I read with a tinge of sorrow an article in the Australian Financial Review that details the shortcomings of one of Australia’s largest banks in terms of its risk culture, particularly its growing concern that bad news does not bubble up to senior management. The article further states that “the bank’s audit and risk teams are not sufficiently respected by its business units”.
If you talk to enough business line managers (Line 1), you get the feeling that they see risk and compliance as a necessary evil at best, and a millstone around their necks at worst. The occasional person may say that they find their risk adviser ‘quite helpful’, but you would struggle to hear anything manifestly praiseworthy.
There are, in my opinion, a few contributing factors for this rather lukewarm relationship between business and risk/compliance (and this is by no means an exhaustive list):
- A lack of real engagement between both parties, which often times is attributed to the administrative burden placed on risk/compliance professionals thus detracting them from being able to meaningfully engage with business stakeholders on a regular basis.
- An institutionalized disdain for risk and compliance among business units, either because of previous bad experiences with a risk/compliance staff member or disgruntlement with the level of perceived ‘bureaucratic’ paperwork imposed by Risk and Compliance to get any deal/transation/product off the ground
- Risk and Compliance staff being seen as inflexible one-sided arbiters rather than pragmatic yet prudent advisers. This does also tie in to the level of expertise, competency and experience of the risk/compliance adviser, with their quality and caliber not always up to par with what business units would expect.
- The perennial tug of war that business units face with trying to increase revenue while managing ever-shrinking margins to maintain high levels of profitability , while balancing the need to divert increasingly scarce human resources to handle the onslaught of ever increasing regulatory scrutiny. Ironically, its a bit of a round-about face, because it’s that very chase for continued profits that have arguably resulted in corners being cut that has resulted in the need for increased regulation. But I digress.
So, how do we, as risk and compliance professionals, gain (back) trust and respect and position ourselves as business enablers, rather than as business burdens? I propose 3 things that we can do turn the dial and create a more symbiotic relationship between business units and risk/compliance (again, not exhaustive):
- Maintain our relevance. The world is changing quickly, with new technologies and ways of doing business disrupting the status quo. We need to either upskill quickly or make sure we have a wide range of complementary skills and experiences in our teams to be able to provide proactive and unbiased advise to those who need it. On-demand talent is a good source for finding the right skills at the right time without the lag time of training and upskilling existing talent, though upskilling should remain a focal point for continued rejuvenation of your team.
- Disrupt the status quo of risk and compliance in your division. Many risk and compliance processes in our organisations are burdensome, heavily bureaucratic and time consuming, and that’s from my perspective as a risk professional. Put yourselves in the shoes of our end-customer (our business unit counterparts), and you will understand why they are frustrated and disgruntled. Reimagine ways to promote compliance by designing processes with the user in mind. Make compliance and risk intuitive and part of the user experience. Tear up things that are there as relics of the past if they really don’t seem to serve any distinct purpose. And bring the end-user in on the journey. They will be grateful that you are designing a process with their experience in mind, and you may just create advocates for your proposed process improvement.
- Engage frequently and intentionally. Set up regular risk/compliance meetings with your business unit colleagues. Keep it sharp and to the point. Have sufficient senior representation in these meetings from all relevant stakeholders, so that these meetings are productive, thought provoking and enables more agile and swifter decision making. And to clarify, swifter decision making does not mean poorer decision making. With the right people in the room, smarter decision making is facilitated, thus supporting agility and speed, something much needed to just keep up with the unrelenting pace of change.