Sponsored statement

GRC Roundtable: Getting the edge

At a recent OpRisk & Compliance roundtable, risk professionals discussed how financial institutions can gain a competitive edge by addressing governance, risk and compliance issues. Moderated by Ellen Davis.

TRANSCRIPT

Do you view your current governance and reporting requirements as too complex and, if so, what are your areas of greatest concern?

Angela Isaac, Fannie Mae
What creates complexity is if we allow our various areas of information gathering – compliance, Sarbanes-Oxley (Sox), operational risk and the other operational risk functions – to all operate as independent silos. The minute we operate independently, we create an artificial distinction in the information we’re collecting and reporting, and we run the risk that we’re confusing people by virtue of cataloguing things as compliance information versus operational risk information. What can get really difficult with operational risk information is when we start saying there’s operational risk information and there’s fraud and business continuity, as though these were independent elements.

Sean Moore, Lehman Brothers
When we were setting up our operational risk framework in a sophisticated manner, I’m happy to admit I got it wrong. It was an interesting lesson. We tried to set up a global operational risk-steering committee and it was a waste of time. It was false, it was made up and people were pained to come along. It seemed to have a lot of duplicity. When we went back to the drawing board, we turned around and looked at what corporate governance we already had in place. We already have an operating exposures committee at the firm that is made up of the firm’s executive, which is the heads of each of the divisions, and the chairman, the president, the CRO and the CFO. Learning from that lesson, we’ve put a series of divisional level structures in place. Some of those were operational risk specific, particularly in our capital markets businesses, and our equities and fixed-income trading. Then, in some of our other business, such as asset management, they already had very well-established and controlled risk committees broader than operational risk, so we integrated ourselves with those.

S Ramakrishnan, Reveleus
I think the opportunity to integrate through overlapping areas of risk, the notion of Sarbanes-Oxley and the notion of the artificial silos are exercising the minds of many companies today. I don’t believe anybody has a firm answer as to how all of this will be done, but there is a fundamental understanding of the commonality that seems to have emerged both in the front-to-back sense and in the functional silo sense. We are seeing at least three types of overlapping capability that people are seeking to reduce into a common set of practices, leading to a common measurement approach. That’s the big picture emerging in parts of the world today. We’re seeing ambitious programmes coming about in that area, but it still doesn’t answer the key question that you have raised, which is: ‘What are the organisational arrangements required for that class of convergence to actually come about?’ I don’t think there is a firm answer to that at this time. I think it’s experimentation that’s going on.

Do you feel you have an adequate level of insight into your institution’s real corporate risk across all operating units and, if so, why? Is there anything you would like to add to your discussion, given that it’s not just about new businesses, but also about existing businesses and how you get people to communicate and understand what is going on and driving those businesses?

Jane Carlin, Morgan Stanley
I’d have to say, without sounding too pessimistic, that the short answer is no – I don’t think we have a sufficient level of insight into corporate risk. Part of the challenge that I’m describing, and I remember being challenged by this as a lawyer and I’m certainly challenged by it in this role, is extrapolating from business goals and budgets and ways in which the business is looking to grow – what the corollary involvement of risk management is or should be in that respect.

Panellist profile: Jane Carlin, Morgan Stanley – Global head of operational risk management, with responsibility for business continuity management, information security and risk support for operations.
Ramakrishnan: This is very interesting, Jane, because we see the new business development and, certainly, new product introduction almost as a side activity when we introduce new lines of business. What’s interesting is the natural synching of the normal business planning activity with the related appetite for risk, and the assessment of that as the business planning activity is going on. Is that something you believe is practised or expected to be practised?

Carlin: I think it is in pockets. I think it’s person-dependent to be perfectly honest. By the way, I think it’s equally true for maturing businesses. If you look at subprime as an example, this wasn’t a new activity. This was an activity that had begun to dominate a market. Where it had historically been a small component, now it was suddenly everything. I think that emphasis, and concentration and derivation of revenue from that space all contributed to the explosive conclusion.

