Richard Pike, co-Founder and CEO, Governor Software
Despite the perceived complexity of regulating the financial markets, at its heart compliance should be a straightforward function with three main goals: communicate your obligations, understand your status and prove your compliance. However, in a world of ever-changing regulation and ever more intrusive supervision, most financial institutions operate a compliance oversight process that is siloed and reactive. This article will argue that in order to change this, and achieve regulatory compliance in a cost- and time-efficient manner, senior risk and compliance executives need to design their oversight process to be more holistic and agile.
What happens today?
Traditionally, when a new or updated regulation comes onto the radar of a financial institution, the compliance team reviews it to understand whether it is relevant to the organisation and, if so, which parts of the firm will be impacted, updating the policies accordingly. Once a policy has been re-issued, the business will typically compare it to the current business-as-usual (BAU) systems, procedures and controls, updating or implementing systems where relevant and, for manual processes, applying new procedures and controls.
However, within this traditional setting, when someone requires oversight of the status of compliance with the regulation, obligation by obligation, there is an inevitable scramble to pick out the relevant metrics, control reports and assessments. This process is further complicated when the oversight requirements of a regulation or policy involve elements such as committee meetings or management actions – with proof points found in meeting minutes, emails and presentations.
Not only is this process highly inefficient, it is also ineffective, as documents such as spreadsheets and presentations are very hard to audit. For example, there is no definitive trail of how a particular slide in a presentation came to be, and the method of aggregating and collating data may vary from report to report. As a result, Board members, who are personally responsible for signing off regulatory compliance, are being overwhelmed with 1,000-page documents detailing their regulatory obligations and status.
What might good oversight look like?
I would argue that compliance teams should use visualisation software to map out a new or amended regulation when they first receive it. This mapping involves breaking down the requirements into specific obligations and, for each obligation, defining what proof points are needed for good compliance oversight.
The policy writing team then takes these regulatory maps and matches their individual policy elements to these obligations. At this stage they also include in their policies the items that will make for good policy oversight. For each of those items they may also define the risk appetite or tolerances that will cause the policy to be in ‘breach’.
When regulatory requirements are presented to the business in this way, there is a clear understanding of what information needs to be recorded and stored for the compliance oversight function to do its job. If this is done well, those items should be the same regardless of which oversight function needs them.
The finish line is a map of the regulatory obligations, linked to a set of internal policy statements, linked to a set of internal proof points (metrics, assessments, reviews), all of which record and store changes in real time – thus allowing anyone to go back to a point in the past to see the state of compliance.
In turn, the benefit of this approach is that senior executives and Board members can be provided with compliance status updates in the format of the policies they have signed off or the regulations they have been made responsible for, rather than an overwhelming pile of paperwork.
The process of compliance oversight is relatively simple in theory, but financial institutions have historically made it extremely complex and unwieldy. In order to root out the inefficiencies and make the process more effective and straightforward, a re-thinking of the practice is needed. This doesn't mean pulling up the roots and starting again, but defining and mapping the oversight requirements and process upfront. This approach not only makes oversight a standard item; it also means the days of running around looking for old spreadsheets, presentations and emails become a thing of the past.