How to Embed a Strong Control Framework in Risk and Compliance StrategiesRisk Management | 6 Min Read |06 July 23|by Sumith Sagar
In today's dynamic business environment, organizations face numerous risks and regulatory challenges that can impact their operations, reputation, and profits. To navigate these complexities successfully, businesses need to establish a robust control framework that provides a solid foundation for effective risk management and compliance practices.
We recently discussed these challenges with key experts Ivan Martinez, Chief Auditor, Banco Santander, London, and Charles Nicholls, Enterprise Risk Solutions Specialist, MetricStream, in a webinar titled, “Embedding a Strong Control Framework in Your Enterprise Risk and Compliance Strategies.”
Our panelists discussed the importance of incorporating a strong control framework into GRC strategies, the role of risk culture in taking risk management to the frontline, the UK SOX requirements, and more. It was a lively and useful discussion with an engaged audience who asked multiple questions.
Here are some of the key takeaways – as well as some of the audience questions.
Want to hear the original in its entirety?
Why Strong Controls Matter More than Ever
The risk environment isn’t the same as even 5 years ago. We’re dealing with different kinds of risks. The volume and velocity of risks have increased, and the way we manage risks and the type of risks are not the same. Today organizations have to deal with a diverse set of risks, including Environmental, Social, and Governance (ESG) risks, advanced cyberattacks, lurking third-party risks, and geopolitical risks.
The financial services landscape has also changed. The modern banking revolution is being driven by advanced technologies like AI, ML, and RPA with chatbots, and cloud computing, along with the emergence of business models such as FinTechs and InsureTechs.
We are witnessing collaboration between banks and financial service providers and Fintechs resulting in better customer service and enhancement of profits. However, these innovations, have also introduced newer and more complex risks.
Risks are inherent to every business. This increases the importance of staying vigilant and resilient in our approach. It is how we manage and thrive on risks that set us apart from our peers and competitors. Being agile requires organizations to respond and learn quickly from adverse situations and land back on their feet as quickly and effectively as possible.
Controls, compliance, and robust risk management processes are critical to building this resilience and agility. Let’s take a look at some of the key recommendations and takeaways that Ivan and Charles discussed – and their impact on anticipating risks.
Key Takeaways and Recommendations
Highlights and takeaways from the discussion included:
- An effective risk management program reflects the effectiveness of the organization’s control framework. No GRC or integrated risk management effort can be effective without cohesive and connected controls.
- There is a direct correlation between control, compliance, and positive risk culture. Controls foster transparency, accountability, and responsibility. Employees from the front line to senior management all have the same standards to align with, resulting in a common understanding and pro-risk behavior.
- Controls (and compliance) are more than a regulatory checkbox exercise. Controls and compliance have the potential to not only mitigate risks but also avoid business disruption if managed properly.
- UK SOX puts controls front and center. It requires companies to assess and report on the effectiveness of internal controls as it focuses on promoting financial transparency and prevention of corporate fraud. Key steps to comply with UK SOX are to identify and assess financial-related risks and related controls, periodic testing of the entire program for its effectiveness, and compliance with the regulation.
- Centralizing risk, control, and UK SOX certification details is a must for an effective SOX compliance program. This includes technology as well as the alignment of roles, responsibilities, and accountability.
- On the technology front, it is very important to bring risk, control, policy, and compliance details on a single platform. This ensures the integrity of data, rationalization of controls, and a reduction in the cost of compliance. It also provides enterprise visibility, enabling collaboration and contributing to a positive, risk-aware culture of compliance.
- The future is efficiency and effectiveness, driven by AI and ML. Adopting advanced technologies like AI and ML to automate some of these processes and rationalize data elements across risk and compliance programs is essential to lower risk, improve compliance and do more with less.
Addressing Customer Questions
Below are some of the questions that were asked during the webinar and our responses:
- Which companies will be regulated under UK SOX?
The businesses that will be impacted by UK SOX are:
- Large organizations (private & public) operating in the UK due to the impact they have on the wider corporate climate
- Publicly-listed companies in the UK
- The scope of the regulation is expected to be expanded to mid-market organizations
- What is SMF?
SMF stands for Senior Management Functions. As laid out in SUP 10C by FCA, SMF needs to be allocated to the most senior individual within an organization. Senior Management Functions are:
- Governing Functions
SMF1 (Chief Executive)
SMF3 (Executive Director)
- Governing Function: Non-executive
- Required Functions
SMF16 (Compliance Oversight)
SMF17 (Money laundering reporting officer)
SMF29 (Limited scope function) – Limited scope firms only
- Governing Functions
- What is the biggest challenge and solution in achieving a successful culture and getting that accountability embedded from the top down?
One of the biggest challenges is to implement an adequate control culture. The solution is to break silos across areas and agree and delimit responsibilities among those different areas. It is very important to design spaces of common objectives and search for accountability by documenting the control framework, at a high level, and then asking the senior managers to land and cascade down these responsibilities into their teams and areas.
How are emerging risks identified? Who should own and manage these risks?
Several analysts, market research, and consulting firms have conducted thorough research based on macroeconomic conditions and drivers to understand the top emerging risks. Emerging risks need not be new but an existing risk with an elevated impact on business compared to the past. Some of the emerging risks listed by these companies are:
- Emerging structural challenges, including digitalization, climate change, and ESG
- Advanced cyber threats
- Geopolitical risks
- Financial sanctions
- Regulatory risks
- Digital asset market turbulence
- Theft, fraud, and other conduct risks
- Systemic risks
Everything from the above may not be applicable to all organizations. Individual organizations need to review their business objectives, respective industry trends, and risk appetite to identify and map risks to these categories.
When it comes to emerging risks, involving the frontline is very important as they are the most exposed to the lurking risks. Training and awareness of these risks are key to enabling the frontline to be ahead of these emerging risks. The ownership of identification and self-assessment of risks should remain with the frontline, and further analysis and mitigation strategies should be managed by the second line. From the technology standpoint, companies must streamline the identification of observations from across the organization, while also enabling anomalies to be recorded anonymously and triaged based on business criticality.
- Are antagonistic threats included in the definition of emerging risks?
They are not included in the emerging threats as their impact has not changed over the years. However, they must be managed by the organization. For example, for a bank, any employee unrest or strike will not only impact the business but also create reputational damage.
- Does the Enterprise Risk Management (ERM) model also include third-party risks and outsourcing? Most financial institutions have a lot of outsourcing arrangements since data is in the cloud.
As a best practice, ERM should have third-party risk exposure as a component, which will help risk leaders understand the overall risk exposure by the organization. However, the effective management of third-party or vendor risk management will require a separate program where all processes from vendor onboarding, risk assessment (for compliance, ESG, security, and operational risks), certifications, issue management to offboarding are managed for better visibility into the extended ecosystem and related risks.
- Is risk management or compliance management responsible for the risk and control framework?
The second line of defense from risk and compliance functions is responsible for control frameworks.
- Is risk management or compliance management responsible to report incidents to regulators and auditors?
Organizations must empower each function to report issues, observations, anomalies, incidents, and risks. An informed frontline can become a great resistance against any risk or incident. Once they are reported, the second line should investigate, and report based on the severity of issues or incidents.
Stay Ahead with MetricStream
Implementing strong internal controls, compliance, and a robust GRC framework are the keys to building agility, resilience – and staying ahead of ever-evolving risks.
To learn more about how MetricStream can help, please request a demo today. To get a copy of the slides, please get in touch with firstname.lastname@example.org.