Post-Event Summary BBA Annual Risk Management Conference 2012

7/30/2019 Post-Event Summary BBA Annual Risk Management Conference 2012

1/6

Post event summary

www.lombardrisk.com Managing collateralised trading. Enabling regulatory compliance

Lombard Risk at the British

Bankers Associations annual

risk management conference:

27th November 2012

Introduction

On November 27th

2012 the British

Bankers Association (BBA) held its

annual risk management conference.

The event was attended by a

combination of BBA members, regulators

and representatives from firms associated with the financial

services industry.

Speakers included:

Jo Paisley, Director, Risk Specialists Division,

Financial Services AuthorityThe FSA on banking

in the new financial landscape

Michael McKee, DLA Piper - Legal update on risk

management

Alain Stangroome, Head of Group Capital Planning,

HSBC Holdings plcRisk and bank capital

Christopher Blake, Senior Manager, Liquidity Risk

Group Asset & Liability Management, HSBC

Holdings plcThe relationship between liquidity

and risk management

Conor MacManus, Head of Prudential

Requirements, HM Treasury- Measuring the

impact of Basel 3 on banks

Annemarie Durbin, Group Head, Corporate

Governance, Property, Environment and Security,

Standard Chartered - How can non-executive

directors (NEDs) be supported in their oversightfunction?

The BBA Annual Risk Management

Conference highlighted the considerable

changes in the regulatory landscape and

the challenges ahead for risk andcompliance professional. David Wilford

Lombard Risk at the BBA risk conference

Lombard Risk sponsored, exhibited and presented at the

BBA annual risk conference.

John Wisbey - CEO, John Shield - Advisor to the CEO,

Rebecca Bond - Group Marketing Director, James Phillips -

Director Regulatory Strategy, Tony Glover - Business

Development Manager Lombard Risk attended the risk

management conference and were on hand to discuss

delegates regulatory and risk issues.

ComplianceASSESSOR

Lombard Risk

announced

Compliance

ASSESSOR at the

event a solution

that provides firms

with a centralised,

secure and dynamic

means of assessing,

evidencing and

recording

compliance against

an unlimited library

of regulations.

Lombard Risk ComplianceASSESSOR

addresses regulatory risk

being the risk of non-compliance

and the penalties andreputational risk that follow.


2/6

Post event summary


Introducing David Wilford

David Wilford

Director Compliance Productat

Lombard Risk

Email:[email protected]

David Wilford has over 35 years

experience, primarily in the area of

credit risk management and

regulation. Over the last 10 years he has been involved in

the interpretation and implementation of the Basel II/III

Accord as reflected in the EU CRD and subsequently the FSA

Prudential Sourcebooks. He has been advising banks on the

adequacy of their risk governance frameworks to address

these and other regulatory requirements and

implementation issues.

David Wilford, Director of Compliance Product at Lombard

Risk presented at the event:

The challenges of

compliance in the new

regulatory framework

The biggest challenge banks now face

Why banks remain exposed to compliance

issues

A new approach to compliance?

Transcript

As you are all aware, the banking sector is currently subject

to a plethora of regulations governing every aspect of an

institutions business. As a result, even the smallest

institution is now subject to thousands of regulations. This

may appear to be an exaggeration but the FSAs GENPRUand BIPRU alone contain in excess of 5,000 regulations and

guidance that banks are expected to comply with. Add to

these SYSC, COBS, Internal Regulations governing KYC and

TCF not to mention the Data Protection Act, Consumer

Credit Act, AML legislation and other applicable laws and

regulations and the number of regulations can soon be

counted in their tens of thousands.

Cross border organisations are further faced with European

and other directives, complicated in some cases by the

application of National Discretions by individual regulators,

increasing substantially the number of regulations and

therefore the complexity of ensuring compliance in the

various jurisdictions.

It is therefore not surprising that many of the smaller

institutions are now having difficulty in even keeping track of

new and amended regulations, never mind ensuring

adequate compliance.

Indeed, the pressure on compliance functions was borne out

in a Thomson Reuters survey earlier this year when over500 compliance professionals were surveyed. The results

indicated (quote) that the deluge of new rules, regulations

and enhanced vigour of regulators coupled with a lack of

additional internal resources and headcount has pushed

compliance departments to the breaking point.

Unfortunately, the situation is set to deteriorate further

from a compliance perspective, as the regulatory landscape

is now undergoing a radical change in response to political

and regulatory pressures and demands designed to restore

economic and financial stability, both here and abroad.

Clearly a major challenge is the need to increase both capital

and liquidity to levels deemed by the regulators to be

sufficient to weather another financial crisis no easy task

given the increasing scarcity of high quality capital in a

deteriorating economic climate, particularly in Europe.

And in the case of those firms deemed too big to fail, these

challenges are further complicated by demands to

restructure or even ring fence their retail and investment

activities whilst remaining compliant with all applicable

regulations.

