The age of compliance
Preparing for a riskier and more regulated world
A report from the Economist Intelligence Unit

Preface
The age of compliance: Preparing for a riskier and more regulated world is an Economist Intelligence
Unit briefing paper sponsored by SAP. The Economist Intelligence Unit bears sole responsibility for
this research. Our findings drew on desk research and in-depth interviews with executives familiar with
risk and compliance within their organisations. The findings and views expressed in this report do not
necessarily reflect those of the sponsor. Rob Mitchell was the author of the report and Dan Armstrong was
the editor.
August 2010

© The Economist Intelligence Unit Limited 2010


The age of compliance: Preparing for a riskier and more regulated world

In September 2007, senior executives at Citibank gathered at the company’s New York headquarters
to discuss a sudden spike in the number of mortgage defaults among sub-prime borrowers in the US.
It was at this meeting that Chuck Prince, then CEO of the bank, was told for the first time that Citibank
owned mortgage-related assets worth about US$43bn.[1] Thomas Maheras, who oversaw trading at the
bank, reassured Mr Prince that everything was fine, but within weeks Citi nursed losses on the assets that
ran into billions of dollars. The bank’s risk management was shown to have severe deficiencies: accepting
ratings agency opinions in lieu of independent reviews; relying on brittle financial models; and, according
to subsequent congressional testimony, violating internal credit policies.[2] Within two months, Mr Prince
was out of a job.
Other industries, such as the energy sector, can face equally disastrous risks. At a US Congressional
hearing in June 2010, Tony Hayward, CEO of BP, told members that he had “no prior knowledge” of the
drilling of Deepwater Horizon, the Gulf of Mexico oil well that exploded in April with the loss of 11 lives
and devastating environmental consequences.[3] Members criticised Mr Hayward for the evasiveness of his
answers and accused him of putting profit ahead of safety. Mr Hayward stepped down as CEO in July.
These two examples, while different in their origins and consequences, illustrate the challenge of
managing risk and compliance across large and complex organisations. Even medium-sized companies
rely on a network of suppliers and partners, and have employees, functions and divisions scattered
around the world. It is therefore unsurprising that despite years of investment in risk management tools
and processes, a clear view of the risks accompanying key decisions remains elusive for many senior
executives.
Events such as the financial crisis and the Gulf oil spill have provided fresh impetus for efforts to
gain better oversight and co-ordination across risk and compliance functions. The terms enterprise risk
management (ERM) and governance, risk and compliance (GRC), both in circulation for over a decade,
have taken on fresh significance, and a growing number of companies are redoubling their efforts to coordinate—and ideally integrate—their various sources of assurance.
“You get to the point where you recognise that things like risk appetite statements, scenario planning
and responses to regulatory changes require an enterprise view,” says Bruce Munro, group chief risk
officer of National Australia Bank. “It’s difficult to ask people in their particular areas of risk expertise to
do that, so you’ve got to invest in people that can do it on a full-time basis.”

Notes
1. imes.com/2008/11/23/business/23citi.html?_r=1&hp=&pagewanted=all
2. Based on testimony by Richard Bowen, a former chief underwriter at Citibank, at the Financial Crisis Inquiry Commission, April 7th, 2010: c.gov/hearings/pdfs/2010-0407-Transcript.pdf
3. s/0/095cc462-79f5-11df-987100144feabdc0.html

Figure: The exponential growth of US financial services regulation (number of pages of legislation)
1913 Federal Reserve Act: 31 pages
1933 Glass-Steagall: 37 pages
1966 Interstate Banking Efficiency Act: 51 pages
1999 Gramm-Leach-Bliley: 145 pages
2002 Sarbanes-Oxley: 66 pages
2010 Dodd-Frank Wall Street Reform Act: 2,319 pages
Source: Economist Intelligence Unit, 2010.

