Exploring Relationship Between Risk & Compliance


Published on

• How to identify compliance risks in the business
• How to involve risk management in compliance management
• Integrating compliance risks with useful management tools

Published in: Business, Economy & Finance
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Exploring Relationship Between Risk & Compliance

  1. 1. Exploring the Relationship Between Risk & Compliance Presented By: John Cyriac CEO ComplianceTrack.Com 100 Pall Mall, London SW1Y 5NQ Presented To: Compliance Asia 2009 May 26,27, 2009 Grand Hyatt Singapore
  2. 2. Agenda <ul><li>Objectives of Compliance </li></ul><ul><li>Approaches to Compliance & Risk </li></ul><ul><li>Case Study – how to involve risk management in compliance management </li></ul><ul><li>Management Tool – Information is power </li></ul><ul><li>Summary </li></ul><ul><li>Q & A </li></ul><ul><li>References </li></ul>
  3. 3. Objectives of Compliance <ul><li>Reasons behind operational failures </li></ul><ul><li>What is the basic function of compliance? </li></ul><ul><li>What is the objective of a compliance function? </li></ul><ul><li>Compliance Risk – Definition </li></ul><ul><li>Operational Risk – Definition </li></ul>
  4. 4. <ul><li>Problem </li></ul><ul><li>False feeling of being in control </li></ul><ul><li>It's human to err & miss checking the possibility of failures. </li></ul><ul><li>Fraud </li></ul><ul><li>Implication </li></ul><ul><li>Major operational risk events (Example- WorldCom, Enron, Parmalat, Satyam etc) </li></ul>Reasons behind operational failures Objectives of Compliance
  5. 5. <ul><li>Solution </li></ul><ul><li>Regulations impose checking to mitigate operational failures (Example - Sarbanes-Oxley Act of 2002 , other local regulators) </li></ul><ul><li>Implementing the Solution </li></ul><ul><li>Compliance department reports adherence to various regulatory requirements to the corresponding regulator – mitigate Compliance Risk </li></ul>What is the basic function of compliance? Objectives of Compliance
  6. 6. What is the objective of a compliance function? <ul><li>No/Wrong Implementation </li></ul><ul><li>Compliance Risk </li></ul><ul><li>Expected Benefit – Intended objective </li></ul><ul><li>Mitigate operational risk </li></ul>Objectives of Compliance
  7. 7. Compliance Risk - Definition <ul><li>“ Compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a business may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its business activities” (together, “ compliance laws, rules and standards ”) Basel Committee on Banking Supervision (April, 2005) </li></ul>Objectives of Compliance
  8. 8. Operational Risk - Definition <ul><li>“ Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.” Basel Committee on Banking Supervision (June, 2004) Item 644 </li></ul>Objectives of Compliance
  9. 9. Agenda <ul><li>Objectives of Compliance </li></ul><ul><li>Approaches to Compliance & Risk </li></ul><ul><li>Case Study – how to involve risk management in compliance management </li></ul><ul><li>Management Tool – Information is power </li></ul><ul><li>Summary </li></ul><ul><li>Q & A </li></ul><ul><li>References </li></ul>
  10. 10. Approaches to Compliance & Risk <ul><li>Approach focusing on compliance risk alone </li></ul><ul><li>Integrated approach </li></ul><ul><li>COSO –Enterprise Risk Management </li></ul><ul><li>COSO – ERM – 4 Categories </li></ul>
  11. 11. Approach focusing on Compliance Risk alone <ul><li>In many organizations, the compliance function is used for just “tick in the box” regulatory reporting. </li></ul><ul><li>This is known to mitigate Compliance Risk </li></ul><ul><li>Does the job of avoiding the “failure events” targeted by a rules based regulator such as SEC/SOX </li></ul><ul><li>May not work for risk/principle based regulators </li></ul>Approaches to Compliance
  12. 12. Integrated approach <ul><li>Integrated approach towards compliance </li></ul><ul><li>Mitigate Compliance Risk – “tick the boxes” – avoid the “failure events” targeted by the regulation </li></ul><ul><li>Have to comply with the spirit of the regulation – onus on you to prove this – harder than rules based regulation </li></ul><ul><li>Combine efforts with Operational Risk Management – create a holistic approach </li></ul><ul><li>Benefit of an integrated approach if used with an ERM strategy </li></ul><ul><li>Resilient enterprise </li></ul>Approaches to Compliance
  13. 13. COSO –Enterprise Risk Management “ 41% are using a COSO-based approach for ORM”. Chartis Research (2007) Approaches to Compliance: Integrated Approach
  14. 14. COSO – ERM – 4 Categories <ul><li>Strategic – high-level goals, aligned with and supporting its mission </li></ul><ul><li>Operations – effective and efficient use of its resources </li></ul><ul><li>Reporting – reliability of reporting </li></ul><ul><li>Compliance – compliance with applicable laws and regulations. </li></ul>Approaches to Compliance: Integrated Approach
