Compliance Risk Assessment
Tim Rooke and Iestyn Evans
23 April 2015
Page 2
Agenda
► What is Compliance Risk Assessment?
► Components of Compliance Risk Assessment
► Context of Jurisdictional / Business Assessment
► Integration with Other Risk Disciplines / Methodologies
► Benefits of Compliance Risk Assessment
► Development and the Future of Compliance Risk Assessment
► CRA – Case Study
► Discussion
Page 4
What is Compliance Risk Assessment?
► A Compliance Risk Assessment (CRA) is an essential part of ensuring a robust Compliance programme
► It provides key insights into the risk profile of the firm and a clear picture of the strength of the control environment
► It also enables assessment of the Compliance risks arising from business activities and of the strength of the infrastructure in place to mitigate them
► Results of the CRA establish the required areas of focus for the Compliance programme, e.g. for monitoring and testing, and can also drive ongoing enhancement of the Compliance framework overall
► Regulators have demonstrated a clear expectation that a robust CRA can be used as the foundation of the ongoing management and enhancement of Compliance programmes
► Compliance Leadership are expected to be able to articulate their risk profile and key risk areas, with the CRA process providing the critical grounding and evidence for reporting accordingly to the CEO and the Board
Page 5
What is Compliance Risk Assessment?
► The CRA is part of a wider Compliance programme, inter-linked with the Annual Plan Framework
[Diagram: annual cycle. Analyse: Risk Assessment → Plan: Annual Plan → Actions: Control Remediations, Training, Policies, Monitoring, Testing, Surveillance → Report: Management Information → Subsequent Year’s Risk Assessment]
► Annual Plans are primarily based on CRA results; the process should be cyclical
[Process flow: Compliance Officers conduct CRA → Review with Business Heads → Review by Senior Compliance Management → Finalise results of CRA → Develop Annual Plan]
Page 7
Components of Compliance Risk Assessment
► The CRA represents Compliance’s assessment of the Compliance and regulatory risks faced by the business
► This process empowers Compliance to honestly and accurately assess the risks that the firm faces while identifying the relative strengths of control factors, and hence the areas of control that require improvement
► Multiple components must be defined to feed into this assessment and measure Compliance risks:
  ► Scope (i.e. business units/desks for inclusion)
  ► Risk assessment themes
  ► Rules inventory (and associated mapping to risks and controls)
  ► Control categories
  ► Process for assessment
  ► Reference data
  ► Technology platform
► A framework should exist to allow reasoned override of some components in certain instances
► The CRA components sit within an overall methodology, ultimately used to compute residual risk:
  ► Quantitative scoring / rating methodology
  ► Qualitative analysis of inherent risk and (relevant) control strength
Page 8
Components of Compliance Risk Assessment
[Diagram: six components, all supported by a common Technology Platform]
► Rules Mapping: regulatory rules and requirements are mapped to the risk areas to support the assessment process
► Reference Data: reference data is provided to enable the fact-based assessment of the risks and controls of the business units
► Assessment: Compliance Officers conduct their assessment based on their knowledge of the business and controls while considering the Rules Mapping and Reference Data
► Quality Assurance Reviews: the initial responses are reviewed by Compliance Leadership for consistency and accuracy
► Scoring: overall business unit results are calculated quantitatively to provide consistent and comparable results across the organisation
► Outputs (Reports, Control Enhancements, Monitoring & Testing Plan): the results of the CRA are used to drive ongoing control activities and to identify enhancements to the function
Page 9
Components of Compliance Risk Assessment
Example: Business Unit Approach to Risk
There are 4 key concepts that determine the scope and review of a rules and controls mapping exercise: Risk Assessment Unit, Rule & Regulations Inventory, Themes and Control Inventory
Risk Assessment Unit
► Identify risk assessment units:
  ► Legal entities
  ► Jurisdictions
  ► Regulators
  ► Products and services
  ► Business unit / division
► Evaluate each assessment unit to confirm its key business activities, which drive the allocation of relevant rules
Rule & Regulation Inventory
► Evaluate and compare each rule against the business activities of each risk assessment unit to determine which rules apply to that business unit
► Relevant rules should be aligned to Themes. A Rule may apply to more than one Theme
Themes
► A Theme is a collection of similar or complementary regulatory requirements grouped as ‘sub-topics’, so that categories of risk and related controls are reflected consistently throughout the risk assessment framework
Control Inventory
► Controls are mapped to relevant rules and are identified as critical both to mitigating inherent business risk and to reducing residual risk
► A rule may be mapped to many Controls, and a control may apply to more than one rule
► Key controls include:
  ► Governance
  ► Policies
  ► Monitoring
  ► Training
  ► Testing
[Diagram: Risk Assessment Unit (Legal Entity, Regulator, Jurisdiction, Business Unit / Division, Product / Service) → Rules & Regulations → Themes → Rules Mapped → Control Inventory]
Page 10
Components of Compliance Risk Assessment
Example: Investment Bank Compliance
Compliance Risk Assessment Process Steps
[Diagram: Business Line (1) → Business Type (2), e.g. Fixed Income, Research, Equities, Banking → Business Unit (3), e.g. Derivatives, Convertibles, Delta One, Prime Brokerage, Swaps, Forwards, Futures, ETFs → Risk Areas (4): Suitability, Market Abuse, Conflicts of Interest, Employee Communications, Financial Crimes, Cross Border, Risk Governance, Books and Records → Ratings (5): Risk Rating (High Risk / Medium Risk / Low Risk) and Control Rating (Strong Controls / Medium Controls / Weak Controls) → Control Remediation (6): Training, Testing, Policies, Surveillance]
1 Business Line is the highest level of classification in the business hierarchy
2 Business Types are the types of business within the business lines
3 A Business Unit is a single risk entity assessed in the Risk Assessment and comprises the different types of business conducted within a Business Type
4 Risk Areas are a collection of similar or complementary areas of compliance risk
5 Each risk area is assessed for the level of Risk inherent to the business unit (5a, Risk Rating) and the strength of the Controls currently in place for that risk area (5b, Control Rating)
6 When Weak Controls are identified, a Control Remediation is provided to detail the remediation action to be taken to enhance the controls
The compliance risk for each business unit, and the strength of the controls to mitigate those risks, are assessed for various thematic areas of risk, which are designed to encompass the population of compliance risks faced by the firm
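The slides name the two rating scales (High / Medium / Low inherent risk, Strong / Medium / Weak controls), say that a rule may map to many themes and many controls, and say that residual risk is computed from inherent risk and control strength, but they give no formula. The following added example (not code from the deck or from any named firm) shows one way the pieces fit together for a single business unit: a many-to-many rule→theme→control mapping, a theme-level residual rating, a roll-up to a unit rating, the list of themes that need a Control Remediation, and a quality-assurance check that flags a theme rated as having controls when the rules mapping attaches no control to it. The 3×3 residual matrix, the "worst theme wins" roll-up and all sample rule identifiers, themes and controls are assumptions constructed for illustration.

```python
"""Illustrative CRA residual-risk roll-up.

Added example; not the deck's methodology. The rating scales come from the
slides, but the residual matrix, the roll-up rule and the sample data below
are ASSUMPTIONS chosen for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed 3x3 lookup: (inherent risk, control strength) -> residual risk.
RESIDUAL_MATRIX: Dict[Tuple[str, str], str] = {
    ("High", "Strong"): "Medium", ("High", "Medium"): "High",     ("High", "Weak"): "High",
    ("Medium", "Strong"): "Low",  ("Medium", "Medium"): "Medium", ("Medium", "Weak"): "High",
    ("Low", "Strong"): "Low",     ("Low", "Medium"): "Low",       ("Low", "Weak"): "Medium",
}
RANK = {"Low": 0, "Medium": 1, "High": 2}  # ordering used by the roll-up


@dataclass(frozen=True)
class Rule:
    rule_id: str
    themes: frozenset    # a rule may sit under more than one theme
    controls: frozenset  # a rule may be mitigated by many controls


@dataclass(frozen=True)
class ThemeAssessment:
    inherent: str  # "High" | "Medium" | "Low"
    control: str   # "Strong" | "Medium" | "Weak"


def residual(inherent: str, control: str) -> str:
    """Residual rating for one theme. Unknown ratings raise KeyError rather
    than silently defaulting, so bad reference data surfaces early."""
    return RESIDUAL_MATRIX[(inherent, control)]


def controls_for_theme(rules: List[Rule], theme: str) -> Set[str]:
    """Controls reachable from a theme via the rule->theme->control mapping."""
    return {c for r in rules if theme in r.themes for c in r.controls}


def assess_unit(assessments: Dict[str, ThemeAssessment]) -> Dict[str, object]:
    """Theme-level residual ratings plus an overall rating for one business
    unit. Roll-up rule (assumed): the unit inherits its worst theme rating."""
    per_theme = {t: residual(a.inherent, a.control) for t, a in assessments.items()}
    overall = max(per_theme.values(), key=RANK.__getitem__)
    return {"themes": per_theme, "overall": overall}


def themes_needing_remediation(assessments: Dict[str, ThemeAssessment]) -> List[str]:
    """Themes rated Weak Controls; the deck says each gets a Control Remediation."""
    return sorted(t for t, a in assessments.items() if a.control == "Weak")


def inconsistent_ratings(rules: List[Rule],
                         assessments: Dict[str, ThemeAssessment]) -> List[str]:
    """QA check: a theme rated Strong or Medium Controls with no control mapped
    to any of its rules is a rating that the rules mapping cannot support."""
    return sorted(t for t, a in assessments.items()
                  if a.control != "Weak" and not controls_for_theme(rules, t))


# Constructed sample data (placeholder rule identifiers, not real regulations).
SAMPLE_RULES = [
    Rule("RULE-001", frozenset({"Market Abuse"}), frozenset({"Surveillance", "Training"})),
    Rule("RULE-002", frozenset({"Market Abuse", "Conflicts of Interest"}), frozenset({"Policies"})),
    Rule("RULE-003", frozenset({"Employee Communications"}), frozenset()),  # no control mapped
    Rule("RULE-004", frozenset({"Cross Border"}), frozenset({"Training"})),
]
SAMPLE_ASSESSMENT = {
    "Market Abuse": ThemeAssessment("High", "Medium"),
    "Conflicts of Interest": ThemeAssessment("Medium", "Strong"),
    "Employee Communications": ThemeAssessment("Low", "Strong"),  # unsupported by mapping
    "Cross Border": ThemeAssessment("Medium", "Weak"),
}

if __name__ == "__main__":
    result = assess_unit(SAMPLE_ASSESSMENT)
    for theme, rating in result["themes"].items():
        print(f"{theme:<24} residual={rating}")
    print("overall:", result["overall"])
    print("remediation required:", themes_needing_remediation(SAMPLE_ASSESSMENT))
    print("QA inconsistencies:", inconsistent_ratings(SAMPLE_RULES, SAMPLE_ASSESSMENT))
```

On the sample data the unit rolls up to High because two themes (Market Abuse, Cross Border) land on High; Cross Border is the only theme that triggers a Control Remediation; and Employee Communications is flagged by the QA check because it is rated Strong Controls while no rule under that theme has any control mapped to it. The roll-up to the worst theme is deliberately conservative; a firm may instead weight themes or average, which is one of the "approaches to calculating residual risk" the Discussion slide asks about.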
Page 11
Components of Compliance Risk Assessment
Defining Risks
Defining the risks relevant to each particular business area is the initial task in building a Compliance Risk Assessment. Different data sources can be used to initiate or validate this exercise. Below are examples of the types of risk that would need to be considered when assessing, for example, a Fixed Income trading area:
Off Market Prices: Trades executed at prices which are outside the bid/ask spread available at the time, or which are inconsistent with trades in the market at that time in the relevant size
Front Running Clients: Trading ahead of (or in parallel with) orders that have been left with the bank to execute, to take advantage of anticipated price movements and either make a profit or avoid a loss
Best Execution: Trades executed at prices that do not meet the criteria established for best execution when compared to available benchmark prices or a rolling average of benchmark prices
Wash Trades: Trades executed with no obvious change in beneficial ownership or for no obvious economic benefit, purely to artificially affect perceived market demand or market liquidity
Spoofing / Layering: Placing artificial orders that are cancelled without being executed, in an attempt to affect the perceived demand or liquidity for an instrument and hence the market price
Abusive Squeeze: Trades executed to manipulate the price of an instrument with the intention of distorting the price at which others have to deliver, take delivery or defer delivery to meet their obligations
Front Running the Market: Trading ahead of a market announcement of price-sensitive information, either in the instrument affected or in an associated derivative, to take advantage of anticipated price movements and either make a profit or avoid a loss
Grey Market Trading: OTC trading of an instrument that is the subject of an IPO before the issue price is launched, which could create a reputational risk of MNPI being used to create a false market
Non Standard Transactions: Trades that have unusual features that could indicate unauthorised or manipulative behaviour, e.g. excessive AV, restructured trades, historic rate rollovers
Page 13
Context of Jurisdictional / Business Assessment
► Organisations with a global footprint / multi-jurisdictional presence should consider whether to adopt a Global or a Regional approach to CRA
► A centralised approach to completion of a Global CRA may pose difficulties: how do you ensure jurisdictional nuances are captured in a standardised approach?
► Regulation specific to each country/jurisdiction covered should be integrated into the CRA, and regional Compliance Officers should be included in the assessment to provide a first-hand, accurate representation of compliance risk in the region
► Firms must decide whether or not to adopt a Global Standard; gold-plating may result in certain jurisdictions being held to a standard higher than that expected by the local regulator, and in a misrepresentative impression of the control environment
► The ultimate Head of Compliance should be given the capacity to override the results of the regional CRA, if required, to ensure a consistent representation of compliance risk and that anomalies/discrepancies are resolved
Page 15
Integration with Other Risk Disciplines / Methodologies
► It is generally considered that the CRA should be integrated with other risk assessment processes where possible, though this has not gained significant traction:
  ► Alignment of results from assessments internally within Compliance (e.g. AML)
  ► Linkage with other assessments conducted by the organisation (e.g. Operational Risk Assessment)
► Integration makes it possible to create a holistic view of conduct across the firm, at an organisational level and across functions and the business, driven by reliable MI and providing a real-time view and “temperature check”
► Core principles for risk assessment applied throughout an organisation should provide the foundation for effective risk management:
  ► Consistency of risk definition and appetite
  ► Usage of common standards and practices
  ► Defined roles and responsibilities, with appropriate and targeted resourcing
  ► Stable and supportive risk infrastructure which is transparent for the board and governance committees, supporting accountable executive management
  ► Provision of objective assurance, potentially via an Internal Audit function
► The CRA must not remain internal to Compliance; the findings must be shared with the business to help them understand and manage their overall risks. Clear articulation of the risks in a manner usable by all members of the firm is an essential output of the process
Page 17
Benefits of Compliance Risk Assessment
► A robust and comprehensive CRA provides Compliance Leadership with transparency over risks across the business and a view of the effectiveness of the control environment
► A defined methodology and quantitative/qualitative analysis sits behind the output, moving away from the Compliance Officer’s “gut feeling” as to where the risks lie
► Allows senior management to measure relative risks across different disciplines and businesses
► The Compliance Risk Assessment is generally used to feed the Compliance programme of work and determines the focus and intensity of monitoring and testing activity. Visibility over Compliance risks arising from business activities enables targeted testing and increases efficiency
► Increased rigour, and hence credibility, in Compliance reporting to Senior Management / Board and Business / Desk Heads
► Increased confidence when reporting to regulators and in discharging the CF10/11 functions
► Provides weight to requests for increased funding to remediate control deficiencies identified, e.g. surveillance model enhancements, additional resourcing/headcount
► Forward-looking and dynamic: changes as risks mature or as controls are developed
Page 19
Development and the Future of Compliance Risk Assessment
► Increased automation of CRA processes, e.g. rules mapping update functionality
► The forthcoming PRA Senior Managers and Certification Regime¹ will require individuals designated as Senior Managers to attest that they have taken “reasonable steps” to ensure that the business of the firm for which they are responsible is controlled effectively:
  ► “Reasonable steps” will involve a determination as to the data sets that could be relied upon to demonstrate effective control
  ► A robust CRA is a tool that Senior Managers could rely upon to demonstrate effective control
  ► Will enhancements to the CRA be required for Senior Managers to be comfortable relying on its output, especially given their personal accountability?
► A key objective of the FCA is effective conduct risk management. First-line management of conduct risk should be challenged and tested by the second line:
  ► Conduct Risk Assessment, incidents and metrics should drive the Compliance Risk Assessment and the firm testing plan
  ► The Compliance Risk Assessment should be dynamic enough to change in response to lessons-learnt programmes or to internal Conduct Risk events / incidents as they happen
¹ CP 13/14 Strengthening accountability in banking: a new regulatory framework for individuals.
Page 21
CRA – Case Study
Rules & Controls Mapping
[Diagram: BANK A business hierarchy. Corporate IB → CIB (IBD, Markets, Research); Wealth; Retail (Mortgages, Cards, Accounts)]
Heat map for the Markets business units (IR = Inherent Risk, C = Controls, RR = Residual Risk; H/M/L = High/Medium/Low; SC/MC/CG are the control ratings as printed on the slide):

Business Unit | Theme 1 IR | Theme 1 C | Theme 2 IR | Theme 2 C | Theme 3 IR | Theme 3 C | Overall RR
FX            | H          | MC        | H          | CG        | M          | MC        | M
Commod        | M          | SC        | L          | MC        | H          | MC        | L
Equities      | H          | CG        | M          | MC        | M          | MC        | M
Derivatives   | L          | SC        | M          | SC        | H          | CG        | M
Research      | M          | MC        | L          | SC        | M          | CG        | H

[Timeline of the CRA build-out, as reconstructed from the slide]
2012 – Procedures, Training, Policy. Themes: Financial Crime; Banking Activities; Market Abuse; Sales Practices; Conflicts of Interest; Employee Communications; Information Barriers; Regulatory Reporting; Cross Border
2013 – Targeted Reference Data; Dedicated Technology Platform. Themes expanded to: Financial Crime; Banking Activities; Market Abuse; Sales Practices; Suitability & Appropriateness; Conflicts of Interest; Employee Activities; Employee Communications; Information Barriers; Regulatory Reporting; Books & Records; Operational Processes; Cross Border; Data Protection; Marketing & Research; Governance & Supervision
2014 – Reporting Capability
Page 23
Discussion
► Is full integration of the CRA with other risk assessment methodologies across the business optimal?
► How can firms build in their Conduct Risk Assessment, and its associated outputs, effectively?
► What is the senior management appetite for enhancement of the CRA processes? Has there been specific regulatory scrutiny of your organisation?
► Have firms considered the CRA in relation to their developing Conduct Risk Assessment process?
► Is a Global or a Regional approach to risk assessment preferable? How do you ensure jurisdictional nuance is captured in a standardised approach?
► How readily available is the required data in your organisation? What issues have been encountered?
► What are the different approaches taken to calculating residual risk?
► How do you ensure the inputs to the CRA remain accurate? e.g. the rules mapping feeding the risk categories
► How widely used and how valuable are the technological solutions offered by external providers? e.g. MetricStream, Thomson Reuters Regulatory Rule Mapping (RRM) tool