A Framework for Assessing Regulatory Maturity
In the current regulatory environment, banks find it complex and challenging to interpret and assess regulatory requirements on conduct risk. In this article, experts from Tata Consultancy Services suggest a robust approach for assessing the level of maturity attained by a bank in conduct risk vis-à-vis regulatory requirements, together with a remediation plan to bridge gaps.
with co-author Sasidharan Chandran
Conduct risk is a key emerging risk and has been defined by the Financial Conduct Authority (FCA) as “the risk that firm behaviour will result in poor outcomes for customers.” Conduct risk has evolved over the years from being an underestimated and unattended risk to one of the major risks faced by banks.
In addition to sizeable regulatory fines and costs of remediation, banks consider reputational damage a prominent cost of conduct risk. With the digital landscape evolving and changing the way businesses are run, digital conduct and analytics have been among the major areas of focus for banks in recent years. This has been underscored by the FCA in its annual business plan 2017/18, where it identified technological development as one of its forward-looking areas.
Conduct Risk Challenges Faced by Banks
In this dynamic and complex regulatory environment, banks are finding it challenging to interpret and assess the requirements needed to implement conduct risk regulations. Factors contributing to these challenges include inadequacies in risk governance structures, lack of clarity about the various components of conduct risk, ambiguities in clearly separating conduct risk from operational risk, deficient approaches to estimation and ill-defined metrics for conduct risk.
Though frameworks to assess conduct risk maturity exist in the market, they lack aggregation of maturities at the desired levels. The need of the hour is to put in place a unified and flexible framework that addresses the multiple dimensions of conduct risk. The conduct risk assessment framework suggested here would help manage some of the highlighted challenges.
Conduct Risk Capability Assessment Framework
The Conduct Risk Capability Assessment Model provides banks with an approach to assess gaps in conduct risk maturity, their root causes and remediation of gaps at granular levels. In other words, this is a tool for assessing the level of maturity attained by a bank vis-à-vis regulatory requirements.
The core purpose of the framework is to assess and quantify the level of maturity in complying with regulatory requirements. Maturity is measured by comparing the gap between current and target maturities. For the identified regulatory rules, key performance indicators were developed and used to derive the gap between current and target maturities. The rating model implemented in the framework enables a rollup of gaps at various levels, including lines of businesses, legal entities and banking groups.
The methodology involved the following steps:
- Derive conduct risk components and sub-components. Conduct risk regulations from various geographies were analyzed at length before formulating the conduct risk components and sub-components.
Example – A non-exhaustive list of components includes product governance, marketing and selling, customer care, misuse of information, complaints management, market manipulation and insider trading.
- Map regulations to relevant conduct risk components and sub-components. The regulatory rules obtained from multiple sources are interpreted and mapped to the relevant conduct risk components and sub-components, which were derived by analyzing conduct risk drivers.
Example – The Financial Conduct Authority’s Conduct of Business Sourcebook was interpreted and mapped to conduct risk components – product governance, customer care and marketing and selling. The risk components were further divided into conduct risk sub-components.
- Formulate Key Performance Indicators (KPIs). The key performance indicators spell out the criteria for compliance with the regulatory requirement and gather relevant evidence for assessing compliance.
Example of a KPI belonging to the product governance component – Provide evidence of the presence of senior-management-approved, detailed procedures and processes for the preparation of product information.
- Standardize root causes. Root causes are the reasons for the presence of gaps between the current and target levels of maturity in a bank.
Example – All in-scope KPIs were mapped to predefined, standardized root causes. A non-exhaustive list of root causes includes board-level policies, board articulation, customer complaints and SLA violations.
- Use the rating model to derive gaps. The rating model converts the qualitative observations of current and target maturity into quantitative values; the gap percentage is then computed.
Example – The current maturity of a KPI is mapped to “early stages” (requirements gathering has been completed; the approach, methodology and implementation of the gathered requirements are being discussed/debated) and its target maturity to “fully integrated” (1. policies, processes, evidence and other documentation required for the capabilities have the necessary approvals and are fully covered; 2. metrics for measurement, monitoring and remediation are automated).
- Perform remediation activity. The remediation plan reflects the top gaps to be addressed in order to bring the gaps down to an acceptable level.
Example – The framework provides a high-level plan for moving from lower levels of maturity (the “early stages” state) to higher levels of maturity (the “fully integrated” state).
The assessment framework adheres to a set of standards with a view to supporting banks in their conduct risk journey, regardless of their current position.
Adherence to the Three Lines of Defense (LoD) Model
The three lines of defense model ensures coverage of all levels, namely business lines (first line), risk and support functions (second line) and internal and external audit (third line). For example, assume a regulatory requirement mandating the avoidance of misselling of banking products to clients. This was approached from all three lines of defense, and key performance indicators (KPIs) were formulated accordingly.
The KPIs check for:
- Presence of procedures to prevent misselling of a product as an example of compliance in the first LoD.
- Availability of policies that help identify the risk of misselling as an example of adherence in the second LoD.
- Availability of internal/external audit reports on the effective functioning of the system to prevent misselling as an example of compliance in the third LoD.
Highly Objective Taxonomy
To avoid subjectivity creeping into the model, each technical term has been defined. The criteria for determining the level of maturity were defined through the presence or absence of certain attributes. In the same way, each capability, sub-capability, stage in the maturity of compliance and measure used in the KPIs was defined.
Aggregation of Gaps through Standardization and Rating Model
The use of standardized root cause categories was instrumental in grouping similar causes together. This enables comparison across the various conduct risk components and sub-components. The rating model used in the framework fully preserves gaps at granular levels even when they are aggregated. With this aggregation feature, the framework can co-exist with and supplement the GRC systems of banks in analyzing gaps in compliance.
Structured Approach to Remediation
Based on the desired level of maturity, a high-level plan for gradually moving from lower to higher levels of maturity is made available as part of the framework. For each root cause category, a list of tasks to be initiated and milestones to be reached is indicated. With the adoption of the three LoD model, remediation covers all three lines in a judicious manner.
Key recent regulatory developments focus on improving risk culture; revamping remuneration and rewards; and fit and proper regimes. Global standard setters are also currently examining the systemic nature of conduct risk with a view to mandating globally acceptable but locally relevant standards. This is expected to change the conduct risk landscape further, necessitating consistent and ongoing review of regulatory maturity at granular levels.