Modernizing Governance, Risk and Compliance Strategy

Financial services organisations are under pressure to significantly transform processes related to areas of governance, risk and compliance (GRC). Managing responsiveness under a proliferation of IT systems, as well as exploding volumes and a variety of data, has become a high-stakes balancing act. In an increasingly complex landscape, addressing data management head-on helps not only create a working GRC strategy, but build a better overall business. 

 

GRC consists of separate functions with different requirements and different individuals tasked with managing them. Why are people looking to address these as part of a greater whole, and what are the challenges associated with doing it that way?

Ken Krupa, MarkLogic: I am asked this question a lot internally. Each letter of GRC is interrelated. If you dial down compliance you increase risk—that’s an observation most of us can agree on. It’s almost like a law of conservation for risk and compliance. The fewer safety governors there are, the greater the chance of going off the rails, and we saw that in 2008. 

And then governance is this crosscutting, over-arching set of functions to manage the other two, whether you are heavily compliance-driven and hope managing the compliance will in turn manage the risk, or you take it from a more balanced perspective, seeing compliance as a necessary evil but choosing to be more proactive at de-risking things. 

 

Where are firms’ regulatory compliance strategies right now, and where can they get to in practical terms?

Christian Hunt, UBS: In an ideal world, everybody would sit at the point where they were ready for every single regulation, where they knew whether it was coming down the line, had the systems and controls in place to deal with them, and a full embedded understanding of that within the business. In an ideal world we all sit at the top. In a more realistic world, we recognise the volume of regulation—especially for those global firms dealing with a multiplicity of different jurisdictions and regulations—makes that much more challenging. 

But the ask from a regulatory and a broader stakeholder perspective is to get as close to the top as possible. There is, of course, a danger in front-running regulation, especially in Europe, where regulation takes a long time to bed down and the detail takes a long time to flesh out. But I think one needs to be as on top of the game as possible. 

So I would err on the side of being ready rather than not ready. Regulators sometimes introduce things and need time to work out what they mean. Sometimes they have a political imperative to make things happen, which can result in rushed regulation. We’ve seen this during the crisis but, equally, afterwards when politicians want to be seen to be doing things that take time and may morph in terms of substance. 

So it’s a very challenging topic. I think it’s a well-raised question, but clearly the exam answer needs to be at the top of the chart. I recognise that, if people are being honest, they may well find themselves further down than they would like to be. 

 

Do the dangers involved relate to the scope of regulation changing and invalidating work already done? Or more to sitting on a sunk cost for longer than you would like? Is it a question of compliance or cost of investment? 

Christian Hunt: I think it’s all of those. Typically regulations err on the side of not allowing things, but forcing you in certain directions, which typically means you stop doing things in a certain way, do it in a different way or stop doing it completely. There is a danger of putting oneself in a position where competitors aren’t necessarily as far advanced; that can lose you short-term business, which is a challenge in a cost-constraint environment where everybody is chasing every single dollar they can find. 

But there is also a risk that you run in the wrong direction, investing in things that go either too far in one direction or miss the point of the regulators’ pivot slightly. All that said, a tremendous business imperative is to be ahead of the curve because many of the regulations nowadays are driving, especially in the conduct arena, towards what customers are going to be looking for anyway.

Therefore, and to a certain extent it will depend on the type of regulation, there is a benefit to being an early adopter when one can use that for commercial advantage. 

Robert Paolino: Most individuals will respond with a wait-for-the-regulators approach or anticipate the regulatory approach. The anticipation or acting in advance of potential new regulations has its challenges. You’re sinking costs in, you’re spending money, but you might be putting resources in place that may take you in the wrong direction in terms of

overall regulations. 

Part of the challenge is that each regulator has its own unique take; specifically, we’ve seen the US taking a very individualistic approach within its regulations and a very prescriptive approach. Some of the challenges within the countries that follow Basel regulations quite closely is that we see it’s more principles-based. And the principles-based nature of those regulations requires, depending on the size and type of your organisation, more thought in developing data programs, practices, policies and approaches to handle the upcoming regulations.

By fostering that regulatory approach where you’re working very closely with the regulatory agency, you can anticipate and foresee what will be implemented. Many regulatory bodies provide draft formats that open up commentary and discussion around regulations, but one challenge is waiting too long. You may not have time to implement or you might be overly rushed. And, in terms of anticipating it, you could be going in a slightly incorrect direction from what the regulators are expecting. 

Ken Krupa: There is a balance between front-running the regulation and waiting too long, and then reacting. We live in a multi-jurisdictional world and every jurisdiction has its unique take. That said, there are some fundamental data management perspectives we can bring to regulation, whether you’re looking at Dodd-Frank, the Markets in Financial Instruments Directive (MiFID) II, or very principles-based regulation such as BCBS 239. 

There is a common thread around the need to be transparent, particularly when things get very complex. The easy-to-understand stuff will always be easy to understand; so let’s report on very simple types of instruments where the exposure is very well understood. But that’s not really the problem most regulators are facing. They’re not just saying, “Hey, give us this information,” or for MiFID II, “Hey, give us 40-odd more pieces of data around a trade.” 

But the guidelines of BCBS 239 are saying: “Also prove to us how you got to those particular results.” So it’s important to consider lineage, provenance and how the data got to a certain state, or asking if a similar question from two different lines of business will get the same answer, and whether it’s a regulator or internal risk and compliance asking. Those are good things to do anyway. 

