In this blog we look at how management of compliance risk, and hence compliance departments, have evolved over recent decades and how they fit into ERM (Enterprise Risk Management) frameworks increasingly expected by regulators.
Financial institutions have always had rules they needed to follow but these have increased significantly since the 1980s. In turn the need for specialists in this area grew commensurately, either because of the complexity of remaining compliant or expectations / requirements from regulators.
within the early days a natural home for compliance risk was the legal department as they had the best skill set to understand regulations.
In some parts of the world (e.g. the US) this ownership by legal is still largely the case. Though elsewhere there has been a move towards compliance being an independent function reporting directly to the CEO or part of the risk function.
Regardless of the ultimate reporting line there has been huge growth in compliance departments and increasing specialisation within them. Financial crime, reporting and conduct being obvious examples of this.
Some compliance staff have a reporting line into a general counsel, chief risk officer or head of legal and compliance. Most compliance staff in larger firms specialise in compliance (or a sub field) with usually only those at quite a senior level having a broader role. For example, it would be unusual for a business facing lawyer to also be the compliance advisor for that business area but both roles could report to a head of legal and compliance.
Most regulators do not specifically mandate the reporting line and instead use more principles-based directives to manage risks appropriately and have appropriate independence for functions such as compliance and risk.
The long list of financial services scandals over the last 20 years plus the ever-growing fines and settlement costs have heightened regulators expectations of what firms need to do to mitigate these risks. This shows up in increased and more prescriptive regulations but also in the way they supervise firms.
Larger firms in the UK increasingly interpret this (or are encouraged to by their supervisors) as requiring an ERM framework in which they set out the key risks (and possibly sub risks) the firm faces and how they manage or mitigate these risks. Increasingly risks are grouped into financial and non-financial risk types.
Some of the risk types covered will be obvious ones such as credit risk, market risk, operational risk, and liquidity risk. Increasingly other types of risk will be included: Climate or ESG risks being very current, with those compliance owns in the second line of defence becoming de rigueur.
For example, a large bank might have compliance, financial crime, and conduct as risk types in its ERM framework. Market risk and conduct risk might appear very different in terms of measurability, but regulators are increasingly expecting financial institutions to apply the more quantitative and operational risk function mindset to compliance risks.
In practice this means breaking down risk types into measurable individual risks. Such as breaching sanctions in your payments business or committing market abuse in your dealing business. Then you should be assessing the gross risk for these issues and the residual risk after controls have been put in place.
These risks will then need to be regularly measured (for example how many suspicious payments there were in the last month) and reported to a governance forum such as a risk committee.
The risks where the residual risk becomes or remains above the organisations risk tolerance will then be escalated for action. It is important to note that this does not make them ‘compliance’s problem’ as these risks should usually have an owner in a first line area however it will be important for compliance to provide challenge on whether residual risk assessments are realistic and whether treatment plans are credible.
It is of great importance that compliance departments have adequate independence, enough resources, and access to senior management. Whilst this does not prescribe a particular reporting line there are some options that create heightened risks of conflicts of interest.
For example, if a compliance officer reports to the business area or desk head of the area she supports this could create pressures to not call out issues that could negatively impact their line manager. Equally a transactional lawyer who is primarily focussed on protecting the interest of his institution might find himself a bit conflicted if he is also required to manage compliance tasks such as fair treatment of customers or employee conduct.
For smaller firms it might be unavoidable to have staff with reporting lines like this or double hatting roles. In such cases it is beholden on senior managers to assess the risks this could create and to put in place mechanisms and controls to mitigate these conflicts.
Whilst I am sure some of the compliance officers we know will roll their eyes about us pointing out the benefits of ERM frameworks the reality is ‘what gets measured, gets managed’. Senior managers and compliance officers should be using these frameworks to get appropriate attention to the compliance risks they face.
There is no right answer to where a compliance department should sit but as we have discussed certain reporting lines can create problems.
Have you seen other structures that work well or create problems? We’re interested in hearing your views and have opened our blog posts so that you can add your own views and comments.