What is the future for Compliance?



By Lee Werrell   [ 04/01/2009 ]

IT can be blamed for many things, but not for one of the main issues forming on the horizon: the complex world of Governance, Risk & Compliance (GRC). It makes perfect sense to have a unified approach, “all singing from the same hymn-sheet”, when you analyse the actual areas that these disciplines cover today. Much has changed, even from three or four years ago.

Financial services organisations are constantly battling with the “sunk costs” of compliance, yet are forced to grapple with the biggest shake-up and imposition of regulation for a generation. Piecemeal projects run by the legal or executive department to cover new developments (the governance changes, the new regulatory senior management responsibilities and the subtle reporting tweaks) are then duplicated in the Compliance Department. There, staff interpret the rules as they pertain to the organisation, implementing reforms ranging from the ever-growing array of Anti-Money Laundering provisions and the Training and Competency requirements to the monitoring of transactions and Sanctions checking (did anyone mention the Enhanced Due Diligence requirements?). Then, with the changes to transaction monitoring, sanctions checking just got more complicated, and actually doing business and conducting operations has rapidly become a costly and complex challenge in money, in time and between departments.

Companies in the EU face the additional hurdles of complying with a raft of directives flowing semi-randomly from the European Commission’s Financial Services Action Plan, and the variety of interpretation covering everything from the classification of clients under MiFID to the calculations needed under the Solvency II propositions.

The eventual and potential payback is seen in the vision, as far back as the Lisbon Conference about a millennium ago, and should provide senior management with a more informed basis for decision-making and greater strategic assurance in the face of the ever-increasing complexities and uncertainties of modern financial services business. More Principle-Based Regulation has to be the way forward. However, the noises that are roaring around the city, with constant reshuffles, strategic developments and reorganisations, would appear to suggest that many institutions believe that the expense (wages), burden (resource) and indeed apparently growing risk exposure (slower-moving decision process) of ever-encroaching compliance still largely outweigh the business benefits. Please see the latest Banana Skins report, in association with PricewaterhouseCoopers LLP:
Banking Banana Skins 2008
(Previous ranking in brackets)

1. Liquidity (-)
2. Credit risk (2)
3. Credit spreads (-)
4. Derivatives (3)
5. Macro-economic trends (14)
6. Risk management techniques (10)
7. Equities (12)
8. Too much regulation (1)
9. Interest rates (5)
10. Hedge funds (7)
11. Fraud (11)
12. Commodities (4)
13. Currencies (13)
14. Rogue trader (27)
15. High dependence on technology (6)
16. Corporate governance (8)
17. Management incentives (26)
18. Emerging markets (9)
19. Back office (24)
20. Retail sales practices (22)
21. Conflicts of interest (16)
22. Political shocks (15)
23. Business continuation (21)
24. Money laundering (18)
25. Environmental risk (25)
26. Banking market over-capacity (17)
27. Payment systems (29)
28. Merger mania (19)
29. Too little regulation (30)
30. Competition from new entrants (28)

This change from the previous report in 2007 shows that “Too much regulation (1)” has moved from 1st position to 8th. All the usurpers are directly attributable to the current credit crunch and, although prominent, are all pretty much knee-jerk reactions following the macro-economic trends.

More effective embedding of regulatory compliance and related governance and risk management into frontline operations could help financial services organisations to realise the business benefits of their investment. However, although there is a plethora of information circulated around most organisations, some research suggests that potentially useful information is often poorly disseminated and that, even if business areas do receive such information, they often do not understand how it can be applied to, or how it impacts, any business process other than their own discipline.

Ultimately, today’s compliance costs would still appear modest when compared to the billions that have been wiped off share values when lapses in probity, business conduct or financial reporting come to light. Indeed, the increasing pressure to improve controls and accountability is coming from investors, customers, employees and other key stakeholders, not just governments and supervisory bodies. Companies may therefore need to look beyond narrow regulatory expectations to develop a more holistic and proactive approach to compliance – one that embraces broader ethical and strategic considerations. Bridges not only have to be built, but the building of these bridges will have to be wholly transparent.

