Posted on 31/01/2012 · Posted in Change, Jersey, Process improvement, Trust Industry

“[T]here are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – there are things we do not know we don’t know.” Source: Donald Rumsfeld

The above statement articulates one of the key challenges facing those responsible for managing risk – that the risk landscape is changing. As well as ‘known risks’ and ‘emerging risks’, organisations need to be able to prepare themselves for ‘unknown unknowns’, or ‘black swan’ events as they have come to be known[1].

What is clear is that the risk landscape is changing. Today’s fast-changing world creates more uncertainty for organisations – and makes it harder for them to understand where new risks are going to come from[2]. Stephen Platt stated at a recent conference[3] “we value achievement not prevention, and laziness means we don’t measure the value of disasters averted; instead we merely measure the cost of controls and business lost”.

Changing this mind-set is not easy, particularly when most Risk & Compliance Officers are swamped with demonstrating compliance through form-filling, producing checklists and carrying out reviews.

To give Compliance Officers the capacity to address these issues and re-focus on proactive risk management, they need tools that will help with regulatory compliance. Senior managers also need reliable information to make informed decisions on risk issues.

The problem in most companies today is that they look at risk from a one-sided perspective to meet their regulatory compliance needs. Risk management is viewed as a fixed cost to help the company avoid financial penalties, litigation and/or bankruptcy. This recognition of the cost of managing risk provides a good base to build and leverage a framework for proactive risk and compliance.

Governance, Risk Management & Compliance (GRC)

Governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps. GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Interest in GRC was initially sparked by the US Sarbanes-Oxley Act. However, the focus of GRC has since shifted towards adding business value through improving operational decision making and strategic planning. Integrated approaches to GRC will also assist in meeting the requirements of Anti-Money Laundering legislation. This is a mandatory requirement of all regulated businesses in the fight to combat the financing of terrorism.

To remain competitive, companies must have a GRC strategy in place that keeps pace with new legislation and stakeholder expectations. An associated framework will aid strategic decision making by clearly defining risks and opportunities.

What is still needed is a near real-time proactive monitoring process that will minimise unexpected incidents by providing the right information to the right people.

The changing face of Risk Management:

  • Organisations categorise risks into Financial, Operational and Strategic, but often fail to link them
  • Increased globalisation results in risks emerging quickly across traditional categories
  • Current thinking prevents risks that cannot be identified from being managed
  • On-going changes to regulation require frequent changes in systems to demonstrate compliance
  • Just collecting more data does not necessarily provide more protection
  • Managing these new ‘risks’ needs a new, holistic and more agile approach
  • Risk needs to become the responsibility of all and not just the Risk & Compliance department

An integrated approach – without spreadsheets

The ‘single view of the client’ is promoted by many vendors of integrated technology systems for financial services businesses as a panacea for proactive risk management and compliance.  In an ideal world this is great and for many new businesses there are plenty of options to choose from.  However, back in the real world, most existing businesses have invested heavily in legacy systems where the cost of change is just too high.  To meet their regulatory Compliance requirements many ‘bolt-ons’ are developed using ad-hoc systems usually based around the humble Microsoft Excel spreadsheet.  Whilst enormously powerful, spreadsheets actually increase risk due to the ease of update, errors in formulae and portability of client data.

To mitigate risk and drive value from existing investments, intelligent ‘middleware’ can be deployed that draws information from existing systems, replacing spreadsheet-based registers, reviews and checklists, eliminating double keying of data and automating much of the administrative burden of the Risk & Compliance Department. Properly configured and deployed, this type of solution can provide real-time warnings of potential breaches of policy that will completely avoid the need to manually review update client files.

One such system is the new Risk Management Suite from BankClarity Limited.  With a reputation for providing tools to bridge the gap between in-house systems and the banks to create the ‘completely compliant payment’ the next logical step was to use the same data to provide an enhanced toolset for the Risk & Compliance Officer.

A review of your current structure, process framework and systems can be used to identify the opportunities to streamline processes and workflows and generate a case for change.  The automation of common tasks, removal of duplication and elimination of spreadsheets can all help to give back time to your Risk & Compliance Department to enable them to focus on proactive Governance, Risk and Compliance to support the Board.  A further benefit, over some of the other solutions only offering screening capabilities, is the ability to create and change your own bespoke systems using the proven .NET framework.

How Solitaire Consulting can help you

There will always be unknown unknowns or ‘black swan’ events in any business and our very survival depends on the ability of all leaders, but particularly Risk & Compliance professionals, to do a good job in preparing for them.  An appropriate GRC framework, supported by technology, will enable these professionals to proactively focus on managing risk, rather than on administering yet more controls and monitoring programmes to identify issues after they have occurred.

Engaging with Solitaire Consulting will bring to your organisation our many years of practical experience of using technology to drive business change, to assist you in creating an efficient and effective approach to Risk & Compliance.


[1] The Black Swan: The Impact of the Highly Improbable. Nicholas Taleb: 2007

[2] Black swans turn grey. The transformation of risk. PWC: 2012

[3] Jersey International Business School Annual Leadership Forum 2011