Thursday, October 30, 2008

Canary in a Coal Mine

During the recent boom in mortgage-backed securities and credit derivatives, many risk managers were hired to serve as the "canary in a coal mine" for financial institutions.   In the past, coal miners would bring a canary with them to work to ensure that they did not die as a result of carbon monoxide poisoning.  If the canary stopped singing and died, then the coal miners knew to evacuate due to the risk of high levels of carbon monoxide gas in the mine.   The problem with the financial institutions was that the canary (i.e. risk manager) stopped singing in many cases.  The miners (i.e. bankers) chose not to pay attention to the canary at their own peril.  

Just this week, the following was published in US Banker magazine.
"There’s a lot of finger pointing going around about what led to the current financial market breakdown, but perhaps the most ridiculous target of blame is the very idea of financial derivatives, as if these products sprang out of the ground like a particularly potent crop of poison ivy while no one was looking. In reality, a lot of people were looking, and a fair number of risk managers were warning, but too many institutions were either ignoring or mis-measuring the risk."

Rather than solely rely in the future on sophisticated models, the magazine suggests that many financial institutions are getting back to basics.  Edward Hida, a risk management expert from Deloitte, is quoted by the magazine as saying that it all begins with:
"a strengthening of governance and monitoring. The chief risk officer “should serve as a central point. Risk management should be a robust process across functions.”

He makes a great point, but the rest of the organization must heed the warnings of the chief risk officer in the future or suffer the same fate as the poor souls at the bottom of the mine.

Wednesday, October 29, 2008

GRC Software Swamp

When you think of a swamp, what comes to mind?  Murky, squishy, and difficult to find your way through? Well, the same can be said for today's Governance, Risk & Compliance ("GRC") software marketplace.  There are many vendors crowding the market with all sorts of products that address various components of GRC. However, it is extremely difficult for companies to determine what software may be best suited for their processes and environment.  That's because the software market and the products themselves are evolving continuously.  

Wheelhouse Advisors can help you determine not only your requirements, but also the solutions that are best suited for your company.  It starts with gaining a solid understanding of your GRC process design and overall vision for the desired end state.  With that in hand, Wheelhouse Advisors can then work to help you successfully navigate through the swamp to find a software product that will enable your program to reach its fullest potential.  

Visit www.WheelhouseAdvisors.com to learn more about how we can help your company Navigate Successfully™.

Tuesday, October 28, 2008

You can pay me now... Or, pay me later!

A study was released this week that examines worldwide regulatory compliance efforts and implementations in large organizations.  The results of this study are surprising, if not alarming, given the current state of the worldwide economy.  Sponsored by CA and conducted by GMG Insights, the study found that many organizations in Europe and the Asia/Pacific Region are not fully compliant with many regulations even though they are required to be.  For example, 46% of European companies and 50% of Asia/Pacific companies anonymously reported that they are not fully compliant with the Sarbanes-Oxley Act.  To be sure, these companies do not have very mature risk and control programs.  The researchers conducting the study concluded the following.
"The conclusion we come to is that in spite of the rising costs associated with compliance and the severe penalties that can come from non-compliance, organizations are still managing down to a “just enough to get by” strategy. In our opinion this strategy cannot be sustained. Organizations face exponential growth of regulations and systems affected by those regulations must be monitored. Managing compliance with an ad hoc approach subjects organizations to significant risks. Recognition of the organizational risk and the growing costs will ultimately drive the adoption of broader, enterprisewide compliance management solutions."

These companies and many others may believe they are saving money by addressing compliance in this fashion.  However, most will ultimately find that this short-term, ad hoc approach will not only lead to greater risk of potential non-compliance, but also to greater cost due to fragmented and duplicate activities.  As the mechanic says to his customer in the oil filter commercial, "you can pay me now..... or pay me later".

Monday, October 27, 2008

A Financial 9/11?

Last week, two past chairmen of the US Federal Reserve provided their perspectives on the current financial crisis gripping the world economies.  Alan Greenspan testified before the US House Committee on Oversight and Government Reform that we are experiencing a "once-in-a-century credit tsunami".  He went on to say that, "In 2005, I raised concerns that the protracted period of underpricing of risk, if history was any guide, would have dire consequences."

However, in a 2005 speech, Mr. Greenspan lauded the sophistication of risk management related to derivatives that led us to the current financial market collapse.  He noted the following,
"The use of a growing array of derivatives and the related application of more-sophisticated approaches to measuring and managing risk are key factors underpinning the greater resilience of our largest financial institutions..."

