Standardizing Compliance Risk Assessments and Strengthening Reporting
Enabling a consistent approach to compliance across the global organization
The Client: Societe Generale
Compliance is a fairly young function, but it has a number of key responsibilities. Compliance analyzes the full range of banking regulations and manages relationships with regulators - both important roles, considering that banking is one of the most highly regulated industries. It also conducts compliance risk assessments, defines norms and policies, helps implement procedures, and manages controls and their results. If compliance incidents occur, Compliance investigates, resolves, and follows up with the appropriate action plans.
At every point in their activities, Compliance Officers have to keep in mind various compliance terms and trending topics, such as Anti-Money Laundering (AML), know your customer, embargoes, corruption, conflict of interest, client protection, market abuse, employee code of conduct, banking data privacy, and regulatory reporting.
Towards a Global Compliance Risk Assessment Approach
When Societe Generale decided to upgrade their compliance risk assessment program, the objectives were as follows: to know, anticipate, and/or mitigate the risks of non-compliance with regulations in order to (a) ensure that the bank acts in compliance with any regulation applying to any type of business and in any country; (b) protect the bank, its clients, and its employees; and (c) reinforce the bank’s reputation.
To achieve these objectives, the Group Compliance needed a system that would enable a consistent and cross-border approach to compliance risk assessments across the bank, while also facilitating updates of compliance risk cartographies.
The Group also wanted to ensure that regulations were being effectively identified, analyzed, and managed. They needed to monitor action plans, consolidate compliance risks across various levels into a cohesive view, enhance reporting across all levels of the management team, manage Compliance programs, and identify where resources were needed most. All these processes required the support of a robust compliance risk assessment system.
As the Group moved towards finding the right system and enhancing their compliance risk assessments, they began to think from a global perspective. The first step was to design a global compliance risk table that would be applied across all business units in different countries. The next step was to create a common compliance risk approach and a global compliance risk calculation methodology.
The global compliance risk table has helped to minimize differences in regulatory compliance between countries such as the U.S., U.K., and France. Each risk in the table is defined in such a way that compliance teams across countries can map their regulations to the corresponding risk.
To enable and support their compliance risk program, Societe Generale selected MetricStream’s Compliance Risk Management Solution. Compliance executives believed MetricStream would be the best partner for the bank, offering the technology to organize data and help the bank strengthen reporting. By using the MetricStream solution, the bank would be able to view all relevant regulations, procedures, controls, training, risk subjects, and action plans, supported by color-coded charts - providing a truly global overview of compliance risks.
Only Compliance Officers, not the business units, are authorized to enter data into the MetricStream solution. However, it was soon realized that while Compliance Officers could manage the regulatory databases, input from the business was needed to list the mitigants. As a result, Compliance Officers now collaborate more closely with the business to gather data on mitigants, share the results of compliance risk assessments, identify gaps or loopholes, and implement and follow up on action plans. All of this data is managed in the MetricStream solution.
Implementing the Compliance Risk Management Solution
Societe Generale implemented the MetricStream Compliance Risk Management Solution to streamline and standardize compliance risk assessments, and to strengthen reporting.
The solution maintains several databases: (a) the business organization database, which provides a consolidated, tightly mapped structure of the organization; (b) the regulatory databases, which provide comprehensive information on the regulations in each country; (c) the global compliance risk database, or risk table; and (d) the mitigant database, which consolidates all controls, procedures, and training used to mitigate compliance risks for each Business Division in each country.
The solution is also used to evaluate all inherent compliance risks (based on impact and probability), the coverage of those risks by mitigants, and the resulting residual risk. If the residual risk is high, the solution triggers a streamlined action plan process. It also provides dashboards and charts for risk reporting.
The solution was rolled out in phases - first in various business divisions, and then in various countries. Today, Societe Generale continues to upgrade the solution with new capabilities and continues to roll out the system across the various Business Divisions and countries.
Throughout their journey, Societe Generale identified a few key best practices:
Understand that your risk and compliance culture will vary from one country to the next. Regulatory pressures are also different across geographies.
Stay flexible and inventive. Some things may not go according to your plan or strategy, but wherever possible, work as a team to find the solution.
Think global right from the start. Even if you have a small department, look at the big picture, and determine how to manage compliance across the global enterprise.
On top of these compliance topics, multiple regulations apply, including the Dodd-Frank Act, the Foreign Account Tax Compliance Act (FATCA), the European Market Infrastructure Regulation (EMIR), the Markets in Financial Instruments Directive (MiFID II), Packaged Retail Investment Products (PRIPs), the Financial Transaction Tax (FTT), and Basel III. In fact, the volume of new and evolving regulations that banks like Societe Generale have had to keep pace with in recent years is tremendous. Added to that, different regulations apply to different banking divisions. For instance, Basel III is relevant across divisions - from private banking and insurance to corporate investment and retail banking. EMIR, however, is relevant only to securities services, asset management, and corporate investment.
Mapping and managing these compliance regulations and requirements has become increasingly challenging for Compliance at Societe Generale, and each team has to juggle multiple tasks. There are other challenges, too. For instance, the compliance risk culture varies from one part of the organization to the next, and from one country to another. In addition, there is a lack of integration across the business systems that store and manage compliance-related information and activities.
Added to all this is an increase in the number of global projects, as well as an increase in the frequency and scope of reporting to regulators and management teams within the bank.
There is also the challenge of preparing a Compliance risk cartography. The use of spreadsheets only made things more complex, considering the amount of data involved (e.g. for just two Dealing Rooms, or Trading Rooms, in two countries, around forty spreadsheets of data were created).
Given the scale of these compliance risk assessments, the Group realized the need for a system that could help automate and standardize their compliance risk assessment processes across the global organization.
Ability to view all residual risks, and trigger immediate action plans
Global overview of compliance risks to enable informed decision-making
Visibility into key compliance risk metrics such as the number of risks assessed, the number of high residual risks, and the number of action plans open or closed
A consistent and streamlined approach to compliance risk assessments across the global organization
Greater speed and efficiency in risk assessments due to automation
Well-structured compliance reports that can be shown to regulators and auditors
Ability to mitigate compliance risks in a timely manner