Exploring the Relationship Between Risk & Compliance Presented By: John Cyriac CEO ComplianceTrack.Com 100 Pall Mall, London SW1Y 5NQ Presented To: Compliance Asia 2009 May 26,27, 2009 Grand Hyatt Singapore

Agenda Objectives of Compliance Approaches to Compliance & Risk Case Study – how to involve risk management in compliance management Management Tool – Information is power Summary Q & A References

Objectives of Compliance

Approaches to Compliance & Risk

Case Study – how to involve risk management in compliance management

Management Tool – Information is power

Summary

Q & A

References

Objectives of Compliance Reasons behind operational failures What is the basic function of compliance? What is the objective of a compliance function? Compliance Risk – Definition Operational Risk – Definition

Reasons behind operational failures

What is the basic function of compliance?

What is the objective of a compliance function?

Compliance Risk – Definition

Operational Risk – Definition

Problem False feeling of being in control It's human to err & miss checking the possibility of failures. Fraud Implication Major operational risk events (Example- WorldCom, Enron, Parmalat, Satyam etc) Reasons behind operational failures Objectives of Compliance

Problem

False feeling of being in control

It's human to err & miss checking the possibility of failures.

Fraud

Implication

Major operational risk events (Example- WorldCom, Enron, Parmalat, Satyam etc)

Solution Regulations impose checking to mitigate operational failures (Example - Sarbanes-Oxley Act of 2002 , other local regulators) Implementing the Solution Compliance department reports adherence to various regulatory requirements to the corresponding regulator – mitigate Compliance Risk What is the basic function of compliance? Objectives of Compliance

Solution

Regulations impose checking to mitigate operational failures (Example - Sarbanes-Oxley Act of 2002 , other local regulators)

Implementing the Solution

Compliance department reports adherence to various regulatory requirements to the corresponding regulator – mitigate Compliance Risk

What is the objective of a compliance function? No/Wrong Implementation Compliance Risk Expected Benefit – Intended objective Mitigate operational risk Objectives of Compliance

No/Wrong Implementation

Compliance Risk

Expected Benefit – Intended objective

Mitigate operational risk

Compliance Risk - Definition “ Compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a business may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its business activities” (together, “ compliance laws, rules and standards ”) Basel Committee on Banking Supervision (April, 2005) Objectives of Compliance

“ Compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a business may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its business activities” (together, “ compliance laws, rules and standards ”) Basel Committee on Banking Supervision (April, 2005)

Operational Risk - Definition “ Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.” Basel Committee on Banking Supervision (June, 2004) Item 644 Objectives of Compliance

“ Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.” Basel Committee on Banking Supervision (June, 2004) Item 644

Agenda Objectives of Compliance Approaches to Compliance & Risk Case Study – how to involve risk management in compliance management Management Tool – Information is power Summary Q & A References

Objectives of Compliance

Approaches to Compliance & Risk

Case Study – how to involve risk management in compliance management

Management Tool – Information is power

Summary

Q & A

References

Approaches to Compliance & Risk Approach focusing on compliance risk alone Integrated approach COSO –Enterprise Risk Management COSO – ERM – 4 Categories

Approach focusing on compliance risk alone

Integrated approach

COSO –Enterprise Risk Management

COSO – ERM – 4 Categories

Approach focusing on Compliance Risk alone In many organizations, the compliance function is used for just “tick in the box” regulatory reporting. This is known to mitigate Compliance Risk Does the job of avoiding the “failure events” targeted by a rules based regulator such as SEC/SOX May not work for risk/principle based regulators Approaches to Compliance

In many organizations, the compliance function is used for just “tick in the box” regulatory reporting.

