Author: Chris Webb, Linkedin Profile

 

Synopsis – this short document is intended as a discussion paper – posing the question above, and hypothesis that there are two reasons which do not apply to other communities (they have their own difficulties), and providing some potential solutions.

Context

Managing change is difficult. We all have a collage of failed projects and programmes on our wall of experience. Many projects fail as a result of a lack of clarity, executive support, governance, resourcing, experience, planning and leadership to name a few reasons. Financial Services has also been a later adopter of change/project management tools and methodologies compared to several other industries. But what is different about Risk and Compliance Communities that makes successful change even more difficult?

The question “Managing Change in Financial Services Risk and Compliance Communities – why is it more difficult?” has been posed following:

  • observation of Risk and Compliance communities change ability on several major enterprise-wide programmes of change;
  • experience from within the communities when they have been accountable for an enterprise-wide change programme.

This paper does not present any empirical evidence to support the question, mainly for reasons of confidentiality. However, part of the discussion is to gauge how much the question “resonates” with the readers. Qualitative experience is that there is a good level of discussion and analysis within the communities, often very well-prepared theoretical frameworks, governance and multiple committees are set up, but planning the change, managing it and achieving the required business outcomes is slow, or fails.

Questions

  • What could be the key factors applicable to Risk and Compliance?
  • What measures can be taken to improve Risk and Compliance’s ability to manage change?

Conclusions

 

What could be the key factors applicable to Risk and Compliance?

As a hypothesis I put forwards two areas for consideration and discussion:

  • Culture, skills and experience of risk and compliance resource;
  • Approach to change mirroring that of the regulators.

Culture, skills and experience of risk and compliance resource

Let’s first look at some statements about the purpose and activities of the 2nd Line of Defence.  The diagram below shows where these functions “fit”.

 

“This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information up and down the organisation”2. See the Appendix for further examples.

Key words that reappear are: monitors, facilitates, assists, reporting, monitoring. These are very different from the words one would expect to find describing change/project management: scoping, planning, stakeholder management, managing and leading.

So the personal psychometrics, skills and experience of resources one finds in Risk and Compliance departments are of course different from those in change /project management. Furthermore, the Risk and Compliance resources have often been recruited from the legal profession or a regulator; again, not a change management background. Right from the start we may not have created the ideal A team for change.

But many other departments/communities don’t have change professionals in them or have the same skills / experience associated with change professionals, so what else is ”in play”? Maybe it is that the other areas are part of an Operational Value Stream providing ever changing “product” to customers, or are part of a Development Value Stream, providing new capabilities to an Operational Value Stream.

In summary, Risk and Compliance Communities have specific skills and experiences which are not usually associated with change, but more importantly the community’s focus is to provide advice and commentary as opposed to delivery. This later point is in contrast with other functions e.g. Human Resources where an element of their day to day operation is the delivery of a tangible service to internal customers.

(Please note that as always there are exceptions to the rule and some individuals in the Risk and Compliance Community have managed change well themselves, or have effectively supported change teams)

Approach to change mirroring that of the regulators.

The second key factor has been noted when the risk and Compliance Community has been asked to lead an enterprise wide initiate, i.e. risk culture, conduct, controls improvement.

When a regulator wants to change the way a bank operates it will (simplified version):

  • Analyse the situation
  • Provide a position statement and ask for industry comment
  • Publish a high-level policy statement and/or framework
  • Allow for a period of, and support of, clarification
  • Monitor each individual institution’s implementation progress (typically every 6 months or year)

Often this is called a “fire and forget” approach, however, a regulator does not have the options open to an institution to lead a more coordinated and effective implementation, as illustrated in the diagram below.

 

 

Conversely if a Risk and Compliance Community adopts the same approach the change will be:

  • Inefficient – each non risk and compliance department will have to create its own implementation project and supporting guidance, training etc. from scratch with no economies of scale or cross-department learning. In the worst case a department may not even know how to discharge its accountabilities/responsibilities at the operational level;
  • Lacking in consistency – each department will have its own interpretation of the policy / framework;
  • Lacking real ownership – without the appropriate level of involvement from the start, the business departments who are required to implement the change will not be engaged. The change may be seen as just another piece of bureaucracy, and the change will certainly be given to a non-core team to “do their best with it”. Desired business outcomes are rarely achieved without business ownership;
  • Lacking predictable timescales and business outcomes. Without an enterprise-wide programme/project management, each department will implement to its own level of planning, quality and timescales.

