Within the financial services industry, one of the conventional wisdoms since the global financial crisis goes like this: Regulators imposed new regulations that forced financial institutions to introduce policies, controls and other risk-management-related activities to minimise risk and be compliant. Having lived through a few of these major exercises ourselves, we know first-hand how dominant this topic has been in the past. Financial institutions instantly responded to every new regulatory requirement or major industry incident by layering on yet more controls, policies, governance and other rules – without considering the impact across the business or what was already in place.
Internal controls became the critical component of risk and regulatory projects and a major investment in themselves. Budgets were allocated generously and transferred from strategy- and business-related projects.
These days, the same institutions are going through tough cost-cutting exercises touching all aspects of the bank and its business, with risk and compliance no longer exempt. Improving the efficiency and effectiveness of controls without increasing the risk profile is now one of the greatest challenges and opportunities a financial institution has to face. The key to success is to respond to escalating regulatory demands wisely by optimising the necessary controls while reducing or at least containing costs.
The first hurdle to overcome when addressing this topic is a reticence when it comes to reducing or re-engineering control activities. Despite the high pressure to reduce the cost of controls, the cost of non-compliance is still prohibitively high in many cases. A key success factor to any control streamlining exercise is to demonstrate that you’re able to do so safely and within your risk appetite. We recommend opening the narrow focus of a division or risk taxonomy and concentrating on a broader front-to-back view of controls. The goal is to establish an efficient separation of duties, determine and invest internal control resources in top priority issues, and increase reliance on automated and system-supported controls.
We encourage everyone to dive deep into the topic right now, starting by asking…
Some key questions related to controls:
- Does your control landscape reflect your current risk appetite?
- How can the effectiveness and efficiency of controls be measured and made transparent?
- Have you struck the right balance between preventive, detective and reactive controls?
- Are there too many control layers?
- Are controls performed by the right resources, functions and locations?
- What controls-related activities can be automated or outsourced?
The drivers for a control review vary, but typically include improving client experience by shortening lead and lag times, and streamlining the effort that goes into controls-related activities in all parts of the organisation while remaining within risk appetite. The key is to determine the right balance between the cost of controls and the cost of being non-compliant − or in other words the cost of execution, monitoring and testing, and the frequency of events and their financial impact. The following four-step approach will give you some guidance once you’re ready to start improving your controls efficiency and effectiveness:
Objectively analyse and score the current state
The first step is to identify the controls that are currently in place and understand how they map to the underlying front-to-back process selected for review. This is not always easy, as many institutions organise their controls by other dimensions such as risk taxonomy or regulatory requirement. The controls identified are then assessed and scored based on their importance, efficiency and effectiveness. On the basis of this analysis you can identify the opportunities for improvement and state the case for change.
Design the future state and work out opportunities for improvement
One key aspect has to be considered before starting with the design: As soon as the various opportunities have been identified, the respective stakeholders should be involved to recognise the opportunities as such. Only once you have a common understanding of the opportunities does it make sense to start designing the future state and analysing the cost/benefit relation by including the current baseline and the expected benefits case. As a result, every opportunity gets its own ‘mini initiative business case’, to be considered when follow up decisions are made the opportunities are finally prioritised.
Define the necessary measures and activities
When preparing descriptions of the initiatives, you need to clearly define ownership and responsibilities right at the beginning. As every control streamlining initiative is a little project in itself, the underlying goals and KPIs for measuring the initiative’s success have to be confirmed by its owner. After this step, the activities and the corresponding timeline, as well as any change-management-related activities and communication, can be planned, and the immediate next steps initiated.
Implement the changes
Implementation should follow a roadmap that considers the prioritisation of activities and divides delivery into the short and medium term. Typically, a tight timeline will be chosen to ensure that any improvements in control efficiency and effectiveness are rapidly visible. Obviously you have to differentiate between mandatory changes or quick wins and more complex, long term improvements that contain technical adjustments or the automation of manual procedures.
Last but not least, there must be enough time to lead the people involved through the improvement- related transformation phase and ensure that they start acting according to the new standards and procedures.
In this kind of exercise it’s important to make sure that interests are aligned across divisions, the people affected are involved early on, and that everything is communicated properly. This way you’ll be able to generate demand, be in a position to replicate the approach, and establish a systematic and continuous process of improving controls efficiency and effectiveness.
Dr. Milena Danielsen
+41 58 792 44 47