The role of governance risk and compliance management in corporate business

The organizations have seen their boards of director’s press for improved governance structures in their organizations. That pressure for better governance is not a recent phenomenon. New rules also boosted the increase in governance around internal processes. And the regulatory agencies are not the only catalysts for change. The expectations of investors and other stakeholders in relation to governance risk and compliance are increasing. More than ever, stakeholders are holding management accountable for the effectiveness of its overall governance process. This change is real and significant and, probably, it amounts to an expectation of greater bond of the council in the means by which the government is organized and carried out.

Although the direct link of the board may be realistic in smaller organizations, banks, and larger insurance companies may find those requirements challenging. In general, the council has responded by strengthening internal policies and establishing steering-level committees with clear functions. Functions such as risk executives are now common and lead units with good resources that can help the council in its monitoring work. It is no longer unusual, especially in larger organizations, to find individuals with risk-related functions, such as specialists in corporate risk management, compliance managers, specialists in internal controls and fraud investigators, among others. Each one examines specific areas of risk in order to help the board manage the different risks that the organization may face.

However, the challenge is to transform the various governance risk and compliance management functions into a discipline incorporated throughout the company and viewed as a strategic asset. With that, it is also necessary that there is a convergence of existing compliance solutions, specific to each user that integrates financial, operational, risk and regulatory requirements. Only through such transformation can the full benefit of risk management be obtained. However, recent surveys showed that only 28% of the audit executives believe that their functions have a strong impact and influence within the organization. In fact, many of them believe that internal audit has little or no influence, being only a normative and mandatory function within the organization.

The synergy between the two functions is fundamental. The challenge that both functions face and that, in the final analysis, have an impact on their strength and effectiveness within the organization is to have skills that remain relevant as organizations grow and develop. While previously the skills were focused on the understanding of the operational structure, controls and audit methodologies, IT-focused knowledge is now necessary. Regulations such as the General Data Protection Directive (GDPR), which affects all financial services companies, clearly require a team of people from risk and internal audit environment with knowledge of risks and operational and IT controls.

It is clear that only the presence of the risk function and internal audit in an organization is not enough. The challenge is to effectively coordinate the tasks of both functions. This is essential to ensure that there are no gaps in controls or unnecessary duplication of work. Clear attributions should be defined so that each function understands the limits of their responsibilities and how their position fits into the overall risk and control structure of the organization. Without a cohesive and coordinated approach, limited resources may not be implemented effectively and significant risks may not be identified or adequately managed. With the variety of threats faced by the organization, internal weaknesses can pose a great risk. The resulting consequences would be too high to be ignored.