
Risk and reward: the compliance department comes of age

March 12 2007

Compliance departments in financial services institutions are increasingly facing three challenges. They must support executive managers by taking their place at the centre of the risk management and business decision-making processes of their organisations. They must respond to regulatory and business changes without creating massive standalone compliance initiatives. Finally, they must be efficient: the days of limitless recruitment in an industry that relentlessly seeks the benefits of automation are well and truly over.

Compliance, in effect, needs to become a risk management function. Large, complex firms can undertake three steps to achieve this:

1. Agree a compliance risk model with senior managers, built on a common way of scoring risk and fed by real-time compliance data rather than a periodic narrative report.
2. Organise the compliance department's work into discrete, mapped processes and information flows that can be automated where possible and integrated so that risk reporting is driven by the whole programme.
3. Build a compliance infrastructure that delivers the risk framework and integrated programme across the whole business and can be cut by country, business unit, legal entity and group.

This article is an introduction to a series that addresses these challenges. It presents the regulatory drivers for change, describes the challenges facing compliance officers, then sets out the practical steps that they should take to bridge the gap. Each subsequent paper will discuss these steps in greater detail.

The forthcoming articles in this series will cover:

Compliance — a risk management function?

I touched on the topic of compliance as a risk management function in an earlier Complinet article in January. Speeches from the US Securities and Exchange Commission, the Federal Reserve Board and the Office of the Comptroller of the Currency in 2006 focused on the ability of brokers, banks and asset managers to incorporate the wider regulatory agenda into their risk management process, in particular compliance with rules on AML and the conduct of business with customers. In April 2006, former Fed governor Mark Olson discussed market timing before the Fiduciary & Investment Risk Management Association:

'Our review of best practices and an analysis of the experience of other industries suggests that organisations need to supplement their enterprise-wide compliance-risk management systems with strategic and dynamic thinking. To prepare for what might be ahead, organisations should draw not only on past experience but employ quantitative and qualitative scenario analysis and planning.'

UK firms that are subject to treating customers fairly provisions would quickly comprehend Olson's point, and increasingly US banking compliance officers would nod sagely, but he was speaking a language that many of the SEC-regulated firms in the audience were unfamiliar with. Even the SEC has, however, begun to make speeches on the need for compliance risk management.

The Basel II process taught banking regulators the value of getting managers to worry about the risks that are relevant to them and to factor consideration of them into business and control decision-making. It is an axiomatic truth that a regulator has to rely on senior executives and sound governance to manage the regulated firm. Basel II provides simple models and processes for identifying, managing and providing capital requirements for market, credit and operational risk.

Smaller, simpler, less sophisticated firms will use these, but even firms taking that option are caught by the 'use test'. This requires a firm's managers to consume the data produced by these models and factor it into their decision making. For example, managers must consider the risk and capital implications before expanding a business. The large, complex firms have developed their own models, for review and approval by the regulator, but remain caught by the use test.

Put simply, if the regulator wants firms to embed work towards specific outcomes — for example, avoiding abusive practices like market timing — then it must encourage managers to prioritise and focus their efforts on the areas where those outcomes are most at risk. It must also urge managers to make informed business decisions and direct compliance activity to offset that risk. The extreme alternative is a world where managers step aside and leave compliance to exhaustive box-ticking within pre-defined safe-harbours — a world in which it is possible to have ticked every box and attained compliance yet failed to have delivered the outcome.

Likewise, by becoming risk-based, as the SEC will advocate, Sarbanes-Oxley will not die; it will simply deliver better business value and be absorbed into business management. That is exactly what has happened with credit and market risk management: no executive team in a bank would now make a significant business decision without going through the kind of thinking, and reviewing the kinds of information, that regulators originally required. Except now it does not feel like a regulatory requirement; it feels like normal management practice. This is what needs to happen with the areas compliance departments look after: anti-money laundering and conduct with customers and the marketplace.

Compliance must agree with senior managers on a framework for characterising what are essentially reputational risks, which the compliance function must then offset. The first step towards compliance risk management is for compliance departments to provide managers with more than just a pretty 'dashboard' — essentially a graphic representation of the quarterly or monthly compliance essay. Reporting is needed that is driven by real-time compliance work, with a common way of scoring risk, driven by a varied data set.

Firms must first identify their compliance risks. It is tempting to do this rule by rule, but a better approach is to create 'themes' that apply across the enterprise and then report on problems according to severity or by business unit. A theme such as 'customer dealing' would encompass a variety of requirements, ranging from best execution to allocation. Themes should engage managers' attention. The compliance department should then paint different degrees of failure for each theme (e.g., red, amber and green).

Market risk can use a value at risk model (and at worst a spreadsheet) to crunch trade and pricing history data and present a view of market risk in a business unit. Some institutions will develop an in-house methodology to prioritise different tasks and projects. Few, however, possess a developed compliance risk model that was agreed with managers and is supported by quickly available data derived from a robust compliance infrastructure that can help managers understand the regulatory risk they run. Too many compliance departments are, therefore, still presenting their managers with a monthly or quarterly essay: out of date, inaccurate and almost impossible to drill down from to find underlying problems. Solving problems requires an effective risk model linked to robust compliance infrastructure and supported by the right software.

Successful models should:

Organising compliance work into discrete activities can help to offset risk. The organisation can use software to constantly update its risk map and ensure that risks are tackled quickly and effectively. The second step is to organise the activity of the compliance department in terms of information and processes so that it can be automated, where possible, and integrated so that risk reporting can be driven by the entire programme.

Each of the activities in this closed-loop model can be discretely mapped in terms of workflow and information. Compliance work can then be captured electronically, performed efficiently, and exposed to risk reporting.

A significant point to note here is interdependency. When investigating a problem thrown up by a monitoring routine you need access to workflow and data in other parts of the business. You will need to examine the original rule requirement, the way policy was implemented and negotiated, and perhaps the training records relevant to the business unit and issue at hand. You would also want to see other failures within the business unit that might be relevant when forming a judgement. Compliance advisory work (which in the closed loop model is part of risk-based decision making) is always dependent on the adviser having a sound understanding of all the other compliance activities that affect the unit she advises. These interdependencies are what make robust compliance programmes so difficult to achieve without a sound model that promotes integration.

When running a Markets in Financial Instruments Directive programme, life will be easier if you can quickly navigate the links between identified rules, policies and procedures, training programmes, monitoring routines and case workloads. Business and regulatory change is now a constant, yet compliance departments are trapped in a world of special projects to manage change. The predictability of this compliance model makes it possible to design systems that enable more effective responses to change. Through a well-integrated system that supports clearly designed processes, a company can identify and escalate any potential problem areas.

Creating a compliance infrastructure that delivers a risk framework and integrated compliance programme across the whole business is the third step for any large, complex organisation. The aim is to maintain a compliance platform that can be sliced and diced according to local country requirements and the needs of different management teams, such as business unit, legal entity, group and so on.

Compliance departments need to organise their presentation of risk and their underlying compliance programmes to reflect complex organisational structures. A large, complex group can be managed by product, legal entity, geographic region and, of course, at group level. A particular problem may, however, require escalation along a variety of different reporting lines. Being able to map the organisational structure and cut data as required is therefore an integral part of a system that supports a global business.

This necessitates an investment in robust enterprise-wide software. Well-ordered filing cabinets or even electronic folders will not do for an organisation of any real size and complexity. These challenges, and the steps required to meet them, are significant but they are not beyond us. Compliance departments are mature functions that cry out for the kind of rationalisation that will be discussed in this series. I look forward to a healthy debate.