This is known to mitigate Compliance Risk

Does the job of avoiding the “failure events” targeted by a rules based regulator such as SEC/SOX

May not work for risk/principle based regulators

Integrated approach Integrated approach towards compliance Mitigate Compliance Risk – “tick the boxes” – avoid the “failure events” targeted by the regulation Have to comply with the spirit of the regulation – onus on you to prove this – harder than rules based regulation Combine efforts with Operational Risk Management – create a holistic approach Benefit of an integrated approach if used with an ERM strategy Resilient enterprise Approaches to Compliance

Integrated approach towards compliance

Mitigate Compliance Risk – “tick the boxes” – avoid the “failure events” targeted by the regulation

Have to comply with the spirit of the regulation – onus on you to prove this – harder than rules based regulation

Combine efforts with Operational Risk Management – create a holistic approach

Benefit of an integrated approach if used with an ERM strategy

Resilient enterprise

COSO –Enterprise Risk Management “ 41% are using a COSO-based approach for ORM”. Chartis Research (2007) Approaches to Compliance: Integrated Approach

COSO – ERM – 4 Categories Strategic – high-level goals, aligned with and supporting its mission Operations – effective and efficient use of its resources Reporting – reliability of reporting Compliance – compliance with applicable laws and regulations. Approaches to Compliance: Integrated Approach

Strategic – high-level goals, aligned with and supporting its mission

Operations – effective and efficient use of its resources

Reporting – reliability of reporting

Compliance – compliance with applicable laws and regulations.

Agenda Objectives of Compliance Approaches to Compliance & Risk Case Study – how to involve risk management in compliance management Management Tool – Information is power Summary Q & A References

Objectives of Compliance

Approaches to Compliance & Risk

Case Study – how to involve risk management in compliance management

Management Tool – Information is power

Summary

Q & A

References

Case Study- Overview Institution: A UK financial institution Regulatory body: Financial Services Authority (FSA) Process: Trade Settlement Regulation: “Dealing and Managing (COB 7)”section of the FSA Handbook. Details of COB7 is available at: http://fsahandbook.info/FSA/html/handbook/COB/7 Case Study

Institution: A UK financial institution

Regulatory body: Financial Services Authority (FSA)

Process: Trade Settlement

Regulation: “Dealing and Managing (COB 7)”section of the FSA Handbook.

Details of COB7 is available at: http://fsahandbook.info/FSA/html/handbook/COB/7

Policy Management Policy/Procedure development Manage affirmation to policy/procedure Training/Competence Changes to policy/procedure Case Study – Policy/Procedure Management Develop a procedure in line with “Dealing and Managing (COB 7)”section of the FSA Handbook Ensure affirmation, competency, conduct testing of understanding if needed Case Study: Step 1

Policy/Procedure development

Manage affirmation to policy/procedure

Training/Competence

Changes to policy/procedure

Case Study – Policy/Procedure Management

Develop a procedure in line with “Dealing and Managing (COB 7)”section of the FSA Handbook

Ensure affirmation, competency, conduct testing of understanding if needed

Trade Settlement Procedure Cont.. For some accounts, the operation person should communicate the trades to the client directly; the client has the responsibility to instruct the custodian. The operation person should add any new security identifier to the system using an identifier. This will capture price, price history, rating information from Bloomberg on the nightly feed. Case Study: Step 1

For some accounts, the operation person should communicate the trades to the client directly; the client has the responsibility to instruct the custodian.

The operation person should add any new security identifier to the system using an identifier. This will capture price, price history, rating information from Bloomberg on the nightly feed.

Faxes to custodians should include the number of trades in the fax and for each account; a sequential numbering system is used for each trade batch. On some accounts, the custodian provides the firm with reference numbers to be included on each ticket batch. For some accounts the operations person sends an email to notify the recipient that the trades were faxed and retain copies of the fax sheets and fax transmittal as proof of instruction. Trade Settlement Procedure Cont.. Case Study: Step 1

Faxes to custodians should include the number of trades in the fax and for each account; a sequential numbering system is used for each trade batch. On some accounts, the custodian provides the firm with reference numbers to be included on each ticket batch. For some accounts the operations person sends an email to notify the recipient that the trades were faxed and retain copies of the fax sheets and fax transmittal as proof of instruction.

The custodian is responsible for matching broker confirms with advisor confirms and instructing each if there is a mis-match by T+2. Most trades settle T+3, except UK Gilts and US Treasuries that typically settle T+1. Generally, the appropriate custodian settles trades through the Euro Clear depository service. In limited cases, tickets are sent to clients for communication to the custodian. Trade Settlement Procedure Case Study: Step 1

The custodian is responsible for matching broker confirms with advisor confirms and instructing each if there is a mis-match by T+2. Most trades settle T+3, except UK Gilts and US Treasuries that typically settle T+1.

