Financial cesspits and compliance

Governance risk and compliance are not the most popular of topics. Until there is a monumental screw up that is.
Written by Dennis Howlett, Contributor

Governance risk and compliance are not the most popular of topics. Until there is a monumental screw up that is. Then everyone with a GRC solution emails to remind me they have the solution that could have avoided last week's mayhem in the financial markets,which will fix the ongoing situation or some other perceived disaster in waiting.

It's interesting to note that in all the broo-ha-ha around finding solutions to the crisis, GRC has been a recent major contributor to fresh license sales by the big enterprise vendors. Yet it's not without problems. Last December for instance, I said that:

In my opinion GRC is one of the most urgent yet difficult management areas for large scale business to address with technology solutions.

Earlier still, in June 2007, Amit Chatterjee of SAP responded to my critique of the GRC market claiming that:

In his piece, Dennis asks how to manage against error, fraud and deliberate acts of omission.  Funny thing is that is exactly what enterprise software was designed to do...By simply establishing proper automated controls, not SOx compliance software companies can avoid this [simple error.]

You would think that in the aftermath of the SocGen rogue trader debacle that the American financial institutions would have taken notice, considered more carefully their 'mark to market' practices for complex, illiquid financial instruments and done something to ensure that their governance policies had teeth. No such luck it would seem. Or maybe they were in too deep. We may never know.

I am not for one minute suggesting that a direct comparison can be drawn between what the US might deem fraud (as was the case at Societe Generale) and the goings on in the investment banking community over the last years. I leave that for others to opine upon. But in some circles, I am hearing that GRC controls were dialled down to lower the incidence of exception reporting. If true then that begs the question who controls the controllers?

Over the last week, my Irregular colleagues have expressed shock, horror, dismay and deep concern over the past, present and future of the financial markets. So much so that the main discussion on this topic has run 95 messages so far. Rather than single out individuals out on this most sensitive of topics I can summarize the general sentiment in a few bullet points:

  • Mark to market rules have been a disaster.
  • Going forward requires 'smart government' which is not the same as more government.
  • Whatever regulation comes out of this mess, it needs to be rooted in a genuine sense of ethical business activity.

The software that is used to help govern these complex businesses needs to be capable of independent verification as to its utility and application. Unfortunately, I am far from convinced that we have the framework in place nor the scale among specialist advisers to ensure that will happen. The alternative looks grisly. GRC will likely fall squarely into Mike Krigsman's definition of failure. If it hasn't already done so. But then none of this may matter if Paul Krugman's Cash for Trash op-ed is remotely correct.

Look forward to a period of warning shots from the vendor community.

Editorial standards