  15. 15. Agenda <ul><li>Objectives of Compliance </li></ul><ul><li>Approaches to Compliance & Risk </li></ul><ul><li>Case Study – how to involve risk management in compliance management </li></ul><ul><li>Management Tool – Information is power </li></ul><ul><li>Summary </li></ul><ul><li>Q & A </li></ul><ul><li>References </li></ul>
  16. 16. Case Study- Overview <ul><li>Institution: A UK financial institution </li></ul><ul><li>Regulatory body: Financial Services Authority (FSA) </li></ul><ul><li>Process: Trade Settlement </li></ul><ul><li>Regulation: “Dealing and Managing (COB 7)”section of the FSA Handbook. </li></ul><ul><li>Details of COB7 is available at: http://fsahandbook.info/FSA/html/handbook/COB/7 </li></ul>Case Study
  17. 17. Policy Management <ul><li>Policy/Procedure development </li></ul><ul><li>Manage affirmation to policy/procedure </li></ul><ul><li>Training/Competence </li></ul><ul><li>Changes to policy/procedure </li></ul><ul><li>Case Study – Policy/Procedure Management </li></ul><ul><li>Develop a procedure in line with “Dealing and Managing (COB 7)”section of the FSA Handbook </li></ul><ul><li>Ensure affirmation, competency, conduct testing of understanding if needed </li></ul>Case Study: Step 1
  18. 18. Trade Settlement Procedure Cont.. <ul><li>For some accounts, the operation person should communicate the trades to the client directly; the client has the responsibility to instruct the custodian. </li></ul><ul><li>The operation person should add any new security identifier to the system using an identifier. This will capture price, price history, rating information from Bloomberg on the nightly feed. </li></ul>Case Study: Step 1
  19. 19. <ul><li>Faxes to custodians should include the number of trades in the fax and for each account; a sequential numbering system is used for each trade batch. On some accounts, the custodian provides the firm with reference numbers to be included on each ticket batch. For some accounts the operations person sends an email to notify the recipient that the trades were faxed and retain copies of the fax sheets and fax transmittal as proof of instruction. </li></ul>Trade Settlement Procedure Cont.. Case Study: Step 1
  20. 20. <ul><li>The custodian is responsible for matching broker confirms with advisor confirms and instructing each if there is a mis-match by T+2. Most trades settle T+3, except UK Gilts and US Treasuries that typically settle T+1. </li></ul><ul><li>Generally, the appropriate custodian settles trades through the Euro Clear depository service. In limited cases, tickets are sent to clients for communication to the custodian. </li></ul>Trade Settlement Procedure Case Study: Step 1
  21. 21. Case Study: Step 2 Identify Risks Clients, Regulators, Suppliers, Competitors External dependency Quantity (system capacity), Quality (incorrect market information), Criticality (critical application), Failure (infrastructure breakdown) Technology Quantity (existing process can handle all instances), Quality (appropriate processes), Criticality (appropriate process unavailable), Failure Process Quantity(Sufficient Staff), Quality (Competent Staff), Criticality (key staff), Failure (unauthorized behaviour) People Risk factor Risk Driver
  22. 22. Identify risks in the process Case Study: Step 2 This could be the first activity. Steps mentioned in this presentation is only for clarity. Delayed Settlements Direct financial loss Inability to settle deal in planned market parameters Clients, Regulators, Suppliers, Competitors External dependency KRI Loss Risk Risk Factor Risk Driver
  23. 23. Document the risks <ul><li>Risk: “serious delays in settling trades” - inability to conclude the deal in the specified market parameters </li></ul><ul><li>Control Procedure: Trades are matched to broker confirmations. Any unmatched trades are bought to attention. </li></ul><ul><li>Probability/Severity/Assessment: Low/High/Medium </li></ul><ul><li>Frequency: Every Trade </li></ul><ul><li>Compliance Formal Review frequency: Monthly </li></ul><ul><li>Risk Owner: First Name, Last Name </li></ul>Case Study: Step 2
  24. 24. Compliance Management <ul><li>Create tests to ensure compliance with policy/procedure </li></ul><ul><li>Plan frequency of tests </li></ul><ul><li>Resource allocation </li></ul>Case Study: Step 3
  25. 25. Compliance Management <ul><li>Policy: COB 7.6 </li></ul><ul><li>Compliance Test - “ Were there any delays in effecting the trades? If so, what are the reasons for the delay documented?”. </li></ul><ul><li>Test Objective: To ensure timely execution of trades </li></ul><ul><li>Test Method: Check date in Deal book & Errors and discrepancy file </li></ul><ul><li>Evidence: if needed </li></ul>Case Study: Step 3
