What does it mean for your business to own compliance risk? Over the last few years, financial institutions have increasingly been discussing the need to take more responsibility for compliance risk management -- that is, the ownership of complying with laws, rules and regulations.
However, these conversations rarely answer three fundamental questions:
- Why should the business own compliance risk?
- What does it mean for the business to own compliance risk?
- How do you achieve business ownership?
While regulatory expectations are a good catalyst for "Why" the business should own compliance risk, the more convincing reason is that greater front-line accountability leads to more successful compliance risk management, and results in material risk reduction and cost efficiency.
To make compliance risk management intrinsic to the business—as it is today for credit and market risk—requires changes for both the first and second line.
While this is easy to say, in our experience, it is a challenge to achieve and few banks have done so. We observe that business line managers often rely heavily on intermediary control functions or the Compliance department to manage compliance risk. Embedding true first-line ownership will take effort, commitment, and investment in technology. If banks do not embark on this arduous journey soon, it is likely that their cost of compliance will continue to rise or they will make tactical cost decisions that could weaken the control environment.
Our new paper, First-Line Ownership of Compliance Risk, focuses on required changes in the operating model, processes, analytics, and provides tangible recommendations to institutions embarking on this journey.
How do you achieve business ownership for compliance risk?
There are 3 critical steps to make the transition:
1. DEFINE WHAT FRONT-LINE OWNERSHIP MEANS FOR YOUR ORGANIZATION
• Overall accountability by senior management
• Ownership of identification and assessment of compliance risks
• Day-to-day compliance risk management
• Design and ownership of necessary controls
• Monitoring of operation and activities within risk appetite
• Primary escalation of material breaches
• Reporting to senior management based on metrics/KRIs
2. APPLY AGREED PRINCIPLES TO COMPLIANCE RISK MANAGEMENT ACTIVITIES WITHIN YOUR ORGANIZATION
• The compliance risk management framework is typically tied closely to the Federal Reserve Board's SR08-8.
3. DEVELOP CRITICAL INGREDIENTS FOR SUCCESS
• Technology capabilities
• Incentives system
• Metrics reporting
• Training through change