Late last month, I had the pleasure of attending and facilitating a couple of on-demand panels for the American Banking Association’s (ABA’s) first-ever Risk and Compliance Virtual Conference. Needless to say, there were quite a few differences from attending in person – namely the missed opportunity to spend time with industry friends and fellow risk and compliance enthusiasts. And while there’s no re-creating the power of face-to-face interaction, the ABA did a phenomenal job of pulling together topics and experts on a very condensed timeline.
In “normal” times, the Risk Management Conference and Regulatory Compliance Conference are two separate conferences, held at different times of the year. For as long as I can remember, the former was historically a broad-ranging event (with a smaller, targeted audience) that focused more heavily on financial risk and, in recent years, began to branch out to include more sessions on non-financial risk types – like operational risk. The latter was a larger event (growing larger and larger each year) that was hyper-focused on compliance risk.
As I attended this year’s combined virtual conference, I started to think about how appropriate it was to combine the two, since more and more often we’re seeing the convergence of compliance risk program elements with operational risk and other non-financial risk types, such as reputation risk and strategic risk. This is in large part due to companies’ increasing focus on building and maintaining enterprise risk management programs – and it makes a lot of sense, based on my own experience. Banks typically have more mature compliance risk programs than operational risk programs, so I can see a clear opportunity to leverage elements of one to fortify the other.
As these risk types begin to converge, it’s critical to establish common taxonomies. In some cases, risk programs have been built in silos and are often managed in disparate systems. Banks should be working toward system-wide reporting and creating an aggregated, holistic view of their risk profile. But this effort becomes labor intensive if you don’t have a risk-type-neutral framework in place to establish the shared risk classification.
The effort to create one is necessary, though, because it’s imperative that your risk programs are able to “talk” to one another. The alternative opens up a whole new set of risks: first, an inability to produce meaningful, actionable reporting; and second, aggregating risk across the enterprise becomes cumbersome, leading to difficulties in adequately identifying, measuring and controlling your risk.
As I reflect on this year’s wonderful live and on-demand sessions, a few key themes are resonating with me. In many ways, the pandemic has desensitized us to words and terms like “unprecedented,” “record-breaking,” “new normal,” and “shifting priorities” – they’ve become part of our everyday vernacular. But when I consider those words in the context of the work I love, they can and should be applied to the way we think about existing risk and compliance management programs.
It’s a paradigm we must adjust to meet the demands of this “new normal.” While many organizations shifted their focus at the beginning of this crisis, we’ve reached a point where it’s time for all of us to address key issues and continue to ensure compliance, manage risk, and keep the business going. Right now, I’m looking at this through a few lenses:
Technology, particularly in the regtech/fintech spaces, will continue to play an increased role in our risk programs as we explore opportunities to migrate from manual processes and controls toward automation. Ultimately, this will provide a huge lift in efficiency and risk mitigation. I see real opportunity for this in the monitoring and testing spaces.
Automated monitoring allows for real-time insights, which will help financial institutions identify issues sooner and make remote teams more nimble. Automation also will make testing more representative: instead of relying on small samples, banks could test an entire population, which increases accuracy and coverage because findings no longer depend on whether the sample was truly representative.
As a first step in this transformation, it’s imperative that organizations take the time to establish a single source of truth for their data. As operational risk and compliance risk converge and we move toward enterprise risk management programs, organizations must ensure they have a single source of information to support the various elements of their risk management program, such as key performance indicators and key risk indicators.
In these uncertain and unprecedented times, it’s easy to get overwhelmed. I had so many great takeaways from the virtual conference that added to all the thoughts already swirling in my mind … but you can’t tackle everything all at once. No matter where you are in your risk management program journey, it’s crucial to review your existing framework now and ensure it’s in order and as strong as it can be. Only then can you start your renovations and prepare for what’s next in this “new normal.”
©2021 Spinnaker Consulting Group. All rights reserved.