Whilst the above approach to change has been witnessed on several major change initiatives in different institutions, it being a root cause of change failure remains a hypothesis.  Do any of the readers identify with these as being problems unique to Risk and Compliance departments?  Are they most important ones?

What measures can be taken to improve Risk and Compliance’s ability to manage change?

Whereas the hypothesis for the root causes can be supported by qualitative evidence, the link from root cause to remedial measures below is currently unsupported by tangible evidence.  As above, the author would be very interested in any feedback on whether readers agree or disagree on these as solutions.

Potential remedial measures are grouped under four headings:

  • Project & Programme management methodologies, tools and techniques;
  • Addressing the culture, skills and experience of risk and compliance resource;
  • Addressing the “fire and forget” approach;
  • Changes to accountabilities.

Project & Programme management methodologies, tools and techniques – Whilst not only specific to Risk and Compliance any change managed by the area has to ensure that the best practice change management tools, techniques and ways of working must be employed before any specific remedial measures are introduced. “Get the basics right”

Addressing the culture, skills and experience of risk and compliance resource:

  • Partner with change management professionals. Accepting that the skills and experience of Risk & Compliance professionals are generally different from those of change management professionals is a first step to a partnering arrangement. The acceptance is required to provide a positive environment for the change professionals to work in. Without it, expensive change resources will end up as no more than administrative assistance. A further risk with this remedial action is that key stakeholders might absolve themselves of all responsibility;
  • Provide project/change education and training to Risk and Compliance resource. Experience has shown that Training & Education of project team members always helps to create a better performing team, either by raising skill levels and/or simply creating a common language and mind set for the team. Whilst it could be argued that this measure is part of getting the basics right, it is also directly related to the culture/experience root cause.

Addressing the “fire and forget” approach – To help with the explanation we can draw a parallel to a systems implementation. Let’s assume that a good system has been designed, built and tested. Would you release to the user departments without training, guidance, materials, and a support organisation to ensure its successful usage and take up? No, of course not. So before a Risk and Compliance led initiative is set up the remedial action could be to work with the business areas to create the “toolkit” of guidance and education they will need for successful and coordinated enterprise wide implementation. For avoidance of doubt this doesn’t mean that the implementation is performed by a centralised Risk and Compliance Community, so no massive programme structure is required, but it will achieve:

  • Buy-in from the business areas;
  • Opportunities to spot issues before implementation;
  • A set of changes which have a much higher probability of successful implementation;
  • A more consistent implementation across the enterprise.

 

 

Changes to Accountabilities:

  • Given both of the root cause issues, one remedial action would be to ensure that the Risk and Compliance change initiative was part of a larger enterprise wide programme of change and for its management / governance to form part of the programme. The Risk and Compliance accountable executive would then be held accountable to the programme board and executive change management who would drive more “Change like” behaviours than “Regulator like” ones;
  • A more provocative suggestion is that the accountability for the management /implementation of the change initiative be removed from the Risk and Compliance function. The function would retain responsibility for specific deliverables using their specialised knowledge e.g. design of a framework. But the overall implementation across the enterprise would be handed to change professionals. In PRINCE2 terms the Risk and compliance AE would take the role of a Senior Supplier.

Where now?

The path to improved delivery of Risk & Compliance led or focused change surely starts with recognition and acceptance of the problem.

How can we achieve the recognition and acceptance both within Risk & Compliance communities and the wider enterprise?

Are the remedies outlined in this paper sufficient? Are there others?

Are there specific case studies that institutions would be happy to publish?

Readers are encouraged to post their thoughts in response to the paper.

 

Appendix

1 https://www.webopedia.com/TERM/G/grc-governance-risk-compliance.html

2  IAA Position Paper https://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf

And also:

“A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization”

“A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. In this capacity, the separate function reports directly to senior management, and in some business sectors, directly to the governing body. Multiple compliance functions often exist in a single organization, with responsibility for specific types of compliance monitoring, such as health and safety, supply chain, environmental, or quality monitoring.”