For regulators and senior managers alike, control monitoring and testing within operational and non-financial risk is becoming deeply personal.
The Basel Committee on Banking Supervision’s (BCBS’s) latest consultation, Review of the Principles for the Sound Management of Operational Risk, speaks specifically about the importance of control monitoring and testing for financial services firms. It also explores senior managers’ responsibilities for fostering the right risk culture and ensuring robust transparency and reporting around operational and non-financial risk metrics. National regulators, such as the UK’s FCA, are also focusing more on individual accountability among senior managers.
The BCBS paper’s take on controls monitoring and testing, when coupled with new senior manager accountability regimes, can create significant risks for executives who lack quality and timely controls monitoring and testing information. In the UK, for instance, the FCA’s intention through its Senior Managers and Certification Regime (SMCR) is to foster cultural change within firms, as well as facilitate individual regulatory enforcement actions. For example, key senior management roles are assigned to individuals, and these have formal responsibilities and attestations attached to them. Actions can be delegated, but accountability remains with the senior manager. The FCA could decide that a senior manager—who did not take what the regulator believes are reasonable steps to meet the requirements around controls monitoring and testing—falls foul of SMCR and should be individually sanctioned.
As the pressure rises, senior managers are growing increasingly concerned that they lack quality and timely controls monitoring and testing information in order to make decisions. The result is that they find it difficult to analyse the effectiveness of controls. Many of these data quality issues are the result of manual processes, the lack of a data governance framework for operational risk information and an inability to benchmark their own controls against peers.
As a result, they find themselves trying to drive down a road with one headlight broken and the other caked with mud, while attempting to meet the requirements from regulators.
This final blog in our latest operational risk and resilience series explores how improved data quality, robust data governance, and enhanced industry collaboration could support senior executives.
The BCBS Sound Practices paper highlights a dual challenge
Overall, the paper makes clear that senior managers are responsible for implementing and maintaining the operational risk programme, as well as shaping its governance structure. More specifically, the regulators are asking for “a structured approach to the evaluation, review and ongoing monitoring and testing of key controls. The analysis of controls ensures these are suitably designed for the identified risks and operating effectively. The analysis should also consider the sufficiency of control coverage, including adequate prevention, detection and response strategies.”
These revised requirements highlight a twin challenge: how are senior managers meant to determine that they have best practice controls in place, and that they are functioning properly?
Meeting the challenge
There are three key ways in which senior managers can address this:
· Benchmark controls and control performance against your peers – Firms should validate the kinds of controls they have in place and their performance by engaging with an industry-standard taxonomy, and with data best practices around controls benchmarking. For example, this taxonomy of risks and controls could help senior managers understand what is considered to be best practice for placing controls in relationship with risks. Data best practices include housing all of a firm’s risks and controls in one place, making it easier to benchmark control presence and performance against other firms.
· Discuss controls best practices with other operational risk executives – Engage with a network of operational risk professionals from financial services firms that convenes regularly to discuss important issues, such as best practices for control identification, implementation, and testing. By working with such a group, which can bring under the same ‘roof’ decades of combined experience in ensuring optimal control performance, individual firms can deepen their knowledge of controls monitoring and testing considerably.
· Provide evidence of control monitoring and testing to stakeholders – Implement technology that delivers essential information about controls governance. For example, a report should be able to show when controls are added and removed, both for individual firms and for the industry taxonomy as a whole. The technology should also provide alerts when a firm has controls missing from its framework relative to the industry taxonomy. Controls information should be shared with the firm’s GRC system through an API. In addition, intuitive dashboards and automated reporting will improve the timeliness of controls information for all senior managers, the board, and regulators.
By taking a new approach to today’s challenges, it’s now possible to improve the quality and timeliness of controls data and make data governance more robust. For senior managers, this is more of a necessity than ever before.
For more information on how Acin can help, contact us.