Transforming compliance into effective risk management

March 18, 2021

The “father of GRC” Michael Rasmussen will address FinCrime World Forum next week on the topic of transforming compliance into effective risk management. Here, he tells us about a changing world, the importance of collaboration, right-brain thinking, enforcing rules, ethics and more.

“I just find it a fascinating area because the world is dynamic, so the risks and challenges organisations face are constantly evolving and changing,” Michael Rasmussen tells GRC World Forums, explaining what lies behind his fascination with governance, risk and compliance.

Rasmussen’s fascination has spawned a 27-year career that has seen him become one of the world’s most renowned pundits in the GRC space.

Indeed, Rasmussen, an analyst and pundit at GRC 20/20 Research, has been credited with being the very first person to define the term ‘GRC’ while at Forrester Research in 2002.

We catch up with the ‘Father of GRC’ just a few days before he is due to address FinCrime World Forum on the topic of “transforming compliance into risk management”.

We kick off by talking about why we need this shift towards a risk-based approach.

“Today’s world is very dynamic, distributed and disrupted; it is like navigating chaos, changing minute by minute and second by second, and one of the biggest challenges of compliance is keeping everything in sync,” says Rasmussen.

“You can devote a tonne of expertise and staff time to being very intelligent about the law and regulation, but if the business process isn’t kept current you still face compliance risk.”

In order to manage all this change, businesses “really need to take a risk-based approach” says Rasmussen.

In addition, regulatory bodies across the world, notably in the United States and the United Kingdom, have been pressuring organisations to “add risk assessment to compliance programmes”, Rasmussen adds.

So there are a number of drivers for transforming a mere ‘tick-box’ compliance approach into an effective risk management strategy.

But what should such a strategy look like? At the broadest level it is to do with fully understanding your organisation’s risk.

“It is understanding what your risks are… being able to identify different types of risk but also their scale of impact, so you can target your compliance resources at the greatest risk exposure,” he says.

Rasmussen stresses that this should not be limited to “left brain”, mathematical thinking around modelling and analysis. It is crucial, he suggests, in a complex and shifting operating environment, that creative ‘right brain’ thinking is also utilised to join the dots.

He says: “There needs to be an element of creativity and that’s about taking a step back and thinking how things are linked up and what are the other risks that could come from that, which aren’t necessarily obvious?”

He gives the example of Covid-19 restrictions on exports and imports increasing the risk of bribery and corruption, as a downstream, interlinked risk that might not have been immediately obvious. Likewise, the increase in fraud and cyber-security risk arising from home working.

While a good risk management strategy should involve both ‘left-brain’ and ‘right-brain’ thinkers, it is also crucial that both front-office and back-office staff are involved, says Rasmussen.

“Compliance isn’t just about the back office. Compliance, where the rubber meets the road, is in the front office; the front-office employees are making compliance decisions and either increasing or decreasing our compliance risk exposure,” he says.

“A lot of times those front-office employees can tell you exactly where things break down and fall apart and can get you in trouble, because they understand some processes at a level of detail that the back-office compliance function doesn’t.”

To achieve this, communication and collaboration are key.

“You need good, well-written policies and to give an easy way for employees to access the policies and understand what is expected of them,” he says.

“You also need easy mechanisms to report risks and other issues or incidents through hotlines and whistleblower systems.”

Policies and training should focus on creating engagement with compliance risk management throughout the business, so that everybody buys into the culture and knows what is required of them, says Rasmussen.

And, if people don’t do what’s required, companies have to be prepared to take action.

“When people step over the line and nothing is done, that can actually completely destroy culture. I mean, if you want to have a strong ethical culture in the organisation, then you need strong enforcement,” he says.

One mistake businesses can make is to confuse accountability with responsibility, Rasmussen says, particularly regarding supply chain management.

“I think there are a lot of organisations that feel they can outsource or hand out tasks and therefore they can just sleep at night and not worry about it, but when there’s an issue they are still accountable.”

The final element of effective risk management is not simply to follow the lowest-risk option but to think about what the ethical course of action is.

Rasmussen warns of the danger that risk management tools are used to inform judgements about what companies can “get away with”.

“I can assess the risk of a bribe, corruption or fraud to be low because I think ‘the chances are nobody will catch us’.”

“We need to maintain the balance of compliance and ethics and not just make it a risk equation.”

Michael Rasmussen will be giving a presentation on “Transforming Compliance into Risk Management” at 12.15pm on 24 March at FinCrime World Forum.