By Mason Advisory Director for Financial Services & Insurance, Jon De’Ath and Senior Consultant, Kaustubh Ambavanekar
Never far from the mind of Financial Services leaders, regulatory compliance requires considerable (and increasing) financial investment, man-hours and processes, but compliance and innovation do not have to be competing forces. Instead, we can change the mindset to one where compliance and risk are seen as drivers of progress, not blockers. This lays the right foundations to better understand risks and opportunities, get on the front foot when it comes to business agility, and win a bigger share of the market.
For a Financial Services professional, the PRA’s March 2021 Statement on Operational Resilience and Outsourcing Risks offers welcome guidance in a market increasingly defined by change and disruption. And, in this context, the reputational, operational, and commercial risks of compliance failure are more critical than ever. Failure exposes a vulnerability to sanctions, fines, reputational damage, and ultimately loss of licence to operate. What’s more, the sector has a moral – and statutory – duty to assure the safety of customers’ hard-earned assets. However, these same customers also expect innovation. In our experience, the sector needs to embrace the new opportunities that continue to emerge from this changing compliance landscape.
Resilience by design
The last eighteen months have been extraordinary. In many respects, the financial sector has stood at the forefront of supporting the population – delivering creative, end-to-end digital solutions to protect customers’ resources through a global crisis. The flip side is an increasing commercial focus on agile strategies for rapid digital transformation. There remains a tension between this priority – essential for rolling out new ventures – and the strategic and operational necessities of satisfying regulations. There is no need for a tug of war between the two, however. Instead, the sector has an opportunity here.
Compliance should be celebrated as a driver that sharpens your business focus, and in doing so promotes your competitive edge. This transformation requires a mindset shift. A deep dive into what really constitutes business-critical – both inside the organisation and across the complex supplier ecosystem – sets the stage for an informed operational foundation, from which future innovations can flow.
Re-thinking the notion of impact tolerance
The four cornerstones of the PRA’s updated regulations – governance, operational risk, business continuity, and outsourced relationships – are not new concepts. The imperative to protect customer security and business continuity has always been a non-negotiable priority for financial services to be able to operate and build their reputation. But we cannot deny the time and cost involved. In early 2020, a third of banks globally were spending 5% of revenue on compliance, with 20% identifying that spend as their number one concern[i]. COVID-19 only added to the load. The lockdown response exposed those who were not geared up to port IT governance structures into a new work-from-home scenario. This highlighted a landscape fraught with increasingly sophisticated cyber-threats. By and large, financial services have reacted quickly to come out on top, but as the high street dwindles and digital transformation gathers pace, the balance between compliance and innovation becomes ever more critical to master.
Solving the puzzle means revisiting how to define areas of threat and acceptable levels of impact tolerance. Maintaining a low risk profile across multiple outsourced services demands the right balance of best practice controls and an intelligent, targeted perspective. Too often, high-impact threats to business continuity become blurred with low to mid-impact operational issues. An informed, structured, and disciplined approach to analysing business-critical scenarios equips organisations to target exactly the right risks, identify tolerances, and embed appropriate actions. Treating the four compliance cornerstones as a driver to examine the business with fresh eyes can create robust operational conditions. That in turn lays a sustainable foundation to protect and innovate the services you offer to customers moving forwards.
Advocating for the change – challenging up and across
For Financial Services executives, this approach requires a healthy dose of courage and no small commitment. Every business has its way of doing things and, when those conventions are challenged, resistance can rise to the surface. Compliance processes are no exception. Changing the culture at executive level is challenging enough. When we throw in increasingly complex internal and outsourced ecosystems, often with legacy factors at play, this becomes a multi-faceted conversation that takes time and both emotional and commercial intelligence. Recognising that compliance and controls are not best served by a ‘one size fits all’ approach allows organisations to focus precious resources where they will have most impact for the customer, from both a resilience and an innovation perspective.
If successful, that cultural shift can inspire new blueprints for how people, process and technology come together. As a whole, these can achieve the right blend of governance, risk mitigation, business continuity, supply chain management and that all-important innovation. This is not a blank slate scenario. Thankfully, for Financial Services in the UK, a forward-thinking regulator is leading the way towards an innovation-powered sector. This sets the stage for organisations to learn from industry peers – accelerating best practice, balancing compliance with innovation, and future-proofing the conditions needed to stay one step ahead.
By having a clear understanding of their critical business services and applying a compliance controls framework as a change portfolio tool, Financial Services organisations can put focus and resources where they matter most and:
- establish a stronger alliance between strategic, financial, and operational resilience
- build more confidence and loyalty to generate positive interest from investors
- provide an enhanced view of business-critical services and their technology dependency mapping
- improve positioning for future mergers, acquisitions, transactions, and carve-outs
- achieve quick business wins with rapid, targeted health check measures
- streamline the view of operational risks to reduce costs and divert revenue to business-winning ventures
- reduce disaster recovery costs and design fast, effective strategies to avoid operational outages
- set the stage to revisit legacy relationships, in particular outsourced supply chains, to improve benefits
- enhance cyber resilience.