Operational risk and compliance: New paradigms for synergy

May 2019

Reflecting on an optimal framework

Many financial institutions, consistent with regulatory expectations, organize their risk management framework into a model with three lines of defense (LOD):

1. The business line, which generates, owns, and controls the risk
2. The support functions, which provide risk oversight to the first line, and include the risk disciplines of operational risk and compliance, among others
3. Internal audit, whose remit is derived from the board to process-audit the first and second lines of defense

The global financial crisis generated years of significant spend on the remediation of identified regulatory (and, at times, internal audit and risk management) issues. In response to addressing these issues and executing their oversight responsibilities, operational risk and compliance may have created multiple functions and activities, and in certain cases, generated duplicative requests for the first line of defense.

With the global financial crisis behind us, institutions now have an opportunity to reflect on what an optimal operating risk management model may look like—and where synergies may be garnered from the existing capabilities of operational risk and compliance. For the purposes of this paper, we will discuss the first and second lines of defense. Further, we will explore the activities performed by each risk discipline and the capabilities where synergies may exist.

Operational risk and compliance functions have a shared mandate to provide oversight to the first line and challenge the execution of their practices. But depending on how the functions are organized, this may create some challenges that result in inefficient processes. For example, operational risk and compliance may request that the first line perform the same or similar activities (e.g., risk identification, risk assessment, controls testing, issue identification, and issues reporting). So today, some institutions are exploring ways to optimize the execution of their risk management activities at both the first and second lines of defense.

Figure 1 illustrates different regulatory definitions of operational risk and compliance risk and the implication of each.

Why do potential synergies between operational and compliance risk disciplines exist? For a simple and obvious reason: if there is a breakdown in process, a compliance breach may occur, and vice versa.

Figure 1. Operational risk and compliance definitions

Operational risk and compliance risk regulatory definitions

The Basel Committee on Banking Supervision (BCBS)

• Operational risk (1): Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.

• Compliance risk (2): The risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer. Usually, this is the result of failure to comply with laws, regulations, related self-regulatory organization standards, and codes of conduct applicable to banking activities.

Federal US regulators

• Operational risk (3): The failure to establish a system of internal controls and an independent assurance function—one that tests the effectiveness of internal controls and exposes the bank to the risk of significant fraud, defalcation, and other operational losses.

• Compliance risk (4): The risk of legal or regulatory sanctions, financial loss, or damage to reputation resulting from failure to comply with laws, rules, regulations, other regulatory requirements, or codes of conduct and other standards of self-regulatory organizations applicable to the banking organization (applicable rules and standards).

• Important to note: Tension can exist between the definitions of BCBS and the federal US regulators, as BCBS takes a measurement approach to risk. This includes compliance as a sub-risk category, while in the United States, regulators define compliance as its own discrete risk discipline.

• However, there is consensus among these regulators on the importance of maintaining the integrity of each risk discipline and recognizing the need for separate operational risk and compliance functions.

(1) BCBS: Principles for the Sound Management of Operational Risk (June 2011).
(2) BCBS: Implementation of the compliance principles—A survey (August 2008).
(3) OCC Comptroller’s Handbook: Corporate and Risk Governance (version 1.0, July 2016).
(4) US Federal Reserve: SR 08-8/CA 08-11 (October 2008).

Drivers for change

Many institutions are reevaluating their risk management operating models across lines of defense. Now they are looking to transform their risk management processes to address specific challenges as outlined in figure 2.

Figure 2. Drivers for change

Process/cost inefficiency: Challenges, post–global financial crisis, arising from inefficiencies due to siloed risk management practices of the same or similar activities across various risk and compliance functions and business lines. These may be the result of a historic tactical response vs. strategic response to regulatory remediation and associated increases to headcount.

Outdated technology: Segmented data sources, along with a historic underinvestment of disparate legacy systems, sometimes impede the capture, measurement, and reporting of data.