In many companies, compliance and risk activities remain highly fragmented and scattered around the
enterprise. The professionals charged with ensuring compliance with Sarbanes-Oxley, for example, are
likely to use a different framework and standards than those managing health and safety compliance. And
in risk management, teams looking after the credit of customers to whom the business provides financing
will be in a separate department from those that look at operational risk. Each risk and compliance activity
is often built up separately, frequently in response to a major event or new compliance obligation.
This fragmentation is costly because there is duplication of effort. It leads to complexity because there
is no common approach. And when compliance activities are splintered, business risks inevitably grow.
For instance, the lack of a comprehensive and integrated approach to IT compliance can lead to security
breaches or data losses. Fragmented financial compliance can open the door to fraud or restatements.
Compliance is often thought of as separate from risk. But in fact the two functions are tightly bound, since
an ad hoc approach to compliance leads to higher levels of risk.
Efforts to boost visibility into risk exposures across the enterprise, or to achieve a more holistic and
consistent approach to compliance, are nothing new. Over the past decade, many executives have
experienced initiatives designed to aggregate risk management across the company’s divisions, functions
and risk silos. Few can say with confidence that these initiatives were successful.
GRC holds the promise of taking this process of integration a step further by integrating ERM and
compliance activities within a broader governance framework. Dating from the Sarbanes-Oxley Act of
2002, when listed US companies faced complex and costly obligations under Section 404 of the Act, GRC
emerged as a set of tools to help companies manage risk, track compliance and monitor internal controls.
Since then the scope of this discipline has broadened. Although definitions vary, it now refers to
an enterprise-wide framework that companies use to manage risk and compliance within established
corporate governance parameters.
“The point of governance and compliance is to ensure transparency,” says Mr Munro. “Compliance plays
an important role in providing assurance for people like me and the Principal Board that we’re actually
doing what we say we’re doing. Beginning with the high-level risk appetite, and cascading through the
layers of the business, there needs to be a mechanism to ensure that when there are issues, they are
discovered, escalated, dealt with and the lessons learned.”[4]
This paper examines how the integrated management of risk and compliance has developed among
corporates in multiple countries and industries. It is based on a series of interviews with chief risk officers
and other high-level risk professionals from large multinationals around the world. These interviews,
conducted in June and July 2010, reveal a number of common themes.

4. The Principal Board refers to the Principal Board Audit Committee (PBAC), formed by NAB in 2003 to discuss and investigate any high-risk issues raised by internal or external auditors.

Pressure builds for a consistent approach

The three themes of governance, risk and compliance have been central to the management agenda
for a decade. But whereas five years ago it would have been the “C” in GRC that was most likely to keep
executives awake at night (and indeed was the impetus behind the development of GRC in the first place),
in the post-crisis world it is the “R” that has risen to the top of the agenda. “The whole environment over
the past 18 months has been the facilitator of much broader thinking about risk management,” says Mark
Krakowiak, chief risk officer of GE, the industrials and financial services group.
The reasons for this laser-like focus on risk are well understood. The financial crisis has highlighted
the interdependencies between different divisions of the organisation—and between the enterprise as a
whole and the external environment. Under pressure from legislators and investors, boards are becoming
more demanding. In one sector, financial services, regulators are stipulating that institutions form risk
committees. And the role of chief risk officer, once confined to banking and insurance, has spread across
the corporate world.
But the management of risk—however broadly it is framed—is just one piece of the puzzle. Companies
also face an increasingly complex and rigorous regulatory compliance burden that has become both
costly and risky, should the company fail to meet its obligations. In June 2010, for example, the UK
Financial Services Authority fined JP Morgan, an investment bank, £33m (US$50m) for failing to comply
with a regulation requiring it to segregate client assets from its own funds,[6] while the US transport
regulators fined Toyota US$16.4m in April for failing to notify them sooner about defects in its cars.[7]

Notes
5. plianceweek.com/s/documents/AMR-GRC-in2010.pdf
6. s/0/9e66733e-6ef4-11df-a2f700144feabdc0.html
7. s/0/6053df1c-4106-11df-94c200144feabdc0.html

Setting effective guidelines

Interviews with risk and compliance professionals within corporations yield a consistent set of
guidelines to manage this set of disciplines effectively. They are guidelines, not rules, because they
require judgment and nuance in organisations already laden with policies and procedures. Buy-in requires
ownership; ownership seldom results when senior management simply issues a dictum. All managers
are familiar with processes which, however well intentioned originally, have become checklists devoid
of meaning. As has been demonstrated over the past few years, risk and compliance are too important to
suffer this fate.

