© The Financial Times Ltd 2015 FT and 'Financial Times' are trademarks of The Financial Times Ltd.
March 26, 2013 11:18 pm
Risk management and compliance are growing burdens. According to one industry statistic, a new regulation is published every 22 days.
For businesses trying to operate globally while streamlining their systems and improving efficiency, this can amount to a significant challenge. The need to comply with myriad and sometimes widely differing laws and financial regulations can go against efficiency measures, such as an integrated supply chain or even a single financial record system.
Since the financial crisis, however, companies have also increased their own scrutiny of financial compliance and risk management.
John Smart, head of the fraud investigation and disputes services team at Ernst & Young, says: “Questions about risk are coming from two directions: external environments and internal audit committees.”
This, he says, means companies are spending more time and money on compliance. And, even where firms have good systems in place, compliance can pull in the opposite direction to good business practice.
“You can end up with a conflict between the operational part and risk management part of the business,” says Mr Smart.
Avoiding these consequences means the chief financial officer not only has to run a tight ship – with automated risk management tools playing an increasingly important role – but he or she has to take a wider view of risk than pure financial compliance.
Recent events in the UK, where several multinational companies came under scrutiny for their tax practices, show a business can be legally compliant but act in a way that creates real reputational risk. Businesses are also looking at non-financial risks, especially in the supply chain.
The chief financial officer will usually have to take responsibility for the company’s overall approach to risk, even if the risks themselves are managed by other business units.
“The chief finance officer is the originator of reporting and management information,” says Tim Thompson, a partner in risk and regulatory analytics at Deloitte. “It is the finance director who is telling the board what has happened.”
The finance or risk management department will need to pick through rules and regulations to establish what is likely to affect the business.
If a regulation is published you need to abide by it, but the effect on the business might be minor, says Loren Padelford, executive vice-president at Active Risk, a risk management tools supplier.
“The emphasis is shifting from risk management and compliance to understanding what the real risk is.”
This shift also needs to be made with care. Mr Smart says that, in some recent cases, businesses actually identified the risks correctly but failed to act to prevent the damage.
Sometimes this is a result of a lack of resources, a lack of automation, or too much focus on the minutiae of regulations, with executives losing sight of the big picture.
“We coach clients to take a broader, risk-based approach,” says John Wheeler, a research director at industry analyst Gartner. “You have to have a single governance, risk and compliance system and a single system of record. Once they have that [companies] can better understand their risk profile [and] make sure they operate within their risk appetite.”
Bob Stark, vice-president for strategy at Kyriba, which supplies treasury services and technology, says: “Teams are spending too much time on manual tasks and not enough time improving visibility of risk exposure.”
This is understandable as businesses have faced a wave of regulation, including Sarbanes-Oxley, Dodd-Frank and measures such as Basel II and III. Often the only practical short-term solution is to throw people at the problem.
But finance directors do not always go back later to see if tasks can be automated. Also, some compliance measures, whether automated or manual, can stifle legitimate activities.
“Compliance can over-control,” says Richard Hunt, managing director of Turnkey Consulting, which specialises in risk management based on technology from the company SAP.
“You can put your business operations at risk by adding unnecessary compliance activity. But, [in] a lot of cases, there is now an automatic control option that there wasn’t [before].”
The good news is more of these tools are available within, or as add-ons, to large enterprise resource planning and financial software applications, and they have matured during the past few years.
Please don't cut articles from FT.com and redistribute by email or post to the web.