Leading on Compliance
There has been a long-standing debate about where compliance responsibilities should fall in an organization, but with the spread of enterprise risk management (ERM) in particular, corporate risk managers are increasingly being seen as the natural owners of compliance.
“I like to use an umbrella as the analogy for ERM,” said Grace Crickette, senior vice president, chief risk and compliance officer for Emeryville, Calif.-based AAA Northern California, Nevada and Utah. “Compliance comes under it because non-compliance is a risk event.”
“The focus of compliance is on governance whereas ERM looks at risk holistically as the ability of the organization to identify, manage, monitor and mitigate corporate risks,” Crickette added.
In the compliance realm, risk management can help all departments that have some compliance responsibilities on a particular regulation to coordinate with each other.
“One of the advantages risk management has over individual departments in an organization is that they have a bird’s eye view of the complete organizational structure and who is responsible for what,” said Elizabeth Carmichael, director of compliance and risk management at Five Colleges Inc. at Mount Holyoke College in South Hadley, Mass. “This approach can ensure that everyone is brought into the compliance conversation who should be there.”
David Theron Smith, divisional vice president, risk management for Charlotte, N.C.-based Family Dollar Stores Inc., sees two key types of compliance in an organization.
The first is regulatory compliance, which is, no bones about it, compliance that you’ve got to do or you’re in violation of some statute.
Then there is what he calls corporate compliance, which is not necessarily dictated by statutes but by processes or procedures in support of corporate strategic initiatives.
“Corporate compliance speaks more to making sure we are executing a strategic risk management initiative in the organization or a strategic process within a department in support of the mission,” said Smith. “Perhaps you could call this ‘corporate brand compliance.’”
In a mature, sophisticated organization, risk management is understood to be very strategic rather than compliance or audit driven, Smith added.
At Pleasanton, Calif.-based supermarket chain Safeway Inc., Vice President of Risk Management William Zachry sees himself and his team as “enablers” of the company’s compliance network.
“We’re working very closely with them but they have to own it,” he said. “My team’s job is to make sure we provide compliance with enough data and information so they’re able to have the right level of resources to focus in on the compliance requirements.”
Zachry said he doesn’t want to go through the field “whacking the people who are bad, I want to make sure we enable the people who are supposed to be doing it correctly to get it done properly.”
When risk management is functioning properly to solve compliance problems, one of its great advantages is its ability to quickly and smoothly form multi-program task forces to identify and mitigate compliance risks.
A Bridge Between Departments
At Rochester, N.Y.-based Paychex Inc., one of the first companies to put the compliance function under the risk function, one of the values of ERM gathering together individuals from various departments is that they share best practices, almost in peer group fashion.
“So let’s say you’ve got a credit manager, or a collections manager, or a compliance manager or an operating risk manager and if they’re working together as a team on a problem — many times, even though they come from a different risk family, the solution to go after that risk is similar,” said Frank Fiorille, senior director of risk management for the company, which provides payroll, HR and benefits outsourcing solutions.
Five Colleges’ Carmichael added that the risk management department can serve as a bridge between divisions and departments to ensure that all of the compliance requirements are appropriately addressed within the institution.
“Where third-party [non-governmental or audit] complaints or claims arise from compliance failures, particularly those that involve students or visitors to the campus, one cause can be communication failures between divisions and departments,” she said.
Fiorille said that an enterprise risk management discipline that includes compliance considerations “forces you to take all these risks in a funnel per se and then they go through a pipeline and then you’re categorizing them all and you’re rating them based on impact and probability and velocity and all this other stuff so it then spits out a risk heat map, so you can see which are the big ones you want to go after versus the little ones that pose very low risk.”
Although Paychex is not as heavily regulated as a bank, its products and risk challenges are similar to those of a financial institution, he said.
“So it seemed logical to bring together groups that are looking at the regulatory risks to team up with folks looking at credit risk and operating risk and reputational risk and the other kinds of things we manage on a day-to-day basis,” Fiorille said.
Risk management has an advantage over compliance in two important ways: access to top management and access to money, said Glenn Klinksiek, knowledge center content manager for the Bloomington, Ind.-based University Risk Management and Insurance Association (URMIA) and former assistant vice president for risk management and audit at the University of Chicago.
“Often, risk management departments have access to senior management and that’s where oftentimes improvements need to be pushed from the top down, so that’s an advantage risk management departments have,” Klinksiek said.
Also, risk management departments are more often than not involved in the financial function of an organization.
“And compliance often means increased expense for whatever fixes are necessary and so sometimes in looking at ordinary department budgets there might not be an appreciation for what the importance of the increased expense is,” Klinksiek said.
“I think risk management might be better situated organizationally to advocate for more dollars to get better compliance,” he added.
Carmichael stressed the value of an ERM-type approach in establishing clear lines of communication within an organization.
“Clear communications across the board is one of the most important things that risk management can do, to make sure that different departments are talking to each other,” she said.
Smith noted that the success of ERM depends on ERM’s broad acceptance by all business silos within the organization and the recognition of the value ERM brings to each business unit, to the corporation’s bottom line and the corporate brand.
But too many organizations still view ERM as a compliance-based, audit-based function, he noted. “It becomes a ‘check the box’ exercise, something to get through, to make internal audit and the board of directors happy rather than driving a daily way of management and business execution,” he said.
Smith added that he believed the heart of a successful ERM initiative is grounded in a collaborative relationship between risk management and internal audit, with risk management taking the leadership role because it has the overall risk management experience, resources, understanding of the financial impact of decision-making and strategic risk program development.
Managing risk on an interdepartmental basis is an important part of the job, Fiorille said.
“Risks are continuing to evolve and change and rarely, if ever, fit squarely into one discipline, so it’s critical to ensure your risk apparatus can adjust and adapt as needed,” he noted.
If you’ve got one group responsible for looking at regulatory risk and another that’s managing all the other risks working collaboratively, from a flow and synergy standpoint it just makes sense, he said.
ERM is particularly helpful because it can be applied to help a risk manager effectively manage compliance and regulatory risk on a frequent basis, which is essential given the pace of regulatory and technology change, Fiorille said.
“Compliance risks sometimes can go to the top of the list so you can shift resources or put some focus on that risk versus some of the other risks,” he noted.