This is adapted from an earlier article that appeared in a McKinsey & Company publication.
The tougher compliance environment has not only multiplied the various regulations that financial institutions must follow, but has also made it necessary for banks to think about compliance in an entirely different way. Those that throw out the old playbook and adapt to this new reality may enjoy a distinct competitive advantage.
Since 2009, regulatory costs have increased dramatically relative to banks' earnings and credit losses. More importantly, the scope of regulators' focus continues to expand with new issues emerging and getting more attention. They include conduct risk; the quality of banks' corporate and risk culture; the next generation of anti-money-laundering; and third-party risk management. Banks, as they must, have continued to respond to these immediate pressures.
But the industry also needs to implement more structural changes in their compliance processes to make their risk and internal control frameworks more effective and sustainable over time.
The traditional bank compliance model was designed in a different era for a different purpose. An institution's compliance professionals would operate largely in an advisory capacity, having less to do with actual risk identification and management. Rather they would lend their insight to higher-level executives, resulting in inconsistent influence on actual business practices.
Under this model, the compliance team has limited understanding of business operations and underlying risk exposures. As a result, many banks still operating this way struggle with fundamental control issues in the first line of defense, such as compliance literacy, accountability, performance incentives and risk culture. Compliance activities tend to be isolated, lacking a clear link to the broader risk management framework, governance and processes. More often than not, the net result is a dramatic increase in compliance and control costs with either limited or unproven impact on a bank's lingering risks.
To turn the page and enable a more sustainable compliance model, banks should consider these four principles:
Own the Risk Control Framework
In most cases, banks need to transform the role of the compliance department from serving in an advisory function to having direct influence on risk management and monitoring. In practice, that means becoming an active co-owner of risks and providing independent oversight of the control framework. Given this evolution, compliance specialists now much focus on these four responsibilities: having an independent and objective perspective on the quantum of residual compliance risk; translating laws, rules and regulations into specific operational requirements; requesting and approving remediation activities; and shaping the bank's overall risk culture and literacy.
These expanded responsibilities require an unprecedented level of insight into business practices, necessitating new compliance practices such as incorporating process walk-throughs into risk assessments, monitoring significant operational changes, and developing residual risk metrics and markers.
Integrating a common compliance vision into an institution's separate business units is also increasingly important. Institutions should stop thinking about different compliance risks as being embedded just within individual business units. That silo model should shift to one where business-unit-coverage is combined with horizontal expertise around key compliance areas.
Focus on What's Getting Through the Cracks
A common compliance practice is to mandate business-led identification of "high-risk processes," as well as "all risks" and "all controls" that pertain to them. But this approach falls short of achieving transparency into all material risk exposures. It often becomes merely a mechanical exercise, resulting in lengthy, qualitative and indiscriminate lists of risks and controls instead of identifying material risk exposures and their root causes. Essentially, this model means a bank's understanding of the residual risks, which might be getting through the cracks, is insufficient.
The new compliance approach needs to focus instead on residual risk exposures in order to ensure that no material risk is left unattended, and then enable effective corresponding oversight and remediation. It should tie regulatory requirements directly to specific process breakpoints by defining which risks apply to a given business process, identifying exactly where they could occur and why, and defining objective key risk indicators in the areas where a process creates material residual risk exposure.
Tie Compliance to Operational Risk Concerns
A modern compliance framework must be integrated with the bank's operational risk view of the world.
Integrating the management of these risks offers tangible benefits. It ensures a comprehensive coverage of risks, lessens the burden on the business and the control functions, and facilitates a more efficient allocation of enterprise resources and management attention.
Banks can start this journey by developing an integrated inventory of operational and compliance risks; standardizing risk, process, product and control taxonomies; coordinating risk assessment, remediation, reporting methodologies and calendars; and clarifying roles and responsibilities among control functions for each material risk type to ensure there are no gaps or overlaps.
Some banks are also making changes in the organizational structure and placement of the compliance function. A few global banks have moved compliance under the supervision of the risk department, which reinforces the view of compliance as a control rather than an advisory function and facilitates an integrated view across all risk types.
Monitor and Measure Progress from the Top Down
The three previous principles help execute a multi-faceted compliance transformation. But banks can maximize the impact of a new compliance approach by rigorously monitoring how progress is meeting desired outcomes. A clear tone from the top and active board oversight in measuring the success of a more structural compliance system is important. An institution should monitor progress in raising the stature of compliance; creating an integrated view of all risks; achieving a strong risk culture; risk ownership; a risk-based program to assess compliance risks; use of quantitative metrics and qualitative markers to measure compliance risk; and evidence of the first line of defense taking action and owning compliance and control issues.
Piotr Kaminski is a senior partner and Kate Robu is a partner in McKinsey & Company's Global Banking Practice.