GRC (Governance, Risk and Compliance): buzzword, nefarious plot or a new trend?
Blog post by David Rowe on May 03, 2007 - 10:32 AM, read 4470 times. Source: http://www4.sungard.com/blogs/riskManagement/?p=14

Governance, Risk and Compliance, or GRC for short, is a common phrase these days, especially in traditional auditing circles. Its proponents argue that it represents the start of a necessary effort to break down barriers that divide corporate oversight activities into needlessly competing silos. They argue that governance and compliance failures represent some of the biggest risks facing businesses today. Needless to say, Enron and WorldCom are prominent in these discussions.
No one can argue with the idea that a well understood and widely respected risk culture is essential for effective risk management. Furthermore, good governance starts at the top. If senior management does not take the lead there is little chance of maintaining a sound attitude toward risk in the rest of the organization.
On the other hand, a cynic might say that this is an effort by auditors and other compliance professionals to regain some turf lost to the growing role of financial risk management as a distinct professional activity.
So, is GRC:
What is your view?

by: Scott Randall
by David Rowe - Sungard on May 05, 2007 - 08:03 PM read 360 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
Governance, Risk and Compliance still sounds very defensive. The leading edge of risk management is looking for ways to use risk to secure competitive advantage, either through cost leadership or differentiation. Thus, I can’t imagine GRC being much more than another acronym for more of the same.

by: Rich Pedersen
by David Rowe - Sungard on May 14, 2007 - 08:33 AM read 300 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
Whether the name “GRC” takes hold or not, the activity itself is still essential, and the need for it, by whatever name, is being recognized more and more.
Consider S&P’s announcement in January that they are going to be implementing an ERM inquiry as part of their rating investigations for all companies, not just financial firms (since 2004) and energy companies (started last year with a 12-company pilot). Now that all companies’ leadership teams face having their credit rating and cost of capital on the line, I can only believe that their hands will get a little tighter on the reins of governance and risk and compliance.
A ratings hit is about the most public rebuke they can take short of an indictment, and will make GRC failures more visible than they’ve ever been before.

by: David Rowe
by David Rowe - Sungard on May 14, 2007 - 10:17 AM read 302 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I accept Scott Randall’s point about the problem of any organization being over defensive and the risk management function really being the “risk police.” The essential key, as in so much of personal and professional life, is to strike the right balance. I outlined this in some detail back in 2001. (See: http://www3.sungard.com/SunGardFinancial/menus/documents/risk_managers/200110%20organizational%20balance.pdf )
After a solid risk culture that is established at the top of an organization, I believe the next essential requirement of good risk management is reliable, accessible and useful risk information. This requires summary measures such as the much maligned Value-at-Risk AND the ability to drill down into relevant details when issues arise.
Rich Pedersen’s point stems from the basic insight that risk is fundamentally a portfolio concept and can only be assessed meaningfully in this context. Attempting to evaluate risk piecemeal at the micro level will never be adequate. This is the essential rationale behind enterprise risk management and other efforts such as Governance, Risk and Compliance, to achieve greater integration across areas of risk. Nothing in this integration necessarily makes it a purely defensive effort, although it is all too easy to fall into that trap. If I have any fear about GRC, it is that compliance tends to be a one-sided issue. Obeying the law should not be optional and there should be no question that rigid compliance is the only accepted benchmark. In contrast, market and credit risk are necessary aspects of running a profitable business. Gauging how much risk is involved and whether there is sufficient market compensation to make taking such risk worthwhile is an essential aspect of its proper management. Zero risk is simply not an option.
If GRC leads to confusing compliance, where uncompromising control is necessary, with forms of risk that are appropriately managed and balanced against expected and unexpected returns, it could be a step in the wrong direction. Nevertheless, if the necessary distinctions are clearly maintained, a more integrated administration of all the related forms of risk should improve overall performance.

by: Dilip Krishna
by David Rowe - Sungard on Jun 03, 2007 - 07:29 AM read 377 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
What is needed is a good taxonomy of GRC. The lack of a classification scheme reflects the confused lines of authority of GRC initiatives in most organizations, and the lack of leverage of GRC investments. Until this happens the chances of effectively moving from a defensive to offensive risk management/GRC regime are slim indeed.
The possibilities are of course there for all to see - from leveraging and de-duplicating policies and controls (effecting cost reduction as well as enhancing control) to rationalizing and reusing immense spends on technology. All this can happen only in the context of an effective framework for GRC which needs to include things like SOX, AML, fraud as well as traditional risk management into a coherent whole.

by: Scott Randall
by David Rowe - Sungard on Jun 04, 2007 - 07:32 PM read 356 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
To pick up on Dilip’s comment about the need for a taxonomy, perhaps we shouldn’t try to re-invent things here. If we start with the STEEP (Social, Technological, Economic, Environmental, Political) taxonomy common among strategic planners and “environmental scanners”, this puts the effort on the right track, i.e. (opportunities and threats), and it is something people are accustomed to seeing. It is also easy to remember!

by: David Rowe
by David Rowe - Sungard on Jun 18, 2007 - 04:28 PM read 300 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I accept Scott Randall’s point. I hope my previous comment did not imply that we need to build all the needed tools from scratch. In fact, I have repeatedly emphasized that the financial sector has a great deal to learn from the manufacturing sector and their significant strides in total quality management. I think that there should be greater emphasis on what I call Detailed Risk Indicators (DRIs) and not just Key Risk Indicators. That said, more monitoring of detailed risk indicators will only make practical sense if linked to the type of automated screening tools used in statistical process control. (See: http://www3.sungard.com/SunGardFinancial/menus/documents/risk_managers/200310%20statistical%20process%20control.pdf )
After years of careful attention to risk and control self-assessment and monitoring operational risk indicators as well as losses, we may eventually have sufficient data to link this dimension of operational risk management to the probability distribution of losses. Even before then, however, applying the lessons of statistical process control should help to reduce errors in execution and limit the number and impact of operational failures.

by: Scott Randall
by David Rowe - Sungard on Jun 11, 2007 - 09:29 PM read 294 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I don’t see that we are in much disagreement here. The question is one of implementation. Concerning tools, David says that building flexible tools is the key. I maintain that at one level we already have the basic tools if we only broaden our search beyond financial, credit and market risk management and look to operational risk management, strategic planning and the quality movement that saw its resurgence in the early ’90s. There are some excellent analytical tools, techniques and methodologies in use by our brethren in the field of quality management and, yes, statistical process control: things such as bow-tie diagrams, control charts and data gathering methods that we could begin to apply toward SOX and AML compliance if we care to exchange notes with them. We can then customize these tools for our specific applications and requirements in banking, finance and energy risk management.
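The automated screening David Rowe ties to statistical process control in his earlier comment, and the control charts Scott Randall mentions here, as an added Python example that is not code from the blog or from any commenter: an individuals (X) control chart, with limits derived from the average moving range, run over a constructed daily count of reconciliation exceptions standing in for one detailed risk indicator. The indicator, the numbers and the baseline length are assumptions for the illustration; the d2 constant is the standard one for moving ranges of two observations. Besides the 3-sigma limit test it applies one run rule, so a slow drift that never crosses a limit is still flagged.

```python
"""Statistical process control screen for a detailed risk indicator.

Added illustration (not from the blog or its commenters): an individuals
(X) control chart whose limits come from the average moving range, applied
to a constructed daily count of reconciliation exceptions in a back-office
process. The first BASELINE_DAYS observations are treated as the in-control
baseline; every day is then screened against those limits.
"""
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample data, not real figures: 20 stable baseline days, then a
# modest upward drift (days 21-28) and one isolated spike (day 29).
DAILY_EXCEPTIONS = [
    4, 6, 5, 3, 7, 5, 4, 6, 5, 4, 6, 5, 3, 5, 6, 4, 5, 7, 4, 4,  # baseline
    7, 8, 7, 8, 7, 8, 7, 8,                                      # drift
    21,                                                          # spike
    5,
]
BASELINE_DAYS = 20
D2_N2 = 1.128  # standard control-chart constant d2 for moving ranges of size 2


@dataclass
class ControlLimits:
    center: float
    sigma: float
    ucl: float
    lcl: float


def individuals_limits(baseline: Sequence[float]) -> ControlLimits:
    """Center line and 3-sigma limits from the mean and the average moving range."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline observations")
    center = sum(baseline) / len(baseline)
    moving_ranges = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    sigma = (sum(moving_ranges) / len(moving_ranges)) / D2_N2
    return ControlLimits(
        center=center,
        sigma=sigma,
        ucl=center + 3 * sigma,
        lcl=max(0.0, center - 3 * sigma),  # an exception count cannot be negative
    )


@dataclass
class Signal:
    day: int       # 1-based position in the series
    value: float
    rule: str


def screen(series: Sequence[float], baseline_days: int, run_length: int = 8) -> List[Signal]:
    """Flag points beyond the control limits, plus runs of `run_length`
    consecutive points on one side of the center line (a drift rule)."""
    limits = individuals_limits(series[:baseline_days])
    signals: List[Signal] = []
    above = below = 0
    for day, value in enumerate(series, start=1):
        if value > limits.ucl or value < limits.lcl:
            signals.append(Signal(day, value, "beyond 3-sigma control limit"))
        if value > limits.center:
            above += 1
            below = 0
        elif value < limits.center:
            below += 1
            above = 0
        else:
            above = below = 0
        if above == run_length or below == run_length:
            side = "above" if above == run_length else "below"
            signals.append(Signal(day, value, f"{run_length} consecutive points {side} the center line"))
    return signals


if __name__ == "__main__":
    lim = individuals_limits(DAILY_EXCEPTIONS[:BASELINE_DAYS])
    print(f"center={lim.center:.2f} UCL={lim.ucl:.2f} LCL={lim.lcl:.2f}")
    for sig in screen(DAILY_EXCEPTIONS, BASELINE_DAYS):
        print(f"day {sig.day}: value {sig.value} -> {sig.rule}")
```

On the constructed series the drift is caught by the run rule on day 28 and the spike by the limit test on day 29; the baseline alone produces no signal. The baseline window is the part that needs judgment in practice, since limits computed over a period that was itself out of control will hide the problem they are meant to expose.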

by: David Rowe
by David Rowe - Sungard on Jun 08, 2007 - 06:12 AM read 272 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I think Dilip Krishna and Scott Randall may be talking at cross-purposes. I agree with Scott that the STEEP taxonomy is an excellent starting point assuming that the political element is broad enough to encompass regulatory risks such as anti-money laundering violations.
If I understand Dilip’s point, there often is too much internal organizational overlap in efforts to deal with many of the components of any taxonomy defining the sources of risk. One example of this is the tendency to view meeting the Basel II operational risk requirements as a separate effort from more specific demands such as AML compliance. Most of what is needed for effective anti-money laundering efforts or SOX compliance is the assurance of consistent adherence to a well defined process. As such, these are really specific instances within generic operational risk management and control efforts. Building tools to deal with the generic OpRisk challenge that are sufficiently flexible to support SOX, AML and other efforts requiring disciplined execution makes much more sense than building customized tools for each specific requirement.

by: Scott Randall
by David Rowe - Sungard on Jul 09, 2007 - 10:06 PM read 264 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I would like to go back and dig into one of the comments made by Rich Pedersen concerning the involvement of S&P in the risk management and governance debate. If we take S&P as just one of the many stakeholders that companies must satisfy (including, for example, regulators, NGOs, boards of directors, shareholder activists), could we say that an emerging and increasingly important goal of risk management is stakeholder assurance? In this post-Parmalat, WorldCom, Tyco, Shell and now Siemens and VW world, are stakeholders so skeptical of what is being said by executive management that a company that provides assurance through the process and practice of risk management could use it as a source of competitive advantage? This argument is sort of like taking reputational risk to the next level, beyond just “trust us, we’ve always done good work” to “we always do good work, and let us show you the tools and process we have for reducing the uncertainty of our future cash flows (i.e. earnings, dividend streams, valuation, etc.)” Does anyone have examples of securing competitive advantage via improved stakeholder assurance of the reduction of uncertainty?

by: David Rowe
by David Rowe - Sungard on Jul 10, 2007 - 09:19 AM read 282 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
It is my general experience that establishing trust with a company’s stakeholders is an essential requirement for success. The unknown is always one of the greatest sources of fear. In stock markets it is always easy to sell now and ask questions later. When an inevitable problem arises, credibility of top management, especially the CEO and CFO, is an essential resource. The day I knew that Enron was toast was when it became public that Andrew Fastow had a stake in an off-balance sheet transaction where his personal interest was directly contrary to the company he supposedly served. From that point there was no possibility of restoring public trust in time to avoid a collapse.
To my mind, building a foundation of trust among all stakeholders is the strongest reason for companies to be forthcoming in making risk information public. If done consistently and realistically, such information can help markets evaluate adverse events more realistically instead of fearing the worst and acting accordingly.

by: Sean Lyons
by David Rowe - Sungard on Jul 13, 2007 - 07:44 AM read 297 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
It could be said that GRC represents a natural progression, taking the risk management concept and adding the management of governance and compliance to create a new, more sophisticated model, which represents a more integrated view and results in a more effective and efficient approach. The GRC movement as a cross-functional discipline represents the first major step towards a more comprehensive cross-functional convergence in the broader area of corporate defence, if you think of corporate defence as an organisation’s program for self protection, with the responsibility for defending the interests of all of its stakeholders. It is only by defending the interests of all of its stakeholders (including its people) that an organisation can hope to establish a foundation of trust and develop the required top-down and bottom-up culture within the organisation. In my opinion governance, risk management and compliance represent important corporate defence components and GRC represents the first real step in the evolution towards a cross-functional convergence in the area of corporate defence. Eventually, however, I believe that a broader cross-functional discipline will emerge, which will involve the integration of GRC with corporate intelligence, security and resilience. This broader discipline will also need to incorporate corporate controls and assurance into its framework in order to achieve a truly integrated and holistic solution to corporate defence. This approach should address the confused lines of authority referred to earlier by addressing the responsibility and accountability for operational line management, which is where ERM currently seems to fall short. This holistic approach can be achieved by not only building on existing work already in place but also by taking advantage of the advances in technology solutions now available. It is only then that the real benefits of integration, rationalization and leveraging will be truly harnessed.

by: David Rowe
by David Rowe - Sungard on Jul 16, 2007 - 10:49 AM read 266 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I hope Sean Lyons is correct when he says, “Eventually … I believe that a broader cross-functional discipline will emerge.” Unfortunately I think it will be longer coming than many people believe. Fragmented loyalties based on specialized skills are difficult to overcome. Technology may support a more holistic approach but some aspects of technology work counter to this goal. Advances in software functionality often occur first in specialized stand-alone applications. Competitive pressures force many businesses to be early adopters. This, in turn, reinforces fragmentation of data across the enterprise. It requires tremendous discipline to maintain reliable and timely consolidation of enterprise-wide data. Self-describing messages based on XML-based conventions can help, but as long as new complex transactions continue to appear it will be hard for these conventions to remain current. Without reliable and timely data consolidation, all the technology power in the world will be of limited use.
In the end the biggest obstacle to a more holistic approach will be old fashioned organizational jealousies and battles over turf. As the old saying goes, “We have met the enemy and they are us.”

by: Sean Lyons
by David Rowe - Sungard on Jul 19, 2007 - 07:38 AM read 239 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I would have to agree with David in relation to the challenges facing a holistic solution and the evolution towards cross-functional convergence, particularly in relation to the expected resistance from existing silos within an organisation. Generally speaking, silo-type environments are typically inefficient and often ineffective, which obviously has a negative impact on the organisation’s performance. Certainly most organisations suffer from a degree of internal politics; however, it is only what has been described as a dysfunctional organisation which will actually allow internal power struggles and turf wars to dictate strategy. Any organisation which allows departmental ambitions and personal interests to be put ahead of the interests of the organisation as a whole is already in serious trouble. I believe that most progressive organisations have a low tolerance for this behaviour; however, to address this issue organisations do need to have appropriate systems of checks and balances in place. Apart from external drivers such as market competition, the internal driver is the organisation’s corporate governance responsibility to stakeholders. I believe that progressive organisations are learning how to ensure that the important role of specialist skills is valued and appreciated within the organisation, and that rather than giving up their turf, these specialist units can be encouraged to play a more meaningful role in the organisation, in a valued partnership with their peers. I accept that this change will not occur overnight; however, I am perhaps a little bit more optimistic in relation to timeframes. I believe that some of these changes are already occurring and that significant progress has already been made, GRC being a prime example. There have, however, been developments in other areas such as “Unified Security Management”, “Risk Intelligence”, “Business Resilience” and “Corporate Defence Management (CDM)”, to name but a few.
However it is important to build on this momentum in order to avoid the creation of simply larger silos. Call me naïve but I believe that there is currently a climate developing which is less resistant to change, more acquiescent to evolving and more determined to succeed, hence in my opinion this change will occur sooner rather than later.

by: David Rowe
by David Rowe - Sungard on Jul 20, 2007 - 04:42 AM read 234 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
Lest I give the impression that I am a complete pessimist, I also think there is hope for progress. I have often said that the for-profit corporation is the closest we humans have come to creating a benevolent dictatorship. Let there be no doubt, under a strong leader a corporation is essentially a dictatorship. What keeps it reasonably benevolent is that it is an open system in which employees and shareholders have the right of exit. (This also explains why a good education and attractive skills are the surest guarantee of an individual’s personal freedom.) Competition for employees, customers and shareholders is the essential force that makes for-profit corporations more responsive than government or not-for-profit organizations.
Beyond that, for-profit corporations have a clear-eyed sense of the reality of human beings as existing in a moral space somewhere between the brutes and the angels. As a result, it is universally accepted in the corporate world that everyone must be subject to oversight and independent review. Obviously this process is not 100% effective, as was shown in the cases of Enron, WorldCom and Parmalat, but broad acceptance of the principle is at the heart of corporate governance.
I am not sure I would draw Sean Lyons’s distinction between external and internal drivers. In my view the need for effective corporate governance and risk management flows directly from external competition for shareholders or the self-interest of private owners. Regardless of the source, however, I agree that the importance of good governance is widely shared. Another source of pressure for more holistic risk management is a growing sense of the danger from highly unlikely events, what Nassim Nicholas Taleb calls Black Swans. The variety of potential threats, including market shocks, infrastructure failures, electronic security breaches, terrorist attacks…the list goes on, tends to push thoughtful people toward the need to marshal AND COORDINATE all available resources for effective risk management.
I do think progress will be made in this area. To show, however, that I have not lost all my cynicism, I always fall back on the sad truth that, “Experience is a harsh teacher but some will learn from no other.” The huge and highly embarrassing trading losses of the late 1980s and early 1990s gave birth to modern financial risk management as a coherent profession. September 11th suddenly concentrated people’s minds on the importance of fail-safe backup facilities. In the same fashion, I think the big push toward more integrated risk management will come on the heels of a yet unknown future disaster that either might have been prevented or the damage from which might have been minimized by having such a structure in place.

by: David Rowe
by David Rowe - Sungard on Sep 19, 2007 - 04:09 AM read 212 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
I agree completely. In my forecasting days I used to quip that I was one of those odd practitioners who believed the roots of economics were in commerce and not mathematics. Much the same can be said about risk management. For some people the temptation is great to think that enough data and sufficiently sophisticated analysis can make risk management a mechanical exercise. This totally ignores the perverse ability of human nature to generate unexpected surprises. The difficult trick is to combine a deep knowledge of the business with enough insight into the analytical methods behind statistical analysis to interpret them effectively. In essence, statistical analysis must be designed to support sound human judgment; it will never replace it. Falling into the trap of thinking statistics can supersede judgment is a very dangerous situation.

by: Mcgill
by David Rowe - Sungard on Sep 10, 2007 - 12:44 AM read 225 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
One can’t deny the importance of statistical techniques and tools in calculating the risk of a business. However, subject knowledge of the business is critical to statistical application.

by: scott randall
by David Rowe - Sungard on Sep 21, 2007 - 09:03 PM read 211 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
This discussion reminds me of the voluntary Thursday morning “coffee klatch” that we used to have back in the days when a few of us in the corporate risk management group would get together and discuss the week’s market trends. We had the technical guys (who did the hedging of our physical positions) and the fundamentals guy who would develop the curves off which the company would base acquisition and divestiture decisions. Every Thursday at 8:15 they would spar off in a very friendly manner for about 1/2 hour over coffee with their charts (from the technical guys) and the latest gas storage draw (from the fundamentals guy). Both talked about hurricanes, of course, but interpreting the latest Gulf gusts through different eyes. As the fly on the wall hailing from the illiquid Latin American power side of the business, I learned a tremendous amount about the value of David Rowe’s balanced approach with real trading markets like Nymex gas or European crude or gasoil futures (as opposed to my simplistic spot electric power prices in Ecuador). And amazingly, there was real camaraderie there: a mutual respect and stimulating discussion for no other reason than a fascination with commodities markets. I have never seen this replicated in any environment other than the artificially hyped-up “point/counterpoint” political discussions you might see on television. This blog simulates that atmosphere, but how I long for the days of the Thursday morning coffee klatch where statistics and fundamentals seemed to happily cohabit. Before the merchant power meltdown, “those were the days, oh yes, those were the days” (sorry, I’m getting choked up).

by: David Rowe
by David Rowe - Sungard on Sep 24, 2007 - 11:02 AM read 156 times Source: http://www4.sungard.com/blogs/riskManagement/?p=14#commen...
Scott Randall highlights the difference in perspective and mindset between a short-term trading environment and a long-term strategic environment. I certainly agree that much is to be gained from interaction across those involved in these often separate activities. One thing I have observed over the years is a serious lack of effective distributional analysis on the part of those in the strategic side of this divide. This arises, I suspect, from the lack of willingness to define distributions and co-variation assumptions for longer-term strategic events.
Sam Savage of Stanford University has proposed the interesting idea of appointing a Chief Probability Officer to create certified distributions for key strategic variables. (See: http://www.lionhrtpub.com/orms/orms-2-06/frprobability.html ) This would allow analysts in different areas of a company to create distribution-based analyses for their specific projects THAT COULD BE RIGOROUSLY AGGREGATED. That is possible because the underlying distributions would be scenario consistent. This would allow the corporate office to assemble a project portfolio based not just on taking the highest ROI projects first and then working down the list. They could test the risk and return tradeoffs of different portfolios.
An example Sam uses is an oil company that had, among other projects, an apparently high return investment to develop a natural gas field in Nigeria and a comparatively low return opportunity to develop an offshore gas facility in Norway. The big risk from the Nigerian project was a political crisis that could lead to complete loss of the investment. The risk on the Norwegian project was considerably less, but the return appeared to be even more modest. The key insight, however, was that a political blowup in Nigeria would cause a significant spike in European natural gas prices that would raise the return on the Norwegian project considerably. Once this was factored into the distributions, the Norwegian project was immediately recognized as an effective hedge for the risk of the Nigerian project. On a portfolio basis, undertaking the Norwegian project actually made it sensible to expand the high-expe
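The scenario-consistent aggregation described in the comment above, as an added Python example that is neither Sam Savage’s nor David Rowe’s code: one tiny “certified distribution” for a shared strategic variable (a hypothetical Nigerian political crisis and the European gas price index it moves), two project payoffs written as functions of that variable, and the portfolio distribution obtained by evaluating both projects on the same scenario draw. For contrast it also computes what you get by sampling each project’s own distribution independently, which is the mistake consistent scenarios avoid. Every probability and payoff is constructed for the illustration and not taken from the oil-company case.

```python
"""Scenario-consistent aggregation of project risk.

Added illustration (not Sam Savage's or David Rowe's code): a tiny
"certified distribution" for one shared strategic variable, project payoffs
written as functions of that variable, and two ways of aggregating them.
All probabilities and payoffs are constructed for the example.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Sequence


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float
    nigeria_crisis: bool      # hypothetical political-crisis flag
    eu_gas_price: float       # hypothetical European gas price index, 1.0 = today


# The "certified" distribution every analyst must draw from (constructed).
CERTIFIED_SCENARIOS = (
    Scenario("calm", 0.8, nigeria_crisis=False, eu_gas_price=1.0),
    Scenario("crisis", 0.2, nigeria_crisis=True, eu_gas_price=1.6),
)

Payoff = Callable[[Scenario], float]


def nigeria_field(s: Scenario) -> float:
    """Payoff on 100 invested: +40 in calm conditions, total loss in a crisis."""
    return 0.0 if s.nigeria_crisis else 140.0


def norway_facility(s: Scenario) -> float:
    """Payoff on 100 invested, rising with the European gas price index."""
    return 63.0 + 45.0 * s.eu_gas_price   # 108 at index 1.0, 135 at index 1.6


def consistent_distribution(projects: Sequence[Payoff], scenarios: Sequence[Scenario]) -> Dict[float, float]:
    """Evaluate every project on the same scenario draw, then add the payoffs."""
    dist: Dict[float, float] = {}
    for s in scenarios:
        total = sum(p(s) for p in projects)
        dist[total] = dist.get(total, 0.0) + s.probability
    return dist


def independent_distribution(projects: Sequence[Payoff], scenarios: Sequence[Scenario]) -> Dict[float, float]:
    """The mistake the scenario-consistent approach avoids: each project's own
    distribution is sampled as if it had nothing to do with the others'."""
    dist: Dict[float, float] = {}
    for combo in product(scenarios, repeat=len(projects)):
        total = sum(p(s) for p, s in zip(projects, combo))
        prob = 1.0
        for s in combo:
            prob *= s.probability
        dist[total] = dist.get(total, 0.0) + prob
    return dist


@dataclass
class Summary:
    mean: float
    stdev: float
    worst: float
    loss_probability: float


def summarize(dist: Dict[float, float], invested: float) -> Summary:
    """Mean, dispersion, worst outcome and probability of ending below the amount invested."""
    mean = sum(v * p for v, p in dist.items())
    variance = sum(p * (v - mean) ** 2 for v, p in dist.items())
    worst = min(dist)
    loss_probability = sum(p for v, p in dist.items() if v < invested)
    return Summary(mean, variance ** 0.5, worst, loss_probability)


if __name__ == "__main__":
    projects = (nigeria_field, norway_facility)
    for label, fn in (("scenario-consistent", consistent_distribution),
                      ("independent (wrong)", independent_distribution)):
        summary = summarize(fn(projects, CERTIFIED_SCENARIOS), invested=200.0)
        print(f"{label}: mean={summary.mean:.1f} stdev={summary.stdev:.1f} "
              f"worst={summary.worst:.1f} P(loss)={summary.loss_probability:.2f}")
```

Both aggregations give the same expected payoff, which is why a ranking by ROI alone cannot see the hedge; the difference is in the tail. Evaluated on shared scenarios the worst outcome of the two-project portfolio is 135 on 200 invested, because the crisis that wipes out the Nigerian field lifts the Norwegian payoff, whereas the independent combination shows a deeper worst case of 108 and a wider spread. The same functions take any number of scenarios and projects, so the approach scales to a real certified scenario set.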