Another former chairman, Paul Volcker, provided a simpler view at a roundtable session at Columbia University last week.  He stated, 
"We are dealing with unprecedented events, and unprecedented events call for unprecedented measures.  I think we really are going to have to rebuild the system pretty much from the ground up."

Instead of a "tsunami", maybe Mr. Greenspan should have used a different metaphor - a financial 9/11, perhaps?  Just as we are now rebuilding the World Trade Center, we will need to rebuild, according to Mr. Volcker, the financial system headquartered only a few blocks away on Wall Street.  Your thoughts?

Sunday, October 26, 2008

Better Ingredients. Better Governance.

This weekend, the Wall Street Journal included the opinion of John Schnatter on the current financial crisis.  For those of you who do not recognize his name, Mr. Schnatter is none other than "Papa John" of the famous pizza franchise, Papa John's.   As Chairman of the Board at Papa John's International, Inc., Mr. Schnatter points out that the failings of the many corporations that were involved in the carnage started in the boardroom.   With weak oversight, these companies did not possess the strong level of governance required to hold the CEO accountable as the bubble expanded.  Mr. Schnatter explains,
"As our nation works its way through this crisis, and we look for explanations as to how we reached this point and how to avoid another crisis in the future, let us keep in mind that a significant set of checks and balances -- ultimately ending with the boards of directors -- has failed."

Checks and balances must be improved, beginning with the board and ending with strong controls throughout the enterprise.  As Papa John himself says, better ingredients lead to better pizza and, in the case of enterprise risk management, better governance.

Thursday, October 23, 2008

How Mature is your Risk & Control Program?

Do you know how mature your risk and control program may be?  More importantly, do you know how mature you want your program to be?  Wheelhouse Advisors provides services to give companies a better understanding of the current state of their risk and control program as well as how to achieve the desired state. Through a comprehensive diagnostic review, Wheelhouse Advisors can quickly provide Executive Management and Board Members an independent view of their program.  We examine the following five main components to determine the maturity level.  

  1. Infrastructure

  2. Control Portfolio

  3. Governance Model

  4. Capabilities

  5. Cost Structure


Clients can then use the results of this diagnostic review to develop a road map that will help them achieve the desired maturity in their risk and control program.  If you would like to learn more about how Wheelhouse Advisors can help your company, email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Wednesday, October 22, 2008

Operational Risk Is Quickly Gaining Attention

As the financial crisis continues to unfold, one area of risk management that is gaining an increasing amount of attention is operational risk.  Operational risk is typically defined as the risk of loss resulting from inadequate or failed internal processes, people, technology or from external events.  Earlier this year, the massive trading losses at Société Générale resulting from the activities of a rogue trader exemplified the need for stronger operational risk management practices.  Just last week, the Financial Times reported that,
".....some of the world’s biggest investment banks, including Goldman Sachs, Morgan Stanley and Citigroup, issued a report criticising risk management at their own institutions and urging “serious and sustained investment” in better people and technology."

Greater investment is needed to get ahead of the operational risk curve before the next rogue trader comes along.  What do you think?  Please share your comments below.

Tuesday, October 21, 2008

Risk Management as a Competitive Advantage

When asked, most corporate executives do not think of risk management or regulation as a competitive advantage.  That is until confidence and trust are no longer commodities, but highly treasured assets.  Looks like the US Government is also realizing the value of risk management and regulation.   Earlier this week the Wall Street Journal noted the following,
"Two years ago this month, Treasury Secretary Henry Paulson was talking about how the regulatory pendulum "may have swung too far" in the wake of corporate scandals earlier this decade.  Mr. Paulson's fear: That overly burdensome regulation would make U.S. capital markets less innovative and competitive globally. If only."

Yes, how quickly things change.  If you are interested in learning more about how Wheelhouse Advisors can assist your company in strengthening risk management to become a competitive advantage, visit our website at www.WheelhouseAdvisors.com or email us at NavigateSuccessfully@WheelhouseAdvisors.com.

Monday, October 20, 2008

A Case for Strategic Risk Management

Yesterday, Federal Reserve Governor Randall S. Kroszner delivered a speech to the 2008 Annual Risk Management Association Conference in Baltimore, Maryland.  In his speech, Governor Kroszner made the case for strengthening risk management practices by integrating risk management with strategic planning.  Governor Kroszner stated,
"In my view, an effective overall corporate strategy combines a set of activities a firm plans to undertake with an adequate assessment of the risks included in those activities. Unfortunately, many firms have forgotten the second part of that definition. In other words, there can be no real strategic management in financial services without risk management, hence my use of the term "strategic risk management." Risk management needs to be interwoven into all aspects of the firm's business and should be part of the calculus for all decision-making. Strategic decisions about what activities to undertake should not be made unless senior management understands the risks involved; assessing potential returns without fully assessing the corresponding risks to the organization is incomplete, and potentially hazardous, strategic analysis."

