
FIRST-LINE OWNERSHIP OF COMPLIANCE RISK: EASIER SAID THAN DONE

AUTHORS

Allen Meyer, Tammi Ling, Elena Belov, Stefano Boezio


INTRODUCTION

Financial institutions are increasingly discussing the growing need for the business to take more responsibility for compliance risk management, that is, ownership of compliance with laws, rules and regulations.

However, these conversations rarely answer three fundamental questions:

1. Why should the business own compliance risk?
2. What does it mean for the business to own compliance risk?
3. How do you achieve business ownership?

While regulatory expectations are a good catalyst for the “Why?”, the more convincing reason is that greater front-line accountability leads to more successful compliance risk management, and results in material risk reduction and cost efficiency.

What makes the “What?” and the “How?” questions difficult to answer is that they present a multi-dimensional challenge to adequately clarify:

• The role of the Compliance department (“second line”) and the first line for managing compliance risk; and
• The roles and responsibilities within the first line, which includes front office and intermediary control functions (“Line 1b”)

In the financial services industry today, we observe that business line managers often rely heavily on intermediary control functions or the Compliance department to manage compliance risk, sometimes with ad hoc management structures that result in substantial differences between business lines even within the same organization. In our experience, the current approach has often led to significant expense in building up these functions without a commensurate reduction of compliance risk. To reduce risk and control escalating costs, compliance risk management must become intrinsic to running the business, like managing market and credit risk. This is a transition that takes effort, commitment, and some investment to develop a target state and design the strategic roadmap to accomplish the journey.

If financial institutions do not embark on this journey soon, it is likely that their cost of compliance will continue to rise or that they will make tactical cost decisions that could weaken the control environment. It is, therefore, key to accelerate and focus current efforts by defining the “Why,” “What,” and “How” for your organization, which is the focus of the rest of this paper.


Copyright © 2018 Oliver Wyman 1


WHY SHOULD THE BUSINESS OWN COMPLIANCE RISK? THE CASE FOR CHANGE

Increased regulatory expectations

Regulators expect greater ownership of risk management by the front line. In the United States, the Federal Reserve Board’s (FRB) proposed guidance provides further clarity on the role of the front line. It assigns ultimate responsibility for risk management to senior management and calls out business line risk ownership for identification, measurement, and management of risks, narrowing the activities expected from independent risk management functions. This proposed guidance amplifies requirements already set forth by the Office of the Comptroller of the Currency (OCC) as part of its heightened standards.

The regulatory expectations in Exhibit 1 apply directly to compliance risk. In action, these principles can be witnessed in many recent enforcement cases, where front line oversight has been called out as a major weakness.

Exhibit 1: Regulatory guidance related to risk ownership

REGULATOR: Board of Governors of the Federal Reserve System
GUIDANCE: Proposed supervisory guidance
EXCERPTS FROM REGULATORY GUIDANCE:

• Under the board’s oversight, a firm’s senior management is responsible for managing the day-to-day operations of the firm and ensuring safety and soundness and compliance with laws and regulations, including those related to consumer protections, and internal policies and procedures.
• Business line management is expected to execute business line activities consistent with the firm’s strategy and risk tolerance, identify and manage risk within the business line, provide sufficient resources and infrastructure to the business line, ensure the business line has appropriate system of internal control, and ensure accountability for operating within established policies and guidelines and in accordance with laws and regulations, including those related to consumer protection.
• Expectations for a firm’s IRM […] include evaluating the firm’s risk tolerance, establishing enterprise-wide risk limits and monitoring adherence to those limits; identifying, measuring, and aggregating risks; providing an independent assessment of the firm’s risk profile; and providing risk reports to the board and senior management.

REGULATOR: Office of the Comptroller of the Currency
GUIDANCE: Guidelines establishing heightened standards
EXCERPTS FROM REGULATORY GUIDANCE:

• The risk governance framework should include delegations of authority from the board of directors to management committees and executive officers as well as the risk limits established for material activities.
• Front line units should take responsibility and be held accountable by the Chief Executive Officer and the board of directors for appropriately assessing and effectively managing all of the risks associated with their activities.
• Independent risk management should oversee the covered bank’s risk-taking activities and assess risks and issues independent of front line units.
• Internal audit should ensure that the covered bank’s risk governance framework complies with these Guidelines and is appropriate for the size, complexity, and risk profile of the covered bank.

