Addressing Compliance : Creating Value, Not Waste

So what are the main compliance concerns that risk managers are likely to face in the year ahead?

When it comes to larger financial service organizations, Mark Opausky, CEO and Founder of Canada-based Business Propulsion Systems (BPS) – a leader in enterprise-wide, web-native business process execution solutions – believes 2006 will, in Canada at least, mean “reaching a demonstrable phase in credit risk calculation as part of Basel II. Meanwhile, companies will need to continue to develop a more comprehensive approach to the assessment and management of risk information in their enterprises.” He adds, however, that this trend seems to be a lower priority in the US.” In all situations, operations with global considerations are now being forced to coordinate decision-making and risk mitigation processes across traditional silos that are both functional and geographic. As Opausky explains: “Establishing a common approach that does not sacrifice near-term regulatory reporting requirements and critical deadlines remains a massive challenge.”

While much focus today is given to compliance, Opausky points out that the difference between compliance and governance is actually pretty slim. “Governance is all about protecting and increasing shareholder value,” he says. “Compliance is, in fact a component of governance and a sustainable approach to compliance is rooted in the same values as good governance. Good governance is rooted in best practices, corporate culture and ideals and at best leads to competitive advantage.” He continues: “It is reasonable that in a world where legislative and accord-based requirements are designed to drive increasing levels of responsibility for improved internal standards, that leading organizations will leverage this opportunity to implement best practices and reap a competitive advantage. For FSIs in particular this is an important market differentiator.”

In fact, rather than creating the business waste, as some would believe, the process of compliance can be transformed into real business value. “Taking a comprehensive and lean thinking approach to compliance creates data gathering and communication pathways in a company that can make it more nimble, able to capture opportunity and operate with increased profile and capital,” explains Opausky. “Properly implemented, the operational costs should also be lower.” The word ‘holistic’ is one that is being increasingly used in the context of this approach. In essence, it means improving and maximizing the return on investment in compliance-related effort and expense, which most now recognize is a proxy for excellent governance.

Opausky believes BPS’s biggest differentiator in enabling that solid approach is twofold. First, it makes it possible to fully execute and value add numerous compliance-related processes such as internal audit, Sarbanes-Oxley, etc. on the same solution. The second element is in extending the application to the entire enterprise so that managers can roll up the results of all these activities into a global view of risk and risk mitigation. He adds: “An important differentiator for BPS is our client-directed approach to the market. The BPS solution is a place where clients design, maintain, run and continuously improve their processes, their way. These elements overcome key hurdles such as: meeting immediate tactical requirements; providing the platform strength to extend to the enterprise and build a holistic approach; and putting the client and their IT groups in charge of their own destiny with respect to their approach to compact and governance.”

The BPS solution works by driving activities according to strategies designed by the client. As Opausky elaborates: “BPS has one of the best approaches to technology in the market and a very strong product concept. We manage risk information, documents, audit findings and issues, as well as people alerts and comprehensive reporting.” How those compliance issues are implemented within an organization depends on the type of reporting issue one is reviewing but, according to Opausky: “As a general rule, compliance should concern all departments that are directly or indirectly tied to the enterprise’s fiscal processes; from product and service to finance and reporting.” He adds, however, that “for practical reasons, this level of penetration is yet fully appreciated.”

When it comes to the situation facing organizations today – the compliance challenges that they are facing and the impact that those issues are having on their business – Opausky sees certain historic parallels. “There are numerous examples that lead one to believe that there is a predicable outcome to the current compliance push.” He cites the example of the automotive industry between the late 1980s to mid-1990s. “During this time, comprehensive and sweeping quality compliance requirements were rolled out across the industry and its considerable supply base. Every element of design, manufacturing and sustainability was analyzed for risk and it demanded the installation of comprehensive process controls across literally thousands of companies.” He explains that, initially, this movement was viewed as an extreme fiscal burden on what was already a challenged and highly competitive market. “Eventually, the standards were largely adopted as part of an overall quality system strategy and became a process driven, continuous improvement ‘religion’ within virtually all aspects of the industry. Those that led this movement also led the industry in profitability and overall sustainable value to their stakeholders.”

The parallels will, Opausky believes, prove to be remarkable. “In particular,” he says “I see a trend where the market leaders define and achieve self directed standards that actually lead the regulators.”

Faced with unprecedented levels of tension surrounding corporate malfeasance, some are concerned that those regulators are becoming less and less tolerant where compliance is concerned. Opausky, while seeing a certain amount of streamlining of the interpretation of compliance regulations, would not completely agree with this claim, saying: “The regulators are staying on track with their timing and core message that organizations are accountable and should be driven to articulate and demonstrate control to their stakeholders,” adding: “I believe regulators are cognizant of the fact that compliance for its own sake is arbitrary costly.”

Mark Opausky’s five steps to good governance?

1. Establish a comprehensive understanding of the risks your business faces for a given cycle.
2. Decide at the strategic level what your risk appetite is for a given fiscal cycle.
3. Establish a process to communicate the strategy to the enterprise.
4. Empower management and make them accountable.
5. Measure your success accurately and repeat process with necessary improvements.

What businesses face the most risk? And why?
According to Opausky, the amount of risk increases with three key variables and, given this basic set of criteria, financial services organizations that operate globally and are acquiring and divesting regularly are at the greatest risk.

• The amount of ‘change’ that the business undergoes as part of its normal practice.
• The number and nature of discrete transactions the business conducts.
• The number of fiscally tied business processes within the enterprise and the degree to which they are measured for effectiveness.

How to tell if your business is vulnerable to a government investigation?
Lack of complete evidence and audit trail to support reporting.
Lack fully documented and audited business processes.
Lack of and accessible understood and visible risk and control structure throughout the company.
Questionable process maturity in security and data integrity.