Commitment must come from the top
Those who best understand the risks embedded in a business process are people who are closest to it:
the business owners and process owners. At the same time, senior management and the board play a
crucial role in raising the profile of risk management and ensuring that the organisation has a consistent
methodology for dealing with it. “The more involvement the board has in risk matters, the better the
organisation is,” says Mr Munro. “If you don’t have your board onside and you don’t have agreement
between the board and management about the appropriate level of risk-taking, then you’re setting
yourself up for trouble. I’d much rather have an active and engaged board than not.”
Any investment in enterprise-wide risk and compliance framework must have absolute commitment
from the top of the organisation. “You need buy-in from both the senior management team and the
board,” says Mark Newlands, head of risk at Anglo American. “They need to be convinced that what you are
suggesting will add value.”
From the board’s perspective, GRC can provide assurance that risks are being identified and that
information about them is being passed to the right people at the right time. A more consistent approach
to reporting also makes it easier to evaluate and compare risk exposures. “What we’re trying to do
is present a picture to management and the audit committee of what the risk profiles for each of our
businesses looks like, and what the risk profile of the group as a whole looks like,” says Mr Newlands.

Standardised processes are an important first step
Building an enterprise-wide layer for risk and compliance on top of existing processes can seem like a
daunting task. With individual sources of assurance and compliance activities run separately and rarely
interfacing—either personally or by means of risk systems and IT infrastructure—the time and resources
necessary to achieve successful integration can be considerable.
According to Mr Krakowiak, much depends on the extent to which existing risk processes have already
been standardised. Nine months ago, GE took the step of creating a single framework for risk management
across its entire enterprise, spanning both the financial and industrial businesses. Mr Krakowiak believes
that the company’s longstanding commitment to the standardisation of business processes made this a
more straightforward task than it might otherwise have been. “We already had a very process-oriented
approach to the operational side of our business,” he explains. “For example, we have a standard review
process for our compliance and we use standard processes for budget planning and strategy planning. So
we already had a pretty good framework that we could take up a level in terms of looking at enterprise risk.”
For companies that do not know where to begin, a first step may be mapping to existing standards
like ISO 31000. ISO 31000 (2009) provides principles and guidelines on risk management covering a
wide range of business activities, including strategies and decisions, operations, processes, functions,
projects, products, services and assets. Adopting a standard such as ISO 31000 helps to move companies
beyond ad hoc collections of controls towards a unified framework.

Balancing autonomy and control
A successful enterprise-wide view of risk and compliance depends on managing the opposing
requirements for centralisation and decentralisation. On the one hand, there needs to be a central
function that can aggregate risk and compliance information from the business. Without it, senior
executives cannot effectively make business decisions regarding how to manage risk and take advantage
of new potential business opportunities. Yet at the same time, risk needs to be owned by the business,
within an established framework. “It’s really important to have risk people close to the business so that
they can help managers with a specific set of risks that need to be managed,” notes Mr Munro. “But you’ve
also got to have an enterprise-wide view. You need to walk that fine line between collaboration and
independence.”
An important part of this balance is deciding which risks need to be defined within a centralised
framework and which can be determined by the business. “You need to understand the roles and
responsibilities of different functions and units,” says Harri Spolander, chief risk officer of Fortum,
an energy company headquartered in Finland. “While it is conceptually a good idea to centralise risk
management and have a co-ordinated approach, you need to decide and define explicitly which risks
should be managed centrally and which should be devolved to the business. If you are not clear about
that, you are in a situation where no one really knows who is responsible for what.”
In the energy industry, for example, one might choose to centralise the management of risks
associated with currencies, interest rates and commodity positions—and hedge them appropriately. But
while overall policies for risks such as environmental risk can be determined centrally, the management
of those risks must always happen locally. “Naturally compliance is an important housekeeping thing and
also a best practice to a certain extent but not the main driver for our risk management,” says Mr Spolander.
“It really must be the responsibility of every operational unit because leakages, for example, do not
happen in the central corporate unit, they take place in the power plant,” he adds.