While many institutions may have thought they were considering risks when setting strategy, most were blinded by the potential profits without a healthy consideration of the risks.  As Governor Kroszner reiterated in his remarks,
"...the ongoing fundamental transformation in financial services offers great potential opportunities for those institutions able to integrate strategy and risk management successfully, and I will argue that survival will hinge upon such an integration...."

Click here to read Governor Kroszner's full speech.

Sunday, October 19, 2008

An Office of One - Revisited

For those who have been keeping up with The ERM Current™ this month, you might recall the blog from October 9 titled "An Office of One".   It details the Securities and Exchange Commission's approach to risk management and the impact of cutting the office of risk management back to one person.  Well, in reading some earlier thoughts from former SEC Chairman Harvey Pitt, it seems that the vision for Enterprise Risk Management at the SEC was much broader and simply suffered under the current administration of Chairman Christopher Cox.   As Mr. Pitt explained in a Compliance Week article earlier this year,
My years in government have taught me that government seems far more adept at examining the past than anticipating the future. When I became chairman of the SEC in 2001, for example, the agency had never—not once in its nearly seven decades—ever conducted a top-down management review of efficiency and processes. While the result of the review I commissioned recommended the creation of a risk-management group within the SEC, this recommendation has taken years to implement, and even then with a paucity of resources that makes the effort almost worse than never having undertaken it.

Mr. Pitt deserves credit for his vision.  If only he had been around longer to have seen it fully implemented, we may have been experiencing different and much less severe consequences today.

Thursday, October 16, 2008

Better late than never!

Yesterday, the Federal Reserve released guidance to major financial institutions on how they should be managing compliance risk across the enterprise.  The guidance is very similar to enterprise risk management frameworks that have been in existence for some time now.  Here is an excerpt from their release describing the need for additional guidance.
While the guiding principles of sound risk management are the same for compliance as for other types of risk, the management and oversight of compliance risk presents certain challenges. For example, quantitative limits reflecting the board of directors’ risk appetite can be established for market and credit risks, allocated to the various business lines within the organization, and monitored by units independent of the business line. Compliance risk does not lend itself to similar processes for establishing and allocating overall risk tolerance, in part because organizations must comply with applicable rules and standards. Additionally, existing compliance risk metrics are often less meaningful in terms of aggregation and trend analysis as compared with more traditional market and credit risk metrics. These distinguishing characteristics of compliance risk underscore the need for a firmwide approach to compliance risk management and oversight for large, complex organizations. A firmwide compliance function that plays a key role in managing and overseeing compliance risk while promoting a strong culture of compliance across the organization is particularly important for large, complex organizations that have a number of separate business lines and legal entities that must comply with a wide range of applicable rules and standards.

The guidance is very well intended and comprehensive, but not well timed.  The subjects of this guidance should have been addressing these risks on an enterprise level well before the current collapse.  However, as the saying goes, "better late than never!".  Your thoughts?  Click here to read the entire supervisory letter from the Federal Reserve.

Wednesday, October 15, 2008

Board Members Agree - ERM is Top Priority

As we move into the fourth quarter of a year filled with major corporate calamities, a recent survey of over 1,000 public company board members points to the need for stronger enterprise risk management.  Today, Corporate Board Member magazine released the results of their 7th annual survey entitled "What Board Members Think".  This survey, conducted by PricewaterhouseCoopers, highlights the board members' belief that shareholders deserve greater assurance that risks will be effectively managed.  The magazine reported the following.
When asked if they felt their board members could adequately meet the responsibility of monitoring the company's multitude of risks, 81 percent of directors felt their board was capable; yet only 50 percent said their board was effective or very effective at monitoring a risk management plan to mitigate corporate exposures.

Based on this survey, board members seem to understand their role and also, more importantly, seem willing to address the challenge of holding management accountable for building and maintaining strong enterprise risk management programs.  Do you agree with these results?  Share your thoughts below.