Generally, the appropriate custodian settles trades through the Euro Clear depository service. In limited cases, tickets are sent to clients for communication to the custodian.

Case Study: Step 2 Identify Risks Clients, Regulators, Suppliers, Competitors External dependency Quantity (system capacity), Quality (incorrect market information), Criticality (critical application), Failure (infrastructure breakdown) Technology Quantity (existing process can handle all instances), Quality (appropriate processes), Criticality (appropriate process unavailable), Failure Process Quantity(Sufficient Staff), Quality (Competent Staff), Criticality (key staff), Failure (unauthorized behaviour) People Risk factor Risk Driver

Identify risks in the process Case Study: Step 2 This could be the first activity. Steps mentioned in this presentation is only for clarity. Delayed Settlements Direct financial loss Inability to settle deal in planned market parameters Clients, Regulators, Suppliers, Competitors External dependency KRI Loss Risk Risk Factor Risk Driver

Document the risks Risk: “serious delays in settling trades” - inability to conclude the deal in the specified market parameters Control Procedure: Trades are matched to broker confirmations. Any unmatched trades are bought to attention. Probability/Severity/Assessment: Low/High/Medium Frequency: Every Trade Compliance Formal Review frequency: Monthly Risk Owner: First Name, Last Name Case Study: Step 2

Risk: “serious delays in settling trades” - inability to conclude the deal in the specified market parameters

Control Procedure: Trades are matched to broker confirmations. Any unmatched trades are bought to attention.

Probability/Severity/Assessment: Low/High/Medium

Frequency: Every Trade

Compliance Formal Review frequency: Monthly

Risk Owner: First Name, Last Name

Compliance Management Create tests to ensure compliance with policy/procedure Plan frequency of tests Resource allocation Case Study: Step 3

Create tests to ensure compliance with policy/procedure

Plan frequency of tests

Resource allocation

Compliance Management Policy: COB 7.6 Compliance Test - “ Were there any delays in effecting the trades? If so, what are the reasons for the delay documented?”. Test Objective: To ensure timely execution of trades Test Method: Check date in Deal book & Errors and discrepancy file Evidence: if needed Case Study: Step 3

Policy: COB 7.6

Compliance Test - “ Were there any delays in effecting the trades? If so, what are the reasons for the delay documented?”.

Test Objective: To ensure timely execution of trades

Test Method: Check date in Deal book & Errors and discrepancy file

Evidence: if needed

Compliance Data mapping [1] Indicator below Threshold is scored 1 = acceptable. Indicator above Threshold, but below Limit, is scored 2 = acceptable, but to watch. Indicator above Limit is scored 3 = unacceptable. Case Study: Step 4 1 2 48 24 5 2 0 8 Delayed Settlement Weight Scores [1] Limit Threshold Evolution (%) Value Above limit Above threshold Indicator

Quantify the Risk: Forward looking Identify the weightings for each of the indicators for each of the business lines & calculate aggregate loss indicator ( Every indicator is normalized, i.e. expressed on a common [0, 1] range by using a transformation ) (example for the indicator a): Reference: Scandizzo, Sergio (2005) Case Study: Step 5

Quantify the Risk: Backward looking Case Study: Step 6 Event: Deal settlement concluded after the threshold of 48 hours and the risk is materialized The Compliance Officer anyway considers this event in his normal line of duty. However, if the event is recorded in an appropriate manner, that can give the necessary internal loss data

Event Category : ( Payment and settlement ) Cause Type : ( Execution, delivery and process management ) Impact Type : ( High ) Descriptions : ( broker misperformance, non-client counterparty misperformance ) Date and location of event & loss : ( DDMMYY,LON) Loss Amounts Actual loss, potential loss, recoveries : ( 100,000) Currency : ( GBP) Quantify the Risk: Internal Loss Data Case Study: Step 7

Event Category : ( Payment and settlement )

