The knowledge platform for the financial technology industry

A-Team Insight Blogs

It’s Time to Embrace Risk Profiling for Regulatory Compliance

By Richard Pike, Managing Director, KYR Solutions, MyComplianceOffice.

Regulations, frameworks, policies and controls define the day-to-day of Chief Compliance Officers (CCOs) and their teams in what can best be described as a world of monitoring spaghetti. At the same time, the teams also need to ensure they are keeping senior executives and the front office engaged and compliant. So how can the CCO set regulatory priorities, identify policy and procedure gaps and interrogate compliance obligations?

The answer lies in a clear approach to a pragmatic Know Your Risk (KYR) strategy. While best practice is still emerging in this area, firms of various types and sizes are making progress, and a three-stage approach is emerging.

The first stage is all about deconstructing your compliance obligations and the best way to solve this complex problem is to make it visual. Humans are visual beings and by mapping obligations to set out and understand the linkages and relationships, we get a much clearer library of the ‘business as usual’ obligation. By visualising the regulatory spaghetti, we are also helping to identify patterns of data and logic.

Of course, not all compliance risks are created equal and compliance risk exposure changes over time, so the once typical annual compliance review isn’t always enough to keep on top of a rapidly evolving regulatory risk landscape. By mapping the current state of compliance obligations we are putting in place building blocks to understanding the policies and procedures in place to uphold them. This will then enable us to find the gaps in compliance programmes so appropriate action can be taken to mitigate risk. It also means we can map changing commitments as they happen.

As for the data mapping of the compliance risks, any firm already collects vast amounts of data, but the question is whether it is the right data, collected at the right time and from the right source. It’s not as big a lift as it first seems – the key is being smart with what data you capture, using data you already have and understanding the interconnectedness of those datasets. This significantly simplifies the scope.

Stage two is all about bringing simplicity and clarity to monitoring spaghetti…and being a little bit ruthless about what we can cut loose. Essentially, at this stage, we need to answer the question: What do we actually need to monitor?

For each mapped obligation there will be a well-defined set of metrics and/or assessment points that are required for oversight. As those data points are recorded the process should also require the attachment of evidence data lineage so that overseers can easily track back to the source. The ability to see demarcation zones between first- and second-line activities is also important – we want to be clear about expectations for each line of defence. In an ‘Oversight Map’ each item can have a clear statement of responsibility to ensure that both 1st and 2nd lines clearly understand what their roles are in the process.

Importantly, simplification and clarity will win the hearts and minds of your senior stakeholders, who are all too often suffering from dashboard and report blindness because the previous norm has been for them to spend hours in front of them. More metrics doesn’t equal better compliance. What is needed is the right metrics, at the right time, to the right people. This means risk-based decisions are being taken on the right data points and we don’t have to worry about data gaps.

The third and final step is to evidence that compliance. This is a critical step because, as far as the authorities are concerned, without supporting evidence, it’s like it didn’t happen.

CCOs are under ever-increasing pressure from both the regulators and internal stakeholders, and this has often led to evidencing of compliance turning into a beast of burden with a big overhead. However, by focussing on the tenets of simplicity and clarity in the first two steps you are already ahead of the game.

If we take the stance that evidence is everything in compliance then, again, we simplify what’s in and what’s out. Too often, keeping track of data proof points has been a poor cousin to other parts of the compliance process. And technology is your best friend when it comes to making this happen – with clarity from deconstructing our obligations and knowing how we are performing against what matters, it becomes easier to evidence that compliance.

Having technology underpin the recordkeeping part of the compliance function means it can also be easily interrogated on a regular basis to ensure that everything is being monitored correctly and that the data points you are expecting to have are all in place, making it easier to identify data gaps or errors as early as possible.

By adopting this three-step approach and creating the right processes supported by the right compliance technology, CCOs won’t have to waste time hunting and gathering information and can pivot to doing the high-level advisory work that adds real value to their firm while developing that all-important clear and holistic view of compliance risk.