A constant dialogue between risk functions and the businesses
Frequent dialogue between risk functions and the business is essential. The relationship should be
symbiotic: managers should be confident that the risk management process adds value to their role, while
risk professionals should be able to use their dialogue with business leaders to gain a better picture of
overall enterprise risk. “Getting everyone on the same page at all organisational levels about what it is
we’re trying to achieve, and making the accountability stick is key to both the effectiveness and efficiency
of the regime,” says Ed Popplewell, head of risk & internal control at Siemens plc and North West Europe.

In some firms, this requires a shift in perceptions of the risk function. Rather than being seen as
a “preventer” of business whose role is to impose limits and controls, it needs to be perceived as an
“enabler” that can offer valuable advice. To gain the confidence of business managers, risk professionals
should demonstrate commercial understanding and a willingness to provide constructive input to help
managers meet their objectives. “We have consciously evolved our response from waving a red flag and
walking out to waving a red flag and working with the business teams on mitigation plans,” says Alexis
Samuel, chief risk officer at Wipro, an Indian business process outsourcing and technology company.
A key metric for the success of this dialogue is the extent to which heads of business units and business
managers proactively seek out the risk function to engage them in discussion about their plans. “People
are now willing to accept us as an enabling function and reach out to us, but we have to constantly
reassure our teams that we are not just red flag wavers and will go beyond, roll up our sleeves and work
with them to mitigate their risks,” says Mr Samuel.
Dialogue between the risk function and the business can also help to create a more consistent view of
the risks of a particular project that is in line with the enterprise’s overall risk tolerance. “The intention is
to make the management team collectively aware of the risks that are going to prevent them from being
successful in whatever it is they are trying to achieve,” says Mr Newlands. “The owner of a particular
project may have a view on the risks, but his or her colleagues may have a completely different view.
Unless you get around a table and discuss them through a structured process, you can end up with
completely divergent views.”
In 2006, Anglo American brought in what it calls an “integrated risk management” approach that was
designed to improve on the previous system by being more relevant to business divisions. The key to its
success, according to Mr Newlands, has been the introduction of facilitated discussions with managers
in the business. “Rather than having a one-size-fits-all, paper-based approach where managers filled in
forms against a standard matrix, we have moved to a system that is much more aligned with their business
processes,” he explains. “We now look at risks that are relevant to each business and prioritise them
according to a matrix that is also customised to their circumstances.”

Steps towards integration at Siemens

The industrials group Siemens is one large multinational that has adopted an enterprise-wide
approach to risk and compliance. Following a series of well-publicised compliance failures in the late 1990s
and early 2000s, senior management overhauled the company’s compliance processes by combining its
entire assurance activities, including ethics, codes of conduct and relationships with business partners
worldwide, within one function. “At a global level Siemens identified that the existing risk management
process was a little narrow and financially oriented, and needed to be much more forward-looking and
focused on strategic and operational risk over the medium term,” says Ed Popplewell, head of risk &
internal control at Siemens plc and North West Europe.
The new framework sees risk management, and compliance with internal controls and guidelines, as
two sides of the same coin. “We need to respond to the risks in our business by ensuring that we’ve got
sound internal controls in place,” notes Mr Popplewell. “Equally, things that my internal control practitioners
find through our assurance programmes tell us a lot about whether our risk management processes are
robust. So the two activities feed off each other.”

