Risk Identification and Assessment Processes: A New Era of Compliance
In today’s increasingly complex regulatory landscape, financial institutions must prioritize risk-identification and assessment processes to ensure compliance with ever-changing laws and regulations. The traditional approach of testing individual controls has given way to a more efficient and effective method of monitoring key risk indicators (KRIs) for residual risk.
A New Best-Practice Model
Exhibit 3 outlines the emerging best-practice model for regulatory risk management, which focuses on delivering disclosure letters to customers at the time of application. This process is controlled by seven key controls that ensure accuracy and timeliness of Good-Faith-Estimate (GFE) disclosures.
Quantitative KRIs: A Game-Changer
The traditional compliance approach involves ongoing testing of individual controls. However, monitoring KRIs for residual risk provides a more efficient and effective way to identify potential issues. Two key metrics can be measured directly through testing:
- The percentage of initial GFEs not issued timely
- The percentage of initial GFEs not accurate
Integration and Governance
To effectively address integration challenges, financial institutions must define clear roles and responsibilities between risk and control functions. This includes developing integrated training programs, establishing clear governance processes, and involving senior compliance stakeholders in determining action plans.
Measuring Progress: Outcomes That Matter
A multifaceted transformation of the compliance function is required to achieve successful integration. A ten-point scorecard can be used to measure progress, including:
- Demonstrating a focus on compliance
- Integrating market risks with operational risk
- Establishing a risk-based compliance-risk-assessment program
Archetypes of Compliance Organizations
The organization chart (Exhibit 4) outlines three common archetypes for compliance organizations: legal-led, risk-led, and stand-alone. Each archetype has its own strengths and weaknesses, and financial institutions must carefully consider which structure best aligns with their organizational goals.
Conclusion
As the regulatory environment continues to evolve, it is essential for financial institutions to prioritize risk-identification and assessment processes. By implementing targeted changes to their operating model and processes, compliance functions can deliver better oversight while increasing efficiency. Those that successfully make this shift will enjoy a distinctive source of competitive advantage in the foreseeable future.
Authors
- Piotr Kaminski, Director, McKinsey’s New York office
- Kate Robu, Associate Principal, McKinsey’s Chicago office
Copyright
Copyright © 2016 McKinsey & Company. All rights reserved.