How to achieve the most efficient and cost-effective compliance programme

The traditional compliance model, which has been to the fore in many Irish firms, was designed in a different era and with a different purpose in mind. Those charged with the compliance function worked in an advisory capacity, with a limited focus on actual risk identification and management. The operational-risk playbook emphasised a bottom-up process of control testing rather than a more objective, risk-based approach that monitors material risks. Frequently, this approach has forced managers to design and implement the specific controls necessary to address regulatory requirements. This typically leads to a build-up of labour-intensive control activities of uncertain effectiveness. Where this is the case, compliance activities tend to be isolated, lacking a clear link to the broader risk-management framework, governance and processes. More often than not, the net result is a dramatic increase in compliance-and-control spend with an uncertain impact on the residual risk profile of the firm. A best-practice model for compliance needs to rely on four core principles to address these challenges:

1. Expand the compliance role through a risk-and-control framework.
2. Instil a strong risk culture.
3. Implement standardised and transparent residual risk management processes.
4. Integrate the risk-management governance, regulatory affairs and issue-management processes.


Expand the compliance role through a risk-and-control framework

In most cases firms need to transform the role of their compliance officers from that of an adviser to one that puts more emphasis on active risk management and monitoring. In practice this means moving beyond offering advice on statutory rules, regulations and laws to becoming an active co-owner of risks that provides independent oversight of the control framework.
Given this evolution, responsibilities of the compliance function are expanding rapidly to include the following:

• Generating practical perspectives on the applicability of laws, rules and regulations across businesses
• Creating standards for tolerance levels and tying them to risk appetite
• Developing and managing a robust risk identification and assessment process/toolbox
• Developing and enforcing standards for an effective risk-remediation process
• Establishing standards for training programmes and incentives tailored to the realities of each type of job or work environment
• Ensuring that the front line effectively applies the processes and tools that have been developed by compliance
• Approving clients, transactions and products based on predefined risk-based rules
• Performing a regular assessment of the state of the overall compliance programme

Instil a strong risk culture

Risk culture has a special place in the compliance playbook. Indeed, most serious failures across financial institutions in recent times have had a cultural root cause, which has led to heightened regulatory expectations. The elements of a “strong” risk culture are relatively clear and include timely information sharing, rapid elevation of emerging risks, and a willingness to challenge the status quo. Because these elements can be identified, a risk culture can be actively shaped, monitored and sustained by committed leaders and organisations.
Effective execution of these expanded responsibilities requires the compliance function to have a much deeper understanding of the business processes. There are a few practical ways to achieve this:

• Incorporate process walk-throughs into the regular enterprise compliance-risk assessments
• Implement a formal business-change-management process that flags any significant operational changes
• Move away from a silo model to a matrix model
• Develop a robust toolkit to objectively measure risk

Implement standardised and transparent risk management processes

The new approach, focused on residual risk exposures and critical process breakpoints, ensures that no material risk is left unattended and provides the basis for truly risk-based, efficient oversight and remediation activities. It addresses these challenges by directly tying regulatory requirements to processes, by cascading material risks down to the front line in a systematic and truly risk-based way, and by defining objective key risk indicators (KRIs) at the points where a process “breaks” and creates exposure to a particular risk. Informed by the identified process breakpoints, one can then design KRIs that directly measure the residual risk exposure. This approach leads to far fewer items to test and much more robust insights into what the key issues are. Moreover, it provides the essential fact base to guide and accelerate the remediation process and resource allocation.

Integrate the risk-management governance, regulatory affairs and issue-management processes

Compliance risks are driven by the same underlying factors that drive other operational risks, but the stakes are higher in the case of adverse outcomes (for example, regulatory actions that can result in restriction of business activities and large fines). It is therefore only fitting that a modern compliance framework be fully integrated with the firm’s operational-risk view of the world.
Integrating the management of these risks offers tangible benefits:

1. It ensures the enterprise has a truly comprehensive view of its portfolio of risks and visibility into any systemic issues (for example, cross-product, cross-process), and that no material risk is left unattended.
2. It lessens the burden on the business (for example, no duplicative risk assessments and remediation activities) as well as on the control functions (for example, no separate or duplicative reporting, training, and communication activities).
3. It facilitates a risk-based allocation of enterprise resources and management actions on risk remediation and investment in cross-cutting controls.

Summary

In summary, the following practical actions can help firms to integrate compliance into the overall risk-management governance, regulatory affairs, and issue-management process:

• Develop a single integrated inventory of operational and compliance risks
• Develop and centrally maintain standardised risk, process, product and control taxonomies
• Coordinate risk assessment, remediation and reporting methodologies and calendars (for example, ensure one set of assessments in cross-cutting topical areas such as client on-boarding and third-party risk management)
• Define clear roles and responsibilities between risk and control functions at the individual risk level to ensure there are no gaps or overlaps, particularly in “grey areas” where disciplines converge (for example, third-party risk management, privacy risk and AML)
• Develop and jointly manage integrated training and communication programmes
• Establish clear governance processes (for example, escalation) and structures (for example, risk committees) with mandates that span risk and support functions (for example, technology)
• Consistently involve senior compliance stakeholders, and align with them in a timely manner, when determining action plans, target end dates, and the prioritisation of issues and matters requiring attention

If you would like to organise a trial of WiseBOS AML, the leading AML compliance toolbox, call us @ 01-4927000 or email us at info@amlquest.ie