This article was first published on April 2, 2020.
Editor's note: Oliver Wyman is monitoring the COVID events in real time and we have compiled resources to help our clients and the industries they serve. Please continue to monitor the Oliver Wyman Coronavirus hub for updates.
COVID-19 has created unprecedented business and regulatory disruption in a condensed period. There are massive changes to how financial institutions operate, what regulators and supervisors expect, in addition to significant economic impacts on society, businesses and individuals.
The pandemic’s effects have triggered extensive government action including the largest ever peacetime stimulus package in the US — the Coronavirus Aid, Relief and Economic Security (CARES) Act.
Our new paper helps Compliance teams set up a dynamic process for identifying emerging and intensifying risk.
Compliance teams need to quickly pivot and consider the risks and challenges created by these rapid and radical changes.
THE NEW NORMAL
Compliance, like other functions at most financial institutions, are now fully engaged in managing the day-to-day firefighting. However, in periods of disruption, new risks can appear quickly, and existing risks can materialize into real problems as control structures no longer operate optimally.
Compliance teams need to quickly pivot and consider the risks and challenges created by these rapid and radical changes. It is imperative for Compliance to perform a frequent and dynamic (non-formalistic) risk assessment in order to quickly understand the new circumstances and address the risks in a holistic way. This process involves a deliberate assessment of risks based on changes in the environment (for example, business, technological and regulatory) and a nimble way for the Compliance program to manage the changing risks through expedited actions (for example, seeking relief from regulators, updating policies and controls, and escalating issues).
While it is challenging during a crisis to pull together teams and relevant information for informed and structured conversations about new and emerging risks, it is ultimately more costly to rely on ad hoc decision-making in rapidly changing circumstances that, with the benefit of hindsight, do not look well considered.
1PERFORM FREQUENT AND DYNAMIC RISK ASSESSMENT
Compliance needs to set up a dynamic process to consider actions and guidance from regulators and the government; and business strategy and the organization’s crisis response. These dimensions must be executed with more urgency and less bureaucracy. Similarly, the decisions coming out of the risk assessment must be implemented in real time in order to optimize the response.
2SHIFT ACTIVITIES AND FOCUS TO SUPPORT A NEW NORMAL
Compliance needs to think through how to optimally deploy its resources to manage risks in this new environment. Electronic communications surveillance is likely to be heightened given the move towards digital communication channels more broadly. Some teams that perform non-critical functions may have capacity to be redeployed to more risk-driven activities. As resources are shifted, it’s important to take a step back at regular checkpoints and conduct a review of the changes made to adapt to the new normal, adjusting the action plan as needed.
3REFOCUS THE MEDIUM-TERM COMPLIANCE STRATEGY
It will be important to work with business teams to understand changes in business strategy and risk profile, to make sure that Compliance continues to focus on managing key Compliance risks. Given the expansion of remote working, certain plans (for example, further upgrades to electronic communications surveillance, workflow tools) may be accelerated, while others may be deprioritized.
4MANAGE COMPLIANCE IN A NEW REMOTE WORKING ENVIRONMENT
A new normal requires Compliance to make sure its workforce has the appropriate tools and access needed to perform key duties identified through the dynamic risk assessment and maintains connectivity to each other and the business, as co-location is not an option. Productivity management is critical for key areas (transaction monitoring) where backlogs are high risk, and it is important to overcommunicate with Compliance teams to make sure they feel productive and that they are contributing, and also find ways to foster a sense of community and maintain employee morale.
DYNAMIC RISK AGENDA (EXAMPLE)
During these uncertain times, it is critical to be practical and focus on what matters. Compliance will be called upon to make decisions quickly and will need to be flexible in the way it deploys its team and works together with the business. Deploying a frequent and dynamic risk assessment can greatly assist with the ability to respond. Clear and rapid pathways for communication and escalation are also critical as this becomes a new normal.
While regulators have provided relief in many areas to financial institutions during this period, it is essential that Compliance continues to frame its interactions with the business in a manner that supports the firm’s overall culture of compliance. By adapting quickly and planning for the new and emerging risks and challenges, Compliance teams can help mitigate risk and support business strategy for organizations to successfully navigate this crisis.