Compliance Risk Assessments: How To Get It Right
Senior Vice President - Risk and Compliance Manager
Published: Tuesday 14 September 2021
The Financial Conduct Authority (FCA) recently issued another Dear CEO letter to retail firms, detailing the common control failings identified when creating anti-money laundering frameworks. One of the common weaknesses identified by the FCA was the quality of business-wide risk assessments, describing them as “generally poor” and providing “insufficient detail” on the financial crime risks to which the businesses are exposed.
While the contents of the letter are focused on financial crime risk assessments, the warnings within it can also be applied to other risk assessment programmes, including the more general/ broader Compliance Risk Assessments (CRA). This article will explore what steps you can take to address the failings identified, while also ensuring the CRA is more robust and can better identify your top compliance risks.
What is a Compliance Risk Assessment?
A Compliance Risk Assessment is the identification of all existing or potential risks that could lead to financial penalties, regulatory action and/or reputational damage. The constantly changing regulatory environment has increased the need for a broader view of compliance risk across the financial services industry. This complexity, coupled with the penalties for non-compliance and the focus of the regulators, means it is extremely important for firms to act now to ensure they have a comprehensive compliance risk assessment process in place.
Top tips for creation/ revamp of your CRA:
Category & Regulatory Mapping
Firms need to consider developing a robust rules and controls inventory and then look to map those controls to the regulatory categories which are assessed as part of the CRA. Creating these inventories allows for greater connectivity to other internal programmes which require this information and might assist in greater automation.
Granularity of the CRA
The Dear CEO letter highlights a failure by firms to individually risk assess their UK businesses, with firms often wrapping it up into the assessment conducted at group level. When constructing the assessment framework, those responsible will need to consider what level of assessment is appropriate for their firm - global, regional or country level? This feedback from the FCA indicates the latter might be the most acceptable approach, but it is important to consider if this will create an undue execution burden on the risk assessors.
Completing the CRA can be a time-consuming exercise for any risk assessor. Having to manually obtain data from different sources can slow down this process and increase the administrative burden for the assessor. We recommend that relevant data such as audit and testing findings, regulatory sanctions and control inventories (mapped to the relevant categories) are collated together and shared with the risk assessor prior to the assessment. Such data packs should be easy to navigate and draw their attention to key drivers of risk.
Focus on Commentary
The assessment needs to be clear, easy to understand and actionable. Avoid the use of complex legal jargon and acronyms. Using examples to explain your rationale will be useful (e.g., a reference to the recent regulatory action taken against one of your peers will shed some light on the potential impact of a violation in a particular area). It needs to be understood by third parties, such as Internal Audit, who may not be familiar with your business activities.
The FCA also highlighted that, in some cases, firms have not adequately evidenced their assessment of the control environment designed to mitigate the inherent risk. Assessment of the control environment is extremely important and, if not done correctly, could lead to residual risk ratings being understated. It is not enough to simply state that a policy exists in a particular area – risk assessors need to assess the adequacy of that policy:
Does the policy cover the applicable regulation?
Has its audience been clearly identified?
Are employees aware of its existence and content?
When was the policy last reviewed and/or updated?
Are there any ongoing corrective actions tagged to the policy?
All of the above questions should be considered when assessing the design and implementation of a particular control.
Robust Quality Assurance Function
Establishing an independent quality assurance function (QA) to review the ratings/commentary completed by the risk assessors will ensure greater accuracy and completeness of results. The QA function should feel empowered to identify discrepancies and provide sufficient challenge to the risk assessors as and when required.
Data Analysis & Reporting
Completing the risk assessment is only the beginning. Once all assessments have been completed, the results should be scrutinised and should be used to identify trends and patterns (e.g., Year on Year changes, emerging risks, control deficiencies). Firms are using more quantitative data to support the results of the CRA and are hiring data analytics professionals to enhance the use of data in compliance activities.
Reporting provides different views of compliance risk and helps to inform resource allocation, development of action plans and assists in business decision-making The information extracted from the assessments should be presented to the stakeholders in an easily digestible format, leveraging data visualisation techniques as much as possible to draw attention to the key drivers of compliance risk.
Embracing Technology: Technology helps to support the CRA process and can include an in-house system to guide users through the CRA process. Connecting the CRA with other aspects of the Compliance programme (for example, hosting the regulatory inventory and corresponding controls) is equally important and can significantly reduce execution burden on the risk assessors.
How can FinTrU help?
By 17 September 2021 all relevant firms must have conducted a gap analysis against the content of the Dear CEO letter. If you need any independent expertise when conducting the gap analysis or would like to discuss how we can help your firm in designing a more robust, effective risk assessment programme, please contact the FinTrU Business Development team.
Some of our services in this area include:
Founded in December 2013, FinTrU is a multi‐award winning RegTech company in the Financial Services sector that is committed to giving local talent the opportunity to work on the global stage with the largest International Investment Banks. FinTrU works with clients to design solutions to help them meet their regulatory obligations in areas such as Legal, Risk, Compliance, KYC, Operations, Consultancy and Technology. FinTrU’s clients are all global Investment Banks, based in North America, Europe and Asia and the company’s business model is to provide technology enabled solutions to clients to augment and support their existing internal functions.