The years that followed the financial crisis were marked by a globally coordinated effort to implement stricter regulatory measures aimed at guarding the financial system against future shocks. Basel III, for instance, introduced tighter capital requirements, widened risk coverage, and stipulated leverage ratios to protect against excessive borrowing, among other requirements.
Today, however, there appears to be a gradual shift away from global regulation, as each geography implements laws or standards that are specific to their own markets, needs, and concerns. The US, for instance, is in the thick of a deregulatory drive, but in regions like Europe, regulators show no signs of slowing down with new directives like MiFID II and PSD21.
As regulatory agendas continue to diverge, global banks and financial services institutions face the two-fold challenge of not only juggling multiple international compliance requirements that often vary from one jurisdiction to the next, but also conforming to local regulations governing business models and operations.
Meeting the demands of this complex regulatory environment calls for a renewed approach to compliance -- one that focuses on analyzing the business impact of regulations, identifying and prioritizing the underlying compliance risks, applying mitigating controls, and monitoring the entire system consistently.
Over the last decade, compliance risk—i.e. the potential for material loss and legal penalties arising from violations of, or non-conformance to, industry regulations, laws, and codes of conduct—has become a key concern, driven largely by a wave of record-high regulatory fines. Yet, compliance risk is more than just a regulatory issue. It’s also a business one with the potential to damage organizational reputations, diminish customer trust, and limit market opportunities.
Despite these consequences, many financial institutions are lagging in their compliance risk management efforts. McKinsey research finds that most senior managers feel more comfortable with their credit-risk management than with their control of compliance risk. The reasons for this are many -- best practices for compliance risk are still emerging, few agree on the most effective organizational approach, and business ownership of the risk is weak.
Some banks, however, are changing the tide. A top Canadian bank, for instance, has found a way to strengthen the effectiveness and efficiency of their compliance risk management program. Ad hoc and siloed risk assessments have given way to standardized and integrated processes that offer stakeholders a holistic view of compliance risks across the organization. A strong foundational framework maps compliance risks to regulations, controls, processes, and internal organizations, enabling the bank to easily understand the business impact of a compliance risk. Legacy tools and manual processes have been replaced with automated workflows, while advanced analytics accelerate decision-making by drawing out meaningful insights from compliance risk data. All these changes have strengthened the bank’s credibility with senior stakeholders and regulators.
Compliance risk management can turn into a strong driver of integrity and performance if it has the right ingredients in place. Here are a few aspects to consider:
A systematic assessment of compliance risks across the enterprise enables financial institutions to clearly understand their risk exposure, including the likelihood that a particular compliance risk will occur, the reasons for its occurrence, and the extent of its impact. Risk computations also make it easier for organizations to rank and prioritize compliance risks, link them to the appropriate risk owners, choose the right approach to mitigation, and allocate resources efficiently.
A well-defined risk assessment methodology helps stakeholders understand the impact of compliance risk not just at a financial level, but also at a reputational, legal, and business impact level. Having both qualitative and quantitative risk measures in place goes a long way towards providing a nuanced picture of risk. Also of significant value is an integrated compliance data model which can provide a contextual view of risk i.e. in terms of its link with other risks, as well as controls, regulations, policies, departments, and objectives.
Once compliance risks have been assessed and ranked, the appropriate controls can be chosen to prevent or detect the risks. These controls, in turn, need to be evaluated periodically based on their design and operating effectiveness. Higher risk controls require more comprehensive and frequent evaluations, while lower risk controls may not require as much focus.
Compliance software tools can help accelerate control assessments by streamlining and automating the process. Some tools offer predefined criteria and checklists to simplify assessments, along with mechanisms to score, tabulate, and report results. Any potential risk issues or exceptions that are found can be documented in the compliance tool, post which a systematic mechanism of issue investigation and remediation can be initiated and tracked up to closure.
Many large banks, like the Canadian one mentioned earlier, are beginning to rationalize their compliance controls, thus minimizing redundancies in control testing, while also saving on the time and effort involved in compliance. Fewer and better controls improve not only risk mitigation, but also compliance monitoring and testing.
Meanwhile, some financial institutions are looking at the use of robotic process automation (RPA) in control assessments. RPA tools have the potential to minimize manual intervention, thus freeing up time for compliance managers to focus on more strategic, high-priority, and value-adding tasks.
Compliance managers are almost always under pressure from senior stakeholders to report on the status of compliance risks and controls in as close to real time a manner as possible. Meeting these expectations can be extremely difficult given the number of departments and processes that a compliance program covers. Reporting becomes even more complex in organizations that operate across multiple countries.
Advanced reporting tools can be useful in these situations. Graphical dashboards, for instance, offer compliance managers comprehensive visibility into the compliance risk management process with aggregate reports, as well as individual status trackers. Viewers can browse both historical and real-time data on risk, including an analysis of control and risk assessment results. These insights enable compliance managers to stay in constant touch with the ground reality and progress on their compliance risk management program. Automated alerts for events such as exceptions and failures help eliminate any surprises, and make the compliance process predictable.
Many financial institutions are also exploring the use of advanced analytics and machine learning in detecting and predicting compliance risks. With faster, better, and more in-depth risk insights, decision-makers can swiftly identify potential compliance blind spots, and address them before they snowball into bigger issues.
In an era of rapidly changing and diverging regulatory landscapes, a solid compliance risk management program is key to reducing the likelihood of compliance failures. But the program must become an integral part of day-to-day business operations, as well as a priority for the senior management and board. Sustained collaboration across the three lines of defense, coupled with well-designed and wellimplemented compliance risk management processes and tools, will be integral in building financial institutions that are able to thrive in a complex, highly regulated world.
1 MiFID II - Markets in Financial Instruments Directive; PSD2 - Second Payment Services Directive