Compliance and risk operations at financial services companies suffer a range of problems stemming from organizations’ efforts to achieve regulatory compliance while adjusting strategies, business models and approaches to risk. The current moment presents a real, and perhaps time-limited, opportunity to transform compliance and risk operations.
Why sponsor risk management transformation?
Is your organization experiencing:
- regulatory violations, fines and compliance exceptions and deficiencies
- processing errors, operational problems and customer complaints
- losses due to risk events and other unpleasant surprises
- increasing operating costs due to complexity and inefficiency
- shortcomings in the control environment and risk management infrastructure
- inability to identify risks worth taking and risks to avoid
These issues indicate a need for greater integration of compliance and risk operations and the need to begin moving toward performance-driven risk management. Risk management transformation aims to achieve and maintain a performance-driven risk management approach that uses risk management to drive revenue growth as well as cost savings. Integrated risk management is both an intermediate stage of maturity and a necessary precursor to performance-driven risk management.
Integrated risk management moves operations beyond the compliance-driven stage and delivers the following benefits:
- fewer regulatory violations, fines, compliance exceptions and deficiencies to remediate
- fewer processing errors, operational problems and customer complaints, and reduced rework
- fewer losses due to risk events, and smaller losses when they do occur
- lower operating costs due to efficiencies resulting from streamlined business processes
- enhanced effectiveness of the entire control environment and risk management infrastructure
- risk-based visibility into the entire enterprise
- enhanced ability to identify risks worth taking and risks to avoid
Move beyond compliance to performance-driven risk management
Why is now the ideal time for transformation?
Financial services companies are emerging from a decade in which regulatory requirements seemed to suck the air out of the room. While some risk may have been bled out of the financial system, many organizations are now living with serious side effects. These include operational problems, customer complaints and losses in some lines of business.
While financial institutions have long been regulated, the demands of the past decade have reached the point where they typically divert resources from risk management to compliance. Redirecting those resources back toward business-oriented risk management will take some effort.
The case for integrated risk management (IRM)
Management wants better risk management so that it can innovate faster and bring new products to customers. In addition, the board, the audit committee, the risk committee and regulators want to make sure that there is appropriate oversight. Yet too many risk management functions remain primarily compliance-focused or, quite simply, backward-looking.
While most leadership teams grasp the distinction between risk management and compliance, it can become moot when compliance traditionally demands so many resources. Moreover, some teams have not truly distinguished between the two, yet the distinctions are well worth making:
- risk management can enable the business strategy, while compliance cannot (business agenda vs. compliance agenda).
- risk management centers on decisions and conduct, while compliance centers on examination and verification.
- risk management serves the business agenda, while compliance serves the regulatory agenda.
- risk management activities are integral to achieving high performance, while compliance activities can put a drag on performance.
To achieve goals, enhance efficiency and effectiveness, and drive superior performance, compliance and risk management capabilities must be integrated across the organization. But how? First, it means determining where current problems, such as customer complaints, excessive costs and increased risks, exist. Second, it means developing an approach to identifying, prioritizing and addressing specific problems. Third, it means integrating compliance and risk management into an overall risk governance and management framework.
Many organizations wish to develop a rationale for transforming their risk and compliance operations and to chart a path toward achieving that transformation, but few have taken the necessary steps to move forward. We therefore offer a broad outline of that rationale and path, and of the related challenges to address:
Start at the top
Integrated risk management starts with the organization’s value proposition, strategy and culture—and with the senior leadership.
Develop an effective risk management culture
In the minds of some in financial services, organizations have become “cultures of compliance”—to the extent that some have deliberately created such cultures. While this is understandable, a culture of compliance will not deliver on the value proposition or achieve strategic goals. However, an effective risk management culture will.
Use formalized change management programs
Close partnerships among the businesses and risk management and compliance, with Internal Audit standing ready to provide advice and, eventually, assurance, are critical.
Analyze and prioritize issues, needs and activities
Key methods for implementing an end-to-end transformation include process flow mapping, root cause analysis and other process improvement methodologies. These assist the organization in identifying and prioritizing sources of operational losses, compliance errors and customer complaints.
Use technology as the enabler
Although many organizations view compliance only as a cost center, the function creates tremendous amounts of information, much of which has value in risk management and decision-making. That is also true of other functions and processes within the organization. This has hampered their efforts to integrate risk management in an industry that runs on financial, factual, transactional and risk-related data.
Getting to performance-driven risk management
The number of compliance-related processes, controls, and reports—and related manual processes, headcounts, and costs—would themselves justify a risk operations transformation. Add to that an expected period of reduced regulatory demands, and you have a true window of opportunity.
An operations transformation sets the stage for the organization to move toward performance-driven risk management. In addition to enhanced effectiveness and reduced costs, performance-driven risk management generates strong alignment between business strategy and risk strategy, and between risk management and risk culture.
However, integrated risk management, achieved through an end-to-end risk operations transformation, is a necessary step toward performance-driven risk management. Now is the time to take that step.