So what is Compliance? Considering the furore of the last ten years, with pension and endowment mis-sales and a mountain of complaints, compliance has evolved from the department that always played catch-up to a more forward-thinking and risk-aware group of people, often with their own sub-specialisation. A contemporary definition could be: “a diverse set of monitoring and reporting on adherence to regulations focused on a range of interests, including responsible corporate governance and process transparency, financial promotions, the protection of customer information and privacy, and the prevention and detection of illegal activities, which is aimed at securing citizen safety and economic stability on a local, national and international basis.”

So therefore it could be argued that if this definition were accurate for the main activities of a Compliance Department, it would follow that the objects of the monitoring are internal processes, people and systems or external events (regulatory and market/environment) and developments that have a direct impact on the organisation.

Compliance is therefore a comfort department. It has become an exercise in corporate reassurance that all is well in the world and working within prescribed parameters. The occasional overlap with the legal world, usually concerning statutory instruments and their interpretation, is often thrashed out with a cool professionalism that demonstrates a keenness to accommodate idiosyncrasies on both sides. All in all, things run smoothly; the occasional upset, rogue trader, dishonest salesman, fraud or misappropriation is extracted, sanitized and remedied. New process recommendations are made and things settle down to business as usual.

There is no specific or measurable reduction in a well-run compliance department within an organisation. Nobody can quantify any well-operated monitoring program to determine if that bank is better than another. There is no clear qualitative data that can influence any regulator to reduce the capital requirements of an organisation and their compliant culture.

However, banks with better Operational risk management have been permitted to set aside less capital than banks with poor or basic Operational risk management, making them more or less flexible and ultimately competitive. What is good for the banks as lenders is increasingly seen to be good for other large managers of capital, namely issuers of debt and equity. This represents a culture shift in risk management for rating houses, dealers, traders and large corporate entities. Qualitative and quantitative measuring of risk through an Operational Risk (Controls) Framework and demonstration of process simulations can allay the fears of the most critical auditor, provided it follows an accurate, understood and recognised basis. There are three types of calculation: basic, based on a simple 15% of gross annual income; standardized, which requires three-year averages across each business line, positive effort by senior management, a strong framework of implemented measures and the resource to operate and monitor this; and advanced. The advanced technique is the only one that pays capital requirement reductions and is defined in section 664 of the original Basel Accord.

Qualitative techniques can easily be overlooked, but they carry enormous weight with regulators. They can include:

• Loss event reports
• Management oversight
• Employee questionnaires
• Exit interviews
• Management self assessment and
• Internal audit.

A robust and tested controls framework and active and effective operational risk management are part of the assessment criteria of buyers and rating agencies of equity and debt, and have become a major and accepted component of Financial Risk Management (FRM). Basel II started this trend in banks and it has since flowed to the rating agencies, dealers, traders and large corporate entities. Good Operational Risk Management (ORM) means lower capital set-asides, better ratings, cheaper capital and more willing investors.

So what is Operational Risk? According to the Basel Committee it is:
“The risk of loss resulting from inadequate or failed processes, people and systems or from external events.”

Further to this insight, the following list is the official Basel II defined event types with some examples for each category:
• Internal Fraud – misappropriation of assets, tax evasion, intentional mismarking of positions, bribery.
• External Fraud – theft of information, hacking damage, third-party theft and forgery
• Employment Practices and Workplace Safety – discrimination, workers compensation, employee health and safety
• Clients, Products and Business Practice – market manipulation, anti-trust activity, improper trade, product defects, fiduciary breaches, account churning
• Damage to Physical Assets – natural disasters, terrorism, vandalism
• Business Disruption & System Failures – utility disruptions, software and hardware failures
• Execution, Delivery & Process Management – data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

If this list covers the main event risks, then are these not the same risks that Compliance seeks to identify and mitigate?

