In a recent SearchCompliance.com news article, we examined the chief compliance officer's expanding role in overall business strategy. Chris McClean, an analyst at Cambridge, Mass.-based Forrester Research Inc., agrees with the assessment: In a recently released Forrester "Playbook" report titled "Navigate the Future of Compliance and Risk Management," McClean states that risk management and compliance processes will become increasingly important to business' success in the next five years. As a result, chief compliance officers can expect more reliance on their input and decisions, he says.
In this Q&A, McClean discusses the playbook's predictions for governing risk management and compliance in the near future, the importance of accountability and why governance, risk and compliance (GRC) professionals should emulate the chief financial officer.
SearchCompliance.com: How do you think the chief compliance officer's role will evolve in the coming years?
Chris McClean: If the executives and the board see what you're doing as valuable and important to the company, you're more likely to get resources; you're more likely to get involved in very strategic-level decisions.
I'll give you an example: One of the heads of risk I've been working with over the last few years says he's been involved in merger and acquisition (M&A) discussions. The M&A team will actually work with him, do risk assessments, identify what are the risks of acquiring this certain company, see how good their compliance program is and whether or not they would fit their expectations of compliance. In some cases, he is able to vote down a merger or an acquisition because of that risk management and compliance consideration. That's not something you see happening too often, but it was never happening two to four years ago.
The report mentions that the success of GRC solutions still comes down to the people operating them. Is that a trend you are noticing -- you can have the best tools around, but if your employees aren't doing the right thing, it creates GRC problems?
The tools, for the most part, help you automate or help you facilitate a process. You're making that process more efficient. If you're not measuring risk in a way that makes sense for the business, if you're not keeping up with the regulatory requirements that you should be meeting, then you know automation is just going to make your mistakes more efficient.
More on compliance strategy
The work that we normally do is to start off by saying, "Do you have the right framework in place, the right processes, the right goals and responsibilities?" I did a workshop with a client a few weeks ago, and we spent a couple of hours just on the idea of accountability. If you have all these different elements of compliance, of risk, of governance, can you tell who is ultimately accountable for these things? Who's responsible for understanding regulatory requirements? Who's accountable for measuring or identifying risks? Most organizations don't have those accountabilities very well defined. If you don't have that, it doesn't really matter whether or not you have technology, because technology helps you find your risk, but you still don't know who's accountable.
The playbook recommends that risk and compliance professionals emulate the tactics used by CFOs. Why do you think that's a beneficial approach to GRC?
If you look at where risk should be going as a function in an organization, you want it to be pervasive. You shouldn't be siloed into one centralized function that doesn't operate with the rest of the business. You want that high level of visibility; you want a lot of people to be involved -- and that's how the CFO runs the organization.
Everybody has sort of an understanding of how finance impacts the organization. They have very clear financial metrics. Those attributes are what risk should be striving for. You want somebody who's in charge if you aggregate risk data across the organization, but it should be something that everybody contributes to, even at the individual level within different business units.
If you're not keeping up with the regulatory requirements that you should be meeting, then you know automation is just going to make your mistakes more efficient.
People should understand how risk actually impacts the rest of the organization. They should have risk metrics in place and make decisions based on those metrics in the same way they base decisions on financial metrics.
As the spotlight on risk management and compliance gets brighter in the coming years, how will the chief compliance officer, and the compliance department as a whole, have to change their approach?
You do have to kind of be a spokesperson if you are in charge of risk or compliance. You do have to accept that level of visibility; you have to be up in front and advocating processes, advocating the reason why risk and compliance is really important. A big part of that job is going to be marketing the value of risk and compliance, how you can improve the quality of your services, the quality of your products. You really have to accept that role as a marketing spokesperson for risk and compliance.
People are going to push back on that a lot, so you do have to generate a kind of grassroots support. You have to make some compromises in some cases. There is a lot of politics involved in it.