Governance of your enterprise risk management: How to stay in control of your ERM programme and prove it

Richard Pike is the CEO and Founder of Governor Software, a company focused on Governance & Oversight at financial institutions, and a main board director of permanenttsb plc (an LSE-listed €23bn bank) and JP Morgan Fund administration Ltd. We speak to Richard ahead of the Operational & Enterprise Risk Management Congress to gain his insight on what he believes is the main focus for Enterprise Risk Management professionals today.

Richard, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I am also a Steering board member of the government-funded research centre GRCTC and a Lecturer on ERM for the Certified Bank Director and MSc Compliance courses at University College Dublin.

Previously I was the Senior Market Manager for Risk & Compliance in EMEA [2008 to 2015], managing the go-to-market activities of six Governance, Risk & Compliance software products across the region for a global financial technology company.

At the Operational & Enterprise Risk Management Congress, you will be sharing your insight regarding governance of Enterprise Risk Management. Why do you believe this is a key talking point in the industry right now and what can risk professionals gain from this insight?

My observation is that compliance and risk oversight, as operated within financial institutions, is inefficient and ineffective in a world of ever-changing regulation and ever more intrusive supervision.

Most firms operate a compliance and risk oversight process that is siloed and reactive. In order to operate a process that achieves its goals in a more cost-effective manner, compliance executives need to design their oversight process to be more holistic and agile.

What are the essential considerations that need to be made to ensure institutions stay in control of their ERM program, and how can they ‘prove it’?

The main tenets of an ‘efficient and effective’ oversight process are:

  • Line of sight from obligations to policies, controls, metrics, etc.
  • Collaboration between 1st and 2nd line in terms of piecing the puzzle together
  • Ability to see demarcation zones between 1st and 2nd line activities
  • Documentation / evidence management
  • Seamless transition from agile project delivery straight to BAU oversight
  • Complete record over time

How would you recommend institutions improve practices to prove compliance to stakeholders and why is this so important?

What if the compliance team were to map out a new or amended regulation when they first receive it? This mapping would involve breaking down the requirements into specific obligations and, for each obligation, defining what proof points they need for good compliance oversight. These items might be metrics, audits, assessments, outcomes, etc.

The policy writing team will then take these regulatory maps and match their individual policy elements to these obligations. They will also include in their policies the items that will make for good policy oversight. For each of those items they may also define the appetite or tolerances that will cause the policy to be in ‘breach’.

So now we have a regulation mapped to its obligations and then a set of policy statements that map to those obligations. For both of these we have the set of indicators (qualitative and quantitative) that will enable compliance oversight.

When this is presented to the business as the input to the change programme, there will be a clear understanding of what information is needed for compliance oversight to do their job. While the operational approach may rely on differing approaches, systems and MI to ensure their own processes, the business is well aware of the items that they have to record and store for oversight. If this is done well, then those items should be the same regardless of the oversight function that needs them (compliance, audit, regulators, etc.).

So the finish line is a map of the regulatory obligations, linked to a set of internal policy statements, linked to a set of internal proof points (metrics, assessments, reviews), all of which record and store all changes in real time, thus allowing anyone to go back to a point in the past to see the state of compliance.
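The chain described in this answer (regulation to obligations, obligations to policy statements, policy statements to proof points with tolerances, every change kept so the state can be read as of any past date) can be modelled as an append-only change log that is replayed up to a chosen timestamp. The following is an added illustration, not code from the interview or from Governor Software; the regulation name, obligation and policy identifiers, metric and tolerance values are all constructed for the example.

```python
"""Added example: an oversight map with a full record over time.

Each change to an obligation, policy or metric is appended to a log and never
overwritten, so "state as of <date>" is a replay of the log up to that date.
All identifiers and values below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Any, Optional


@dataclass(frozen=True)
class Change:
    at: datetime           # when the change was recorded
    kind: str              # "obligation" | "policy" | "metric"
    key: str               # identifier of the item being (re)defined
    data: dict[str, Any]   # the item's full definition at that moment


class OversightMap:
    """Append-only log of obligations, policies and proof-point metrics."""

    KINDS = ("obligation", "policy", "metric")

    def __init__(self) -> None:
        self._log: list[Change] = []

    def record(self, at: datetime, kind: str, key: str, **data: Any) -> None:
        if kind not in self.KINDS:
            raise ValueError(f"unknown kind {kind!r}")
        self._log.append(Change(at, kind, key, dict(data)))

    def state_as_of(self, at: datetime) -> dict[str, dict[str, dict[str, Any]]]:
        """Replay the log in time order, keeping the latest definition of each item."""
        state: dict[str, dict[str, dict[str, Any]]] = {k: {} for k in self.KINDS}
        for change in sorted(self._log, key=lambda c: c.at):
            if change.at <= at:
                state[change.kind][change.key] = change.data
        return state

    def line_of_sight(self, at: datetime, metric_key: str) -> Optional[tuple[str, str, str]]:
        """Trace a metric back to (regulation, obligation, policy) as of `at`."""
        st = self.state_as_of(at)
        metric = st["metric"].get(metric_key)
        policy = st["policy"].get(metric["policy"]) if metric else None
        obligation = st["obligation"].get(policy["obligation"]) if policy else None
        if obligation is None:
            return None
        return (obligation["regulation"], policy["obligation"], metric["policy"])

    def breaches_as_of(self, at: datetime) -> list[dict[str, Any]]:
        """Metrics whose latest value exceeds their policy tolerance at `at`."""
        st = self.state_as_of(at)
        found = []
        for mkey, metric in st["metric"].items():
            policy = st["policy"].get(metric["policy"])
            if policy is None or metric["value"] <= policy["tolerance"]:
                continue
            found.append({"metric": mkey, "value": metric["value"],
                          "tolerance": policy["tolerance"],
                          "policy": metric["policy"], "obligation": policy["obligation"]})
        return found


def build_sample_map() -> OversightMap:
    """Constructed history: one obligation, one policy, one metric, one tightening."""
    om = OversightMap()
    om.record(datetime(2024, 1, 10), "obligation", "OB-1",
              regulation="REG-X (constructed)",
              text="Report material incidents to the supervisor within 72 hours")
    om.record(datetime(2024, 1, 20), "policy", "POL-IR-3", obligation="OB-1",
              tolerance=72, text="Incident reporting lag (hours) must not exceed tolerance")
    om.record(datetime(2024, 2, 1), "metric", "incident_report_lag_hours",
              policy="POL-IR-3", value=60)
    # Internal appetite tightened below the regulatory limit: no metric changed,
    # yet the firm is now in breach of its own policy from this date onward.
    om.record(datetime(2024, 3, 15), "policy", "POL-IR-3", obligation="OB-1",
              tolerance=48, text="Incident reporting lag (hours) must not exceed tolerance")
    om.record(datetime(2024, 4, 1), "metric", "incident_report_lag_hours",
              policy="POL-IR-3", value=40)
    return om


if __name__ == "__main__":
    om = build_sample_map()
    for day in (datetime(2024, 2, 15), datetime(2024, 3, 20), datetime(2024, 4, 5)):
        print(day.date(), om.breaches_as_of(day))
```

Because the log is never edited in place, the March breach remains visible when the map is queried as of 20 March even after the April metric cleared it, which is the "go back to a point in the past" property the answer asks for; the tolerance change alone creating a breach shows why policy amendments belong in the same record as metric values.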

In your experience, how can financial institutions best manage communicating obligations to stakeholders?

I think that financial institutions need to focus on two things:

  • Visualization
  • Context

It needs to be easier to see exactly what is new and what is the status of a firm’s compliance. Financial Institutions often use detailed plans and documents, but these suffer from a lack of clarity and too much detail.

Communications should always add context regarding your current business processes, the effects of the new regulations and the plans for becoming compliant.

What, in your opinion, does the future hold for operational risk professionals, and how can they keep up with the increasing change?

I am very interested in how the new areas of machine learning and unstructured data analysis will be utilized by Operational Risk. I think that if we can start to analyse all of the data we have diligently collected over the last number of years, to enhance our ability to spot trends and highlight problems, we will add more value to the business, which is the end goal.

We asked Richard some informal questions…

If you did not pursue your current career path, what do you believe your alternative career path would have been?


What is your favourite thing to do to wind down after a long week?

A game of soccer

What came first, the chicken or the egg?

Definitely the egg!