Governance, risk and compliance: the need for integration on financial markets



In January 2008, Wachovia Bank, a North-Carolina based bank founded in 1879, enjoyed an Aa1 rating from Moody’s for its deposits, with over $810bn dollars worth of assets. Then Wachovia suffered a $23bn third-quarter loss in 2008 and had to be rescued by a $25bn federal funding package. Involved in the sub-prime crisis, as well as many other scandals, including telemarketing crimes between 2003 and 2008 and the transfer of $378.4bn into dollar accounts from so-called ‘casas de cambio’ in Mexico, currency exchange houses with which Wachovia did business, Wachovia declared, in the statement of settlement with the federal government, that “as early as 2004, Wachovia understood the risk (but) despite these warnings, Wachovia remained in the business”.

Martin Woods, the whistleblower who disclosed the whole affair to authorities, concluded in the Guardian, in April 2011: “What happened at Wachovia was symptomatic of the failure of the entire regulatory system to apply the kind of proper governance and adequate risk management which would have prevented not just the laundering of blood money, but the global crisis.”

Why governance had been disconnected from risk and compliance

The shareholder value activism that was so prevalent in the 1990s, led by urgent needs of quick and high returns for US pension funds, has focused interest on return on equity, whatever means and risks were taken. Regardless, equilibrium would be back to the average. The Black and Scholes formula for options was a good symbol of this belief of a ‘no-risk world’. It was based on the insight that one can hedge the option by buying and selling the underlying asset in the right way and, consequently, ‘eliminate risk’. Governance was therefore focused on value maximisation with almost no integration of risk and compliance. The failure of LTCM, the hedge fund launched by the inventors of the equation, demonstrated in 1998 that risk had not been eliminated.

The succession of scandals, such as Savings and Loans, Enron, Worldcom, Arthur Andersen, Wachovia, HSBC, Siemens, Volkswagen and others, and financial crashes, such as Black Monday in October 1987, the Asian and Russian crisis in 1998 and the sub-prime crisis in 2007-2008, have urged governance to tightly rely upon active risk and compliance integration.

As Richard Zeckhauser announced in the Journal of Business in 1986, the battle has been raging more and more between rational economics and behavioural economics. In the classical or neoclassical view of economics, actors on the markets were supposed to act in a rational way and maximise their utility function. The belief of an invisible hand regulating the equilibrium between offer and demand to fix prices was granting efficiency to market. Herbert Simon had introduced a shade of realism, using the term “bounded rationality” – economic actors are assumed to be “intendedly rational, but only limitedly so”. Since George Akerlof, this belief is less and less prevalent and behavioural research is exploring the biases and illusions in economic choices, and the consequences of the animal spirits that govern human behaviours in economic areas.

What is an adaptive organisation?

If you contest the self-regulation of markets and the perfect rational behaviour of actors, then the functions of governance take on more importance.

On a macroeconomic scale, Nelson and Winter proposed an evolutionary theory of economic change in 1982. It enhances the importance of organisational capabilities and behaviour. An adaptive organisation is able to anticipate variations in its environment, select the appropriate strategy and implement the operational process allowing for feedback integration and iterative evolution. We summarise it as a variation/selection/replication feedback loop. Governance deals with the decision making process. Decision nodes must be set according to objectives and means. The level of integration depends on the intensity of cooperation, consistency and cohesion that is expected.

How to integrate governance, risk and compliance for an adaptive organisation

Alignment of governance, risk management and compliance (GRC) is necessary as soon as one considers that economic growth is the result of a pure selection process under uncertainty and that technological change is not a residual ‘neutrino’.

The evolutionary preparation to variation relies on governance to imagine prospective scenarios. They should integrate external risks, considered as low probability and high impact events, as well as shifts and bifurcations in trends. They also should integrate compliance risks, such as changes in jurisprudence and consumer forces.

For the selection step, where strategy is decided by the board, risk appetite definition, that is, the design of a forward-looking risk profile, is the first and foremost duty. The code of conduct sets compliance rules and regulates risk culture.

Through the replication process, governance consists of operational routine supervision to ensure that risk tolerance is acceptable through an ongoing review of parameters and metrics, and that sanctions are appropriate and applied.

An illustration of different stages of integration

Integration modes differ from one organisation to another. Though it does not necessarily imply a merger of risk and compliance departments with a direct link to the board, if these departments are autonomous, they need an institutional coordination and a close cooperation.

For instance, HSBC recognises first that “the environment in which (it) operates changes all the time...and so monitoring risk is a continuous process”. To integrate the evaluation based on an overall understanding of internal and external risks it faces and the interaction between them, the board has set up several committees: the risk committee, to oversee risk-related matters and the principal risks impacting the group, risk governance and internal control systems; the conduct and values committee, to align employee behaviour with risk appetite; the financial vulnerability committee, to study geopolitical risk, financial crime risk, international security, cyber security and law enforcement matters; and the audit committee, for internal control over financial reporting.

When we compare HSBC’s and BNP Paribas’ GRC devices, we see that HSBC has a more forward-looking approach to risk and a more integrated approach to GRC. At BNP Paribas, code of conduct is split between corporate governance, ethics, nominations and the CSR committee and the internal control, risk and compliance committee. At HSBC it is clearly understood that this is the responsibility of the conduct and values committee. Compliance with the law can be studied together with ethics, as it is usually a more restrictive constraint. For example, there could be no legal sanctions for a bank not providing the overall effective rate of loans to its clients. But, from an ethical standpoint, the bank could consider that it owes honesty and transparency to its clients.

BNP Paribas states that the internal control, risk and compliance committee deals with the bank’s current and future risk appetite; nevertheless the various governance tasks around variation and risk anticipation are not clearly highlighted.

It is a good illustration of the different perception of GRC in the Anglo-Saxon world and in continental countries such as France. The GRC triptych is a generally accepted concept in the Anglo-Saxon world, though not yet in continental Europe. This is probably because, notwithstanding the adaptive market hypothesis of Andrew Lo, adaptive behaviour in economy is far less populated. In the country of Descartes, who wrote “I think therefore I am”, rationalism permeates the whole society, which sometimes leads to the denial of biases in decision-making, covered by the influence of certain mathematics and statistics schools.

 Key success factors for integrated GRC

The successful implementation of integrated GRC depends on the existence of common values, a good mutual knowledge of business partners acting on engagement on the GRC side and most importantly, the absence of domination or inequality of treatment between engagement and GRC departments. This is a factor of trust, and provided that the chief risk officer in charge of GRC has moral authority (gathering financial and legal risks skills), power and charisma, integrated GRC will not only avoid duplication of audit costs, and excessive reliance on statistical models, but also enhance the “confidence multiplier”, to borrow George Akerlof and Robert Shiller’s concept, in Animal Spirits, both for the organisation itself and for the whole economy.


Miriam Garnier is the founder of Finance & Governance. She can be contacted on +33 6 23 76 22 78 or by email:

© Financier Worldwide


Miriam Garnier

Finance & Governance

©2001-2019 Financier Worldwide Ltd. All rights reserved.