Compliance Monitoring Object & Subject


1 Compliance Monitoring Object & Subject. ABN AMRO, Wouter Slob & Daniel Haas, April 6th 2017

2 CONTENT
1. The Evolution of Compliance Risk Assessments
2. Compliance Monitoring as Object - Risk Assessments
3. Compliance Monitoring as Object - Monitoring, Controlling & Testing
4. Compliance Monitoring as Object - Conduct Drivers
5. Compliance Monitoring as Object - SIRA
6. Compliance Monitoring as Subject - Three Methods
7. Compliance Monitoring as Subject - Peer Reviews
8. Topics for discussion

3 1. The Evolution of Compliance Risk Assessments

4 The evolution of compliance risk assessments
Evolution of risk (self) assessments:
- Started with facilitation by the 3rd line
- Became facilitation by the 2nd line
- Will end with facilitation by the 1st line, with independent validation
Role of Compliance in Risk Assessments

5 Challenges of Global Firms
The complexity of global firms with multiple BUs in various jurisdictions:
- Uniform processes
- Local vs global regulations
- Independence of 2nd line functions
- Quality Assurance
- One global Compliance risk language
- Governance: responsibilities

6 Advanced Measurement Approach of ABN AMRO
Assessments from the AMA operational risk framework:
- CRA (Change Risk Assessment)
- RCSA (Risk Control Self Assessment)
- ISRA (IT Security Risk Assessment)
- ELCA (Entity Level Control Assessment)
- ITCA (IT Control Assessment)
- MC&T (Monitoring Controls & Testing)
- SRA (Strategic Risk Assessment)
- SA (Scenario Analysis)
Additional assessments demanded by Compliance:
- SIRA (DNB) (Systematic Integrity Risk Assessment)
- Compliance Self Assessment / peer review
- Conduct drivers as part of IMAT (root causes)

7 2. Compliance Monitoring as Object Risk Assessments

8 Risk assessments, how does it work?
- On process level
- All parties involved (Business Management, Risk Management, Compliance, etc.)
- Facilitated by Operational Risk
- Assessment of risks and controls
- Quality Assurance by 2nd line experts
- Validation by Operational Risk Management
- Sign-off at business MT
Diagram: Inherent risk -> Controls -> Residual risk

9 Risk Assessment, the systematics (diagram)

10 Defining Compliance Risk
ABN AMRO's definition of compliance and conduct risk in its Compliance & Conduct Charter: "The risk of failure to comply with laws and regulations, self-regulatory governance and organisation standards, values and business principles, codes of conduct or generally accepted market standards applicable to ABN AMRO's services and activities."
Identified Compliance Risks (diagram)

11 Assessing risks
Risk = likelihood * impact. Different scales of impact: Financial Loss, Financial Misstatement, Compliance / Reputational. Rating: Low <> Medium <> High <> Critical (refer to the score sheet for each impact scale; likelihood N/A there).

Likelihood:
- Unlikely: expected once every 10 years
- Possible: expected once every 3-10 years
- Likely: expected once every 2-3 years
- Highly likely: expected once within 2 years (or more often)

Impact vs. likelihood matrix (L = Low, M = Medium, H = High, C = Critical):

  Impact     Unlikely  Possible  Likely  Highly likely
  Critical      M         H        H          C
  High          L         M        H          H
  Medium        L         L        M          H
  Low           L         L        L          M

In addition, level of concern (refer to score cards): 1: no concern, 2: tolerable, 3: some concern, 4: concern, 5: highly concerning.
Assessment is as a matter of course subjective.

12 3. Compliance Monitoring as Object Monitoring, Controlling & Testing (MC&T)

13 RCSA Process
Risk & Control Self Assessment / Monitoring Controls & Testing (diagram):
- Risk & Control Self Assessment: Business processes -> Risk -> Control -> Control processes
- Monitoring Controls & Testing: Monitoring (1st line management); Testing (independent 2nd line)

14 Monitoring Controls & Testing
Monitoring is a periodic activity performed by the 1LoD, which results in an evaluation of whether controls operate effectively. How to determine the operating effectiveness of the control is defined in a monitoring script.
Testing is a periodic activity performed by a 2LoD function (among others Compliance, Operational Risk, or Legal), which results in an independent evaluation regarding the operating effectiveness of the control. How to determine the operating effectiveness of the control is defined in a testing script.

