by Michael Rasmussen

Trends 2005: Risk And Compliance Management

Nov 10, 2004 · 6 mins
CSO and CISO · Data and Information Security

Facing increased compliance obligations, a dynamic business and IT environment, fragmented risk and compliance projects, and exposure to tort and criminal liability, organizations are seeking a formalized approach to managing enterprise risk and compliance. Some of the most frequent questions asked by clients are the following: How do we know if we are meeting compliance requirements? Is our compliance and risk management program effective? How do we identify and measure critical risks to the organization? How do we capture what we are doing about them? The resulting trends in 2005 and beyond are these: increased interest and adoption of risk management frameworks (particularly COSO); managing and measuring compliance as a process as opposed to a project; adoption of governance, risk, and compliance tools; the integration of compliance controls into the enterprise architecture; and for large critical infrastructures, appointment of a chief risk officer to manage enterprise risk and compliance.

Grasping for Control of Risk and Compliance

In an effort to measure and control risk and compliance, organizations are looking for a structured approach that lets them quantify risk, establish risk appetite/tolerance, identify and prioritize controls, and establish a system of record to meet a multitude of compliance obligations. The goals of establishing an enterprise risk and compliance management program are to:

  • Improve confidence in operational and financial integrity.
  • Maintain accurate and timely information that enhances visibility, measurement, management, and sharing of risk.
  • Accurately measure risk through a consistent and systematic approach, as opposed to disparate views that are reactively managed.
  • Measure risks not only at the system or project level, but seen from the business-process and business-unit level, as well as from the organizationwide view of risk management.
  • Provide consistency in terminology, measurement, compliance, and risk tolerance.
  • Quantify and justify risk decisions to support accurate response and decision making.

Key Drivers For Risk And Compliance Management

Organizations face mounting pressures that are driving them toward a structured approach to enterprise risk and compliance management:

  • Multiplicity of risk. Where organizations have minimized risk and compliance management in the past, the complexity of today’s business, dependency on IT and processes, growth in business partner relationships, and increased liability and regulatory oversight have amplified risk to a point where it demands governance. Furthermore, the multiplication of compliance requirements that organizations face increases the risk of noncompliance, which carries potential civil and criminal penalties.
  • Increased accountability. Sarbanes-Oxley (SOX) puts executives and the board in the hot seat. While SOX is not specifically aimed at operational risk and compliance (the PCAOB has ruled very narrowly on this around GAAP), its impact has been felt throughout the organization. Faced with stiff penalties regarding the integrity of financials, executives are requiring that risk and compliance be consistently managed within defined levels of risk tolerance to control impact on the financials. The only way to combat potential litigation is through increased control and oversight.
  • Fragmentation and duplication of effort. As management grapples to understand how risk and compliance are being managed in the organization, it finds an inconsistent approach. Risk and compliance management has been fragmented throughout organizational silos, resulting in a duplication of technologies and efforts with inconsistent approaches, measurement, and reporting. The lack of central visibility and oversight has resulted in islands of information trapped in documents and individuals throughout the enterprise.

2005 Trends Affecting Risk And Compliance Management

These drivers result in the following 2005 trends in risk and compliance management as organizations begin to build their approach to risk and compliance management:

  • Adoption of an enterprise risk management framework. For risk and compliance to be consistently managed, a framework is necessary. In response to SOX, most organizations have turned to the COSO Internal Control Framework to model their approach to documenting controls. Recently released, the COSO Enterprise Risk Management framework extends the Internal Control Framework to establish guidance on how to build an enterprise risk management process. The COSO ERM framework is poised to be the de facto standard of enterprise risk management.
  • Managed and measured compliance. In the past, organizations approached compliance as a project as opposed to a process. In today’s business environment, this opens up significant risk to the organization. Dynamic business processes, workforces, partner relationships, and IT systems require that compliance be managed and validated on an ongoing basis. As organizations face an increasing amount of compliance obligations, the mandate will come for a formal compliance management program.
  • Tool consolidation and integration. In an effort to control costs, as well as to provide a single interface into risk and compliance management, organizations will look toward tools that provide a central repository of risk and compliance management functions: policies, control documentation, assessments, and metric reporting. This central risk and compliance dashboard needs to integrate with other technologies that take a more granular view in specific areas of compliance and risk (such as information security, privacy, business partner relationships, and financial systems).
  • Integration into enterprise architecture. Risk and compliance cannot operate in a silo but must integrate into the business. The controls and measurement of risk and compliance require that they be integrated into an organization’s enterprise architecture. This involves integration of control into policies, operations, and technologies that support business processes.
  • Establishment of a chief risk officer. If your organization fits the formula of being $1 billion-plus in revenue and is labeled a critical infrastructure (for example, finance, energy, healthcare, transportation, utility, telecommunications), odds are that you will have a chief risk officer or someone of similar responsibility aimed at managing enterprise risk and compliance. By 2007, Forrester predicts that 75 percent of large critical infrastructure organizations will have established a formal enterprise risk management office with a CRO or equivalent role.

Recommendations: Don’t jump in without testing the waters

Organizations looking at developing a formalized approach to risk and compliance management should:

  • Start with one or two compliance/risk initiatives. Taking on too much at once is a recipe for disaster. Identify the hottest risk and compliance issues and let these build the foundation of your program.
  • Keep the enterprise in mind. A too-narrow focus may limit what can be built on the foundation. Make sure to keep the enterprise requirements in mind.
  • Introduce others over time. As you feel comfortable, integrate other areas of risk and compliance management into the program.
  • Let business needs drive initiatives. Risk and compliance management needs to be driven by the business, not IT. Business managers and information owners are the ones ultimately responsible for risk acceptance and integration of controls; they need to be involved and part of the process from the beginning in building out frameworks and supporting IT solutions for risk and compliance management.