  26. 26. Compliance Data mapping [1] Indicator below Threshold is scored 1 = acceptable. Indicator above Threshold, but below Limit, is scored 2 = acceptable, but to watch. Indicator above Limit is scored 3 = unacceptable. Case Study: Step 4 1 2 48 24 5 2 0 8 Delayed Settlement Weight Scores [1] Limit Threshold Evolution (%) Value Above limit Above threshold Indicator
  27. 27. Quantify the Risk: Forward looking Identify the weightings for each of the indicators for each of the business lines & calculate aggregate loss indicator ( Every indicator is normalized, i.e. expressed on a common [0, 1] range by using a transformation ) (example for the indicator a): Reference: Scandizzo, Sergio (2005) Case Study: Step 5
  28. 28. Quantify the Risk: Backward looking Case Study: Step 6 Event: Deal settlement concluded after the threshold of 48 hours and the risk is materialized The Compliance Officer anyway considers this event in his normal line of duty. However, if the event is recorded in an appropriate manner, that can give the necessary internal loss data
  29. 29. <ul><li>Event Category : ( Payment and settlement ) </li></ul><ul><li>Cause Type : ( Execution, delivery and process management ) </li></ul><ul><li>Impact Type : ( High ) </li></ul><ul><li>Descriptions : ( broker misperformance, non-client counterparty misperformance ) </li></ul><ul><li>Date and location of event & loss : ( DDMMYY,LON) </li></ul><ul><li>Loss Amounts </li></ul><ul><ul><li>Actual loss, potential loss, recoveries : ( 100,000) </li></ul></ul><ul><ul><li>Currency : ( GBP) </li></ul></ul>Quantify the Risk: Internal Loss Data Case Study: Step 7
  30. 30. <ul><li>Informal reporting lead to failures which lead to regulations like SOX forcing businesses to report risk at a senior level. </li></ul><ul><li>Compliance reports for various audiences </li></ul><ul><ul><li>Regulators </li></ul></ul><ul><ul><li>Relation with internal audit </li></ul></ul><ul><ul><li>Senior management </li></ul></ul><ul><ul><ul><li>Ex: The number of delayed settlements (KRI) can be indicative of lack of performance of the trader. </li></ul></ul></ul>Meaningful reporting Case Study: Step 8
  31. 31. Agenda <ul><li>Objectives of Compliance </li></ul><ul><li>Approaches to Compliance & Risk </li></ul><ul><li>Case Study – how to involve risk management in compliance management </li></ul><ul><li>Management Tool – Information is power </li></ul><ul><li>Summary </li></ul><ul><li>Q & A </li></ul><ul><li>References </li></ul>
  32. 32. Policy Management Management Tool
  33. 33. Policy Creation Management Tool
  34. 34. Policy Distribution Management Tool
  35. 35. Policy Training and Affirmation Management Tool
  36. 36. Policy Reports Management Tool
  37. 37. Compliance Monitoring Management Tool
  38. 38. Compliance Test Creation Management Tool
  39. 39. Compliance Test and Data Collection Management Tool
  40. 40. Compliance Reporting & Traceability Management Tool
  41. 41. Agenda <ul><li>Objectives of Compliance </li></ul><ul><li>Approaches to Compliance & Risk </li></ul><ul><li>Case Study – how to involve risk management in compliance management </li></ul><ul><li>Management Tool – Information is power </li></ul><ul><li>Summary </li></ul><ul><li>Q & A </li></ul><ul><li>References </li></ul>
  42. 42. Towards a resilient enterprise Integrated Compliance Silo Approach – Compliance Risk Alone Compliance Level Desired level
  43. 43. Towards a resilient organisation <ul><li>Organizations should consider Compliance function as an opportunity to improve shareholder value by minimizing operational failures </li></ul><ul><li>Instead of creating an isolated compliance function, organizations should leverage existing functions like operational risk and audit to create a resilient organisation </li></ul>Management Tool
  44. 44. Agenda <ul><li>Objectives of Compliance </li></ul><ul><li>Approaches to Compliance & Risk </li></ul><ul><li>Case Study – how to involve risk management in compliance management </li></ul><ul><li>Management Tool – Information is power </li></ul><ul><li>Summary </li></ul><ul><li>Q & A </li></ul><ul><li>References </li></ul>
  45. 45. References <ul><li>Basel Committee on Banking Supervision (April, 2005) Compliance and the compliance function in banks. Available at: http://www.bis.org/publ/bcbs113.pdf </li></ul><ul><li>Chartis Research (2007) Operational Risk Management Systems 2007 – The second wave has arrived. Chartis Research Limited, London. </li></ul><ul><li>COSO (2004) Enterprise Risk Management – Integrated Framework The Committee of Sponsoring Organizations of the Treadway Commission (COSO). </li></ul><ul><li>Cyriac, John (November, 2008) Operational Risk Appetite – Lateral Thinking. Oprisk & Compliance </li></ul><ul><li>Financial Services Authority FSA Handbook Available at: http://fsahandbook.info/FSA/html/handbook/ </li></ul><ul><li>Scandizzo, Sergio (2005) Risk Mapping and Key Risk Indicators in Operational Risk Management. </li></ul>[email_address] Q & A