Cause Type : ( Execution, delivery and process management )

Impact Type : ( High )

Descriptions : ( broker misperformance, non-client counterparty misperformance )

Date and location of event & loss : ( DDMMYY,LON)

Loss Amounts

Actual loss, potential loss, recoveries : ( 100,000)

Currency : ( GBP)

Informal reporting lead to failures which lead to regulations like SOX forcing businesses to report risk at a senior level. Compliance reports for various audiences Regulators Relation with internal audit Senior management Ex: The number of delayed settlements (KRI) can be indicative of lack of performance of the trader. Meaningful reporting Case Study: Step 8

Informal reporting lead to failures which lead to regulations like SOX forcing businesses to report risk at a senior level.

Compliance reports for various audiences

Regulators

Relation with internal audit

Senior management

Ex: The number of delayed settlements (KRI) can be indicative of lack of performance of the trader.

Agenda Objectives of Compliance Approaches to Compliance & Risk Case Study – how to involve risk management in compliance management Management Tool – Information is power Summary Q & A References

Objectives of Compliance

Approaches to Compliance & Risk

Case Study – how to involve risk management in compliance management

Management Tool – Information is power

Summary

Q & A

References

Policy Management Management Tool

Policy Creation Management Tool

Policy Distribution Management Tool

Policy Training and Affirmation Management Tool

Policy Reports Management Tool

Compliance Monitoring Management Tool

Compliance Test Creation Management Tool

Compliance Test and Data Collection Management Tool

Compliance Reporting & Traceability Management Tool

Agenda Objectives of Compliance Approaches to Compliance & Risk Case Study – how to involve risk management in compliance management Management Tool – Information is power Summary Q & A References

Objectives of Compliance

Approaches to Compliance & Risk

Case Study – how to involve risk management in compliance management

Management Tool – Information is power

Summary

Q & A

References

Towards a resilient enterprise Integrated Compliance Silo Approach – Compliance Risk Alone Compliance Level Desired level

Towards a resilient organisation Organizations should consider Compliance function as an opportunity to improve shareholder value by minimizing operational failures Instead of creating an isolated compliance function, organizations should leverage existing functions like operational risk and audit to create a resilient organisation Management Tool

Organizations should consider Compliance function as an opportunity to improve shareholder value by minimizing operational failures

Instead of creating an isolated compliance function, organizations should leverage existing functions like operational risk and audit to create a resilient organisation

Agenda Objectives of Compliance Approaches to Compliance & Risk Case Study – how to involve risk management in compliance management Management Tool – Information is power Summary Q & A References

Objectives of Compliance

Approaches to Compliance & Risk

Case Study – how to involve risk management in compliance management

Management Tool – Information is power

Summary

Q & A

References

References Basel Committee on Banking Supervision (April, 2005) Compliance and the compliance function in banks. Available at: http://www.bis.org/publ/bcbs113.pdf Chartis Research (2007) Operational Risk Management Systems 2007 – The second wave has arrived. Chartis Research Limited, London. COSO (2004) Enterprise Risk Management – Integrated Framework The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Cyriac, John (November, 2008) Operational Risk Appetite – Lateral Thinking. Oprisk & Compliance Financial Services Authority FSA Handbook Available at: http://fsahandbook.info/FSA/html/handbook/ Scandizzo, Sergio (2005) Risk Mapping and Key Risk Indicators in Operational Risk Management. [email_address] Q & A

Basel Committee on Banking Supervision (April, 2005) Compliance and the compliance function in banks. Available at: http://www.bis.org/publ/bcbs113.pdf

Chartis Research (2007) Operational Risk Management Systems 2007 – The second wave has arrived. Chartis Research Limited, London.

COSO (2004) Enterprise Risk Management – Integrated Framework The Committee of Sponsoring Organizations of the Treadway Commission (COSO).

Cyriac, John (November, 2008) Operational Risk Appetite – Lateral Thinking. Oprisk & Compliance

Financial Services Authority FSA Handbook Available at: http://fsahandbook.info/FSA/html/handbook/

Scandizzo, Sergio (2005) Risk Mapping and Key Risk Indicators in Operational Risk Management.