For a bank, investment bank or insurance company the identification, understanding and management of risk has always been at the core of sound business management. Earning revenue without accepting risk is unlikely, earning sustainable revenues without managing (including declining) risks, unlikelier still. Risk management is therefore at the core of business decision making.
However, regulators have a somewhat different agenda from that of firms' management when it comes to risk, and compliance departments must understand and take on board this perspective. The regulatory agenda is a broad one, and regulators need senior management to address the risks they pose to that agenda and direct their business decisions and risk mitigation accordingly. The compliance department therefore must function alongside other more mature risk management functions, deriving timely risk information, for example from an integrated view of their processes and data.
According to the Financial Services Authority's (FSA) senior management arrangements, systems and controls (SYSC) a firm should plan its business so that it is able to identify, measure, manage and control risks of regulatory concern (see SYSC 3.2.11 G (2)). In some firms, depending on the nature, scale and complexity of their business, it may be appropriate to have business plans or strategy plans documented and updated on a regular basis to take account of changes in the business environment.
The FSA expresses the regulatory agenda for risk with refreshing clarity: 'confidence in the financial system; to the fair treatment of firms' customers; to the protection of consumers; and to the use of the financial system in connection with financial crime. The FSA is not primarily concerned with risks which threaten only the owners of a financial business except in so far as these risks may have an impact on those matters'.
Risks of confidence
Risks relating to confidence in the financial system are essentially embodied in the concept of prudential risk or, as a US regulator might prefer, 'safety and soundness'. If an institution with any kind of footprint in the financial system suffers a crisis, either in the context of poorly controlled exposure to a wider market dislocation, or one stemming from a failure in controls, the consequences are potentially far greater than those of lost jobs or diminished investments.
Regulators fear that the failure of one large financial institution would spill over to another, not just in the banking system but in the financial system as a whole. In the case of banking this is easy to see, given how closely the large banks intertwine through lending and borrowing from each other, holding deposits with one another and the payments system. This concern has long underpinned banking regulation on both sides of the Atlantic.
This fear - and further concerns about the fragility of the banking system - are increasingly driving change in approaches taken with insurance firms and the large investment banks. In readiness for Basel 2 implementation, regulators are prepared (or at least preparing) to approve complex models for identifying and managing risks and identifying appropriate capital charges against them. The 'use-test' exemplified in the Basel 2 architecture is key here: scenario modelling is not enough. As Governor Olsen of the Federal Reserve Board recently stated: "Scenario analysis is not the end goal. Something must be done with the results of the analysis. Management needs to ask itself whether the organisation needs to restructure its balance sheet or modify its current risk management strategy in order to be prepared for a scenario (that might well unfold)."
Clarity of regulatory expectation for credit, market, liquidity and operational risk management process has increased significantly over the last five years as firms have prepared to meet the challenges of prudential regulation in Basel 2.
Extending the risk agenda
In the area of prudential risk, regulators rely on senior management addressing their concerns by identifying risks and making informed business and risk mitigation decisions. Inevitably this is extending itself to the other risks regulators care about.
These are the areas of the agenda traditionally looked after by the compliance department: fair dealings with consumers and the market and preventing financial crime (principally anti-money-laundering).
However, there has been little guidance provided - as there is in market risk for example - as to how the risks the compliance function deals with should be identified and reported so that management can then direct compliance in mitigation. In the absence of guidance and pressure a tick-box mentality can develop and, worse, little evidence can exist of engagement between compliance department work and senior management decision making.
It is this which is changing. Ever since the FSA implemented its own risk-based approach to regulation and in particular to its 'risk mitigation programmes' for high impact firms, a number of institutions in the City of London have similarly begun to run their compliance programmes on the basis of risk-assessment. As one chief compliance officer (CCO) said recently: "If the regulators' defence against missing something is that they were reasonably looking elsewhere then we need to avail ourselves of the same". This in turn has fed regulatory expectation in three main areas:
- the demand for greater certainty over the integrity of financial reporting
- international efforts to combat money-laundering
- more recent pronouncements on both sides of the Atlantic from the Securities and Exchange Commission (SEC), Federal Reserve and FSA.