The Devil is in the Details

Yesterday, the US Treasury released highlights of its proposed Executive Compensation Rules associated with the $700 billion Emergency Economic Stabilization Act ("EESA").  Here is a summary of the key provisions.
Any financial institution participating in the Capital Purchase Program will be subject to more stringent executive compensation rules for the period during which Treasury holds equity issued under this program. The financial institution must meet certain standards, including: (1) ensuring that incentive compensation for senior executives does not encourage unnecessary and excessive risks that threaten the value of the financial institution; (2) required clawback of any bonus or incentive compensation paid to a senior executive based on statements of earnings, gains, or other criteria that are later proven to be materially inaccurate; (3) prohibition on the financial institution from making any golden parachute payment to a senior executive based on the Internal Revenue Code provision; and (4) agreement not to deduct for tax purposes executive compensation in excess of $500,000 for each senior executive. 

While this sounds good enough, there is a great deal of room for interpretation that may or may not help deal with the real problem at hand.  If you read my blog entry on September 24, you will have a better appreciation for the incentive programs leading to firms taking excessive risks.   The senior executives' pay packages certainly added to the problem, but the great extent of the excessive risk taking is found throughout the institutions' trading floors and mortgage origination ranks.  So, how will the Treasury ensure excessive risks are not taken by non-senior executives?  As with everything, the devil is certainly in the details.  I'm sure there will be more debate once the detailed rules are released. Stay tuned.

Tuesday, October 14, 2008

Who's to Blame? The Better Question is "Who's Accountable?"

This week, Gartner Research is hosting its 2008 Annual Symposium in Orlando, Florida to discuss what is on the horizon for Information Technology professionals in the coming years.   Several Gartner analysts unveiled what they see as the nine most contentious issues for IT professionals over the next two years.  Risk management made the list as the third most contentious issue - specifically, determining the accountability for security and risk management as it relates to business applications.  Here's what they had to say.
Issue 3 - Business Accountability for Security and Risk Management.  Security and risk management is not just an IT issue. It is essential that the IT risk manager, using effective communications skills, persuade the appropriate IT owners and line-of-business managers to accept explicit, written responsibility for residual risk impacting their systems and processes, on either a direct or a dotted-line basis. Risk managers should develop mechanisms for assignment and acceptance of residual risk and risk decisions - for example, signature forms, processes, and policies that address the requirement and execution of risk acceptance. The risk manager should also develop mechanisms to convey residual risk levels that remove reference to technology but still support good risk-based decisions at a business level that may result in the implementation of technical controls.

Understanding the risks well enough to establish the appropriate accountability structure in advance of a risk event is a key element for strong risk management.  Otherwise, energy that should be focused on proactively managing risks becomes focused on determining who should be blamed for the risk that resulted in a catastrophe. Do you agree? Please share your thoughts below.

Monday, October 13, 2008

Does the US Government Need ERM?

As we enter another week in the evolving crisis sweeping our financial markets, it is clear that the central figure in this crisis, the US Government, has been reacting to events as they happen.   From the outside, it appears that the Government is using a trial-and-error approach by launching various imperatives with little knowledge of the expected result.  This is crisis management at its worst.

Once this crisis has passed, our Government should look to our northern neighbors for a lesson in risk management. The Canadian Government has been endorsing a program called "Results for Canadians" since the late 90's.  Part of this program focuses on how the Government can improve their approach in proactively dealing with potential risks.  In 2003, the Canadian Treasury Board developed an Integrated Risk Management Framework for use by all areas within the Canadian Government.  The Treasury Board explains the purpose of the framework as follows:
The Integrated Risk Management Framework provides guidance to adopt a more holistic approach to managing risk. The application of the Framework is expected to enable employees and organizations to better understand the nature of risk, and to manage it more systematically.

Could the US Government and Treasury use a risk framework, eh?  What are your thoughts?

Friday, October 10, 2008

Blame Technology? Not so fast!

Many people are asking about the huge technology investments made by financial institutions to provide risk management capabilities designed to prevent major market catastrophes (like the one we are currently experiencing). Well, based on a recent article in Information Week entitled "Risk Management Failings Spur Big Financial IT Investments", huge investments were made and continue to increase.  However, simply investing more in technology is not the full answer.  Many institutions had the risk information readily available, but chose to ignore it because of greed.  According to Gregg Berman, risk management practice head at RiskMetrics, this was certainly the case.  He states,
"Given the levels of technology that we have today, this crisis we're going through is something that was very avoidable.  This was not a natural disaster. The writing was on the wall for quite some time and people ignored it."

So, once again, superior risk management practices hinge on the abilities of the right people creating the right culture supported by the right infrastructure.  Without all three legs of the stool (people, culture, infrastructure), well, you know what happens - someone will take the fall.

