Towards a Global Compliance Risk Assessment Approach
When Societe Generale decided to upgrade their compliance risk assessment program, the objectives were as follows: To know, anticipate, and/or mitigate the risks of non-compliance with regulations in order to (a) ensure that the bank acts in compliance with any regulation applying to any type of business and in any country (b) protect the bank, clients, and employees (c) reinforce the bank’s reputation.
To achieve these objectives, the Group Compliance needed a system that would enable a consistent and cross-border approach to compliance risk assessments across the bank, while also facilitating updates of compliance risk cartographies.
The Group also wanted to ensure that regulations were being effectively identified, analyzed, and managed. They needed to monitor action plans, consolidate compliance risks across various levels into a cohesive view, enhance reporting across all levels of the management team, manage Compliance programs and identify where resources were needed most. All these processes required the support of a robust compliance risk assessment system.
As the Group moved towards finding the right system and enhancing their compliance risk assessments, they began to think from a global perspective. The first step was to design a global compliance risk table that would be applied across all business units in different countries. The next step was to create a common compliance risk approach and a global compliance risk calculation methodology.
The global compliance risk table has helped to minimize differences in regulatory compliance between countries such as the U.S., U.K., and France. Each risk in the table is defined in such a way that compliance teams across countries can map their regulations to the corresponding risk.
To enable and support their compliance risk program, Societe Generale selected MetricStream’s Compliance Risk Management Solution. Compliance executives believed MetricStream would be the best partner for the bank, offering the technology to organize data and help the bank strengthen reporting. By using the MetricStream solution, the bank would be able to view all relevant regulations, procedures, controls, training, risk subjects, and action plans, supported by color-coded charts - providing a truly global overview of compliance risks.
Initially, only the compliance officers, not the business units, were authorized to enter data into the MetricStream solution. It was then realized that while Compliance Officers could manage the regulatory databases, inputs from the business were needed to list the mitigants. As a result, the Compliance Officers now collaborate more closely with the business to gather data on mitigants, share the results of compliance risk assessments, identify gaps or loopholes, and implement and follow up on action plans. All of this data is managed in the MetricStream solution.
Implementing the Compliance Risk Management Solution
Societe Generale implemented MetricStream Compliance Risk Management Solution to streamline and standardize compliance risk assessments, and to strengthen reporting.
The solution maintains several databases: (a) the business organization database which provides a consolidated, tightly mapped structure of the organization, (b) the regulatory databases which provide comprehensive information on the regulations in each country, (c) the global compliance risk database or table, and (d) the mitigant database which consolidates all controls, procedures and trainings used to mitigate compliance risks for each Business Division in each country.
The solution is also used to evaluate all inherent compliance risks (based on impact and probability), the coverage of those risks by mitigants, and the resulting residual risk. If the residual risk is high, the solution triggers a streamlined action plan process. It also provides dashboards and charts for risk reporting.
The solution was rolled out in phases - first across various business divisions, and then across various countries. Today, Societe Generale continues to work towards upgrading the solution with new capabilities and new possibilities, and continues the system’s implementation across the various Business Divisions and countries.
Throughout their journey, Societe Generale identified a few key best practices:
- Understand that your risk and compliance culture will vary from one country to the next. Regulatory pressures are also different across geographies.
- Stay flexible and inventive. Some things may not go according to your plan or strategy, but wherever possible, work as a team to find the solution.
- Think global right from the start. Even if you have a small department, look at the big picture, and determine how to manage compliance across the global enterprise.