All of these examples have something in common: an increasing emphasis on a risk management approach. In the UK, the January 2006 Joint Money Laundering Steering Group (JMLSG) guidance, Prevention of money laundering, combating the financing of terrorism, contains an entire chapter on risk identification and mitigation. It is a powerful instance of applying risk management standards to non-prudential risks, a shift in regulatory attitude which is changing expectations of the modern compliance function.
The guidance explains that the way in which firms assess their money-laundering risk and then manage it cannot be fixed in a prescriptive cookie cutter way. Complex businesses will require sophisticated approaches - particularly wholesale firms looking to identify customers' potential for criminality and the extent to which the work of other parties can be relied upon.
The SEC clearly sees regular risk assessments and risk-based monitoring and mitigation programmes as important tools in any compliance programme. Mary-Ann Gadziala, associate director, in a recent speech gave a comprehensive description of the SEC's own risk assessment process before moving to current examination priorities and finally to her comments on firms' compliance organisation. The implication was clear: that if the SEC can do it then so should firms. In her list of top five challenges for a firm's compliance programme Gadziala listed the "identification and control of compliance risk" as number one.
In a speech to the Fiduciary and Investment Risk Management Association in April 2006, Governor Mark Olsen of the Federal Reserve Board covered the topic of enterprise risk management. He chose examples of recent failures which were not drawn from traditional prudential risks.
"Well-publicised accounts of late trading and market-timing at mutual fund firms, and the related investigations have touched on many firms ... we are seeing an increasing focus on enterprise-wide compliance-risk management systems". These he said are not blindly iterative but require testing and validation to be conducted in a continuous and dynamic way: in other words responsive to changing perceptions of risk.
The FSA's recent consultation paper CP06/9 Organisation systems and controls (Common platform for firms) is also revealing. Proposed rules on the compliance function state clearly that the scope of that function is the broad regulatory agenda - that of compliance with: 'obligations under the regulatory system, as well as associated risks, and (firms must) put in place adequate measures and procedures designed to minimise such risks and to enable the FSA to exercise its powers effectively'.
So, a common theme emerges: the regulatory agenda is a broad one, regulators need senior management to address the risks they pose to that agenda and direct their business decisions and risk mitigation accordingly. The compliance department therefore must function in a way that is similar to other more mature risk management functions: deriving risks from an integrated view of their processes and data, scenario modelling and being able to drill down from those risks to underlying information. This is not easy when the risks we are talking about are qualitative not quantitative: these risks are essentially reputational.
By continuing to operate in a siloed environment compliance departments will forever remain outside 'the risk pizza' (see diagram). To join it and serve management with a complete view of regulatory risk, compliance departments face three challenges and one huge opportunity.
Three challenges
- Firstly, compliance departments must provide management dashboards on compliance activity to support better business decisions and to direct risk mitigation. A methodology for setting risk appetite should be adopted: for example. a scoring system that looks at the current impact/probability of failure in a regulatory theme and then prioritises compliance resources to drive the business to a target score. These continued conversations about risk appetite and profile underpin risk management.
- Secondly, such dashboards must be current, presenting risks derived systematically from compliance work (not haphazardly as a monthly exercise). They must allow that compliance work to be redirected in risk mitigation. To do this in a large complex firm, the different processes and data that represent compliance work (from responding to regulatory proposals to investigating problems) must be captured electronically. This is not a five year programme but something a dedicated compliance software suite should begin delivering in months.
- Thirdly, compliance departments need to organise their presentation of risk and their underlying compliance programmes to reflect complex organisational structures. Senior management could be operating at legal entity, product-line, country or group level. Being able to map the organisational structure and slice and dice data as required is therefore an integral part of the system.
The opportunity is that, by integrating compliance work and exposing it to sound risk management, compliance will be armed with the information they need to make better business decisions and direct compliance activity. They can then set about ensuring that the other parts of the risk pizza are properly addressing the regulatory agenda. They will be far more speedy and agile, automating a lot of the work currently done manually. The key benefit of this is competitive advantage - the more a firm can demonstrate its capacity to manage risk, the more it can be allowed by a regulator to accept it.
- This article is an abridged version of the first in a series of papers by Kevin Ludwick, head of regulatory services, QUMAS, on the compliance department as a risk management function, www.qumas.com