FIRST-LINE OWNERSHIP OF COMPLIANCE RISK


FIRST-LINE OWNERSHIP OF COMPLIANCE RISK: EASIER SAID THAN DONE

AUTHORS
Allen Meyer
Tammi Ling
Elena Belov
Stefano Boezio

INTRODUCTION

Financial institutions are increasingly discussing the growing need for the business to take more responsibility for compliance risk management, that is, the ownership of complying with laws, rules and regulations. However, these conversations rarely answer three fundamental questions:

1. Why should the business own compliance risk?
2. What does it mean for the business to own compliance risk?
3. How do you achieve business ownership?

While regulatory expectations are a good catalyst for the "Why?", the more convincing reason is that greater front-line accountability leads to more successful compliance risk management, and results in material risk reduction and cost efficiency.

What makes the "What?" and the "How?" questions difficult to answer is that they present a multi-dimensional challenge to adequately clarify:

- The role of the Compliance department ("second line") and the first line for managing compliance risk; and
- The roles and responsibilities within the first line, which includes front office and intermediary control functions ("Line 1b").

In the financial services industry today, we observe that business line managers often rely heavily on intermediary control functions or the Compliance department to manage compliance risk, sometimes with ad hoc management structures that result in substantial differences between business lines even within the same organization. In our experience, the current approach has often led to significant expense in building up these functions without a commensurate reduction of compliance risk.

To reduce risk and control escalating costs, compliance risk management must become intrinsic to running the business, like managing market and credit risk. This is a transition that takes effort, commitment, and some investment to develop a target state and design the strategic roadmap to accomplish the journey.

If financial institutions do not embark on this journey soon, it is likely that their cost of compliance will continue to rise or that they will make tactical cost decisions that could weaken the control environment. It is, therefore, key to accelerate and focus current efforts by defining the Why, What, and How for your organization, which is the focus of the rest of this paper.

Copyright 2018 Oliver Wyman 1

WHY SHOULD THE BUSINESS OWN COMPLIANCE RISK? THE CASE FOR CHANGE

Increased regulatory expectations

Regulators expect greater ownership of risk management by the front line. In the United States, the Federal Reserve Board's (FRB) proposed guidance provides further clarity on the role of the front line. It assigns ultimate responsibility for risk management to senior management and calls out business line risk ownership for identification, measurement, and management of risks, narrowing the activities expected from independent risk management functions. This proposed guidance amplifies requirements already set forth by the Office of the Comptroller of the Currency (OCC) as part of its heightened standards.

The regulatory expectations in Exhibit 1 apply directly to compliance risk. In action, these principles can be witnessed in many recent enforcement cases, where front line oversight has been called out as a major weakness.

Exhibit 1: Regulatory guidance related to risk ownership

REGULATOR: Board of Governors of the Federal Reserve System
EXCERPTS FROM REGULATORY GUIDANCE (Proposed supervisory guidance):
"Under the board's oversight, a firm's senior management is responsible for managing the day-to-day operations of the firm and ensuring safety and soundness and compliance with laws and regulations, including those related to consumer protections, and internal policies and procedures. Business line management is expected to execute business line activities consistent with the firm's strategy and risk tolerance, identify and manage risk within the business line, provide sufficient resources and infrastructure to the business line, ensure the business line has appropriate system of internal control, and ensure accountability for operating within established policies and guidelines and in accordance with laws and regulations, including those related to consumer protection."
"Expectations for a firm's IRM [...] include evaluating the firm's risk tolerance, establishing enterprise-wide risk limits and monitoring adherence to those limits; identifying, measuring, and aggregating risks; providing an independent assessment of the firm's risk profile; and providing risk reports to the board and senior management."

REGULATOR: Office of the Comptroller of the Currency
EXCERPTS FROM REGULATORY GUIDANCE (Guidelines establishing heightened standards):
"The risk governance framework should include delegations of authority from the board of directors to management committees and executive officers as well as the risk limits established for material activities."
"Front line units should take responsibility and be held accountable by the Chief Executive Officer and the board of directors for appropriately assessing and effectively managing all of the risks associated with their activities."
"Independent risk management should oversee the covered bank's risk-taking activities and assess risks and issues independent of front line units."
"Internal audit should ensure that the covered bank's risk governance framework complies with these Guidelines and is appropriate for the size, complexity, and risk profile of the covered bank."

Effectiveness and efficiency

The business is closer to the risk exposure and hence best positioned to manage its own compliance with laws, rules and regulations. This is akin to the driver of a car being best positioned to monitor whether they are speeding. Those closest to the activity can anticipate and more efficiently manage potential breaches of laws, rules and regulations better than those in a different department (e.g., the Compliance department) or an intermediary control function. These other functions are sometimes in a different location, have limited access to business leaders, and less knowledge of the business and what is happening minute-to-minute.

We believe that greater ownership of compliance risk by the first line will lead to a reduction in damaging and expensive regulatory and reputational outcomes. Similarly, the need for large and expensive control processes to monitor the risk would be reduced. Having said this, some investment will be required to improve the tools and information provided to line management. Overall, however, the potential effectiveness and efficiency benefits should more than offset the investment.