Isaac: I think we sometimes fool ourselves in our companies that risk is managed in discrete pockets, such as a new product approval committee, which most of you probably have. It’s a continuous process. Products evolve and management is required to make choices as products evolve – become more successful or are challenged in the market. I think for operational risk and compliance to be effective we have to have an understanding at management level of how to evaluate those risks and not expect them to be discrete exercises. That’s why, when I was originally asked this question by Ellen, I had very mixed feelings about answering it. You don’t know what you don’t know and you can get surprised by things that are out there. Ultimately, my question is more: ‘Does my manager really understand the operational risk they are taking?’ Do they feel equipped to identify those risks? That’s very much the role I think I have to play at the corporate level – giving them the equipment, tools, capability, education and information that positions them to make those choices.

Is the cost of compliance, risk and surveillance fully understood across all operating units and, if so, how have you achieved this?

Isaac: Documenting it. Going through our restatement recently, it was an important acknowledgement of what the cost is to correct activity and to ensure you have an effective control framework in place. Also, building a risk management team, and getting an understanding of what needs to be done with an organisation initiating risk control self-assessments and establishing incident collection. There’s a very acknowledged awareness of what the cost is. For me, the question is really around: ‘Where is the value?’ When we start focusing on the cost of introducing these kinds of programmes, they become expense carriers that then start being justified away, if there really isn’t any management value that is seen as derived from it. Part of what we do, or what we are working towards – it’s somewhat aspirational at this point – is to link more carefully the effectiveness of a control environment, the effectiveness of appropriate risk management practices, to what judgement was exercised and what benefit was gained from that, either through loss avoidance or, not necessarily correct, but better choices being made. One of the things I advocate strongly is linking the risk management function to the value creation of the organisation and why better judgement leads to more effective risk taking.

Moore: I think that’s interesting. I think a lot of firms, particularly in New York, have been very outspoken about the cost of compliance with such things as Sarbanes-Oxley. In the operational risk space in particular, we are talking to senior management about why, how and when we’re doing this. I’ve never once mentioned the advanced measurement approach to them. They know that there’s the SEC and the FSA that they need to be accountable to and they will be asking questions. We are doing this as a firm because we want to be sophisticated and thoughtful about this and to build a model, a framework, around what we think is the best practice for our firm.

Panellist profile: Angela Isaac, Fannie Mae – Senior vice-president responsible for op risk oversight. Responsibilities include framework and policy development, as well as the Sarbanes-Oxley programme, business continuity, fraud, information security and vendor risk.
Ramakrishnan: We are finding that both compliance and operational risk are there throughout the organisation, they are there inside your lines of business, and especially the enforcement aspects have to be performed in the operational function. I guess the bigger question is: ‘Has this all become part of our lives so it doesn’t get called out as an incremental expense or is just that the Sox-like incremental regulatory burden is the most visible end of the compliance cost or the operational risk cost?’ Where I would really like to segment this question is: ‘Where is that visibility and pain most manifest at this time and are people doing it grudgingly or is it understood as best practice?’ It’s a question being answered by a question, but I would ask the audience if they have any thoughts around the prevalence of regulations as a pain point driving this cost.

Has your institution taken measures to consolidate governance risk and compliance platforms to reduce costs and, if so, how?

Moore: Interestingly, it’s perhaps the wrong answer or the answer people don’t want to hear. We have spent a lot of time and energy in operational risk making sure we are a risk management function. We’re not a compliance function and we’re not an audit function. I think we are very thoughtful about what internal audit and compliance do. We absolutely use their information. Our risk control self-assessment, for example – my colleagues in corporate audit do a terrific job doing their risk self-assessment. It’s a wordy kind of process but it’s very good. We’ll steal that; we’ll use their information when it’s available and when we think it’s good – and it is, so we’ll take it. But we are not trying to integrate with them at all.

Isaac: I don’t necessarily focus on the platform so I guess my answer is no as well. It’s more about the information collection and it’s largely out of respect for our business partners who can’t afford to be hit by the same question by five different groups. Mainly out of ensuring that the question does get answered, that the information is reliable, valuable and consistent, we’ve cooperated in setting up a single risk control self-assessment process for compliance, operational risk and the various risk specialities, such as business continuity, that would routinely go to the business unit to assess, for example, the classification of its processes for continuity purposes. We’ve rolled that into a single exercise for the business managers, so when that assessment is complete, they have satisfied all of the information requirements for compliance in the other groups.

