Today, corporations and government agencies are facing an unprecedented wave of regulatory obligations and increased penalties for non-compliance. The financial services sector, as an example, needs to comply with a myriad of prudential regulations, federal privacy, AML/CTF, consumer credit and protection laws to name a few. Obligation registers now contain over 1,000 entries for compliance teams to deal with. In smaller organisations, these teams are often under-resourced due to compliance being a cost centre.
In this blog, we will discuss some of the complexities of effective compliance risk management.
At Protecht, we believe a risk-based approach to compliance obligation management is crucial to avoid becoming too bogged down in the volume of obligations. However, organisations can run into immediate difficulty here: even before assessing an obligation and its associated risk, they must work out which risk event the obligation actually relates to. Let’s work with a subset of core AML/CTF obligations, courtesy of LexisNexis, as a practical example to explain:
We must first make a decision as to what we want inserted in our risk event library in relation to these obligations.
We often see the following examples:
For those of you that read my recent blog (Risk Event Libraries – Sanity Check), you will recognize a potential problem here, in that these are failed controls. If we take a step back and think about what the legislation is doing, it is imposing a control framework on organisations to mitigate the key underlying risk event:
Therefore, that is the starting point for your risk event library. David Tattam and I have had numerous robust discussions about whether we need to go more granular in the risk event library. For example, another risk could be “AML/CTF regulatory reporting requirements breach”, arising when we fail to report suspicious transactions. Maybe… what do you think? I personally do not want my risk event library being cluttered with sub-components of the true underlying risk event, as typically these will either be failed controls or impacts.
Keeping the underlying risk event at a high level reduces the complexity of the risk event library, allowing you to quickly do an inherent risk assessment of this core risk. We would expect most financial services and betting companies to have a high to extreme risk for money laundering and CTF due to the inherent likelihood of it occurring, and extreme potential impacts – reputation and extremely punitive regulatory fines. Once the high risk rating has been determined we can direct our initial energies to this obligation set.
Continuing with our AML/CTF example we are now faced with the following tasks for each core obligation:
Other issues to consider are:
There is no escaping the hard yards to do compliance risk management properly: it takes time, dedication and the appropriate resources. Our recent collaboration with LexisNexis to deliver plain English content through the ERM platform is helping organisations to get better at compliance risk management.
If you are interested in learning more, please send an email to firstname.lastname@example.org.
David Bergmark consults on a variety of market and enterprise risk management issues and is actively involved in the development and implementation of Protecht's risk management software (ERM and ALM). David started out in the audit division of Price Waterhouse in 1990, handling clients such as Macquarie Bank and Bankers Trust. By 1994 he was Risk Controller for Carrington Securities - a financial markets trading company. In 1996 David left Carrington to head up the Risk Management Department at IBJ Australia Bank (IBJA) where he was responsible for the development of all risk disciplines at the bank – market, credit, liquidity and operational.