15 4. Compliance Monitoring as Object Conduct Drivers

16 Conduct drivers:
- Clarity: everyone understands what good conduct is.
- Role modelling: everyone sets a good example of good conduct.
- Discussability: everyone discusses issues and dilemmas relating to good conduct internally and feels no constraints in doing so.
- Accountability: everyone feels accountable for displaying good conduct and feels no constraints in confronting those failing to display good conduct.
- Achievability: everyone has sufficient resources (time, knowledge, experience, budget, etc.) to properly perform their job while displaying good conduct.
- Engagement: everyone endorses good conduct and is encouraged by the organisation to do so.
- Transparency: everyone perceives the impact of their own conduct and understands the conduct of others.
- Sanctionability: everyone in the organisation is rewarded for good conduct and receives consequences for bad conduct.

17 Conduct Drivers: Who does what?
The first line of defence:
- Integrates the conduct drivers into the existing monitoring activities
- Formulates an issue and adjunct action plan in the event of Red scores of controls
- Monitors implementation of the action plan
The second line of defence:
- Integrates the conduct drivers into the existing testing activities
- Supports the first line in formulating an issue and adjunct action plan by making recommendations
- Tests implementation of the action plan
What does Compliance & Conduct do with the outcomes?
- Analysis of results
- Reporting on trends & patterns
- Bank-wide results in the quarterly Compliance report to the Managing Board

18 5. Compliance Monitoring as Object Systematic Integrity Risk Analysis

19 Risk Assessment: SIRA (embedded video: SIRA Movie English version 2.mp4)

20 SIRA
SIRA has a more quantitative approach than AMA, is more granular than AMA, and distinguishes between Money Laundering, Terrorist Financing and Sanctions Circumvention. Focus is on Client Risk, Distribution Risk, Product Risk and Transaction Risk. The purpose of SIRA is to ensure integrity in operations. DNB permits a risk-based approach, provided that adequate control measures are in place for operations that involve an increased inherent integrity risk profile.

21 The Dashboard: an example
Columns: Inherent risk data | Inherent risk RCSA | Proposed inherent risk | Control strength RCSA | Proposed residual risk | Residual risk SIRA 2016 | Residual risk SIRA 2015
Rows: Money Laundering, Terrorist Financing, Sanctions, Bribery & Corruption, Tax Evasion, Internal Fraud, External Fraud, Conflicts of Interest, Market Abuse (colour-coded cells not transcribed; several cells read "Not scored yet" or "Not assessed")
Legend: the risk columns (inherent risk data, inherent risk RCSA, proposed inherent risk, proposed residual risk) are rated Low / Medium / High / Critical, or N/A; control strength RCSA is rated Effective / Deficient Evidence / Deficient Findings / Deficient Performance.
Our values in action: building trust together

22 6. Compliance Monitoring as Subject Three Methods

23 Compliance as subject of Monitoring
1. Risk Self Assessment by Compliance
2. Compliance Review by Reviews
3. Compliance Review by Audit

24 7. Compliance Monitoring as Subject Peer Reviews

25 Introduction Compliance Quality Assurance Approach
The Compliance Quality Assurance (QAA) approach is a management tool aimed at further enhancing professionalism within the Compliance function. It consists of two complementary components: 1) Self-Assessment, 2) on-site Peer Review. The Peer Reviews result in reports with observations, improvement actions and good/best practices. The improvement actions are tracked centrally to ensure appropriate and timely follow-up.
The objective of the QAA is to ensure that the Compliance function is well organized and managed. It concentrates on the questions "are we doing the right things" and "are we doing those things right". The QAA provides the opportunity to learn from each other and identify best practices.
The scope of the QAA is all ABN AMRO entities. This includes the domestic subsidiaries as well as the entities abroad, Dutch and foreign subsidiaries and joint ventures.

26 8. Topics for discussion

27 Challenges for a high-quality Compliance Monitoring
- Does advanced Compliance monitoring require monitoring specialists, or is Compliance Monitoring part of the job of a Compliance professional?
- Combining data-driven risk assessments with normative assessments (SIRA): is it useful, or is it comparing apples with oranges?
- Does the gain of first LoD monitoring involvement (RCSA) result in the loss of ownership of Compliance monitoring?
- Are data-driven risk assessments the future, or will a combination with normative assessments be required?
- Who should monitor Compliance? Audit, Compliance, or also the 1st LoD?
- Building risk management controls upon risk management controls: when does it become a risk itself?