Page 1: Effective Governance, Risk & Compliance · 1 © RiskIQ Limited Effective Governance, Risk & Compliance Reflections on Enabling Infrastructure June 2016

1 © RiskIQ Limited

Effective Governance, Risk & Compliance

Reflections on Enabling Infrastructure

June 2016

GRC

A Decade Young

Preparing for Strategic Governance – The Coming Convergence of Risk Management, Governance, Control and the Efficient Enterprise

There is a growing consensus that our industry needs to move toward solutions that integrate the currently fragmented risk, governance, compliance and control functions into a single framework that can also serve as a strategic asset to the organisation.

The RMA Journal – October 2005

GRC

A Definition

GRC - A capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity; including the governance, assurance and management of performance, risk and compliance.

OCEG 2004/5

"It seems very pretty," she said when she had finished it, "but it's rather hard to understand!" (You see she didn't like to confess even to herself, that she couldn't make it out at all.) "Somehow it seems to fill my head with ideas – only I don't exactly know what they are!"

Jabberwocky – The Lewis Carroll poem in: Through the Looking-Glass and What Alice Found There.

A ‘Work-in-Progress’

Some Perennial Questions

How can we build systems, networks, organisations and the associated human and social capacity (“Infrastructure”) that:

• Are anchored mindfully in the present?
• Take a ‘long-term view’?
• Retain memory?
• Anticipate and initiate change?
• Withstand, adapt to / learn from disruptive events?

What will it Take?

An Evolutionary Step-Change

“The significant problems we have cannot be solved at the same level of thinking with which we created them.”

Risk management - dealing with the consequences of our earlier decisions.

“Infrastructure” – What do we mean?

HARD
• Law
• Structure
• Cognitive
• Control
• Capability

SOFT
• Culture
• Behavioural / Conduct
• Capability
• Information
• Comms

TECH
• Structure
• Data
• Permissions
• Control
• Capability

Diagram labels: Accountability, Rules, Judgement, Review, Monitor

Soft Infrastructure

A New Zealand Perspective

Why Should it Matter?

‘Outputs’ to ‘Outcomes’ / The (4) Capitals

Economic Capital

Natural Capital

Social Capital

Human Capital

Sustainability for the future

Managing Risks

Economic Growth

Increasing Equity

Social Cohesion

Source: NZ Treasury – Living Standards Framework http://www.treasury.govt.nz/abouttreasury/higherlivingstandards

Expectations Gap

Mind the Gap

NZ Public Performance Expectations

Performance Outcomes

Regulators and Standard-setters
• WorkSafe
• RBNZ
• FMA
• DIA

Community Participants
• Clients
• Employees
• Suppliers
• Investors

Diagram labels: Formal, Informal, Assessment, Influence, Board, Organisation

Risk-based Regulation

Regulation as Delegation

“Regulators increasingly enlist the judgment of the private firms they regulate to achieve public ends. Whether capital markets regulation spurred by high-profile fraud, data security and privacy responses to information technology abuse, or security responses to new global threats, regulatory measures seek to tame complex risk by mandating broad policy outcomes, but according regulated parties wide discretion in deciding how to interpret and achieve them. Yet the dominant paradigm of administrative enforcement, monitoring and threats of punishment, is ill suited to oversee the sound exercise of judgment and discretion”.

Duke Law Journal - ‘Regulation as delegation: Private firms, decision making, and accountability in the administrative state’. Kenneth A. Bamberger.

Risk-based Compliance

A New Paradigm

Regulatory Compliance
• Regulatory specificity
• Monitoring
• Incentives
• Unitary

Administrative Accountability
• Regulatory delegation
• Superior information
• Expertise
• Doctrines, procedures and relationships to channel decision-making

Predominant GRC Paradigm

Risk-based Compliance

A New Paradigm

Cognitively rooted Threats

Behaviourally rooted Threats

+

• Failures of Rationality
• Failures of Responsiveness

• Decision-making pathologies
• Biases

Predominant GRC Paradigm

Biases

Our Toolkit

Hindsight Bias

Illusion of Control Bias

Representativeness Bias

Confirmation Bias

Conservatism Bias

Anchoring and Adjustment Bias

Mental Accounting Bias

Framing Bias

Availability Bias

Loss Aversion Bias

Overconfidence Bias

Status Quo Bias

Self Control Bias

Endowment Bias

Regret Aversion Bias

Legend: Emotional; Cognitive – Belief Perseverance; Cognitive – Info. Processing

The Mindful Board

Evolution of the Species

• Boards play a critical role but need to themselves evolve.
• Our view is that a majority of New Zealand boards are spread across stages 1 and 2:

Stage 1: Consent Board

Stage 2: Working Board

Stage 3: Strategic Board

Stage 4: Mindful Board

Source: The Mindful Board: Charlotte M. Roberts and Martha W. Summerville

Evolution of the GRC Stack

Our Journey

Cognitive

Behavioural

Situational

Consulting led insight and experience

GRC bench-strength

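Tech Infrastructure

Harnessing Technological Convergence

The Great Convergence

Level of Intelligence: Human Support; Repetitive Task Automation; Content Awareness & Learning; Self-Aware Intelligence

Task Type: Analyse Numbers
• Human Support: BI, Data Viz. Hypothesis driven analytics
• Repetitive Task Automation: Operational analytics, scoring, model management
• Content Awareness & Learning: Machine learning, Neural nets
• Self-Aware Intelligence: Not Yet

Task Type: Digest Words and Images
• Human Support: Character and speech recognition
• Repetitive Task Automation: Image recognition, machine vision
• Content Awareness & Learning: Q&A, NLP http://vhqsentiment.au-syd.mybluemix.net/
• Self-Aware Intelligence: Not Yet

Task Type: Perform Digital Tasks (Admin & Decisions)
• Human Support: BPM
• Repetitive Task Automation: Rules engines, RPA
• Content Awareness & Learning: Not Yet
• Self-Aware Intelligence: Not Yet

Task Type: Perform Physical Tasks
• Human Support: Remote operation
• Repetitive Task Automation: Industrial robotics, collaborative robotics
• Content Awareness & Learning: Fully autonomous robots, Vehicles
• Self-Aware Intelligence: Not Yet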

Source: MIT Sloan 2016: Cognitive Technologies – The Next Step up for Data and Analytics

Far-Fetched?

Think Again!

A Hong Kong venture capital fund recently appointed a computer algorithm to its board of directors, claiming to be the first company of its kind to give a machine an "equal vote" when it comes to investment decisions. The firm, Deep Knowledge Ventures (DKV), which invests in companies researching treatments for age-related diseases and regenerative medicine, uses the algorithm to analyse financing trends to make investment recommendations in the life sciences sector.

Make a Difference

In Closing

• Are you mindfully aware of your ‘infrastructures’?

• Do you know where your current and prospective ‘infrastructure’ gaps are? Are you sufficiently persistent in their resolution?

• Are you designing your ‘infrastructures’ with foresight for the expected and unexpected?

• Are your board/s similarly challenging themselves on these questions?