WHAT DOES IT MEAN FOR THE BUSINESS TO OWN COMPLIANCE RISK? DEFINING THE END STATE

Compliance risk ownership has progressed substantially since the financial crisis, but more needs to be done

Over the last few years, and in response to the increased regulatory expectations, financial institutions have tried to increase business responsibility for compliance risk, migrating certain activities from Compliance to the first line and clearly improving the tone at the top. However, much of this migration has been focused on creating quasi-compliance intermediary control functions to help business managers with compliance risk management activities. Although these intermediary control functions were (and are) a critical part of front-line compliance risk ownership, their current iteration has had two major drawbacks:

- Senior business managers have been kept isolated from taking true responsibility for the identification, measurement and management of compliance risk, making this transition marginally effective.
- Many compliance risk management activities currently reside in Line 1b, a setup that has required an investment in processes to collect and synthesize information for business managers that is largely inefficient.

Many financial institutions find themselves with the following paradox: while there has been a significant investment in intermediary control functions, there is a lack of technology and targeted information capabilities to feed line managers (for example, key risk metrics), as the investment has not been executed to support compliance risk owners.

In the target state, we believe senior business managers must know the key compliance risks that apply to their business and the associated internal policies, material rules and regulatory expectations. They must understand the key components of the control environment applicable to their business, and own the design of specific controls to manage the business. For example, senior managers must actively participate in the risk assessment process and not delegate this critical analysis to someone else. It is also essential that they develop oversight procedures, business-specific escalation processes, and tools and management reporting that enable them to actively manage compliance risks.

Currently, while business leaders may set the right tone and execute or delegate oversight activities that others have created for them, they do not truly own the management of compliance risk. Making compliance risk management intrinsic to the business will require changes for both the first and second line.

HOW DO YOU ACHIEVE BUSINESS OWNERSHIP FOR COMPLIANCE RISK? 3 CRITICAL STEPS FOR MOBILIZATION

To begin shifting your organization from today to the future state, we believe there are three critical steps:

[Diagram: DEFINE principles for front-office, first-line control function, and second-line ownership; APPLY principles to compliance risk management activities; DEVELOP critical ingredients for success (technology capabilities, incentives system, metrics reporting, training through change).]

1. Define principles for front-office, first-line control function, and second-line ownership

We recommend starting with a set of first principles to help define what first-line (i.e., business managers and "Line 1b") and second-line ownership means for your organization. In some financial institutions, some of these principles may already exist (usually as they relate to the first and second line). At a minimum, the principles should include those outlined in Exhibit 2. These principles are illustrative, and each institution will need to develop its own principles which fit within its enterprise risk, compliance, and operational risk management frameworks.

Exhibit 2: Illustrative principles for division of responsibilities for compliance risk management

HISTORICAL WEIGHT DISTRIBUTION IN COMPLIANCE RISK OWNERSHIP (chart showing the relative share of ownership across Front office (first line), Intermediary control function ("Line 1b") and Compliance (second line) in three periods)
- Pre-financial crisis: coverage gap; lack of focus on compliance risk management by supervisors; focus of Compliance on advisory and operations.
- Current state: expansion of Line 1b responsibilities; reinforcement of Compliance function.
- Future state: ownership transfer to front office; realignment of lines to post-financial crisis aimed goals.

FUTURE STATE OWNERSHIP PRINCIPLES

Front office (first line):
- Overall accountability by senior management
- Ownership of identification and assessment of compliance risks
- Day-to-day compliance risk management
- Ownership of controls for managing identified compliance risks
- Monitoring of operation and activities within risk appetite
- Design of controls needed to manage identified compliance risks
- Primary escalation of material breaches
- Reporting to senior management based on metrics/KRIs

Intermediary control function ("Line 1b"):
- Limited delegated responsibilities from front office
- Support front office with Regulatory, Compliance & Audit requests
- Draft and manage procedures in line with Compliance policies

Compliance (second line):
- Overall set up of the compliance risk management framework
- Independent risk-based monitoring and testing of control design
- Independent assessment of risks, controls, and residual risks
- Advice on controls and questions related to policy and rule

2. Apply principles to compliance risk management activities

The second step is to apply the agreed principles to the compliance risk management framework and activities within the organization, which is typically closely tied to the Federal Reserve Board's SR guidance. For each of the elements in Exhibit 2, it is important to understand how they currently apply across the first and second line, as well as within the first line, and how they should apply in the target state considering a firm's principles defined in the first step.

ILLUSTRATIVE APPLICATION OF PRINCIPLES: RISK ASSESSMENTS

Risk assessments can be re-configured to align with the principles of intra-first-line and second-line compliance risk management ownership. The Risk and Control Self-Assessment ("RCSA") process, typically a first-line assessment of its operational risks, should be harmonized with the Compliance risk assessment ("CRA"), typically sponsored by the second line and largely executed by them, to identify compliance risks in the business. In the target state, both risk assessments need to be aligned so the first- and second-line roles are clear. Namely, the business needs to specifically assess its own compliance risks, and the second line can check and challenge this self-assessment.

