By now, everyone knows that regulators of all stripes are asking institutions to do more to manage their risks. However, for the most part, they have not said exactly how much more needs to be done. Rather, their strategy is to keep the pressure on until the institutions themselves find a new standard. Historically, when it comes to compliance risk management, the industry chased the elusive “industry standard”. But in an environment where everyone is being asked to do more, what is that new standard? What is the “new normal”?
While every institution has a zero-breach risk appetite for regulatory risk (is there any other choice?), no one attempts to maintain a compliance risk management program that will absolutely assure management or regulators that there will not be any compliance events. With hundreds or even thousands of employees, it is simply not possible to monitor every employee and every transaction. Rather, institutions attempt to minimize the risk of a compliance event to acceptable levels both in terms of numbers of events and their potential impact on the institution. For example, OSFI guidance provides that regulatory risk management must be tailored to the circumstances, including the size, complexity, geographical location, nature of business, structure and ownership of a particular institution.
Perhaps with the exception of a few outliers, institutions have attempted to do this analysis, including identifying their key risks and determining how large and complex a compliance structure they require. To be blunt, the institutions have landed on the amount of investment in compliance risk management that is reasonable given their level of risk. For an institution to reduce its risk, additional investment is required. But, because there is no clear standard to be met, how do you know when the new level of investment is adequate and the new normal has been achieved?
While each institution will have to assess the individual strengths and weaknesses of their compliance program to identify possible areas for improvement, certain areas appear to be the focus of the regulators and might be good places to begin the analysis. Here is a description of some of those starting places.
While many compliance programs function relatively well in terms of preventing compliance events, they lack provability. When regulators examine compliance programs, their first stop is the written program documents. For example, OSFI’s objective is to establish whether a framework exists that defines regulatory risk, outlines the process through which it is to be identified and assessed, and outlines the key controls through which it is to be managed. They are also interested in the governance structure, to ensure that compliance is being managed on an enterprise-wide basis with appropriate levels of oversight. In many institutions, responsibility for compliance has been dispersed among decentralized compliance teams or business groups. As a result, inadequate effort has been made to collect the program documents into a true enterprise-wide program. In larger institutions, often even the sub-programs do not have comprehensive program documents of their own. This makes it very difficult for regulators to assess the strength of a program in the limited time that they have available for any one exam. What follows is a finding of poor program governance. Moreover, regulators are unable to ascertain the true quality of the program, casting doubt in their minds about its strength. Having a program that is well documented and well governed is clearly a requirement of the new normal.
Meaningful Risk Indicators
While strong program documents and governance structures are important in creating provability, they may not completely answer the question, “Is our program strong?” Another step in creating provability might be to develop meaningful risk indicators.
Many risk indicators have been suggested. The difficulty with many is that either they do not provide any meaningful measure of the success of a program or they require significant structures to capture reliable supporting data on an enterprise-wide basis.
Without a doubt, the strongest measure of a program’s success is the regulatory record. This includes both the incidents of actual violations and the findings of regulators. While regulatory findings do not always link to an actual breach of a regulatory requirement, they represent areas of perceived weakness in the compliance program. As institutions generally strive to have the confidence of their regulators, findings are important measures of the overall strength and success of the program, whether a finding relates directly to a violation of a law or merely represents an observation on the strength of the program.
Of course, tracking regulatory findings over too short a period can be problematic as the examination schedule of regulators is not consistent. In some months an institution may be subject to several examinations while there may be few, if any, in other months. In addition, we may be in a period of issue escalation with regulators being more critical and more detailed with their findings.
Because of the potential flaws in tracking regulatory findings, a further refinement may be required. For example, one possibility may be separating findings into those that are “anticipated” and those that are “unanticipated”. A finding would be anticipated if it relates to a risk that was identified and for which a control was developed that the regulators believe can be further strengthened. Unanticipated findings relate to risks that were not identified or for which no control was developed. These are clearly of more importance, as they suggest a possible fundamental flaw in the program.
Updating your risk assessments
An obvious element of a successful program is being able to demonstrate that risks have been accurately identified. In many institutions, the methodology for doing these assessments was created before the financial crisis of 2008. This can lead to a misalignment between what the institution believes are its key risks and what the regulators believe. In addition, regulators believe that for risk assessments to be meaningful, they must be developed by the compliance group and management working together. Reviewing and updating the risk assessment methodology and the current risk assessments is another step in moving to a new normal.
Understanding your culture
One of the biggest concerns for regulators, and one of the most difficult things for them to measure, is the attitude of the institution to regulatory compliance. Again, regulators are trying to determine the extent to which they can trust that an institution is attempting to do the right thing. An important component of earning that trust is being able to demonstrate management’s commitment to compliance.
If senior management is not currently committed to compliance, it is probably because your organization has somehow slipped below the radar screen. However, there are various levels of commitment. In most institutions, senior management will confirm that compliance is important, if not crucial, to the success of the organization. Senior managers have all seen how a compliance event can impact reputation and, ultimately, business. However, there can be wide variations in how this commitment is felt throughout the organization. For example, many organizations continue to believe that compliance is the duty of the compliance group. In fact, regulators expect that management will be integrally involved in identifying risks and developing and monitoring the related controls. Further, the commitment of senior management is often not shared equally by the management groups that deal with the day-to-day operations of the institution. The issue for many institutions is ensuring a shared commitment throughout the organization.
Finding ways to first measure the culture of the organization and to communicate that culture to the regulators is another demonstration of a top performing compliance program.
These are a few of the starting points for moving to a new normal. If you would like to have more information about the new normal, please do not hesitate to contact us.
Canadian Compliance Group - Our contacts
One of the features of the OSFI Corporate Governance Guideline is an expectation that directors will seek out both internal and external education opportunities. With almost 30 years’ experience with bank and insurance company regulation, we have the knowledge and background to help directors understand current regulatory issues and developments, OSFI expectations for directors, and the regulatory framework within which the company operates, all essential information for directors.
We can assist your directors with a quick, cost-effective training program that will give them the comfort of knowing that they are fully meeting their responsibilities and the regulator’s expectations.
Call us to discuss your director training needs.
CCG and Resolver join forces
We are extremely excited to have partnered with Resolver to build a powerful turn-key solution for compliance risk management for the Canadian banking and financial services sector. Resolver’s integrated platform supports application areas including Risk Assessment, Internal Control, Internal Audit, Compliance Management, Enterprise Risk Management and Incident Management. Resolver’s team is made up of security, risk and compliance experts supporting customers across 100 countries, with offices in North America, the United Kingdom, the Middle East and Australia.