Inability to assess/quantify risk: Challenges in providing management and the board with data that transforms into information. Data that is concise, on-point, timely, and comprehensive for them to be advised and make informed decisions.

Drivers for change

Stakeholder expectations (management, board, and regulators): The need for more effective and efficient communications and reporting to stakeholders of an integrated view of risk.

Need for clarity and transparency: The need for second LOD risk and compliance functions to break down silos that often appear to overlap in roles and responsibilities.

Cost reduction: Increasing pressure on first and second LOD to find new ways to reduce costs, increase efficiencies, and still control risk.

Data and technology opportunities: High potential for automation and emerging technologies (such as artificial intelligence, the use of bots, etc.) to help improve risk effectiveness.

Opportunities for synergies

In transforming risk management operating models, many institutions are beginning to identify potential synergies across their risk management efforts. These synergies can bring greater transparency and higher-value intelligence to management and the board. Synergies can also provide greater transparency of issues and , and their potential impacts. Figure 3 illustrates a selection of discrete capabilities of operational risk and compliance, as well as opportunities for potential synergies between these risk disciplines.

Figure 3. Operational risk and compliance capabilities

Operational risk
• Operational risk appetite/metrics
• Risk measurement (e.g., scenario analysis, stress testing, and calculation of )
• Operational risk monitoring
• Operational risk domain activities (e.g., third party, business resilience)
• Effective challenge and oversight

Potential synergies
• Governance and interaction model
• Framework and methodologies
• Taxonomies
• Challenge and oversight process
• Evaluation of controls
• Tools and technology
• Reporting (e.g., data collection, content analysis, and aggregation)
• Issue management
• Training program content

Compliance
• Compliance risk appetite/metrics
• Obligations library and regulatory change management
• Regulatory interaction and coordination
• Code of conduct
• Compliance monitoring (e.g., complaints, whistleblowing, and allegations)
• Compliance risk domain activities (e.g., anti–money laundering, privacy)
• Effective challenge and oversight
• New business initiative process

To realize the opportunities of synergies, a common and consistent taxonomy is foundational for effective risk management. A definition of terms is considered a leading practice to advance the consistent interpretation, measurement, execution, and reporting of issues and risks within the two risk disciplines. There are five critical data elements where a common and consistently applied taxonomy is crucial: risks, controls, processes, policies, and obligations. Synergies become most evident when performing a risk assessment, regardless of whether it is a self-assessment at the first LOD or a compliance assessment performed by the second LOD. The ability to map processes from obligations to policies, and then to risks and controls, can assist in the identification, reporting, and escalation of issues. Figure 4 highlights specific opportunities for synergies.

Figure 4. Key opportunities for synergies

Governance: The rationalization of governance committees and risk management frameworks that support the organization model across the first and second LOD.

Evaluation of controls: A shared services unit for conducting second LOD testing that promotes single testing of controls and effective challenges for both operational risk and compliance.

Issue management: Holistic issue management that enables effective identification and aggregation of systemic issues, along with the prioritization and coordination among functions to achieve single issue remediation that is sustainable.

Reporting: Comprehensive reporting that aggregates operational risk and compliance metrics and issues to produce, where possible, an integrated risk report.

Governance: There may be opportunity to rationalize governance committees to allow risks and issues pertaining to operational risk and compliance to be addressed by the same committee. Such committee consolidation could lead to greater collaboration between the first and second LOD on policy interpretation and execution, issue management, reporting, and so forth.

Evaluation of controls: A common taxonomy enables effective evaluation and measurement of controls associated with key risks and obligations. Potentially, a shared services unit for conducting second-line testing could be established to promote single testing for both disciplines, including validation and oversight of the first-line testing results.

Issue management: Issues identified in isolation across operational risk and compliance may create inefficiencies regarding issue management and remediation, specific to solving for the same or like issues twice. A centralized system of identification, analysis, reporting, and tracking of issues may promote the successful systemic identification and prioritization of issues.