Carlin: I think our answer is yes. We have integrated technology and information across Sarbanes-Oxley, compliance, operational risk and internal audit, and have had each of those groups, including our group, populate central data libraries at the firm that we find are very helpful in horizontalising analysis, extracting reports – so you can slice and dice much more easily and take what you like. It’s sliced and diced along everything from Basel risk categories, to business lines, to functional areas. We have all the incidents in there now and, in fact, we’re populating the action plans that correspond to major remediation milestones and such. We’re all very happy that we bit the bullet but it took a ton of work and the technology was the least of it. It was really the data migration, cleansing and harmonisation. It required that we developed firm-wide vocabularies and taxonomies around what constitutes a critical, high, moderate and low risk and all that stuff and getting audit to change its process, literally, to comply with firm-wide conclusions around ‘is it 4 by 6, or 3 by 7, or 2 by 2?’

Ramakrishnan: We are seeing the strong emergence of this, especially in organisations that have an entrenched, multiple-siloed process. I think the common vocabulary is the primary driver and cost is a driver. We are seeing a duplication in exactly the way Angela mentioned, which is that people are being asked to do the same thing again and again with mildly different shades of questioning. Because of that driver, the next question is asked: ‘Is the technology also duplicated?’ And then, of course, the end issues of converged metrics and a common aggregatability of numbers, which to our mind is really the three levels of reasoning for this question. We are seeing many organisations bite the bullet so to speak and move this ball forward.

Panellist profile: Sean Moore, Lehman Brothers – Global head of operational risk management. Previously was the chief operating officer for equity trading in Europe, based in London.
Is your financial institution approaching governance risk and compliance strategically and, if so, why and how?

Ramakrishnan: This is a simple question to the rest of the panel and to the others gathered here. Are we seeing operational risk and compliance come together organisationally to a common head, as one mechanism for that type of strategic convergence? From a metrics perspective, in terms of convergence of metrics and systems, and of people and cultures, another area that we have discussed, is it finally leading to any class of commonality from an organisational, structural perspective? Or are the lawyers running compliance and are the risk people running ops risk?

Carlin: I see a lot more interaction, certainly, and I see a lot more sharing of issues. I’ll give you an example of something I’m working on right now. I’m working on a documentation sort of gap analysis, focused on particular credit counterparties where there isn’t enough transparency about what the agreements say, what would happen if, and how would we proceed to mobilise around that situation. Historically, the firms have been very good at scanning documents but not terribly good at analysing them in all cases. The lawyers who support the businesses and are responsible for the documents directly are participants in that process, but I see op risk really in a unique nexus point within the firm because we’re talking to everyone – all the businesses, all the support areas. We have a real opportunity to establish ourselves as leaders – thought leaders and remediation leaders – in a way that brings folks together, and it doesn’t have to happen organisationally.

Moore: I’m not seeing any convergence with compliance and operational risk and I don’t expect that to change. I am seeing convergence with my colleagues in market risk and credit risk, increasingly, as we are looking at some of the big-ticket items; the items where you can lose the $100 million – they seem to be more collaboratory with my market and credit risk colleagues. I think we’re also seeing increased alignment with finance, particularly the product control and financial reporting people. That’s not to say there’s not a lot of information sharing with compliance and audit. That’s kind of how I see us.

Carlin: Do you report to the chief risk officer?

Moore: I do.

Carlin: I do as well.

Isaac: As do I. I think it depends on the area where there are natural opportunities when you combine people. Integration shouldn’t be done just to get people to report to the same individual. To Jane’s point, the cooperation element is probably more effective and more valuable than jacking up the responsibilities of the chief risk officer.

Carlin: I do think we’ve been a tremendous influence on market risk. I really share that comment. I had a senior market risk professional come up to me recently wanting to talk about outstandings on complex trade reviews. After almost fainting, I was really struck that, two or five years ago, I don’t know if this guy would have even known there was a CTR process, even though he was enormously dependent on that reconciliation from a market exposure perspective. He never really understood that. With today’s eyeglasses on, they really get that joke.

Panellist profile: S Ramakrishnan, Reveleus – Chief executive officer for Reveleus and Mantas line of business for i-flex Solutions. i-flex is 83% owned by Oracle. Previously spent over 17 years with Citigroup in a variety of operational and risk roles.