A more systematic understanding of the risks
When risk is managed in silos, it provides a good measure of each specific area of exposure, but there is no
bird’s-eye view of the company’s overall risk position. A silo-based approach also means that certain risks
can fall between the cracks. During the financial crisis, for example, many banks lacked understanding
of the risk associated with certain assets because credit risk departments thought they were market risk
issues, and market risk departments believed they were the responsibility of credit risk managers.
As a result, companies are increasingly focusing not only on risk management within their organisation,
but on interdependencies with other companies within their network as well as the broader economy.
“Companies are finally realising that there is a need to determine how an organisation can look at its
risks from a holistic perspective and figure out how those can be managed and monitored,” says Richard
Apostolik, chief executive officer of the Global Association of Risk Managers.
By aggregating risks at an enterprise level, a company has a much better understanding of potential
threats that could cause serious financial or reputational damage. GE’s new enterprise-wide risk approach
is a good illustration. “We wanted to make sure that when we looked across the entire portfolio, we
understood clearly the key things that could potentially put the franchise at risk,” reports Mr Krakowiak.
“To get high returns, you have to take a certain level of risk, and we just wanted to make sure that we
understood completely the risk we were taking, what some of the external factors were that could impact
us, and what could prevent us from achieving our strategic objectives.”
For any large company, the list of potential threats that could have an adverse impact on the business is
huge. Careful prioritisation is therefore needed to prevent management paralysis. “We are trying to focus
on the four or five big things that could have a systemic risk problem for the company, while continuing to
ensure that businesses manage their own risks within each function,” says Mr Krakowiak.
A consistent approach to risk and compliance across the enterprise depends on creating a standard
language around risk that can be understood by business owners across functions and locations. At
GE, for example, one key challenge in creating an enterprise-wide approach was forming a bridge in
understanding between the financial services and industrial businesses—which inherently have very
different requirements in terms of risk and compliance. “What we try to do is come up with a common set
of definitions and terminologies, or what we call a taxonomy,” adds Mr Krakowiak. “This can be used by
both sides of the house. We have also tried to interconnect the risk appetite statement for the financial
services business with that of the overall company.”
Aggregation of risk and compliance at the enterprise level also provides senior executives with
the oversight they need to assess interdependencies and correlations across the business, and make
adjustments accordingly. “You might find that you want to put in different limits or constraints, or adjust
your capital allocation because what looks okay in one silo doesn’t necessarily look the same once you
aggregate it at the enterprise level,” argues Mr Munro.

A single risk appetite may not fit the entire enterprise


Although much is said about the need to build an enterprise-wide risk culture, it is down to boards and
executive management to define what it is. “Boards need to define what their risk culture is and from
there they need to define what the organisation’s risk appetite is,” says Mr Apostolik. “Then they have to
ensure that the rest of the organisation works within the definitions that they have come up with.”
In general, a risk appetite should be a clear articulation, approved by the board, of the institution’s
risk tolerance and limits across its full range of businesses. Once this has been set at the enterprise level,
it can be cascaded down through the various divisions and regions to the ultimate risk owners. “We set a
risk appetite at enterprise level, then each of the business units takes that and applies it and forms their
own risk appetite based on those overall settings for their line of business,” explains Mr Munro. “So you
start to get commonality, a common approach and a common language. Properly done, the risk appetite
statement becomes a cornerstone and becomes part of the language of enterprise risk.”
In other industries, it may be difficult to set an overall risk appetite because individual operations or
change projects vary so widely in terms of their perceived risk. Mining is a case in point: with operations
in locations that are subject to widely differing levels of political and business risk, no two investments
are alike. “I don’t think there’s ever a situation where you can say that our risk appetite is ‘X’ and
will remain ‘X’ for the rest of the year,” says Mr Newlands. “It’s not a number. It’s about taking each
individual proposition for change, or each operation, and determining whether that is something that the
organisation is willing to accept or not.”

Overcoming resistance
One barrier to implementing an enterprise view is resistance from people in long-established silos. One
example would be a division that has invested heavily, and successfully, in China. However, upon assuming
an enterprise-wide view of its risks, the company may decide that it is over-exposed to business in China
and that each division needs to cut back its investment. For divisions used to running their own P&L and
managing risks within a silo, this can be a difficult decision to swallow. It can take time and effort to educate
managers in the need to make sacrifices in order to gain a more balanced enterprise-wide risk exposure.
Some managers may think that an enterprise approach will penalise business units viewed as deficient
in terms of risk management. But as Mr Newlands explains, the goal is not to create competition. “It’s
not a question of one business unit’s performance against another,” he says. “What we’re interested in
is each unit’s risk profile, what they’re doing to mitigate those risks and how it all fits together at the
enterprise level.”