Sources: https://www.gpo.gov/fdsys/pkg/FR-2018-01-11/pdf/2018-00294.pdf, https://www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-117a.pdf


Effectiveness and efficiency

The business is closer to the risk exposure and hence best positioned to manage its own compliance with laws, rules and regulations. This is akin to the driver of a car being best positioned to monitor whether they are speeding. Those closest to the activity can anticipate and more efficiently manage potential breaches of laws, rules and regulations, better than those in a different department (e.g., the Compliance department) or an intermediary control function. These other functions are sometimes in a different location, have limited access to business leaders, and have less knowledge of the business and of what is happening minute-to-minute.

We believe that greater ownership of compliance risk by the first line will lead to a reduction in damaging and expensive regulatory and reputational outcomes. Similarly, the need for large and expensive control processes to monitor the risk would be reduced. Having said this, some investment will be required to improve the tools and information provided to line management. Overall, however, the potential effectiveness and efficiency benefits should more than offset the investment.


WHAT DOES IT MEAN FOR THE BUSINESS TO OWN COMPLIANCE RISK? DEFINING THE END STATE

Compliance risk ownership has progressed substantially since the financial crisis – but more needs to be done

Over the last few years, and in response to the increased regulatory expectations, financial institutions have tried to increase business responsibility for compliance risk, migrating certain activities from Compliance to the first line and clearly improving the tone at the top. However, much of this migration has been focused on creating quasi-Compliance intermediary control functions to help business managers with compliance risk management activities. Although these intermediary control functions were (and are) a critical part of front-line compliance risk ownership, their current iteration has had two major drawbacks:

• Senior business managers have been kept isolated from taking true responsibility for the identification, measurement and management of compliance risk, making this transition only marginally effective
• Many compliance risk management activities currently reside in the “Line 1b,” a setup that has required investment in largely inefficient processes to collect and synthesize information for business managers

Many financial institutions find themselves with the following paradox: while there has been a significant investment in intermediary control functions, there is a lack of technology and targeted information capabilities (for example, key risk metrics) to feed line managers, because the investment has not been directed at supporting the compliance risk owners themselves.

In the target state, we believe senior business managers must know the key compliance risks that apply to their business and the associated internal policies, material rules and regulatory expectations. They must understand the key components of the control environment applicable to their business, and own the design of the specific controls used to manage it.

For example, senior managers must actively participate in the risk assessment process and not delegate this critical analysis to someone else. It is also essential that they develop oversight procedures, business-specific escalation processes, and tools and management reporting that enable them to actively manage compliance risks.

Currently, while business leaders may set the right tone and execute or delegate oversight activities that others have created for them, they do not truly own the management of compliance risk. Making compliance risk management intrinsic to the business will require changes for both the first and second line.


HOW DO YOU ACHIEVE BUSINESS OWNERSHIP FOR COMPLIANCE RISK? 3 CRITICAL STEPS FOR MOBILIZATION

To begin shifting your organization from today to the future state, we believe there are three critical steps.

1. Define principles for front-office, first-line control function, and second-line ownership

We recommend starting with a set of first principles to help define what first-line (i.e., business managers and “Line 1b”) and second-line ownership means for your organization. In some financial institutions, some of these principles may already exist (usually as it relates to first and second line). At a minimum, the principles should include those outlined in Exhibit 2. These principles are illustrative and each institution will need to develop its own principles which fit within its enterprise risk, compliance, and operational risk management frameworks.

