The stakes are getting higher for CROs and compliance officers. Brenda Boultwood of MetricStream details why it’s increasingly imperative that risk and compliance professionals work hand in hand to address ongoing risks and strengthen organizational GRC efforts.
While risk and compliance functions have run on parallel tracks for years, 2019 is likely to witness a new level of synergy between the two groups as they collectively seek to help their organizations drive performance while preserving integrity.
Partnering in this effort will be the Chief Risk Officer (CRO) who, by virtue of his or her bird’s-eye view of organizational processes and hierarchies, is well-positioned to understand how compliance ties back to risk, where key issues or concerns might lie and how risk frameworks can be integrated with compliance to optimize value.
Some large banks have organizationally integrated their operational risk management functions with their regulatory compliance functions (or are in the process of doing so), but this is less important than understanding the synergies.
With that in mind, here are four specific areas where I believe the CRO can impact compliance in 2019:
1. “Operationalizing” Compliance Management
Regulatory compliance functions have long been staffed by lawyers and paralegals, who are likely to believe that each interaction with the business or external stakeholders is unique and depends on their specific expertise. Just as market, credit and operational risks were “operationalized” under Basel I, II and III, compliance and other types of enterprise risks can be brought into the same framework, consisting of identification, assessment, measurement and monitoring.
Essentially, compliance risks should be treated no differently, although they may be managed at a higher level of business process given the consistency in controls required to ensure compliance. As with market, credit and operational risks, compliance risks will be risk assessed, compliance events will be consistently captured and compliance risk levels will be monitored.
2. Applying the Operational Risk Management (ORM) Data Model to Regulatory Compliance
The Basel Committee on Banking Supervision (BCBS) 239 transformed the way banks manage risks and make decisions by instituting 14 broad principles around risk data aggregation and reporting. It’s a model that must be applied to data across functional groups, including regulatory compliance, IT and third-party management. The underlying idea is that a company’s ability to make effective decisions around business performance, growth or compliance is only as good as the quality of the data that drives those decisions.
For too long, many compliance functions — like their counterparts in risk — have focused primarily on process engineering, procedures and assessments to meet the required regulations. Yet with regulatory data volumes swelling, compliance has increasingly become a data science problem. New regulations, updated regulations, policies, control test results, compliance risks, issues, incidents, complaints and key compliance indicators are just some of the data types compliance officers have to manage. How do you structure all this information to form a clear, cohesive view of the organization’s true compliance posture at any given point in time?
This is where the CRO can help: by advocating for and even spearheading the implementation of an aggregated compliance data model based on BCBS 239 principles. For example, principle 3, Accuracy and Integrity, can be interpreted as building a single source of truth for compliance data with consistent, common taxonomies. Principle 6, Adaptability, can be used to ensure that compliance data aggregation is flexible enough to adapt to the constantly evolving regulatory landscape as well as on-demand or ad hoc reporting requests. Principle 5, Timeliness, can help ensure that compliance data reports are kept up to date to reflect changing risks and regulations.
However, it is principle 4, Completeness, that I believe underlies the others. It requires that companies be able to capture, consolidate and map all relevant data (in this case compliance data) in such a way that stakeholders can effectively identify risk exposures and issues at various organizational levels.
The first step in putting together this data model is to build out the compliance universe, including compliance areas, standards, requirements, policies and controls. These data elements can then be mapped to the risk universe, including risk events, key risk indicators (KRIs), key control indicators (KCIs) and scenarios. Then comes the business universe, comprising processes, products, assets, functions, business lines, legal entities, industries and geographies. Rounding it off is the audit universe, consisting of audit entities, plans and findings.
The result of this data mapping is a tightly knit, cohesive and transparent framework with a common taxonomy that provides the business with an aggregated view of compliance that allows the organization to make better-informed decisions.
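The four-universe mapping described above, as an added example that is not part of the original article nor MetricStream's product: it assumes hypothetical dataclasses and constructed ids, and reports the gaps that principle 4 (Completeness) would surface, such as a requirement with no control, a failed control with no audit finding, or a mapped risk event with no KRI.

```python
# Added illustration (not the article's or MetricStream's code): a minimal mapped
# data model for the compliance, risk, business and audit universes, with a
# completeness check in the spirit of BCBS 239 principle 4. All ids are constructed.
from dataclasses import dataclass, field

@dataclass
class Requirement:                                  # compliance universe
    id: str
    controls: list = field(default_factory=list)    # control ids
    risks: list = field(default_factory=list)       # risk event ids (risk universe)
    processes: list = field(default_factory=list)   # process ids (business universe)

@dataclass
class Control:
    id: str
    test_results: list = field(default_factory=list)  # "pass" / "fail" per test
    findings: list = field(default_factory=list)      # audit finding ids (audit universe)

def completeness_gaps(reqs, controls, kris_by_risk):
    """Gaps that stop stakeholders from seeing exposure end to end: requirements lacking
    a control, risk or process mapping; untested or failed-but-unreported controls; risks with no KRI."""
    gaps = {"unmapped_control": [], "unmapped_risk": [], "unmapped_process": [],
            "untested_control": [], "failed_without_finding": [], "risk_without_kri": []}
    for r in reqs:
        if not r.controls: gaps["unmapped_control"].append(r.id)
        if not r.risks: gaps["unmapped_risk"].append(r.id)
        if not r.processes: gaps["unmapped_process"].append(r.id)
        for risk in r.risks:
            # a risk event that is mapped but has no key risk indicator cannot be monitored
            if not kris_by_risk.get(risk) and risk not in gaps["risk_without_kri"]:
                gaps["risk_without_kri"].append(risk)
    for c in controls.values():
        if not c.test_results:
            gaps["untested_control"].append(c.id)
        elif "fail" in c.test_results and not c.findings:
            gaps["failed_without_finding"].append(c.id)
    return gaps

# Constructed sample universes (hypothetical ids)
REQS = [
    Requirement("GDPR-32", controls=["C-ENC"], risks=["R-BREACH"], processes=["P-CUSTDATA"]),
    Requirement("GDPR-33", controls=["C-IR"], risks=["R-BREACH"]),        # no business process
    Requirement("PCI-8.3", risks=["R-ACCT"], processes=["P-PAY"]),        # no control mapped
]
CONTROLS = {
    "C-ENC": Control("C-ENC", test_results=["pass", "pass"]),
    "C-IR": Control("C-IR", test_results=["fail"]),                      # failed, no audit finding
    "C-MFA": Control("C-MFA"),                                           # never tested
}
KRIS = {"R-BREACH": ["KRI-incidents-per-quarter"]}                       # R-ACCT has no KRI
```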
3. Integrating ORM Framework Components in Compliance
While traditional approaches to compliance have revolved around the enforcement of regulations and policies, the emphasis today is on risk: how to identify, assess and monitor compliance risks effectively.
The CRO can support this effort by bringing ORM best practices and frameworks to compliance. For instance, ORM risk assessments or risk-control self-assessments stipulated by Basel II should be used as a model for compliance risk assessments. Typically, that would involve building a comprehensive inventory of compliance risks, assessing inherent risks in terms of likelihood and losses, identifying and implementing controls, assessing and testing those controls and finally measuring the residual level of compliance risks.
Similarly, compliance deficiencies and incidents could be recorded and addressed based on the loss event management principles of ORM. It would mean logging compliance violations from various sources, tracing and investigating their root cause, implementing corrective action and finally tracking their progress to closure.
A centralized issue management mechanism can help by providing a single point of reference to capture and track compliance deficiencies across business departments, groups and operational geographies. Analytics can add further value by highlighting issue trends and patterns and enabling organizations to minimize overall compliance issues, rather than dealing with each one in isolation.
Key risk indicators can also be established for compliance in collaboration with the risk function; scorecards are another useful risk tool to weigh residual compliance risks and to provide metrics on the relative ranking of the control environment.
Many of these practices may already be operational in the compliance function. However, the CRO can further optimize their repeatability, efficiency and usefulness. For example, redundancies and duplication of effort can be minimized by facilitating greater collaboration, data exchange and re-use of risk information across compliance and risk functions. Likewise, risk communication and reporting can be strengthened by enabling a common, consistent risk and control language.
To bolster these efforts, it helps to have a common GRC platform that can provide a holistic view of risk and compliance data across the three lines of defense. With that level of visibility, stakeholders can better understand which compliance and risk areas they should be focusing their attention on and providing vigorous challenge to.
4. Strengthening Compliance Awareness, Identifying Trends
The CRO, in collaboration with compliance officers, can help establish a pervasive culture of compliance risk awareness across the enterprise. Training programs, for instance, can be organized to help employees understand the risk implications of noncompliance, as well as the importance of calling out red flags or suspicious behavior. Employee incentives and bonuses can be aligned with compliant behavior to strengthen accountability.
Another way the CRO can add value is by bringing a fresh perspective to compliance, raising questions and helping identify potential trends: What regulatory examination areas are likely to be investigated, and what documents will be requested? Based on compliance attestation data, can it be surmised that all GDPR data privacy requirements have been met by Legal Entity X?
These kinds of questions help teams refine compliance reports and arrive at a more accurate understanding of the organization’s compliance status. Analytics-based reporting tools and dashboards provide further value by enabling users to slice and dice compliance data from various parameters and swiftly draw out insights to support key findings.
Onward and Upward
Going into 2019, the stakes for both CROs and compliance officers are high. Escalating data breaches, geopolitical tensions, diminishing consumer trust, record-high regulatory fines – all legacy issues from 2018 are likely to extend into this year, making it imperative for risk and compliance functions to work together seamlessly toward strengthening governance, compliance and risk awareness.
The Chief Risk Officer will be a chief collaborator in this endeavor, bringing best practices from risk into compliance (and vice versa), strengthening communication between the two functions and ironing out any remaining inconsistencies or redundancies. These efforts will go a long way toward enabling the truly integrated GRC program that is increasingly becoming the hallmark of a successful, resilient organization.