Overcoming this resistance means that outmoded perceptions of risk functions as “business prevention
units” need to be challenged. “You have to demonstrate that this is something of value,” adds Mr
Newlands. “We have to make it clear that we are not here to stop people taking risks or to eliminate risk.
We are here to make sure that managers understand what it is that they are taking on.”
Once managers in the business units decide on their own to make a public commitment, they will
behave consistently with that commitment for as long as necessary. Coercion will not work. The key is to
demonstrate how risk and compliance activities can help them to achieve their business goals.

Creating a wide awareness of risk
Although controls and monitoring play an important role in the risk management toolkit, this should only
be seen as one small part of the role of the risk function. Rather than mandating a set of top-down rules
without adequate explanation, risk professionals must work with the business in order to demonstrate
both that they understand the business and that there is a rationale for the position they are taking.
Thus GRC is about communication and education, not the setting of rules. “It’s really all about
behaviour,” says Mr Popplewell. “We have a culture of treating risk management and internal controls as
an important source of value for our business, rather than just a kind of mindless rule set.”
Formal reporting structures are important, particularly when a company is seeking to aggregate risk at
an enterprise level, but the informal discussions about risk are the real bedrock of effective management.
“There’s a clear and detailed structure as to how we organise things, but it’s really about the conversations
that happen as much as it is about what ends up in different boxes on spreadsheets,” he stresses.
Training and education have become an important part of the role of the risk function. Wipro, for
example, runs training in general risk concepts such as business ethics for all its key managers, while
specific course modules have been developed for every employee in the organisation. A communication
plan around risk is set in advance and rolled out throughout the year. “We publish news bulletins and risk
circulars on a regular basis,” says Mr Samuel. “We also convert some of our risky incidents or near-misses
into pamphlets that we use in training and discussion in our leadership forums.”

GRC is about people as well as technology
Technology plays a vital role in automating the collection and analysis of data as well as the monitoring of
key risk indicators. When implemented properly, it can help companies assess the impact of a risk against
a particular objective, and increase visibility into the effectiveness of compliance efforts. That said, people
are just as important in the process. “We don’t want the risk function to become a team of data entry and
monitoring personnel,” says Mr Samuel. “It’s important to think through any technology solution and
ensure that it is carefully tailored to our needs and does not just add a layer of bureaucracy.”
Mr Newlands agrees and sees the risk management process as primarily a process of face-to-face
engagement between the risk function and business units. “It is a qualitative discussion with
management involving people, and technology plays only a small part,” he explains. “We have some
technology that helps us capture, store and analyse the output of our work, but what we don’t do is
get into a great deal of quantification. It has its place, but by far and away the most important thing
is the judgment of the people who are managing risks on a day-to-day basis. The danger I see with
quantification is that the one thing you can guarantee is that you will be precisely wrong.”
Problems with gaining access to accurate, high-quality data also hamper the quantification and
analysis process. “The question of appropriate data and the analysis of that data is probably the biggest
issue that companies face,” says Mr Apostolik. “Putting the systems in place to collect the data that you
can analyse and report from is a huge undertaking.”