In 2008 when the question was asked—“What’s our exposure to Lehman Brothers?”—it wasn’t a simple, “Let’s just go to this exposure table and look up all the Lehman Brothers entries and add them up.” As we know, exposure to Lehman Brothers was a complex web of legal entities as well as a sort of cross-asset-class instrument exposure that required a mapping of all the interconnectivity of not just the legal entities that comprised Lehman Brothers, but all the different derivative instruments where you might have exposure, particularly interest-sensitive or debt instruments. 

From the perspective of knowing just how every piece of data pertinent to risk and exposure for the organisation got there, if you take a fundamental look at managing the data from the front office all the way through middle to back to the reporting for regulators, you could do things at a foundational level that will give you the sort of position to react more easily to what the regulators are asking for. 

So instead of taking an outside-in approach, as they are asking for, let’s work our way back from the regulation to the source, taking an inside-out approach. It’s easier said than done, but there are other technologies available today where other technologies and data management strategies that banks can employ to create a more agile kernel of data management to react to what the regulators may be asking for. 

 

In answer to the question “What best describes your firm’s regulatory compliance strategy?” 56.3% of our audience said they anticipate regulatory needs to self-certify with upcoming regulations. But 22% said they had no overall strategy, but deal separately with regulations as they arise. 

Ken Krupa: Some businesses’ exposure to regulation—whether based on size or how and when they participate in the market—limits their need to proactively address it. However, if you’re a
Global Systematically Important Banks (GSIBs), you shouldn’t be in that bucket of addressing each new regulation separately. 

GSIBs don’t have the luxury of reacting to each new regulation as it arises. They are in too many jurisdictions, participate in too many different types of market and with too many counterparties to just react. The complexity is too great, so they should be in that 56.3% that are anticipating regulatory needs. 

Firms need to take a more fundamental approach and ask, “What are the principles that matter?” Transparency and a good understanding of how you get to specific numbers is fundamental to any strategy.  

 

 

To what extent does firms’ preparedness depend on their own internal culture and management philosophy, and how much on compliance as an end in itself, as opposed to being something in which you can exploit the investment you’ve made to create better business ends?

Robert Paolino: Smaller organisations tend to look at their operations as more simplistic and not requiring as intensive a review as the GSIBs, or, as with the seven largest banks in Canada, domestic systemically important banks. Many times, organisations see their operations and their approach as quite simple—it is a “wait and see” what the first-movers will do within the industry. 

This approach tends to leave smaller organisations playing catch-up and they may be rushing a programme that needs to build on the alignment and consistency within data gathering, without getting into the complexities of building out stress testing and modelling programmes, and having a core foundation around the collection of data to determine the responsiveness. 

My outlook has always been to demonstrate the approach in the organisations I’ve worked with, with the regulators. And I think it’s quite important that most organisations take an anticipatory approach with active communication and regularly liaising with the regulators. Many times, some organisations may feel their operations are quite simplistic and take the incorrect approach, not believing that the regulations will cover them similarly to the larger, more complex organisations. 

 

What is the best way to balance the carrot and the stick when convincing people of the value of getting ahead of new regulations? 

Christian Hunt: To touch on the topic I flagged earlier, the combination of compliance and operational risk control. I don’t like the word “compliance” because it sends all sorts of signals and pushes one into traffic-cop territory if one isn’t careful. 

Compliance is about managing regulatory risk and, like any other operational risk, comes in different guises and needs to be thought of in terms of having a risk appetite. There are many examples where regulators are prescriptive and others where they are less prescriptive, but they make hints or make statements
about principles. 

So it’s not a straightforward case of saying, “Here are some rules we comply with and if we comply with those rules we’re fine,” because you have to look at the intent behind them. So one is looking more now at treating regulatory risk as any other risk, which needs to be understood. It needs a coordinated approach, and we need to think quite carefully about managing the challenges that poses. 

Clearly, the more complex one’s businesses are and the more locations one is in, the greater that challenge. It’s undeniable that, whatever business one is in, there is a huge amount of change and that the regulatory agenda continues to be quite aggressive in a number of territories and a number of different ways that challenge the very business model firms have historically undertaken. 

That is a challenge for the people on the front line who must take responsibility for things they never really thought about before. So in the first-second line delineation, we have seen first lines as being quite weak and people in the front line saying, “I’m here to make money, and you guys sort the risk and the compliance issues out.” And that’s clearly not the direction of travel. 

So when I talk about carrot and stick, the combination of compliance and operational risk allows me to use the compliance label as a mechanism for persuading people to do things that actually help mitigate risk. The stick of compliance is saying, “Look, there are consequences for not complying with the rules.” That makes it a unique form of risk in that in many other operational risks you can’t demonstrate as loudly and as clearly the downsides of the full range of activities, whereas everybody knows the costs of non-compliance.

The carrot is that, if one gets ahead of these pieces, manages it well and is seen to manage it well by the regulator, one is sometimes cut some slack. 

But it also puts one in a position of being ahead of the curve when launching new businesses, when you think about which businesses you want to be in, when you are dealing with clients who have their own regulatory concerns. If you can demonstrate that you’re forward-thinking and are answering the 21st-century regulatory questions, that puts you in a much stronger position to generate sustainable business going forward. 

Does one want to be engaged in short-term arbitrage where the rules are changing and one could get away with certain things, or be ahead of the curve and thinking how to use compliance as a business advantage? It’s that business advantage I try and push. 

Hear the full proceedings of the Modernizing Governance, Risk and Compliance Strategy forum

Sponsored content