Integrating Compliance into Risk Management: A Path to Operational Excellence
Introduction
In today’s increasingly complex regulatory environment, banks face significant challenges in managing operational risks while ensuring compliance with ever-changing laws and regulations. Effective integration of compliance into risk management governance, regulatory affairs, and issue-management processes is crucial for reducing operational risks, lessening the burden on business and control functions, and facilitating a risk-based allocation of enterprise resources.
Practical Actions for Integration
To achieve this integration, banks can take the following practical actions:
Develop a Single Integrated Inventory of Operational and Compliance Risks
- Create a comprehensive inventory of operational and compliance risks to ensure a unified understanding of potential threats.
- This will enable informed decision-making and resource allocation across business lines.
Standardize Risk, Process, Product, and Control Taxonomies
- Establish common, centrally maintained taxonomies for risks, processes, products, and controls so that every function describes the same exposure in the same terms.
- Shared taxonomies make it possible to aggregate and compare risks across business lines, prioritize the key ones, and map each control back to the regulatory requirement it addresses.
Coordinate Risk Assessment, Remediation, and Reporting Methodologies and Calendars
- Align risk assessment, remediation, and reporting processes to ensure a cohesive approach to managing operational risks.
- Establish clear timelines for completion of risk assessments and implementation of remediation plans.
Define Clear Roles and Responsibilities between Risk and Control Functions at the Individual Risk Level
- Clarify roles and responsibilities within risk management teams to avoid confusion and overlap.
- Ensure that each risk is owned by a specific individual or team, promoting accountability and swift action.
Develop and Jointly Manage Integrated Training and Communication Programs
- Create integrated training programs, jointly managed by the risk and compliance functions, for business and control-function staff, so that the same risk and control expectations are taught once rather than separately by each function.
- Regular communication across functions facilitates collaboration and consistent decision-making.
Establish Clear Governance Processes and Structures with Mandates that Span Across Risk and Support Functions
- Develop governance structures that transcend functional boundaries, enabling informed decision-making and resource allocation.
- Clearly define roles and responsibilities within these structures to ensure accountability.
Consistently Involve Senior Compliance Stakeholders in Determining Action Plans, Target End Dates, and Prioritization of Issues and Matters Requiring Attention
- Engage senior compliance stakeholders in the risk management process to ensure alignment with organizational goals.
- Collaborate on prioritizing issues and developing action plans that address key risks.
Establish a Formal Link and Coordination Process with Government Affairs
- Develop a formal relationship with government affairs to facilitate effective communication and coordination.
- Ensure that regulatory updates are promptly communicated and addressed within the organization.
Organizational Structure Considerations
Banks may also consider changes to their organizational structure, including:
Archetype A: Compliance Reporting to Legal
- Compliance reports directly to the legal department, aligning compliance closely with legal interpretation of regulatory requirements.
- This structure suits organizations where compliance risk is treated primarily as a legal and regulatory matter.
Archetype B: Migration of Compliance to Risk Organization
- Compliance is integrated into the risk organization, enabling a unified approach to risk management.
- This structure is ideal for organizations that prioritize operational risk management.
Archetype C: Elevating Compliance to a Stand-Alone Function
- Compliance operates as a standalone function, reporting directly to the CEO or Board of Directors.
- This structure gives compliance an independent mandate and direct access to senior leadership, strengthening its ability to challenge the business and to own regulatory affairs.
Measuring Progress
To ensure successful integration, banks can use a ten-point scorecard to measure progress:
- Demonstrated Focus on the Role of Compliance: The organization recognizes the importance of compliance in its overall strategy.
- Integrated View of Market Risks with Operational Risk: The organization has a unified understanding of market and operational risks.
- Clear Tone from the Top and Strong Risk Culture: Senior leaders emphasize the importance of risk management and compliance.
- Risk Ownership and Independent Challenge by Compliance: Risks are owned by the business and control functions responsible for them, while compliance provides independent challenge of how those risks are assessed and managed.
- Compliance Operating Model with Shared Horizontal Coverage of Key Issues: The compliance operating model covers key cross-cutting issues consistently across business lines rather than addressing them separately within each line.
- Comprehensive Inventory of All Laws, Rules, and Regulations: The organization maintains an up-to-date inventory of laws, rules, and regulations.
- Use of Quantitative Metrics and Specific Qualitative Risk Markers to Measure Compliance Risk: The organization uses data-driven metrics to measure compliance risk.
- Compliance Management-Information Systems Providing an Integrated View of Risks: The organization's compliance management information systems present an integrated view of risks across business lines and functions rather than a collection of function-specific reports.
- Evidence of the First Line of Defense Taking Action and Owning Compliance and Control Issues: Frontline teams are empowered to take ownership of compliance and control issues.
- Adequate Talent and Capabilities to Tackle Key Risk Areas: The organization has sufficient talent and capabilities to address key risk areas.
By implementing these changes and regularly measuring progress against the scorecard, banks can maximize the impact of their transformation and ensure that compliance plays an essential role in managing operational risk.