Each year, most financial institutions spend significant time and resources on the compliance risk assessment process. However, many executives still feel that they repeat the same labor-intensive process for marginal benefit.
- As a Compliance lead, does the risk assessment help you meaningfully prioritize activities across businesses and corporate functions?
- As a senior executive, does the assessment help you formulate a view on the organization’s top areas of regulatory concern?
We believe that at many banks the answer to these questions is “no.”
In this paper, we discuss recent progress made by the industry as well as key remaining challenges facing many institutions. We provide recommendations for how to address these common hurdles and unlock greater benefits from the compliance risk assessment process. Specifically, we provide ideas for how firms can further leverage data to increase automation, foster stronger engagement from senior leadership, gain a better understanding of emerging risks and control strength, and ensure the assessment process drives action.
In our experience, the most effective compliance risk assessments are those optimized to work within the institution's unique set-up and circumstances, not necessarily those with the most advanced features.
With some practical adjustments, we believe that most compliance risk assessments can be made more robust and shed more light on where to focus time and attention. Doing so should also improve the chances of preventing incidents, or at least detecting them earlier.
1. SUPPORT THE WORKFLOW WITH DATA
We recommend that relevant data, such as control testing results, audit results, and internal and external loss events, be pooled into a single interface that the risk assessor considers. Start small and focus on the data that can be easily extracted from control systems (e.g., control testing results), then expand to include indicators that are more difficult to gather (e.g., external loss events).
2. ELEVATE THE CONVERSATION
For the results to be meaningful, compliance risk assessments should be completed at a sufficient level of seniority in the organization.
3. PERFORM "WAR-GAMING" AS PART OF THE REVIEW AND CHALLENGE PROCESS
We recommend taking the review and challenge process to the next level by including “war-gaming” – either in existing review-and-challenge sessions or as separate workshops designed to dig deeper into a theme of interest (e.g., data privacy or sales practices). In these sessions, difficult what-if questions should be asked of the assessors.
4. BE THOROUGH WHEN ASSESSING CONTROL ADEQUACY
A robust rules and controls inventory can greatly improve the assessment. Analysis of this inventory can then support the compliance assessment ratings and narrative.
5. MAKE SURE RESULTS DRIVE ACTION BASED ON RISK APPETITE
Based on the rating results and supporting narratives, reporting should include clear, action-oriented implications for the business. We recommend supporting the reporting with remediation plans created by the business that either lower the risk by enhancing the controls, limit certain business activities, or adopt a risk transfer mechanism such as insurance.
Our paper offers simple, no-regret moves you can implement this year to get the assessment to work for you. With the right construct and role, the compliance risk assessment can act as the spotlight that guides you to focus on the areas of highest compliance risk.