[Figure: three critical steps for mobilization]
1. DEFINE principles for front-office, first-line control function, and second-line ownership
2. APPLY principles to compliance risk management activities
3. DEVELOP critical ingredients for success: technology capabilities, metrics reporting, incentives system, training through change

Exhibit 2: Illustrative principles for division of responsibilities for compliance risk management

HISTORICAL WEIGHT DISTRIBUTION IN COMPLIANCE RISK OWNERSHIP

[Figure: relative weight of compliance risk ownership across Front office (first line), Intermediary control function (“Line 1b”) and Compliance (second line) in three periods]

Pre-financial crisis (coverage gap between front office and “Line 1b”)
• Lack of focus on compliance risk management by supervisors
• Focus of Compliance on advisory and operations

Current state
• Expansion of “Line 1b” responsibilities
• Reinforcement of Compliance function

Future state
• Ownership transfer to front office
• Realignment of lines to post-financial crisis aimed goals

FUTURE STATE OWNERSHIP PRINCIPLES

Front office (first line)
• Overall accountability by senior management
• Ownership of identification and assessment of compliance risks
• Day-to-day compliance risk management
• Ownership of controls for managing identified compliance risks
• Monitoring of operation and activities within risk appetite
• Design of controls needed to manage identified compliance risks
• Primary escalation of material breaches
• Reporting to senior management based on metrics/KRIs

Intermediary control function (“Line 1b”)
• Limited delegated responsibilities from front office
• Support front office with Regulatory, Compliance & Audit requests
• Draft and manage procedures in line with Compliance policies

Compliance (second line)
• Overall set up of the compliance risk management framework
• Independent risk-based monitoring and testing of control design
• Independent assessment of risks, controls, and residual risks
• Advice on controls and questions related to policy and rule


ILLUSTRATIVE APPLICATION OF PRINCIPLES

RISK ASSESSMENTS

Risk assessments can be re-configured to align with the principles of first-line (including within-first-line) and second-line compliance risk ownership. The Risk and Control Self-Assessment (“RCSA”) process, typically a first-line assessment of its operational risks, should be harmonized with the Compliance risk assessment (“CRA”), typically sponsored by the second line and largely executed by it to identify compliance risks in the business. In the target state, both risk assessments need to be aligned so the first- and second-line roles are clear. Namely, the business needs to specifically assess its own compliance risks, and the second line can check and challenge this self-assessment.

Since risk assessments are critical processes to identify risk, it is essential that business managers lead this process and engage directly with it to identify material risks and responsive actions. Due to its importance, this is not a process that is appropriate to delegate to “Line 1b.” While “Line 1b” can collect relevant information that might help business managers make appropriate judgments, or seek clarifications on the process from Compliance or Operational Risk, the risk assessment exercise itself should not be delegated by business-line managers, as is often the case today.

Additionally, to unlock efficiencies, the RCSA and CRA should be harmonized in a way that removes duplication and is more geared to understanding and addressing compliance risks. Using a common platform, taxonomy, and approach can lead to greater efficiency, as well as a more clearly aligned first- and second-line view of compliance risk.

2. Apply principles to compliance risk management activities

The second step is to apply the agreed principles to the compliance risk management framework and activities within the organization, which is typically closely tied to the Federal Reserve Board’s SR 08-8.

For each of the elements in Exhibit 2, it is important to understand how they currently apply across the first and second line, as well as within the first line; and how they should apply in the target state considering a firm’s principles defined in the first step.


3. Develop critical ingredients for success

The most important ingredient to a successful transition is commitment from senior management, given the effort and the associated time and funding required to accomplish these changes. The realignment of responsibilities between lines of defense and within the first line requires a highly organized effort. It also entails dedicated workstreams focused on the design and implementation of technology and metrics reporting, and the right set of management incentives for adequate stakeholder involvement.

It is better to have practical solutions consistent with the spirit of the exercise rather than rigid outcomes that cause dislocation and potentially new risks. A pilot program for a select business is an effective way to test the principles and apply any lessons learned for the broader roll-out. In this program, the goal must always be to have risk owners increase their accountability for managing compliance risk.

Technology capabilities

For the transition to be successful, technology investment is critical to enable effective business-line management of compliance risk and better documentation of these efforts. The quality of the tools and information available to front-office managers is a primary driver of how efficiently they can take on more responsibility for compliance risk management. In the current state, while there may be dashboards and checklists for business managers, they are rarely supported by automated reports that efficiently enable managers to conduct reviews or query data within a tool. Similarly, insufficient process automation reduces the potential for the front line to seamlessly manage risk as part of their business-as-usual activities. “Line 1b” functions have developed to fill this gap.

