(As published in ABA Banking Journal)
What can compliance and risk management professionals do at this critical juncture to ensure that their institutions are able to weather this latest perfect storm?
Aardvarks and aliens. I don’t remember when I first used that phrase to describe the potential parade of horribles of regulatory or operational risk that were not properly managed—but I do recall that people always smiled. I think they thought that it was an entirely appropriate description because risk can come out of nowhere and is often misunderstood or not anticipated.
One of my most memorable and impactful aardvarks and aliens’ moments was in the months after September 11, 2001. Suddenly there was a whole new body of law and regulation called the USA Patriot Act, and I was to be our firm’s first AML compliance officer. No one could have foreseen the events and aftermath of that terrible day. But I spent the rest of my career working in compliance, became a lawyer somewhere along the way and never stopped imagining the potential risks my institutions faced and how best to mitigate their impact.
I have now been a compliance professional for more than 25 years and I have never had such strong aardvarks and aliens vibes as I am having right now for the financial services industry. Unfettered AI (e.g., ChatGPT), turbulent crypto developments, the risks of unmanaged digitalization, AWOL boards, regulators falling on their swords after bank failures, interest rate and recession fears, etc. It’s a lot all at once.
Regulations and risk management efforts have not really kept pace with the technology demands of customers; the new products and services resulting from those demands; the subsequent partnerships with and, in many cases, nascent third-parties to help deliver those new products and services; and how to keep one’s business units, compliance and risk management departments, internal audit, i.e. one’s three lines of defense, engaged and informed as to these emerging risks.
What can compliance and risk management professionals do at this critical juncture to ensure that their institutions are able to weather this latest and most perfect storm?
Anticipation is key
In my experience, the answer is to harden your overall defenses so that the nature of an emerging risk does not have to be fully understood or anticipated to be properly managed. But what does that look like in practical terms?
First, review the role of your governance bodies (board, senior leadership, compliance and audit committees) to ensure they are truly providing the requisite oversight. It is a crucial aspect of successful institutional control to ensure that your governance bodies are equipped with the information necessary to make informed decisions, especially when it comes to questions of ethics or compliance. For example, are they fully informed about exceptions to the risk appetite framework of the institution and on record as the final arbiters if an exception is made, including on compensation and incentives?
Do the chief compliance officer, chief risk officer and internal audit provide those governance bodies with regular, on-the-record reporting of conditions for their areas of responsibility? Are they informed of and involved in escalation efforts when violations are found, or disciplinary actions are needed? Are there members with experience germane to their role? Have they clearly and unambiguously articulated and demonstrated rigorous adherence to applicable standards? Have they ensured that middle-management reinforces those standards and encourages employees to abide by them?
Finally, look at the larger effects of these efforts. How are they positively impacting the culture of ethics and compliance? Do they provide the necessary resources and empowerment to the compliance and risk management areas to function effectively? Is there at-hire and on-going due diligence of them and all decision-makers?
A deeper dive on risk and compliance functions
Next, look holistically at your compliance and risk management functions. Are the right processes in place when a new or changed law, rule, regulation, product, partnership or service, new location, customer type or other activity impacting the bank’s business model is enacted, undertaken or approved? Is there involvement by all appropriate stakeholders in the creation of appropriate, documented and regularly tested and reported-on controls commensurate with the risk?
Also, are compliance and risk management professionals thinking outside-the-box (a.k.a. aardvarks and aliens) about what might go wrong—and is there a process for escalating their concerns? Is the responsibility for timely and fully addressing internal audit and regulatory examination findings shared by compliance, risk management, the business and governance? Do compliance and risk management personnel have a decision-making role in incentive programs, sales strategies and disciplinary actions?
I think you get the picture. It must be an enterprise-wide effort to holistically recognize and manage risk. It has always been important to avoid siloed activities in business, but it is all the more critical to have an enterprise-wide perspective now. Effective compliance and risk management programs require the active engagement of all levels of personnel in an organization. Concerns voiced by anyone, even those that seem far-fetched and unlikely, should be vetted by appropriate personnel to ensure red flags are not missed.
Consider the ideas discussed above and what effect they may have on compliance and risk management activities at your bank. And don’t forget to ensure that third-party service providers are as equally educated as employees regarding the voicing of concerns, as well as recognition of risk and consequences of acting unethically or contrary to policies.
And finally, while the hope is that your institution has the processes in place to manage the myriad regulatory and operational risks presenting today, there is always help available from your regulators (yes, you can ask them questions), consultants and other industry experts to identify unmanaged regulatory or operational risk and ultimately strengthen your institutions risk profile for years to come.