Author: Acin – acin.com
The news that the total number of fines levied on financial institutions for compliance breaches in 2021 was 176 compared to a whopping 760 in 2020 is certainly a cause for relief, but it does not, alas, suggest that operational risk management procedures imposed by banks are working.
For a start, 2020 was a statistical anomaly with a very high number of enforcement actions. Additionally, there was no shortage of large fines last year. The US, for example, imposed fines totaling $1.2bn, $670m of which was imposed on non-US institutions.
The evidence that risk control is failing to keep up with the rapid pace of change in working practices and digital technology is also fairly abundant. For example, one of those fines imposed last year in the US was a joint $200m action taken in December by the SEC and CFTC for employees using WhatsApp to communicate about bank business and circumventing record-keeping rules.
The significant shift to home working over the last two years has brought a new set of hazards, some of which are unlikely to be temporary. Without a wholesale move back to the office, senior managers can no longer monitor what’s going on by strolling between desks on a trading floor.
Yet RCSA (risk and control self-assessment) obligations remain periodic and static, and seemingly ignorant of shifts in technology and working practice. They come around at roughly the same time each cycle, while a dynamic review of procedures, triggered by unpredictable and irregular internal or external events, would be more useful.
RCSAs are not tied to the risk appetite of the institution. They exist in a bubble, to be responded to at the designated juncture, rather than as a set of questions whose answers add value to the business as well as safeguarding senior managers from possible enforcement action.
The time-honoured industry description of RCSAs is that they constitute a box-ticking exercise: something that needs to be done, and that the bank needs to show has been done, but which remains a redundant chore for all concerned. This is still the case.
Structured data and technology, organized in an orderly fashion and eliciting on-the-spot reviews, should replace the current practice whereby masses of data are simply mashed together in multiple Excel files.
Key takeaway: Technology and data should connect risk control across the three lines of defence, and digital RCSA processes should deliver operational efficiencies that enable continuous assessment.
Furthermore, RCSAs are not standardized throughout one institution, let alone throughout the industry. The language and criteria vary from one business to another. Different areas of the bank often don’t even speak to one another about RCSAs, even when data originating in one business is required by another. Such unstructured data assembly makes peer comparison, benchmarking and internal diagnostics and analysis impossible.
Executive management should be able to see a front-to-back view of the entire institution. It should be possible to look at all asset classes and find that RCSAs are conducted in the same way throughout, with the same terminology, so that operational risk management is intimately tied to the fundamental processes of the business. Without this, front-to-back collaboration and active rather than reactive risk management are not possible.
Key takeaway: Technology and data should be based on consistent nomenclature that enables peer comparisons, advanced analytics and collaborative engagement.
If RCSAs were fit for purpose, senior managers, who are subject to the SMCR (Senior Managers and Certification Regime) in the UK and similar regulations in other major jurisdictions, would derive comfort from them. They, after all, face the direct consequences if the business for which they are responsible commits a major breach of the rules.
But this is not the case; RCSAs do not provide that comfort because the data they incorporate is generally inadequate and incomplete. Instead, senior managers rely on the compilation of personal reports. This is an indictment of current processes.
Moreover, risk management processes should be linked and mapped to current regulations and should also reflect likely changes. Senior managers need to be kept abreast of a regulatory landscape that is currently shifting.
Not that any of this comes cheap. The erection of a compliance empire and attendant requirements in the years following the financial crisis of 2008/2009 has been enormously expensive for the financial industry. But at the moment participants could be forgiven for asking if they are getting value for money.
Key takeaway: Technology should be used to automatically map risk controls to regulation to monitor exposure, thus assuring that the control environment is complete.
2022 could be, and should be, the year in which this depressing operational risk cycle of failure and frustration is broken. For that to happen, more complete and more consistent data needs to be harnessed to state-of-the-art technology.