In a recent article, Pjotr Kaminski and Kate Robu, both working for McKinsey&Company, outline a more structural solution for dealing with ever-increasing regulatory requirements and compliance challenges.
The title of the article is “A best-practice model bank compliance”, but if all recommendations are implemented, much more would be achieved than “bank compliance”. The framework will lead to what I’d like to call ‘compliant banking’ in the true sense of the word. So let me try to summarize the article and make some observations.
The article starts with the observation that “many banks still struggle with the fundamental issues of the control environment in the first line of defense…”. We can’t agree more! On a daily basis we work with our clients to improve the behavior of the front office, but most institutions still have a long way to go. Moreover, the authors talk about the increased spend on compliance-related programs, often with little effect.
These and several other challenges can, according to the article, be addressed by following 3 principles:
- An expanded role of compliance and active ownership of the risk-and-control framework.
The idea here is that a compliance team should not just issue policies and give ad-hoc advice; the compliance function should be much closer to the business, manage risks and even have an eye for operational efficiency. This is something we wrote about exactly a year ago <http://i-kyc.com/English/About-Us/blog/top-five-priorities-for-the-risk-and-compliance-function-2015.html>. In such a role a compliance team can actually be much more effective in building a compliance culture and add more value to the institution.
- Transparency into residual risk exposure and control effectiveness.
Most risk frameworks nowadays start from assessing inherent risk, followed by measuring the effectiveness of implemented controls, leading to insight into the residual risk exposure, and subsequently deciding on actions to be taken if the residual risk is not within appetite. Most organizations know this in theory, but the whole framework is rarely implemented in full. The article further suggests that the use of Key Risk Indicators – measuring the residual risk – would be much more effective than checking all the controls on a regular basis. If applied properly, all this would give the institution a truly comprehensive view of its portfolio of risks and facilitate a risk-based allocation of resources.
- Integration with the overall risk-management governance, regulatory affairs and issue-management process.
Not only would this enhance the overall risk view of senior management, it would also lessen the burden on the business.
The article concludes with a 10-point scorecard to measure progress in the transformation of the compliance function. I’m not going to get into the detail of all these points; the most important thing is that institutions should realize there’s still a lot of work to do to make the compliance function the efficient and effective function it can be. Organizations can perform better, at lower costs and with better management of risks, if the topics pointed out in the article are implemented.
Complacency is not the right answer to all the challenges; the framework in the article might be.
If you want more information or a discussion on how your organization is doing in this respect, let us know.