Tying compliance and operational risk

    By Hervé Humbert, VP Sales at ClauseMatch
    on 3 September, 2018
    I recently read an insightful article written by Christian Hunt, Head of Compliance and Operational Risk Control EMEA at UBS, that looked at the benefits of integrating compliance and operational risk. Christian argues that there are three main reasons why compliance and operational risk should be combined.
    In short, these are:

    Regulatory risk is essentially a form of operational risk. The consequences of non-compliance with regulatory requirements can be extremely serious.

    Many operational risk issues are actually very similar to issues that compliance professionals have to deal with on a daily basis. Therefore, combining compliance and operational risk makes considerable sense. It also sends a message to the regulatory authorities that regulations are built straight into the first line of defence.

    Regulation is changing in nature with regulatory requirements becoming less 'rules' based and more 'principles' based, leaving interpretation up to senior management and compliance professionals.

    This last point is expanded upon in greater detail by Christian in another excellent piece entitled "A risk based approach to Compliance." In this article, Christian looks at the challenges that compliance professionals are facing in interpreting new principles-based regulation.

    New challenges
    Christian's points got me thinking about the concerns that many of our clients have in relation to regulatory interpretation. The fact that so much regulation is open to interpretation has introduced a whole new set of challenges for compliance professionals. One such challenge is being able to justify, in an audit situation, the rationale used to interpret and implement a specific regulation. This is not always straightforward. Often, it is hard to trace the communication around a regulatory judgement call: much of it may have taken place outside the email chain, or the key decision makers may have since left the organisation.

    So, how can financial institutions reduce this operational risk?

    Using smart documents in compliance and risk
    One thing that can be done to increase efficiency and reduce operational risk is to eliminate 'dumb' documents and emails and replace them with 'smart' documents that contain the decision making process embedded in them.

    Despite advances in technology in recent years, in 2018 many financial institutions are still using basic word processing software to create, edit and maintain key compliance and enterprise risk framework documents. These documents are not connected to each other, meaning that policies and controls are not linked to the relevant risks and regulatory requirements. This lack of structure creates risk and ends up costing firms time and money whenever they need to update their policies and confirm that they are in line with regulation and internal controls.

    The absence of "intelligence" in their policy and risk documentation is one of the reasons financial institutions look into ClauseMatch. They want locating key documents, and the important content within them, to be considerably less stressful and time-consuming, and they want to equip their subject matter experts (SMEs) with better tools. ClauseMatch enables policy documents to be linked both upstream (to a regulation) and downstream (to a control), meaning that it is much easier to quantify the impact of regulatory change. The platform also learns from the decisions and approvals made on documents, and from their mapping to other content, so that over time such decisions become consistent and (ultimately) automated.

    Capturing the interpretation process
    With regulation becoming less rules based and more principles based, firms need to adapt to that principles-based environment. Christian uses an interesting example about corporate hospitality and the possible conflict of interest that can arise. The example concretely shows that the onus is put on the industry participants to interpret the rule and that, as Christian rightly says, compliance experts "can no longer give definitive answers as to what is or isn't permitted". Again, I recommend reading his blog post.

    As the certainty of the regulation gradually fades away and, in Christian's words, "the call on how to handle this new form of regulation has to belong to the business", capturing the interpretation process and documenting the rationale behind key decisions becomes crucial. If the decision-making process is recorded, it is much easier to prove to regulators that fundamental principles have been taken into account in policies and controls and that due consideration was given to the regulatory requirement.

    The key here is reducing 'human risk'. It is important to remember that interpretation is a human activity. People's thought processes and decisions vary with a number of factors, and over time the specific rationale behind a key decision may be forgotten.

    It is important for a financial institution to be able to capture the regulatory interpretation process and to keep a record of all conversations, the context, the personnel involved and the key decisions. This should all be captured as a by-product of the normal workflows around policy or control documents. In the past, these essential data points were almost impossible to trace; this is an issue that banks want to address via ClauseMatch.

    The processes and capabilities that compliance and business units use need to adapt to the regulator's change of approach. These changes will be addressed with the right mix of people skills, process implementation and product capabilities, in order to ease the compliance burden and reduce operational risk.

    If you would like to know how regulated companies use ClauseMatch in their compliance and risk processes, don't hesitate to get in touch.