Tying compliance and operational risk

Herve Humbert, ClauseMatch: the right mix of people skills, process implementation and product capabilities is needed

How financial institutions can effectively operate in the ever-changing regulatory space – Hervé Humbert at ClauseMatch investigates.

Christian Hunt, head of compliance and operational risk control EMEA at UBS, wrote a really insightful article that looked at the benefits of integrating compliance and operational risk. Christian argues that there are three main reasons why compliance and operational risk should be combined.

In short, these reasons are:

• Regulatory risk is essentially a form of operational risk. The consequences of non-compliance with regulatory requirements can be extremely serious
• Many operational risk issues are actually very similar to issues that compliance professionals have to deal with on a daily basis. Therefore, combining compliance and operational risk makes considerable sense. It also sends a message to the regulatory authorities that regulations are built straight into the first line of defence.
• Regulation is changing in nature with regulatory requirements becoming less “rules” based and more “principles” based, leaving interpretation up to senior management and compliance professionals.

This last point is expanded upon in greater detail in another excellent piece “A risk-based approach to compliance” by the same author. In the second article, Christian looks at the challenges that compliance professionals are facing in interpreting new principles-based regulation.

Is there a new challenge?

The above-mentioned points got me thinking about the concerns that many financial institutions have in relation to regulatory interpretation.

The fact that so much regulation is open to interpretation has introduced a whole new set of challenges for compliance professionals. One such challenge is being able to justify the rationale used to interpret and implement a specific regulation in an audit situation. This is not always straight forward. Often, it’s hard to trace the communication regarding a regulatory judgement call. Much of the communication may have been left off email chains or key decision makers may have even left the organisation. So, how can financial institutions eliminate this operational risk?

Using smart documents in compliance

One thing that can be done to increase efficiency and reduce operational risk is to eliminate the so-called “dumb” documents and replace them with “smart” documents. Despite advances in technology in recent years, in 2018, many financial institutions are still using basic word processing software to create, edit and maintain key compliance and enterprise risk framework documents. These documents are not connected to each other meaning that policies and controls are not connected to the relevant risks and regulatory requirements. This lack of organisational system creates risk and ends up costing firms time and money when they need to update their policies and ensure that they are in line with regulation and internal controls.

The absence of “intelligence” in their policy and risk documentation is one of the reasons financial institutions look into regulatory technology. They want the process of locating key documents and important content in them considerably less stressful and time consuming and want to tool up their SMEs. For instance, ClauseMatch enables policy documents to be linked both upstream (to a regulation) or downstream (to a control), meaning that it’s much easier to quantify the impact of regulatory change. The platform also learns from the decisions and approvals made on documents and their mapping to other content so that over time such decisions become consistent and (ultimately) automated.

Capturing the interpretation process

With regulation becoming less rules-based and more principles-based, firms also need to adapt to a principles-based regulatory environment. UBS’s Hunt uses an interesting example about corporate hospitality and the possible conflict of interest that can arise. This example highlights that the onus is put on the industry participants to interpret the rule. And the fact, as he rightfully says compliance experts “can no longer give definitive answers as to what is or isn’t permitted”.

As the certainty of the regulation is gradually fading away, as “the call on how to handle this new form of regulation has to belong to the business”, the need to capture the interpretation process and documenting the rationale behind key decisions is crucial. If the decision-making process is recorded, it’s much easier to prove to regulators that fundamental principles have been taken into account in policies and controls and due consideration was given to the regulatory requirement.

The key here is eliminating “human risk”. It’s important to remember that interpretation is human based. People’s thought processes and decisions can vary depending on a number of factors and over time, the specific rationale behind a key decision may be forgotten.

It’s essential for a financial institution to have the capability to capture the regulatory interpretation process and have a record of all conversations, the context, the personnel involved and the key decisions. This should all be captured as a by-product of the various workflows around policy or control documents. In the past, essential data points were almost impossible to trace. An issue that banks want to address via regulatory technology.

The process and capabilities that compliance and business use need to adapt to the change of approach from the regulator. These changes will be addressed with the right mix of people skills, process implementation and product capabilities – to ease the compliance burden and eliminate operational risk.