Tue, May 28, 2019
In theory, a financial services firm’s compliance program should be an extension of the firm’s larger efforts in mitigating risk and protecting investors. In reality, however, a firm’s risk management function is limited in its resources like any other corporate function, and therefore must pick its battles. More often than not, for obvious reasons, risk management ends up being largely shaped by the compliance requirements set by regulators.
But just as generals fight the last war, regulators tend to focus on preventing problems of the past from reoccurring rather than preemptively mitigating new and future crises. We can see this in the themes that have dominated the global regulatory compliance landscape over the last decade. Risk management at banks has largely been defined by the global banking regulatory reform that occurred in response to the excessive leverage and “shadow banking” exposed by the 2008 financial crisis. Similarly, firms that trade in over-the-counter derivatives have had to implement the transparent trading, clearing, and reporting required by regulations put in place after the crisis. In addition, institutions along the financial services spectrum have spent considerable effort complying with increasingly complex regulations designed to combat longstanding threats from money laundering, terrorist financing, and tax evasion.
However, while regulators and firms have been focused on these concerns for the last decade, new risks have been emerging. Many of these emerging risks tend to fall into one or more of the following four categories:
These emerging risks have not yet caused crises or made headlines; they remain discrete challenges at individual firms. As such, they are still making their way onto the regulatory agenda, which by definition is focused on establishing rules that can apply to the entire industry (or at least a defined subset of it) rather than on creating specific solutions to specific problems. But these issues are very much on the minds of firm risk managers and strategic decision makers.
To be sure, regulators and financial institutions alike are starting to identify and plan around these risks. There are rigorous processes for onboarding new technologies. Due diligence of third parties is becoming more extensive, expanding beyond financial and legal matters to encompass a larger sense of the counterparty’s business practices and business relationships. There is a greater awareness of the role that recruiting, training, and retention play in human capital.
However, most firms will admit that they are far from being out in front on these issues. And this is likely to remain the case so long as firm risk management follows regulatory priorities, and those regulatory priorities are primarily focused on preventing past crises from reoccurring.
In other words, a disconnect has widened in places between the risk agendas of regulators and the actual risks that industry faces. This disconnect is itself a significant risk, increasing the probability that a crisis could emerge from the range of issues currently brewing. Industry should not wait for regulators to solve this problem. Instead, industry needs to become more proactive in setting a risk management agenda that starts with regulatory compliance but then goes beyond it to include the systematic and collective examination of risks in their earliest stages. This will require collaboration between firms and the sharing of data and experience–including vulnerabilities and what has and has not worked in countering them.
For all its limitations, the strategy of letting regulators set industry’s risk agenda can also become somewhat comfortable. Financial services firms need to break out of that paradigm, both to solve the problems in front of them and to strengthen the foundation for the financial system’s long-term stability.