Thursday, October 9, 2008

An Office of One

Earlier this week, Lynn Turner provided extensive testimony to the US House Committee on Oversight and Government Reform on the many ills of our current corporate and regulatory governance regime.  He had many great points, but one that stood out was his commentary on the demise of the Securities and Exchange Commission ("SEC").  The following is an excerpt from Mr. Turner's testimony.
"Regulation also failed to keep pace. At the Securities and Exchange Commission (“SEC”), the Office of Risk Management had been reduced to an office of one by February of this year. From 2005, the number of SEC enforcement division personnel was cut by 146 from 1338 to 1192 in 2007. In 2004, the SEC reduced the capital requirements for the largest Wall Street investment banks."

As he points out, the SEC mirrored what many companies were doing themselves - cutting back in areas that were meant to prevent future catastrophe.  During good times, few concern themselves with growing risks or possible downturns.  However, the SEC took "putting your head in the sand" to a new level by reducing their office of risk management to one person.

Mr. Turner offered the following recommendations to Congress and the SEC.
"The SEC also needs to take actions to shore up confidence in the agency which I believe has been seriously eroded as a result of the current crisis. For example, the Office of Risk Management should be adequately staffed to allow the agency on a proactive basis to identify risks in the market place such as those created by excessive leverage, or new financial instruments that carry significant system risks such as credit derivatives. Once identified, a plan for promptly and appropriately addressing regulatory and public policy issues should be formulated and an action plan established on a proactive basis before, not after, the train wreck has occurred."

Several years ago, the US Army ditched their slogan "An Army of One" for obvious reasons.  I think the SEC may need to do the same.  Your thoughts?

Click here to read more of Lynn Turner's testimony to Congress.

Wednesday, October 8, 2008

Punishing the Monkey at AIG

Yesterday, the US House Committee on Oversight and Government Reform had quite a session receiving testimony from those involved in events leading to the massive bailout of American International Group ("AIG").  Of particular concern was a letter from Joseph St. Denis, an AIG accounting policy expert who had been hired, as he explained, "as part of an entity-wide effort to address material weaknesses by AIG's external auditor".   Unfortunately, Mr. St. Denis could not participate in this effort because he was restricted from reviewing the area with the highest risk - accounting for credit default swap derivatives.

Mr. St. Denis resigned from AIG after serving just over a year due to restrictions placed on him by senior executives. After surfacing many legitimate issues, he was demoted even though he had received a stellar performance rating only a few months before.  Then, according to Mr. St. Denis, he was prohibited from reviewing the very area that led to AIG's ultimate demise.  Joseph Cassano, head of AIG's Financial Products group, was the executive responsible for the valuation of AIG's Super Senior Credit Default Swap portfolio and the same executive who made the following statement to Mr. St. Denis:
"I have deliberately excluded you from the valuation of the Super Seniors because I was concerned you would pollute the process."

The improper valuation of this portfolio led to another material weakness in 2007 and ultimately led to AIG's death spiral.  Meanwhile, Mr. Cassano retired from AIG earlier this year and continues to receive $1 million per month in consulting fees from AIG.  In the words of famous musician Mark Knopfler, I think this is a clear case of "punishing the monkey while letting the organ grinder go free".  Your thoughts?

Click here to read Joseph St. Denis' letter to Congress

Tuesday, October 7, 2008

Fooled by Fuld?

Yesterday, Richard Fuld, CEO of the recently defunct Lehman Brothers, testified before Congress in regard to his role in the demise of his firm.  Here is an excerpt from his prepared testimony.
No one realized the extent and magnitude of these problems, nor how the deterioration of mortgage-backed assets would infect other types of assets and threaten our entire system.  In April 2006, Chairman Bernanke predicted that the housing market “will most likely experience a gradual cooling rather than a sharp slowdown.”  In March 2007, he stated “the impact on the broader economy and financial markets of the problems in the subprime market seems likely to be contained.”  Similarly, Secretary Paulson said in June 2007 that the crisis in the mortgage markets “will not affect the economy overall,” echoing the views of the International Monetary Fund.  And at Lehman Brothers’ annual shareholder meeting, I too said what I absolutely believed to be true at the time – that the worst of the impact to the financial markets was behind us.

How could Mr. Fuld truthfully tell shareholders in April that "the worst was behind us" during a 2nd quarter performance period that would result in a loss to those same shareholders of $2.8 billion?  Also, how can he place blame on those outside his organization for a failure within his own organization?  He added the following later in his testimony.
We exist in a regulatory regime created in a vastly different world for vastly different markets. Some have compared the regulatory and risk management systems of our current markets to trying to run a bullet train on ancient track.

