The traditional model for compliance belongs to a bygone age – one in which compliance was synonymous with the enforcement of legal requirements and had little focus on actual risk management. This approach created little insight into business operations and the associated risk ecosystem, and also failed to make the link back to corporate strategy and the translation into management action. The failure to approach compliance holistically left business managers accountable for determining what specific controls were required to address regulatory requirements, which typically resulted in an overly labor-intensive series of controls. The final result was out-of-control compliance spend with uncertain effectiveness and little to no impact on the residual risk profile.
Compliance leaders need to be able to find a sustainable solution while managing an expanding set of responsibilities, keeping up with the evolving regulatory landscape, the increased pace of innovation and broader market changes. To meet these challenges, change is required across the axes of talent, technology, and the operating model. To gain further insight into the regulatory challenges facing companies today, Mavim initiated research into our own customer base to understand the challenges they faced in developing a more sustainable approach to enterprise risk management. Here are the four obstacles identified:
- Lack of insight into residual risk
A standard industry practice is to identify “high-risk processes” and then fully map all associated risks and controls. However, this approach falls short on many levels. To begin with, there is generally a lack of consensus about what classifies as a “high-risk process”, which can lead to serious omissions, especially when the business lines are themselves in charge of this identification. Additionally, any approach which focuses on the documentation of all risks and controls indicates an inability to understand, classify, and prioritize. When the focus is on all risks instead of key risks, organizations are limited in their ability to analyze material risks, discover root causes and implement the needed controls.
Fix: Create insight into Risk Universe and Discover Root Causes
Creating deep insight into the enterprise risk universe requires a different approach – one that focuses on process breakpoints within the context of the operating model. In addition to ensuring that no material risks get overlooked, this approach creates effective oversight for the execution of remediation activity when necessary. By directly connecting regulatory requirements to the processes and controls, and by defining Key Risk Indicators for the vulnerable parts of the process, it is possible to build an operating model that creates much more robust insight into where the real issues are, which aids in the correct allocation of resources and helps in the acceleration of remediation where necessary. To learn more about how to build out a regulatory-ready operating model, see more on page 9.
- Lack of insight into risk culture
According to McKinsey, most “serious failures across financial institutions in recent times” can be boiled down to the lack of a strong risk culture. The characteristics of a strong risk culture include the rapid elevation of risks as they emerge and a continuous and timely communication of information across the organization. However, this type of information is difficult to measure and the lack of insight into the level of an organization’s risk culture makes it difficult to shape and monitor the organization on both a granular and aggregate level.
Fix: How to Measure Risk Culture
Objective measurement of risk culture is exceedingly difficult to achieve, but there are solutions for organizations serious about creating a deeper understanding. Surveys that ask individuals to self-assess their own risk behavior can help create insight into the nuances of risk across the organization. In addition to creating a deeper consciousness within the organization, these results can be used to benchmark peers or groups in order to reveal the gaps. However, it is important that these surveys and results are connected to and visible as part of a process in order to establish relevant insight and to create a clear path for future improvement.
- Overly Complex RegTech
There is a trend towards investment in RegTech in order to help improve risk management outcomes and counteract the performance of bad actors. Machine learning is being put in place to help compliance leaders make sense of the big data landscapes they face and to help them transform previously manual activities into automated ones. However, as the number of new and innovative technologies multiplies, the skill sets of compliance officers increasingly become the factor that limits the return on investment. Additionally, placing too great a focus on the latest technology minimizes the focus on the human actors – which is necessary in order to create a strong risk culture.
Fix: Choose your battles
In this day and age, engaging with no RegTech at all would be a seriously foolhardy proposition. But it is possible to engage with innovative tech that solves discrete problems alongside technology that is meant to bring the workforce together to collaborate on the risks involved in certain processes. This approach helps minimize the necessity to “upskill” all business units engaged in high-risk processes, while allowing the organization as a whole to benefit from the advances that technology has to offer. A prerequisite here is that such tooling offers integration to ensure that the total context is preserved.
- Stakeholder Involvement and Skills Gap
Another primary hurdle identified is the gap between in-house skills and the skills required to exploit technology innovations and to keep up to date with the massive amount of new regulations and the required responses. In addition, a lack of clarity regarding roles and responsibilities makes it difficult to accurately assess which functions require what level of knowledge – especially where disciplines converge.
Fix: Clear definition of roles & responsibilities
Any new regulatory-ready operating model needs to include a clear definition of roles & responsibilities, not only around process ownership but also at the individual risk level. This provides clarity for stakeholders, clear insight into the skills gap, and ultimately reduces the burden on the business. By clearly defining and documenting roles, it is possible to prevent duplicate risk assessments and remediation activities. On the control side it also helps by preventing duplicate reporting, training, and communication.