1 © RiskIQ Limited
Effective Governance, Risk & Compliance
Reflections on Enabling Infrastructure
June 2016
GRC
A Decade Young
Preparing for Strategic Governance – The Coming Convergence of Risk Management, Governance, Control and the Efficient Enterprise
There is a growing consensus that our industry needs to move toward solutions that integrate the currently fragmented risk, governance, compliance and control functions into a single framework that can also serve as a strategic asset to the organisation.
The RMA Journal – October 2005
GRC
A Definition
GRC - A capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity; including the governance, assurance and management of performance, risk and compliance.
OCEG 2004/5
"It seems very pretty," she said when she had finished it, "but it's rather hard to understand!" (You see she didn't like to confess even to herself, that she couldn't make it out at all.) "Somehow it seems to fill my head with ideas – only I don't exactly know what they are!"
Jabberwocky – The Lewis Carroll poem in: Through the Looking-Glass and What Alice Found There.
A ‘Work-in-Progress’
Some Perennial Questions
How can we build systems, networks, organisations and the associated human and social capacity (“Infrastructure”) that:
• Are anchored mindfully in the present?
• Take a ‘long-term view’?
• Retain memory?
• Anticipate and initiate change?
• Withstand, adapt to / learn from disruptive events?
What will it Take?
An Evolutionary Step-Change
“The significant problems we have cannot be solved at the same level of thinking with which we created them.”
Risk management - dealing with the consequences of our earlier decisions.
“Infrastructure” – What do we mean?
HARD
• Law
• Structure
• Cognitive
• Control
• Capability
SOFT
• Culture
• Behavioural / Conduct
• Capability
• Information
• Comms
TECH
• Structure
• Data
• Permissions
• Control
• Capability
Diagram labels: Accountability, Rules, Judgement, Review, Monitor
Soft Infrastructure
A New Zealand Perspective
Why Should it Matter?
‘Outputs’ to ‘Outcomes’ / The (4) Capitals
Economic Capital
Natural Capital
Social Capital
Human Capital
Sustainability for the future
Managing Risks
Economic Growth
Increasing Equity
Social Cohesion
Source: NZ Treasury – Living Standards Framework http://www.treasury.govt.nz/abouttreasury/higherlivingstandards
Expectations Gap
Mind the Gap
NZ Public Performance Expectations
Performance Outcomes
Regulators and Standard-setters
• WorkSafe
• RBNZ
• FMA
• DIA
Community Participants
• Clients
• Employees
• Suppliers
• Investors
Formal Assessment
Informal Assessment
Board
Organisation
Influence
Risk-based Regulation
Regulation as Delegation
“Regulators increasingly enlist the judgment of the private firms they regulate to achieve public ends. Whether capital markets regulation spurred by high-profile fraud, data security and privacy responses to information technology abuse, or security responses to new global threats, regulatory measures seek to tame complex risk by mandating broad policy outcomes, but according regulated parties wide discretion in deciding how to interpret and achieve them. Yet the dominant paradigm of administrative enforcement, monitoring and threats of punishment, is ill suited to oversee the sound exercise of judgment and discretion”.
Duke Law Journal - ‘Regulation as delegation: Private firms, decision making, and accountability in the administrative state’. Kenneth A. Bamberger.
Risk-based Compliance
A New Paradigm
Regulatory Compliance
• Regulatory specificity
• Monitoring
• Incentives
• Unitary
Administrative Accountability
• Regulatory delegation
• Superior information
• Expertise
• Doctrines, procedures and relationships to channel decision-making
Predominant GRC Paradigm
Risk-based Compliance
A New Paradigm
Cognitively rooted Threats
Behaviourally rooted Threats
+
• Failures of Rationality
• Failures of Responsiveness
• Decision-making pathologies
• Biases
Predominant GRC Paradigm
Biases
Our Toolkit
Hindsight Bias
Illusion of Control Bias
Representativeness Bias
Confirmation Bias
Conservatism Bias
Anchoring and Adjustment Bias
Mental Accounting Bias
Framing Bias
Availability Bias
Loss Aversion Bias
Overconfidence Bias
Status Quo Bias
Self Control Bias
Endowment Bias
Regret Aversion Bias
Categories: Emotional; Cognitive – Belief Perseverance; Cognitive – Info. Processing
The Mindful Board
Evolution of the Species
• Boards play a critical role but need to themselves evolve.
• Our view is that a majority of New Zealand boards are spread across stages 1 and 2:
Stage 1: Consent Board
Stage 2: Working Board
Stage 3: Strategic Board
Stage 4: Mindful Board
Source: The Mindful Board: Charlotte M. Roberts and Martha W. Summerville
Evolution of the GRC Stack
Our Journey
Cognitive
Behavioural
Situational
Consulting led insight and experience
GRC bench-strength
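Tech Infrastructure
Harnessing Technological Convergence
Level of Intelligence (columns): Human Support; Repetitive Task Automation; Content Awareness & Learning; Self-Aware Intelligence
The Great Convergence
Task Type: Analyse Numbers
• Human Support: BI, Data Viz., Hypothesis driven analytics
• Repetitive Task Automation: Operational analytics, scoring, model management
• Content Awareness & Learning: Machine learning, Neural nets
• Self-Aware Intelligence: Not Yet
Task Type: Digest Words and Images
• Human Support: Character and speech recognition
• Repetitive Task Automation: Image recognition, machine vision
• Content Awareness & Learning: Q&A, NLP http://vhqsentiment.au-syd.mybluemix.net/
• Self-Aware Intelligence: Not Yet
Task Type: Perform Digital Tasks (Admin & Decisions)
• Human Support: BPM
• Repetitive Task Automation: Rules engines, RPA
• Content Awareness & Learning: Not Yet
• Self-Aware Intelligence: Not Yet
Task Type: Perform Physical Tasks
• Human Support: Remote operation
• Repetitive Task Automation: Industrial robotics, collaborative robotics
• Content Awareness & Learning: Fully autonomous robots, Vehicles
• Self-Aware Intelligence: Not Yet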
Source: MIT Sloan 2016: Cognitive Technologies – The Next Step up for Data and Analytics
Far-Fetched?
Think Again!
A Hong Kong venture capital fund recently appointed a computer algorithm to its board of directors, claiming to be the first company of its kind to give a machine an "equal vote" when it comes to investment decisions. The firm, Deep Knowledge Ventures (DKV), which invests in companies researching treatments for age-related diseases and regenerative medicine, uses the algorithm to analyse financing trends to make investment recommendations in the life sciences sector.
Make a Difference
In Closing
• Are you mindfully aware of your ‘infrastructures’?
• Do you know where your current and prospective ‘infrastructure’ gaps are? Are you sufficiently persistent in their resolution?
• Are you designing your ‘infrastructures’ with foresight for the expected and unexpected?
• Are your board/s similarly challenging themselves on these questions?