Eli Lilly: Linking risk with strategy

An enterprise-wide approach to risk and compliance brings significant
benefits in terms of visibility into risk exposure and adherence,
but it can be difficult to elevate the programme beyond a focus on
operational processes. To date, few companies have taken the next
step, which involves integrating this enterprise-wide approach with
the broader strategy of the business. All too often, strategy and risk
assessment are only tangentially connected—chief risk officers rarely
sit on executive boards and their role in terms of the broader strategic
direction of the business is one of support and analysis, rather than
active participation.
Eli Lilly, a pharmaceuticals company, has run an ERM programme
since 2005. However, there was a growing sense among senior
management that it was not well integrated with the overall business
planning and longer-term strategy. Major strategic risks—or the
potential impact of major external events, such as the financial
crisis—were not sufficiently factored into the existing programme.
“When we went to the board, we found that we were talking about risk
from a different perspective,” says Peter Johnson, vice-president of
corporate strategic planning at Eli Lilly. “That’s what drove us to say,
‘Are we asking the right questions about the risks we really face and
that will make us vulnerable?’”
The treatment of strategic risk is inherently different from that of
operational risk, and requires a different framework for identification,
assessment and mitigation. “With operational risk, you can usually
quantify it,” says Mr Johnson. “You may run it 7,000 times and get five
errors. Strategic risk doesn’t work like that. There are some things you
can prevent and want to prevent, there are others you can only react
to, and there are some that you can prepare for and hope they don’t
happen. We’re trying to look at all these different situations as part of
our management of these risks.”
This more thorough risk identification process—particularly
in a company as large and complex as Eli Lilly—requires careful
prioritisation to ensure that the right issues are being examined. “It’s
very clear that you can easily get bogged down in identifying so many
different risks and developing action plans that you don’t actually
accomplish anything,” says Anne Nobles, chief ethics and compliance
officer and senior vice-president for enterprise risk management at
Eli Lilly. “I think the biggest challenge is going to be to really refine
the list and focus attention on areas where we need thinking and
planning in order to prepare the company.”
The integration of ERM and the strategy process at Eli Lilly
leads to a different mode of thinking about the overall role of
risk management at the company. “Strategy processes tend to be
opportunity-oriented and risk management ones tend to be fear-based,” says Mr Johnson. “But what we’re trying to say is that they’re
two sides of the same coin. Once you’ve made your decisions from an
opportunity perspective, you can begin to ask ‘What could go wrong
with those decisions and how do we manage that?’”
As with any major change project, there is a risk associated with
this transition that it fails to achieve its overall objective—to change
people’s behaviour. “There’s a danger that it can become all about the
process rather than the outcome,” says Ms Nobles. “If corporate staff
ends up owning this rather than the business managers themselves,
then we will not have been successful.”

Equally, the identification and assessment of strategic risk should
not lead to a kind of paralysis. “You can’t remove all risk,” says Mr
Johnson. “If that’s the objective, we shouldn’t be in business because
we take on a massive amount of risk every day here. The question is,
are we competent to do it and are we doing it in an effective way.”

Conclusion

The concept of an integrated approach to risk and compliance is not new, but the financial crisis and
major risk events have placed fresh impetus behind it. More than ever, boards and senior management
want to understand overall risk exposures, and be provided with clear, consistent information in a timely
manner. With corporate governance legislation increasingly stressing the importance of personal liability
and accountability for executives and non-executives, companies cannot afford to be in the dark about
their risk position.
As with any three-letter business acronym, GRC can elicit scepticism from the business community.
Many companies have attempted to implement an enterprise-wide view of risk and compliance, but
have been frustrated by political resistance, a lack of board-level support or inadequate technology and
infrastructure. Although these problems have not gone away, companies would be wrong to give up hope
of achieving a more holistic picture of their risk.
No major change management programme is ever easy, but with the right board-level commitment,
tools and processes, integrating the management of risk and compliance across the organisation is
achievable, and the potential benefits difficult to dispute. Visibility into decisions taken across the
enterprise will help to preserve a company’s reputation, while a more efficient approach to managing risk
and compliance will help to reduce duplication of effort and streamline business processes. And for senior
executives who carry responsibility for corporate activities, there will be the potential for more thorough
knowledge about their business and, hopefully, a less stressful work environment.

Design: Cover: Getty Images

Whilst every effort has been made to verify the accuracy
of this information, neither the Economist Intelligence
Unit Ltd nor the sponsors of this report can accept any
responsibility for liability for reliance by any person
on this report or any other information, opinions or
conclusions set out herein.


LONDON
26 Red Lion Square
London
WC1R 4HQ
United Kingdom
Tel: (44.20) 7576 8000
Fax: (44.20) 7576 8476
NEW YORK
750 Third Avenue
5th Floor
New York, NY 10017
United States
Tel: (1.212) 554 0600
Fax: (1.212) 586 0248
HONG KONG
6001, Central Plaza
18 Harbour Road
Wanchai
Hong Kong
Tel: (852) 2585 3888
Fax: (852) 2802 7638
GENEVA
Boulevard des Tranchées 16
1206 Geneva
Switzerland
Tel: (41) 22 566 2470
Fax: (41) 22 346 93 47