Governance, Risk and Compliance – A Culture and Philosophy

By Ashish Agarwal, Chief Risk Officer, Yes Bank

content-image

Ashish Agarwal, Chief Risk Officer, Yes Bank

The increasing inter-connectedness amongst financial intermediaries, complex financial products, myopic vision of the management, conflicting goals of maximisation of RoEs and higher capital adequacy are all leading to more systemic risk in the financial system. In that backdrop, the role of the Governance, Risk and Compliance functions within financial organisations is transforming from a peripheral support function to a much more strategic and central role wherein these functions are not only occupying a larger mind share in the Board Room of institutions, but are also being instrumental in driving business strategies.

GRC should not be viewed as a function being performed by a silo of professionals who are part of a particular department, but an ethos that has to run through the organization. It is an integral part of risk culture within the organization wherein each employee imbibes it as a philosophy that drives daily actions. An organization that works under this philosophy shall proactively identify, mitigate and thereby avoid a lot of risks. This culture is driven from top to bottom – from the Board to the top management and to the senior/middle/junior management.  Consistency of messaging and reflection in actions from the top management shall drive the culture.

The most underestimated risk emanating from a weak GRC culture is the reputational risk. The institutions have realized the impact of the reputational risks, the hard way. Billions of dollars in fines paid by institutions on account of unethical practices/benchmark riggings/weak KYC practices leading to use of banking channel for money laundering etc are paltry compared to the reputation and credibility erosion that institutions have suffered. When a high magnitude reputation risk event occurs and in an absence of a well defined crisis management process, the organization typically gets into a flux, internal decision making gets stalled, institution becomes rudder less, business moves away, employee morale goes down and more importantly the organization goes back in time.

It takes years to come out from such a devastating situation. On the contrary, a strong GRC culture gives sustainability, predictability and credibility which not only gets reflected in the respect that the organization gets but also gets translated in the earnings multiples that the organization commands. The valuation of the organization increases and becomes far more sustainable.

Organisations today are struggling to get the GRC culture right. While data analytics aided by technology help in identification and assessment of risk, it is no good unless the underlying user(s) of that data/information are highly sensitive to risks. Compliance is easy but practicing this as risk mitigation is tough. The efficacy of GRC departments is linked to human behavior that emanates from motivations. The motivation could be the incentive structure that could finally drive the culture within the organization. A lot of what happened in 2008 financial crisis was linked to lopsided incentive structures that resulted in complete disregard for tail risks. Risk based allocation of capital to businesses, risk adjusted return calculations on profits made, longevity and sustainability of earnings, has to be driven into risk takers during the budget and appraisal meetings. The incentive structures for risk takers within the organization have to be long term. Deferred bonuses/Employee stock options with a long vesting could be one good way to align employees in a right way.

While the above can help align management internally, the Banking supervisors globally are dis-incentivizing high risk taking as well by increasing the requirement of capital for higher risk businesses. Both the quality and quantity of capital that the Banks need to keep is increasing which is resulting in pressures on return on equities and shareholder value. The financial institutions today are in middle of increasing regulation and more stringent supervision. The cost of compliance and regulation is continuously increasing. Whether it is with respect to investments in technology towards data aggregation, analytics, reporting or in terms of higher cost of capital (BASEL III Compliant), or maintaining higher liquidity, the challenge of compliance is daunting. The conflict between capital, growth and liquidity is forcing managements to answer some very difficult questions. How well the management of various banks deal with this shall determine the future of individual institutions. Risk appetites shall need to be defined or re-defined as the case may be, business models and strategies will need to change. This may result in consolidation in the industry with weaker players making way for stronger.

Ensuring all of the above is not possible unless the quality of people within the GRC function is the best in class. Organisations today need to ensure that the pay structure, credentials, and experience of GRC professionals are the best to ensure that this becomes strategic and not a mere compliance – tick in the box, function.

To conclude, if we have to harness the benefits from financial development while limiting its instability, the GRC has to be driven not just by the supervisors but has to become an internal ethos and culture within the organization.  

Current Issue