Reflections on the role of the chief compliance officer in managing regulatory change & engagement

The financial industry is, we believe, at a crossroads in terms of how banks address the challenge of navigating regulatory compliance and managing a myriad of diverse stakeholders with ever-increasing expectations. We can see from the tsunami and velocity of regulatory change, and from the deluge of fines and other penalties levied by regulators in recent times, that the past and traditional approaches to managing regulatory change and engagement have not served the industry well and are simply not sustainable, especially in a cost-constrained marketplace.

Taking operational risk as an example, it is evident that because of its complexity and uncertainty – in that it is a function of failed people, failed processes and failed technologies – only a subset of operational risks are being effectively and efficiently managed as Known Knowns. This is happening even though it is an endogenous risk category and the data is already available, or can easily be made available, to manage it. Taking conduct risk, it is evident that many aspects of Wholesale Conduct Risk, Retail Conduct Risk, Personnel Conduct Risk, Third-Party Conduct Risk and so on are manageable, as data on risk events and factors are available. Given the present pronouncements of the Basel Committee on operational risk and the World Economic Forum on conduct risk, firms will have to focus more on managing these two major sources of risk exposure. For example, the World Economic Forum report on The Role of Financial Services in Society: Understanding the Impact of Technology-enabled Innovation on Financial Stability stated that conduct risk is ‘likely the largest single source of technologically driven risk’.

So what are the Consequences for Chief Compliance Officers?
The role of the CCO is formidable, for several reasons. An effective CCO conveys a potentially strategic advantage to firms, as they can help fully leverage the business benefits of balancing risks. Hopefully the industry has ditched the once common perception of CCOs as ‘business prevention officers’. That perception led to CCOs being marginalised, ignored and disempowered. We can see from recent history how risky marginalising a CCO can be; however, given LIBOR, PPI mis-selling and similar episodes, it is questionable whether appropriate lessons have been learned. So how can a CCO assist their firm in better managing regulatory change and engagement? We believe that the answer to this is found in the data and information at his or her disposal and how this is managed. The CCO is, however, currently disadvantaged when it comes to the management of data and information on risk, in comparison to, for example, the CFO’s data and information on financial matters in a typical bank. The CCO has to balance the need to be objective and independent with the requirement to collaborate with the business. To be a credible agent for change across the enterprise, it is vital for the Compliance function to be adequately informed, and it is here that information technology is, and will increasingly be, a vital source of hard data and intelligence. Unfortunately, the CCO and the Compliance function are typically not as well served in this regard as other colleagues in the C-suite, such as the COO or the CFO.

Problems with Information Systems Support for the Compliance Function
Financial, accounting and transaction processing information systems in banks are highly mature in terms of their support for information and decision making in the disciplines of finance and management. Such systems also help automate and enable reporting according to accepted standards such as GAAP and IFRS. Thus, the CFO typically has at his/her fingertips the ability to determine the provenance of financial data and information through all levels and across functions in a bank, whether retail, commercial or investment. The CCO is not as E-nabled, in terms of informational resources, as the CFO, as IT-enabled enterprise risk management systems are extremely immature and comprehensive enterprise-level dashboard capabilities are practically non-existent.

Next Generation Compliance Risk Management
It could therefore be argued that a CCO needs to possess strategic capabilities similar to those of a CEO, to understand business operations as does a COO, to navigate financial risk as does a CFO, to exhibit the same technical knowledge as a CIO, and to understand risk data at the level of a CDO. Given the regulatory forces and business drivers that currently shape their environment, financial institutions will need to rethink and transform not only their risk and compliance functions, but also the status and role of the CCO. CEOs need to reorient their C-level teams to accept the Compliance function as a core business partner, and the CCO as business risk leader, if they are to transform and ready their banks to face not only current challenges but the all too certain future challenges, and make their banks, as Nassim Taleb would say, anti-fragile. Information technology’s ability to transform organisations by automating their business processes and informating their people is a key enabler here.

Informating and Automating Business Processes
Banks are no strangers to the transformational power of IT. IT-enabled software applications are being used to automate risky business processes such as client on-boarding, KYC and other customer-facing activities. Innovations in the FinTech and RegTech sector offer enhanced capabilities to informate and automate their activities across business lines. Digital innovations in e-banking, online and mobile banking, and so on, provide new avenues for automation and the elimination of operational risks such as failed people in anti-money laundering (AML). Utilities and RegTech vendors offer a range of services to banks that can augment or replace inefficient and risky operations with tried and tested solutions, with the support of regulators. These are examples of the use of IT to minimise the need for manual processes across business activities and lines throughout the organisation. Predictive analytics and machine learning to address a range of operational risks, from fraud to insider threats, front running and so on, along with semantic technologies, are also being used to help legal, risk and compliance teams deal with the mountain and complexity of regulations. These efforts are supported by global standard-setting attempts by the likes of the Object Management Group and the Enterprise Data Management Council, who are fostering concrete industry developments through the application of the Financial Industry Business Ontology (FIBO), such that meaning travels with data. Such technologies (as shown in the diagram below) can assist COOs to capture subject matter expert knowledge of a domain, allowing technologists to create efficient and fit-for-purpose applications by bridging the gap between the regulatory knowledge on one side and the formal knowledge modelling on the other.
Mercury is a regulatory compliance interpretation methodology consisting of a regulatory natural language, Mercury-SE, and an XML schema, Mercury-ML; Ganesha is the software tool that guides the subject matter expert in transforming regulations while following the Mercury methodology. Both are being developed in the GRCTC. Without such initiatives, CCOs will, we believe, like Sisyphus of Greek tragedy infamy, be consigned to rolling the compliance boulder up and down the regulatory mountain for evermore!

Peter Cowap
Centre Director, GRCTC
Leona O’Brien
Researcher, GRCTC