Governance, Risk and Compliance - GRC
“It's not the things you are afraid of that will kill you” - Mark Twain.
I have fielded a number of calls this week from recruiters looking for
someone to implement a GRC process for some company. Before I can ask
about the firm's board governance towards risk management and
accountability, the questions turn to SQL, Java and, well, you get the
idea. If a firm does not set its overall risk tolerance, understand
its risk profile and empower the managers who take risk to manage that
risk, software isn't going to improve anything.
Whether one calls it GRC (Governance, Risk and Compliance), ERM (Enterprise
Risk Management), ERP (Enterprise Risk Planning) or OR (Operational
Risk), understanding and managing the sources of risk created within
an enterprise is a human endeavor requiring judgment. This first
requires a strong tone from the top and board engagement. Management
must be empowered and incentivized to continuously focus on direct
and indirect sources of risk. They need to be able to articulate it to the board
and proactively mitigate unproductive and unnecessary risk. Risk
taken on to further value creation must be evaluated, balanced with
other priorities and monitored. This requires motivation, expertise
and persistence.
Risk management systems are useful but limited to their internal algorithms
and the data they can analyze. Computers are great for alerting
people to quantitative risk metrics but not so good at identifying or
evaluating qualitative risk discussions. It is these unstructured
risks that have the greatest likelihood of destroying an enterprise's
value. Often the events that have never happened before, or last occurred
before the collective memory of the programmers, are the ones we
really care about.
Quantitative metrics are appropriate for managing many types of risk such as
credit risk, market risk and weather. Unfortunately, rare events, the
identification of bubbles, binary events, and any discussion that
follows the words “assuming a normal distribution” cannot be
properly quantified. It is human nature to ignore that which cannot be
neatly defined or measured.
Qualitative risk discussions and evaluations are at least an equal partner with
quantitative tools. Quantitative methods work well with describable
probability distributions such as stock prices, interest rates or
hurricane prediction. Companies often embrace quantitative
measurements of risk for a number of reasons.
First, they can be seductively simple. Isn't it nice if management can be
presented with one or a few numbers that will tell them how much risk
they are taking on to produce the performance measurements listed in
the same report?
Second, employing even state-of-the-art quantitative tools can be handed off
to a committee, subordinates or a contractor. Meaningful qualitative
analysis requires extensive and continuing input from management and
the board. Outside contractors sell comprehensive risk management tools that
primarily collect and evaluate quantitative risks. If this is what
they sell, the reasoning goes, this must be what we need.
Third, the government employs quantitative measurements almost exclusively.
This is not because regulators don't understand holistic risk
practices and the value of qualitative tools. Rather, compliance is a
legal and administrative process. In order to enforce a rule on
anyone, it must be written, consistent, testable and auditable.
Unstructured risk discussions and evaluations do not easily fit
within the regulatory structure. I think the best efforts to mandate qualitative risk reporting are the
requirements for Form 10-K, which includes 3.1.2 Item 1A – Risk
Factors and 3.1.8 Item 7 – Management's Discussion and Analysis.
While very useful to investors, these reports can be vague, irrelevant or difficult to compare across organizations. There is simply too much
leeway in their preparation and a lack of timely updates on what should be
included going forward.
Governance, Risk and Compliance begins with Governance. It requires the right
tone from the top, engaged (incentivized) management and a cultural
shift to risk being understood as a necessary but controllable input
to value creation. Without this, one is left being legally
compliant but not risk intelligent.
Richard Ellis, PMP PRM
3 comments:
Great post, great Twain quote and the little boy. I really should have received royalties for the photo; I was too young to realize! :)
Richard, thank you for the interesting post. It nicely summarizes the limitations of quantitative metrics. I would like to add that these limitations are valid also when you look at types of risk such as credit risk, market and weather.
Phrases like “our Value-at-Risk measure is supplemented with stress testing” are familiar from the risk management policy reports of multiple financial institutions. There is a perception that stress testing allows for the analysis of extreme events that the quantitative risk measurement model didn't address. This perception is wrong.
Maybe you will find my blog post under http://universalowner.com/do-future-oriented-stess-tests/ in this respect interesting.
Richard, very smart piece. It is the unknown risk that always causes the extreme damage. That is not meant to say that you regulate an industry into bankruptcy, but many industries still have that shadow risk. For example: RMBS did not cause the credit freeze during 2008. This segment was the qualifying factor that led to the lock-up, but the shadow risk of synthetic swaps and the inability to even guesstimate counterparty exposure led to the unwind. Private capital expansion must be regulated to the extent that a trading market provides the disclosure necessary to see the elements behind the vehicle or instrument itself. This was a well balanced observation, and if the proverbial powers that would be would find and impose similar structures to regulation, we would all know what to truly be afraid of.