Reporting: This process can be more comprehensive when collaborative analysis by operational risk and compliance creates common risk and performance indicators and metrics to produce shared and insightful reports. Centralized reporting across operational risk and compliance can bring about a reduction of overlaps.

Options for realizing synergies

Baseline maturity and sustainable processes for both operational risk and compliance functions are needed before real efficiencies and synergies can be considered. A defined vision—one shaped by tone from the top—is a critical factor for a successful transformation. Also crucial to transformation are identified, effective agents of change with requisite skill sets.

As financial institutions explore different ways to realize synergies and touchpoints between operational risk and compliance, some examples of organizational construct include:

1. Coordination between operational risk and compliance. Streamline processes for risk management requests of the first LOD while having the two risk disciplines remain independent functions.
– Potential advantages: Minimal disruption to people, process, and technology to reduce redundancies and costs and maintain desired independence and authority of respective risk discipline, which enables them to continue to meet regulatory requirements and expectations.
– Potential disadvantages: Different approaches and perspectives to managing risk, which can cause inherent conflict between the two functions. For example, operational risk often anchors risk management activities to a process, whereas compliance manages risk to an obligation. Further, compliance must manage regulatory requirements and expectations for legal obligations (e.g., laws and regulations), which does come under an operational risk mandate. Requisite knowledge and understanding of such is generally not resident in an operational risk function.

2. Centers of Excellence (CoE). Some institutions are considering, or have already established, a shared service model across operational risk and compliance using CoEs for same or similar risk management activities. This includes controls testing, issue management, reporting, etc. The CoE may have a dual reporting line to both operational risk and compliance senior officers with a single interface to the first line. In addition, some institutions are opting for a managed services model where they outsource selected risk management processes.
– Potential advantages: Reduction in overall effort and cost of activities, greater consistency in results and applied methodologies, and streamlined coordination with the first line and alignment to the enterprise risk strategy and vision.
– Potential disadvantages: Regulatory constraints and possible dilution of subject matter expertise specific to each respective risk discipline.

3. Singular ownership for operational risk and compliance. Some institutions have considered merging the two risk disciplines under one organization to take advantage of the synergies between exposures.
– Potential advantages: Strategic alignment of visions and objectives with limited or no conflicting requirements and processes, and reduced burden and touchpoints with the first line.
– Potential disadvantages: May not result in the optimal long-term operating model objective of supporting cost reduction associated with risk management. Also, there is potential to create confusion between operational risk and compliance roles and responsibilities with the first line unless communicated properly.

Conclusion

With the global financial crisis in the past, financial institutions can now revisit their organizational construct and required capabilities across the first and second LOD. In doing so, these organizations can optimize risk management processes and create efficiencies. The transformation of the risk management operating model and culture may be warranted based on potential synergies. But it is also important to retain the integrity of each respective risk discipline, consistent with regulatory definitions. For success in this transformation, it is critical to establish a clear, well-articulated, and communicated vision combined with an appropriate tone from the top.

Contact us:

Monica O’Reilly, Principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 415 783 5780
Vikram Bhat, Principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 973 602 4270
Alok Sinha, Principal, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 415 783 5203

Peter Reynolds, Managing Director, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 212 313 1660
Edward Appert, Managing Director, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 212 436 7511
Yana Parfenyuk, Senior Manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 201 685 5283

Joanna Connor, Senior Manager, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 215 982 6535
Arun Chandra Akalamkam, Manager, Deloitte Risk and Financial Advisory, Deloitte & Touche AERS India Pvt Ltd., +1 404 487 7449
Param Gupta, Senior Consultant, Deloitte Risk and Financial Advisory, Deloitte & Touche LLP, +1 212 436 3283

As used in this document, “Deloitte” means Deloitte Tax LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

This publication contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright © 2019 Deloitte Development LLC. All rights reserved.