recently reported that ‘a spate of U.S. Securities and Exchange Commission enforcement cases involving several prominent financial services firms has renewed concerns that compliance officers could be blamed for violations committed by others at their companies.’

With rapid technological advancement, innovative business practices and corporations going global, the possible impact of business risks on shareholder value has increased manifold. Hence today, more than ever, the role of the compliance officer is no longer limited to regulatory compliance, but also encompasses Enterprise Risk Management.

Enterprise Risk Management: A Structured Approach to Managing Risk

The basic premise of Enterprise Risk Management (ERM) is that the core responsibility of every business is to create value for its stakeholders. The business might need to take some risks in order to enhance this value, but the management should have a mechanism to identify and assess such risks before deciding to take the plunge.

Enterprise Risk Management (ERM) includes the framework and processes set up to proactively identify, assess and manage risks across the entire organization.

The ERM framework is designed to protect the organization from various kinds of risks. These could be at the strategic level (reputational risk, loss of intellectual property); operational level (disruption of services, physical property damage); compliance related (statutory laws, environmental) and/or financial (funding, financial misstatement).

In such an environment, the role of the compliance officer becomes more strategic than executive, compelling him to preempt risks and their impact while also setting up monitoring and remedial mechanisms.

So what does a typical ERM framework look like? The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its Enterprise Risk Management - Integrated Framework, lists 8 inter-related components that need to be considered based on the nature and size of the organization. These cover aspects ranging from ERM objective setting to event identification, risk response, monitoring and communication.

While all of this might sound simple, let's look at why organizations struggle to implement ERM successfully.

Common ERM Challenges and Suggested Mitigation Tactics

Successful ERM implementations, like other strategic, organization-wide initiatives need a rare combination of executive leadership and organizational consensus. And while certain challenges might be specific to an industry or geography, the more challenging ones are usually consistent across the board.

1. Unclear Ownership

The question of who should ‘own’ ERM has been known to shake up a board meeting or two, due to the tussle between the business lines and the compliance team.
Instead of seeing this as a toss-up, a practical solution might lie in assigning responsibility for each type of risk to a primary owner (business or compliance) with oversight from the other. The Board, audit committees and other functions such as internal audit and legal also play key supporting roles in balancing ownership.

2. Doubt over ERM's True Value

In a business environment driven by creating shareholder value, it sometimes becomes difficult to justify the investment in ERM with typical risk-reward metrics. Being a long-term strategic investment rather than one providing short-term gains, ERM more often than not becomes a voluntary action rather than a mandatory one.
Compliance officers have therefore been known to take the business case route to justify the investment or suggest a pilot program to gain initial acceptance.

3. Considerable Resource and Time Commitment

Since ERM is a strategic, organization-wide initiative, it requires active participation not just from the leadership but also from key personnel in the business lines. For a successful ERM implementation, business teams cannot be mere consumers of the framework, but need to play an active part in shaping and implementing it. This requires a fair amount of time investment.
The way to deal with this might be to identify ERM champions across the company in the various business lines and teams who can provide input, work on implementation and handle communication within their teams.

4. Disruption to Current Business

Implementing ERM is a bit like jumping onto a running treadmill; you have to put the framework into effect while considering current processes and ways of working to prevent company-wide disruption of productive time. At the same time, the framework should also challenge current methods and practices if they are seen to be adding additional risk to the enterprise.
A good solution might be to implement in phases, either by business verticals or by teams, providing enough breathing space in case changes need to be made along the way.

ERM is a complex, vast area and should be implemented in keeping with the organization's business context and practices. One thing is clear, though: we can no longer dismiss the need for it. Even if implemented in phases, ERM can bring significant benefits to the enterprise, such as encouraging it to take a long-term view of risk and proactively manage it rather than reacting post facto.