By Richard Pike, Managing Director, KYR Solutions, MyComplianceOffice.
Regulations, frameworks, policies and controls define the day-to-day of Chief Compliance Officers (CCOs) and their teams in what can best be described as a world of monitoring spaghetti. At the same time, the teams also need to ensure they are keeping senior executives and the front office engaged and compliant. So how can the CCO set regulatory priorities, identify policy and procedure gaps and interrogate compliance obligations?
The answer lies in a clear approach to a pragmatic Know Your Risk (KYR) strategy. While best practice is still emerging in this area, firms of various types and sizes are making progress, and a three-stage approach is emerging.
The first stage is all about deconstructing your compliance obligations, and the best way to solve this complex problem is to make it visual. Humans are visual beings, and by mapping obligations to set out and understand their linkages and relationships, we get a much clearer library of the ‘business as usual’ obligations. By visualising the regulatory spaghetti, we are also helping to identify patterns of data and logic.
Of course, not all compliance risks are created equal, and compliance risk exposure changes over time, so the once-typical annual compliance review isn’t always enough to keep on top of a rapidly evolving regulatory risk landscape. By mapping the current state of compliance obligations we are putting in place the building blocks for understanding the policies and procedures in place to uphold them. This then enables us to find the gaps in compliance programmes so appropriate action can be taken to mitigate risk. It also means we can map changing commitments as they happen.
As for the data mapping of compliance risks, any firm already collects vast amounts of data, but the question is whether it is the right data, collected at the right time and from the right source. It’s not as big a lift as it first seems: the key is being smart about what data you capture, using data you already have and understanding the interconnectedness of those datasets. This significantly simplifies the scope.
Stage two is all about bringing simplicity and clarity to the monitoring spaghetti, and being a little bit ruthless about what we can cut loose. Essentially, at this stage we need to answer the question: what do we actually need to monitor?
For each mapped obligation there will be a well-defined set of metrics and/or assessment points that are required for oversight. As those data points are recorded, the process should also require the attachment of evidence and its data lineage so that overseers can easily track back to the source. The ability to see demarcation zones between first- and second-line activities is also important: we want to be clear about expectations for each line of defence. In an ‘Oversight Map’ each item can carry a clear statement of responsibility to ensure that both the first and second lines understand what their roles are in the process.
Importantly, simplification and clarity will win the hearts and minds of your senior stakeholders, who all too often suffer from dashboard and report blindness because the previous norm has been for them to spend hours in front of them. More metrics doesn’t equal better compliance; what matters is the right metrics, at the right time, to the right people. This means risk-based decisions are being taken on the right data points and we don’t have to worry about data gaps.
The third and final step is to evidence that compliance. This is a critical step because, as far as the authorities are concerned, without supporting evidence it’s as if it didn’t happen.
CCOs are under ever-increasing pressure from both regulators and internal stakeholders, and this has often led to the evidencing of compliance turning into a beast of burden with a big overhead. However, by focussing on the tenets of simplicity and clarity in the first two steps, you are already ahead of the game.
If we take the stance that evidence is everything in compliance then, again, we simplify what’s in and what’s out. Too often, keeping track of data proof points has been a poor cousin to other parts of the compliance process. Technology is your best friend when it comes to making this happen: with the clarity that comes from deconstructing our obligations and knowing how we are performing against what matters, it becomes easier to evidence that compliance.
Having technology underpin the recordkeeping part of the compliance function means it can also be interrogated easily and regularly to ensure everything is being monitored correctly and that the data points you expect to have are all in place, which makes it easier to identify data gaps or errors as early as possible.
By adopting this three-step approach and creating the right processes, supported by the right compliance technology, CCOs won’t have to waste time hunting and gathering information and can pivot to the high-level advisory work that adds real value to their firm, while developing that all-important clear and holistic view of compliance risk.