Since risk assessments are critical processes to identify risk, it is essential that business managers lead this process and engage directly with it to identify material risks and responsive actions. Due to its importance, this is not a process that is appropriate to delegate to Line 1b. While Line 1b can collect relevant information that might help business managers make appropriate judgments or seek clarifications on the process from Compliance or Operational Risk, the risk assessment exercise should not be delegated by business-line managers, as is often the case today.

Additionally, to unlock efficiencies, the RCSA and CRA should be harmonized in a way that removes duplication and is more geared to understanding and addressing compliance risks. Using a common platform, taxonomy, and approach can lead to greater efficiency, as well as a more clearly aligned first- and second-line view of compliance risk.

3. Develop critical ingredients for success

The most important ingredient to a successful transition is commitment from senior management, given the effort, and associated time and funding, required to accomplish these changes. The realignment of responsibilities between lines of defense and within the first line requires a highly organized effort. It also entails dedicated workstreams focused on design and the implementation of technology and metrics reporting, and the right set of management incentives for adequate stakeholder involvement. It is better to have practical solutions consistent with the spirit of the exercise rather than rigid outcomes that cause dislocation and potentially new risks. A pilot program for a select business is an effective way to test the principles and apply any lessons learned for the broader roll-out. In this program, the goal must always be to have risk owners increase their accountability for managing compliance risk.

Technology capabilities

For the transition to be successful, technology investment is critical to enable effective business-line management of compliance risk and better documentation of these efforts. The quality of tools and information available to front-office managers is a primary driver of how they can efficiently take more responsibility for compliance risk management. In the current state, while there may be dashboards and checklists for business managers, they are rarely supported by automated reports that efficiently enable managers to conduct reviews or query data within a tool. Similarly, insufficient process automation reduces the potential for the front line to seamlessly manage risk as part of their business-as-usual activities. Line 1b functions have developed to fill this gap.

Technology is an enabler for reducing the time burden for the business managers. It will increase the automation of currently highly manual compliance-related processes; manage the ever-increasing complexity of compliance data; and provide better insights through enhanced analytics on the data. Overall, these capabilities will enable more preventive versus reactive controls and actions.

Metrics reporting

Harnessed by new technology capabilities, metrics and reporting will support compliance risk management within the business and with senior management. Similar to credit and market risk management, automated reporting and strong quantitative risk metrics enable front-office managers to take more control over compliance risks. Providing adequate information in an effective way is one of the essential steps to making compliance risk management intrinsic to the business. Currently, much of the management information is provided by Line 1b groups or Compliance in a disconnected way, following a very qualitative format.

Incentives system

Banks must evolve from a system where only affirmative mistakes, breaches or regulatory violations lead to a diminution in pay. First-line compliance risk ownership must be embedded into evaluation, pay, and promotion decisions of senior and line managers. Without a clear linkage between the strong management of compliance risk and incentives, there is a high probability that business lines will continue to operate under the status quo, because their incentives are primarily aligned to business growth and revenue objectives that have negative consequences only when something goes wrong.

Training through the change

The transition of roles and responsibilities has consequences for stakeholders across both the business lines and Compliance. This includes execution risks as well as cultural resistance to these types of changes, which must be managed thoughtfully. It is essential that these transitions are documented and business-line managers are trained on their new responsibilities. It is also critical for institutions to ensure that the stature and effectiveness of the Compliance function is maintained throughout the changes. As such, it is important that all stakeholders are trained on the new accountability framework, emphasizing the Compliance function's responsibility for establishing a framework that is operated by the first-line business leaders on a day-to-day basis. In the transition, Compliance will emerge from being a hybrid quasi-supervisory, operational, and risk management function to a true risk management function, ultimately serving as the guardian of the financial institution's reputation by focusing only on the areas with the most compliance risk.

CONCLUSION

Successful compliance risk management at a financial institution cannot be the responsibility of the Compliance function or a Line 1b function, and must be owned and led by the business. Support from Compliance and intermediary control functions should not shield the business from full ownership of compliance risk. Continuing with the current approach, which focuses predominantly on building up the Compliance function and setting up intermediary control functions, makes it difficult to effectively manage compliance risk and attain efficiency goals. However, the re-alignment journey takes substantial effort, commitment and investment in technology, reporting, incentives, and training to make a meaningful transition. It is, therefore, important to begin the journey as soon as possible by defining the Why, What, and How for your organization.

Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organisation transformation. For more information please contact the marketing department by email at info-fs@oliverwyman.com or by phone at one of the following locations: AMERICAS, EMEA, ASIA PACIFIC.

ABOUT THE AUTHORS

Allen Meyer, Partner in the Finance & Risk and Corporate & Institutional Banking Practices, allen.meyer@oliverwyman.com
Tammi Ling, Partner in the Finance & Risk and Public Policy Practices, tammi.ling@oliverwyman.com
Elena Belov, Principal in the Finance & Risk and Organizational Effectiveness Practices, elena.belov@oliverwyman.com
Stefano Boezio, Principal in the Finance & Risk Practice, stefano.boezio@oliverwyman.com

Copyright 2018 Oliver Wyman. All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman, and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect. The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities. This report may not be sold without the written consent of Oliver Wyman.