An interesting, simplistic analysis here could be that operational risk is the risk of compliance monitoring and controls failing, which can occur through excessive strain on the internal processes, people or systems due to unusual external influences. Compliance is the placing of controls around the identified risks of the operations (internal and external-facing) to ensure the smooth, accurate, competent and legal running of internal processes, people or systems. It would appear that these are synergistic and complementary roles that, if combined, would provide a more feasible and faster identification, assessment, recommendation, acceptance and embedding, and therefore more effective processing, thus reducing costs overall.

Put another way, compliance management could be seen as the top-down influence on impacting external and internal factors, and the identification of the broad, over-arching legal and governance requirements; this then ensures things are built around a cage of regulation and reporting. Operational risk management can be the detailed process and procedure, the engine of the organisation, identifying potentially weak areas or areas under stress that could be breached, increasing a potential risk. A holistic understanding of both areas could provide simple and reinforced single solutions rather than a delayed range of measures to be monitored and fine-tuned or deleted as time proves them worthy or not. Governance can be the instrument to bind these disciplines and (very) different worlds together for a vertical functionality, providing timely and accurate information to those who matter.

Whilst all these changes are going on, there are changes to senior management controls, and the adaptation and development of greater governance. Whilst many senior managers and Boards of Directors have been on a roller coaster ride of wonderful promises and huge let-downs on “Enterprise wide” risk management that has cost a fortune and delivered confusion and cynicism, there is a very real set of reasons to employ Governance, Risk & Compliance initiatives.

Firstly, complexity is not going to get easier. The overlap of common areas between governance functions, compliance and operational risk is likely to become more blurred as the credit crunch develops and undoubtedly will force focus on costs and expenses.

Secondly, taking the best of the governance, compliance and (fairly new) Ops Risk worlds and merging them into an “Executive” function provides a bridge between the hands-on processes and senior management directly, without the sub-committee interpretation, positioning, redrafting and emphasis placing to try and protect misguided and inopportune blushes.

Thirdly, businesses do not need more dictates and mile upon mile of more red tape, analysis and theory as to what went wrong with the sub-prime market; business today, if it is going to survive, needs a philosophy, a dream, a vision and a structure to support the entire organisation from top to bottom.

Fourthly, the long-term well-being of the organisation is going to depend on initial funding and careful reorganisation and embedding. The best change managers and best project managers will be needed to give senior management and the board the best GRC structure available. Up to now the business units have had the power due to their chequebook and appetite for any change. If they found the changes proposed to be a little distasteful, they strangled the funding of the ops risk and compliance initiatives. Senior Managers need to reassure department heads that their bonuses will not be affected by any costs incurred, but it is vital they understand that their world will benefit over the medium term exponentially compared to their recent past.

Lastly, the speed of risk identification, reporting, recommendation and implementation will save a vast amount of man-hours wasted in meetings and negotiations, and the entire area of governance, ops risk and compliance would be not only “in house” but totally “in department” and address all aspects simultaneously, including external negotiation or compliance.

Conclusion
Whilst these reasons are all very positive reasons for change, there is also a very clear link to the Treating Customers Fairly (TCF) regime that is currently being embedded across the UK. Although the principles and outcomes of TCF are sound business sense, I have declined to use these reasons in the argument as this GRC change can be adopted globally (and I am sure it will), not just in the UK.

About the author:
Lee Werrell FInstSMM MSI is the Owner and Principal Consultant of CEI Compliance Limited, a Compliance Consultancy. CEI provide a broad range of expertise, having worked with governance, risk and compliance functions for a number of years. Details can be found at http://www.cei-compliance-limited.co.uk. Lee has recently been the Principal Compliance Consultant in a project to set up a UK office of an International Bank and has been working with brokers & IFAs.

Article Source: http://www.Free-Articles-Zone.com

