Reducing the cost of regulatory compliance for outsource contracts, part 3

This post is the third in a series on a methodology I created to improve the effectiveness and efficiency of managing regulatory risk when outsourcing. The first two posts are here and here. Below I write on translating the risk/value ratios of the outsource contracts into the optimum control strategy.

The starting point is the contract portfolio in which the value and compliance risk of the outsource contracts are plotted. Among other things, this position drives the resources spent by the compliance function on monitoring a contract. The control and monitoring activities are typically described in a so-called Compliance Program, the overarching framework that encompasses the different activities and responsibilities of the compliance function.

Compliance cost can be reduced further by applying a ‘golden’ control and monitoring approach only where it is really necessary (for example at high risk and high value) and selecting a ‘silver’ or ‘bronze’ approach elsewhere (see figure).

By strengthening the collaboration between the so-called ‘three lines of defence’ and other risk disciplines (for example, the operational and information risk departments), even more efficiency gains may be achieved. For example, the Operational Risk Management (ORM) department is usually responsible for controlling the risk related to business and IT continuity. The Dutch banking regulation Wft states requirements regarding IT continuity. To comply with this regulation, the compliance department may choose to come up with new controls, or look into existing assurance measures and add to them where necessary.

The desired end result is a cooperation in which the lines of defence and risk disciplines make use of a shared set of procedures, risk-control matrices, control measures, reports, etc. However, this requires the willingness to put the needs of the group above one's own.

In the figure, the translation is made from the position a regulated object has within the portfolio (see the figure in the second post) to the corresponding control and monitoring strategy. The strategy can be defined in terms of the lines of defence that are involved in the monitoring. This way, the choice can be made to have only first- and second-line monitoring in the case of a ‘bronze’ control, and to give the third line a prominent role only in the case of ‘silver’ and ‘gold’ controls.

Removing the discrepancy between the current and desired control maturity can be done by means of an improvement plan or by including actions in the monitoring plan. Optimize the expenses by first implementing those improvement actions that have the highest risk-reducing effect at the lowest (in)direct costs.

What results can be achieved?
At the compliance department that implemented this methodology, a minimum base set of requirements has been defined with which external suppliers have to comply and against which future suppliers will be tested during the due diligence process. Besides that, together with the retained organization (which acts on behalf of the business as the first line of defence) and existing suppliers, there are talks on creating control frameworks in which a balance is sought between the best practices of the supplier and the requirements and wishes of the bank. Among other things, this is a way to try to limit the compliance-related checks the supplier submits each month.

In principle, all objects (for example products, markets and activities) that are regulated and over which the financial institution runs a reputational risk can profit from the described approach. The compliance program can be designed to be both more effective and more efficient than is currently often the case and, besides that, by continuously documenting the steps, a risk-based ‘compliance dossier’ for regulated objects is built up.

This dossier can be used to show internal and external stakeholders that the organization is ‘in control’ and is acting not only within the letter of the law but also in its spirit. Ultimately (as in the law itself) it is about adequately controlling the risk underlying the requirements set by the legislator.

The most added value, however, is the insight gained into the relation between the financial value of, for example, a pension product, the compliance risk an organization runs, and the money that is spent on compliance. This insight will enable management to make a well-informed decision, based on possible scenarios, that can further optimize the relation between risk and value. No one wants to end up in the situation ABN Amro found itself in during 2005, when it had to pay $80 million to the US government because of its involvement in money transactions with Iranian and Libyan entities.