Technology is an enabler for reducing the time burden on business managers. It will increase the automation of currently highly manual compliance-related processes; manage the ever-increasing complexity of compliance data; and provide better insights through enhanced analytics on the data. Overall, these capabilities will enable more preventive versus reactive controls and actions.


Metrics reporting

Enabled by new technology capabilities, metrics and reporting will support compliance risk management within the business and with senior management. Similar to credit and market risk management, automated reporting and strong quantitative risk metrics enable front-office managers to take more control over compliance risks. Providing adequate information in an effective way is one of the essential steps to making compliance risk management intrinsic to the business. Currently, much of the management information is provided by “Line 1b” groups or Compliance in a disconnected way and in a very qualitative format.

Incentives system

Banks must evolve from a system in which only affirmative mistakes, breaches or regulatory violations lead to a diminution in pay. First-line compliance risk ownership must be embedded into the evaluation, pay, and promotion decisions of senior and line managers. Without a clear linkage between strong management of compliance risk and incentives, there is a high probability that business lines will continue to operate under the status quo, because their incentives are aligned primarily with business growth and revenue objectives and carry negative consequences only when something goes wrong.

Training through the change

The transition of roles and responsibilities has consequences for stakeholders across both the business lines and Compliance. This includes execution risks as well as cultural resistance to these types of changes, which must be managed thoughtfully. It is essential that these transitions are documented and that business-line managers are trained on their new responsibilities. It is also critical for institutions to ensure that the stature and effectiveness of the Compliance function is maintained throughout the changes. As such, it is important that all stakeholders are trained on the new accountability framework, emphasizing the Compliance function’s responsibility for establishing a framework that is operated by the first-line business leaders on a day-to-day basis.

In the transition, Compliance will emerge from being a hybrid quasi-supervisory, operational, and risk management function to a true risk management function, ultimately serving as the guardian of the financial institution’s reputation by focusing only on the areas with the most compliance risk.


CONCLUSION

Successful compliance risk management at a financial institution cannot be left to the Compliance function or a “Line 1b” function; it must be owned and led by the business. Support from Compliance and intermediary control functions should not shield the business from full ownership of compliance risk. Continuing with the current approach, which focuses predominantly on building up the Compliance function and setting up intermediary control functions, makes it difficult to effectively manage compliance risk and attain efficiency goals.

However, the re-alignment journey takes substantial effort, commitment and investment in technology, reporting, incentives, and training to make a meaningful transition. It is, therefore, important to begin the journey as soon as possible by defining the “Why,” “What,” and “How” for your organization.


Oliver Wyman is a global leader in management consulting that combines deep industry knowledge with specialized expertise in strategy, operations, risk management, and organisation transformation.

For more information please contact the marketing department by email at [email protected] or by phone at one of the following locations:

AMERICAS: +1 212 541 8100
EMEA: +44 20 7333 8333
ASIA PACIFIC: +65 6510 9700

ABOUT THE AUTHORS

Allen Meyer, Partner in the Finance & Risk and Corporate & Institutional Banking Practices, [email protected]

Tammi Ling, Partner in the Finance & Risk and Public Policy Practices, [email protected]

Elena Belov, Principal in the Finance & Risk and Organizational Effectiveness Practices, [email protected]

Stefano Boezio, Principal in the Finance & Risk Practice, [email protected]

www.oliverwyman.com

Copyright © 2018 Oliver Wyman

All rights reserved. This report may not be reproduced or redistributed, in whole or in part, without the written permission of Oliver Wyman and Oliver Wyman accepts no liability whatsoever for the actions of third parties in this respect.

The information and opinions in this report were prepared by Oliver Wyman. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisors. Oliver Wyman has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Oliver Wyman disclaims any responsibility to update the information or conclusions in this report. Oliver Wyman accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages. The report is not an offer to buy or sell securities or a solicitation of an offer to buy or sell securities.

This report may not be sold without the written consent of Oliver Wyman.