Blaming the system is as weak as it gets.  Call it a lack of accountability or responsibility or simply a lack of integrity.  To me, it sounds like Mr. Fuld tried to fool the market and lost.  Your thoughts?

Monday, October 6, 2008

My Name is Mudd

An article in yesterday's New York Times details the contribution made by Fannie Mae's former chief executive officer, Daniel Mudd, toward the financial meltdown we are experiencing in the US mortgage securities market.  Mr. Mudd, like many other CEOs of his time, joined the group of lemmings chasing profits, placating investors and taking excessive risks.  The article points out that Mr. Mudd told employees to “get aggressive on risk-taking, or get out of the company.”  When Mr. Mudd's chief risk officer warned him about the housing bubble and the potential negative impact to the company, Mr. Mudd argued that the market, shareholders and Congress all thought the companies should be taking more risks, not fewer.

While his name is literally Mudd, Fannie's CEO also serves as a metaphor for the dozens of CEOs and many more executives who failed to heed the warnings of risk professionals in the face of external pressure and personal greed.   Do you agree?  Please join the conversation below.

Friday, October 3, 2008

Where is the A-Team?

At many companies around the world right now, executive management is feverishly looking for ways to cut costs and eliminate headcount to bolster the bottom line.  As I have heard many times before, many are probably asking themselves, "Do we really need an A-Team to handle our enterprise risk and compliance activities?"  As a result, risk management and compliance are areas that are typically cut first.  While that may be helpful to the bottom line in the short run, it typically comes back to haunt companies as we are seeing today in the many corporate failures related to poor risk management and compliance practices.  

So, those same executives should be asking themselves, "Do we have the right talent to address our risk management and compliance activities?"  Some key skills required for the "A-team" include:

  • Solid understanding of the business

  • Well informed on regulatory and compliance requirements

  • Ability to see the big picture beyond just the rules

  • Uncompromising integrity and courage

  • Strong communications skills to articulate risk exposures as well as opportunities

  • Capability to persuade and influence appropriate behavior in others


So, as budget season winds down in many corporations, executives need to be very careful not to succumb to the temptation to cut what may seem like a non-essential activity.  As Mr. T from the original A-team would say, "I pity the fool who cuts enterprise risk!"  Do you agree with Mr. T?  Comment below.

Thursday, October 2, 2008

Fannie + Freddie = Fraud

According to recent reports about investigations into the corporate governance and accounting practices at Fannie Mae and Freddie Mac, it appears that the two Government Sponsored Entities (GSEs) did not learn their lesson from improper disclosures made only a few years ago.  This is what was reported by the Associated Press yesterday.
The mortgage finance companies said Monday that a federal grand jury in New York is investigating accounting, disclosure and corporate governance issues at Washington-based Fannie and McLean, Va.-based Freddie.  Critics have long questioned the companies' bookkeeping.  Last November, for example, a Fortune magazine story said new accounting procedures at Fannie Mae masked potential losses on bad loans.  And several years ago, both Fannie and Freddie were forced to restate billions in earnings after federal regulators discovered accounting irregularities at both companies.

If we can't trust these GSEs to clean up their act and root out fraud, how can we again trust our government with $700 billion of our money to handle the very same mortgage-backed securities that ran through these corrupt GSEs?  What are your thoughts?  Please join the conversation below.

Wednesday, October 1, 2008

GRC Convergence - Where's the "B"eef?

Many software vendors and professional services firms are touting their abilities to converge or integrate what has become a common buzz word - "GRC".   For those who are unfamiliar with the term, GRC stands for Governance, Risk and Compliance respectively.  In many companies, activities related to each of these areas often overlap and lend themselves to duplicative efforts as well as excessive costs.  As such, there is a true need and benefit to integrating these disciplines.

However, what is often missed in this push for convergence is the need to first integrate these disciplines into the business processes themselves.  The greatest convergence benefit will be achieved when Enterprise Risk Management becomes a part of running the business, rather than a separate exercise performed by units outside of the business.  By focusing first on the "B" (the business) with the "G", "R" & "C" in mind, GRC convergence will begin to occur naturally as a by-product of the business integration efforts.  Then, when that little old lady from the burger joint comes to review your Enterprise Risk Management Program (or more likely a rating agency, regulator or auditor), you will know the answer to the most important question.  Share your thoughts and comments below.