Investment firms must take a more comprehensive look at how they manage compliance across the organization, or face being suffocated by the flurry of regulatory change sweeping the profession, says Bill Irving, president of Capco, a New York-based consulting firm.
The past couple of years have been the busiest periods on record for governance initiatives. Sarbanes-Oxley (SOX), the USA Patriot Act, new rules governing analysts, the Basel II Accord and SEC mandates on e-mail and instant-message archiving are just some of the key challenges that firms are scrambling to meet.
"(Firms) must take a much more holistic look at areas of control and operational risk," says Irving. They need to create internal committees that look at operational risk on a global basis and comprise senior executives from across finance, compliance, audit and IT, he says.
According to AMR Research of Boston, Fortune 1000 corporations will spend up to $2.5 billion in 2003 simply to comply with SOX. The money will go towards IT, business-process change, corporate governance and consulting.
James Ward, a consultant at London-based PA Consulting Group, says that issues raised in initiatives like SOX and Basel "cut across functional boundaries." Risk used to be the focus of the financial departments and auditors, but now it involves IT and compliance. That means companies must revisit how they manage risk in their organizations, says Ward.
Most are engaged in that process, he says, and are "looking ahead." However, there "are firms out there that haven't been thinking ahead and are waiting for someone to tell them exactly what to do. Clearly, some will land in trouble."
One firm looking ahead is mutual-fund-giant Vanguard. "This is the busiest I've seen it," says Jim Hyatt, a 24-year veteran of the securities industry who is responsible for security and contingency at the Valley Forge, Pa.-based firm. "There's a lot of (risk) projects going on right now."
Hyatt says that when Vanguard first created its risk-management program, "We tried to do it with a centralized approach, but found out that one size doesn't fit all. We found that it was far better to give it to the business units themselves. Give them some structure to work around, but let them develop programs that manage the risk."
Joe Sabatini, managing director and head of corporate operational risk at JPMorgan Chase & Co., agrees that "risk is usually best understood and managed where it is generated. You have to manage risk within each business unit, location or activity. Corporate functions, review processes and governance structures can then complement and strengthen this risk-management approach." What you can't do, he says, is try to manage risk on a "part-time or absentee basis."
A key to successfully incorporating new legislative initiatives into the organization is having a flexible risk-management structure, says Sabatini. "With any new legislation or regulatory initiative we first need to assess the new requirements and determine what is needed to meet these. Large financial firms like ours generally have a robust governance structure for risk management. So with any new requirements, hopefully, it is a matter of leveraging existing processes and structures rather than creating new ones."
JPMorgan is structured around the three primary risk classes - market, credit and operational risk - with a dedicated team for each. The teams set policies and standards, communicate best practices and make sure there is good governance around risk. The risk managers report to a chief risk officer.
That contrasts with Vanguard, where, Hyatt says, "There's no one title in charge of corporate risk" across the organization. Rather, "We have what we call our compliance forum," a monthly meeting of top executives from key departments like compliance, internal audit, and security who review issues around risk management.
Capco's Irving says the key to coping with the legislative tornado is making sure that "you have the leadership and organizational structure in place." He notes there's been a spate of appointments to positions like chief risk officer and the role of the chief compliance officer is taking on more prominence. But, he says, it will go even further than that.
Firms are forming senior-level committees mandated with the task of assessing and ensuring that risk controls are in place, explains Irving. That's being driven by the threat of personal liability and the fact that the CEO and CFO must now sign off on financial statements. "It's making everybody a little nervous" and is a "powerful incentive to make senior leadership announcements or organizational changes," he says.
Irving says that the increasing focus on operational risk will require tighter integration among departments, such as compliance, finance and technology.
He adds that firms must also look at their risk from a global perspective, since foreign regulators are also busy drafting changes that parallel SOX. For example, Irving says that Goldman Sachs has created a global compliance and control committee to manage risk across the entire organization.
Mike McGrann has benefited from regulators' heightened focus on operational risk stemming from the Enron collapse. Last summer, he was appointed chief compliance officer at BMO Financial Group in Toronto. "What we have done at BMO is implement financial enhancements and modifications, rather than major changes," he says.
The challenges BMO faces are typical of a large financial institution operating in more than one market. Although based in Canada (its stock trades on the NYSE and the TSE), it has American companies, and its Canadian broker's research is distributed in the United States. Not only has the firm had to cope with the U.S. regulatory changes, but Canadian regulators are in the throes of introducing their own SOX-type reforms. "I don't think you will ever have one standard for the world," says McGrann, who explains that the position he holds is not new, but has been elevated from a VP to a senior VP level.
BMO has a risk-management group to oversee operational and credit risk, and compliance answers to the legal department. Compliance and risk have an informal committee that has "grown much stronger" in this new climate, he says. "Everybody is paying more attention to regulation. What has got people's attention is that regulators are being much more aggressive" and that increases reputation risk, says McGrann.
He also says there has to be a tighter integration within financial conglomerates. "We need to work more closely and make sure we don't miss anything by being silo-organized." So, if a firm improves policies and procedures in one area, the lessons need to be passed on to other areas of the company.
While firms are reviewing procedures to ensure that they can accommodate the change, technology and information systems are also being reviewed, as vendors hit the market touting "compliant" software designed to help with issues like anti-money laundering or e-mail retention.
McGrann says that technology has an important role to play in the new environment. BMO built a new trading-review system that vets a broker's trade against a client's investment profile and flags those that don't comply for follow-up investigation.
He says anytime a firm can automate a process and eliminate human intervention it reduces the chance of error. Some of the new laws, such as anti-money laundering, are ripe for technology, since they're transaction-based. As well, there's a need for better storage and retrieval systems to accommodate new rules around e-mails and business continuity.
Irving says that while compliance has ranked as a low priority when it comes to tech spending, that will change. As well, IT managers will have to shift their focus towards risk when it comes to their own departmental structure. "We're going to see the rise of the chief technology officer for global risk and control simply because it's so critical."
Sabatini agrees that technology plays an increasingly important role in risk management. "Twenty years ago, risk management was handled by seasoned veterans with a few battle scars who learned coming up the ranks. Today, experience is still an essential component of effective risk management; but experience alone is inadequate without timely and accurate information, effective risk-measurement and analytic tools, and value-based technology supporting the entire effort."