
GRC: out of the silos and into the boardroom?

Chris Hamblin, Clearview Publishing, Editor, London, 23 October 2014


At this week's conference in London, MetricStream, a Governance, Risk and Compliance IT and consultancy firm, hosted a debate about the currency that the ideas of 'GRC' are acquiring in the boardrooms of the world's largest banks. Chris Hamblin of Compliance Matters was there to hear and to talk to the participants.


Gaurav Kapoor of MetricStream asked the panel: “how do you manage reputational risk from a fraud perspective?” It was generally agreed that this was a difficult problem; all it takes is one rogue trader or relationship manager and the reputation (and therefore the share price and possibly the balance sheet) of the bank in question could suffer for a long time. Lord Blair, the former head of the Metropolitan Police, said: “the key is that if one unit is outperforming everyone else, be very suspicious. I've seen police units conducting outstanding robbery investigations and one day you find that they're actually running the robberies. At Lehman they could not understand that that level of revenue was impossible.” Other members of the panel subscribed to the view that the top management at the firms responsible for the fiddling of the London Interbank Offered Rate probably had no idea of what was going on. All panel members – and other speakers throughout the day – seemed to think that the boards of scandal-struck conglomerates were much more guilty of bad risk evaluation than of top-down collusion. Not all commentators share this generous outlook.


Toby Shore, the chief risk officer at Emirates Global Aluminium, recounted a tale that illustrated the kind of reputational vigilance that every risk manager ought to aspire to. It concerned the Republic of Guinea, the epicentre of the Ebola outbreak. His organisation was planning to fly 20 Guineans to the United Arab Emirates for training. The human resources department was excited about this exercise, which it hoped would be the first of many. However, according to Shore, “we [the risk department] realised the reputational risk of being a catalyst for bringing that into the country, so we alerted all stakeholders and the board. We said 'it'll affect tourism, banking and the whole business proposition that is the UAE.'” As a result, Emirates Global Aluminium did not take the risk.


All panel members agreed that it was very difficult to quantify risk in terms of dollars and cents. In personal terms, they said, risk managers could quantify it in terms of “how many losers there are,” but this did not apply to money.


Gaurav Kapoor, the panel chairman and MetricStream's chief operating officer, mentioned the vacuum in the compliance officer job market in both the US and the UK: “There's obviously a demand-supply imbalance for which compliance strategies but not the market can provide. Today, one of the big five banks in the world let thousands of people go while taking on lots of auditors. A couple of years ago, it would have been unthinkable for a bank to spend $800 million to a billion a year on compliance-related costs, but I now know of two that do it. Moreover, according to one article recently published, the direct costs of compliance [such as the compliance payroll, IT etc.] are only half of the indirect costs of compliance.”


Shore made a bold statement about how he thought compliance directors could sidestep spiralling costs: “For us in a manufacturing environment, we can't convince the board to spend large amounts on compliance staff, so we look to embed the risk culture in the organisation and share the load. I have a risk team but I also have a wider risk team. We get just as much governance and compliance without the overheads.”


Although some in the audience may have found this claim ambitious, he went on: “The cost structure from an enterprise risk management or ERM perspective is negligible. It's better than saying 'I need so many dollars for a budget.'” Shellye Archambeau, the CEO of MetricStream, said that she had seen this done as well, adding that “at board level it's trying to drive responsibility and ownership down into the organisation as low as possible instead of spending money on 'the police.'” The panel agreed that it was rare for a huge company to promote a compliance director to its main board; Shellye Archambeau said that one of her former CEOs had appointed her in that capacity with the words “I don't want to be the only one in the boardroom with responsibility for compliance!” The panel also stated that a company called Kaiser – perhaps Kaiser Permanente Ventures which has contributed to MetricStream's funding – had spent $300 million in a year on GRC-related expenses and had itself appointed a compliance director to its main board.


Getting the right man for the job


How should one inculcate the elusive 'culture of compliance' in a firm? Shore related his experience when his firm merged two businesses in the UAE (one based in Abu Dhabi, one in Dubai) after a takeover. He said that he vested responsibility for the culture of compliance at corporate/board level, but the job of execution went to the lower units. He also said it was important to “engage the stakeholders right from the get-go.” He added that his firm was using technology “as an enabler” to communicate its goals with shop floor and board alike. Kapoor noted that such an ambitious implementation programme sometimes requires a 'GRC champion.' Blair chipped in: “I introduced a change programme. I got the man who'd cracked all the great cases to be the champion. I didn't get a new man. By doing this, I was showing everyone that this was a serious effort.”


It was here that Blair said that he suspected that many board members were too detached from the granular workings of their companies, citing the directors of banks found guilty of rigging Libor. “I don't think they had any idea,” he told a bemused audience. Pressing on with his argument, he insisted that a 'GRC champion' ought to take it upon himself to say “I want to understand the business, because nobody else on the board does.” Manoj Chawla added his belief that “this thing with a champion is not an option,” meaning that it was the only option. He thought that only this could stop 'G and R and C' from staying in their customary silos and remaining detached from one another. He added: “a great joiner to all for this is technology. Values too, and the risk culture.” Shellye Archambeau agreed: “I got asked that quite a lot by CEOs – who should lead the GRC evolution? My answer was always: the leader who is most respected and who is the most passionate.” She went on to say that the idea of a run-of-the-mill 'GRC czar' was not good enough, and the others agreed with her – and Blair's – insistence on getting the most authoritative person to do this multi-disciplinary job.


What are the GRC initiatives' top priorities? Shellye had an answer: “One is understanding and having a consistent view of what risk management is for their company. Your risk management system is not merely a list of the top ten risks. You can't say OK, we have these risks, we have these action plans, and that's good enough!”


She went on: “People are digging deeper into the understanding. We're seeing this play out across all industries, not just financial services.”


An audience member from the financial services sector asked whether strong risk management was a competitive advantage. One panellist replied: “It's why we see banks beefing up their compliance teams. The act of looking for 'black swan events' is helping us grow in a time when people are victimising non-income-generating departments.” Shellye agreed, repeating the old saying: “never waste a good crisis” and adding: “I do think risk and opportunity are two sides of the same coin. Managing risks in real time is really a competitive advantage. Now, 80% of our effort focuses on the rear-view mirror; when GRC is fully completed, we want to be 80% forward-looking.”


Another questioner asked how much effort was devoted to taking risks as opposed to avoiding risks. Toby Shore said: “If you can nail the discussion between risk tolerance and risk appetite, you can be more responsive to the market or trading environment you're in. It really comes down to that first discussion.” Shellye noted that business lines usually come forward with plenty of suggestions for taking risks, whereas risk managers almost never do. On the rare occasions when both line managers and risk managers come forward with proposals, however, she said that those initiatives turned out very well. She also thought that there was an increasing tendency for this to happen at financial firms: “It's the way things are going. We still don't have that yet – we're still immature.” Lord Blair added some ballast to this view, saying of regulatory risk: “if it becomes a pre-occupation of the board, the business will start to slow down. I'm all for risk management and compliance but...it's just something you have to do to stay afloat.”


When asked about the role of governance, Shellye said: “It's all about ensuring that the right procedures exist. Ten years ago, board members were all friends and relatives of the managing director. Now – and this is changing the dynamics – boards of directors are being held accountable.”