In addition, firms are also facing the challenge of both

restoring and promoting the sectors reputation andintegrity, helped in no small measure by the regulators who

are demanding propriety, transparency, better risk

management and perhaps most important of all,

accountable governance.

And finally, as we heard this morning, the new Prudential

Regulation Authority intends to exercise a more judgemental

approach to supervision aimed at promoting the safety and

soundness of financial institutions whilst the new Financial

Conduct Authority intends to exercise a similar approach

with regard to conduct in the financial market place. On the

face of it, the application of a more judgmental approachthat will no doubt be based on empirical evidence may be

welcomed by many in the belief that such an approach

provides firms with more flexibility in the interpretation of

the underlying regulations. However, as many of us know

from past experience, the application of such an approach

can lead to differences in opinion as to the interpretation of

the evidence, leading to even more challenges for firms

when trying to justify their interpretation to the authorities.

And no doubt there will be even more regulations - and

differing approaches - as politicians and regulators seek to

further refine and tighten their control over the banking

sector as a means of protecting individual economies.
mailto:[email protected]:[email protected]:[email protected]


3/6

Post event summary


In conclusion, it is clear that the situation for many

compliance functions is extremely serious, especially given

the lack of investment in appropriate resources that many

firms have experienced.

I would therefore venture that given the enormous task

faced by compliance functions in ensuring compliance in anever changing and demanding regulatory environment, the

biggest challenge firms now face is REGULATORY RISK that

may be defined as the risk to earnings, capital and

reputation associated with a failure to comply with

regulatory requirements and expectations; or to put it more

bluntly, the risk of non-compliance.

There is obviously no way to avoid these changes or the

challenges they pose.

The question therefore is How are compliance personnel

consisting of Risk, Compliance and Audit officers - going to

ensure compliance with the current and future regulations

that under pin these regulatory demands?

And I include Risk officers as their duty is not only to identify

and mitigate risk but to ensure that the methodologies and

approaches they use comply with the underlying regulations

that are designed to ensure minimum standards of

acceptability and integrity in the output of their

deliberations and computations.

To answer this question, I believe that we first need to

examine current practices and then the challenges to

understand the enormity of the problem..

If we go back approximately 20 years, the approach to

auditing changed significantly from a tick box approach to a

risk based approach, the latter identifying high risk business

operations and processes and auditing them on a more

frequent and comprehensive basis than low risk areas. While

this approach had the benefit of utilising more efficiently

audit and compliance resources, there were two

consequences. First, simple, straightforward businesses

and processes within the institution were effectively

removed from the radar; and conversely, compliance and

audit became focused on specific, high risk areas and

processes, the risk being measured in terms of risk to the

bottom line. And this was in the days when institutions were

required to follow the spirit of the regulations and

regulations could be measured in a couple of thousand

rather than tens of thousands.

Jumping forward to the years leading up to and immediately

after Basel II came into force, compliance with the new

regulations was embedded within the implementation

process so that when the projects went Business As Usual,

businesses and their processes were, by default, compliant

with the new regulations. Some institutions went so far as to

develop tools to determine compliance with the Basel IIregulations during implementation. However, most of these

models were mothballed upon implementation or have

subsequently become out of date. And in the case of the

smaller institutions, their size and / or lack of complexity did

not warrant expenditure on the development of such tools.

Whether tools were employed or not, the same process of

ensuring compliance with new regulations within the

implementation process has persisted over the years.

The result is that even today reliance is placed upon the

majority of simple business operations being inherently

compliant with applicable regulations and therefore off the

radar as far as a detailed examination - to determine the

state of compliance - is concerned. Yet the majority of fines

and settlements this year alone have been in respect of

these exact same simple operations. Take for example the

back office processing of payments to and from countries on

the U.S. embargo list, lack of due diligence on the source of

funds when processing payments, the simple processing of

mortgage applications prior to securitisation or indeed the

reasonable business model of selling insurance products toexisting customers. All of these processes were no doubt

deemed simple and straightforward and as a consequence,

only warranted the occasional cursory review, yet the

financial and reputational impact on individual banks for

non-compliance with the relevant regulations has been

enormous.

At the other end of the spectrum, compliance and audit

functions still focus on high risk to the bottom line

businesses and areas of operation and undertake specific

audits and investigations at the coal face, usually relying

upon hard copies of the regulations, manual files and Excel

spread sheets. Unfortunately, this focused approach, while

serving a particular purpose, prevents senior management,

auditors and compliance officers from seeing the overall

state of compliance of the institution against the tens of

thousands of regulations applicable to their business. It also

fails to address the fundamental requirement of the

regulators and that is to comply with their regulations,

irrespective of how insignificant an institution may think

they are, because at the end of the day, a regulation is a

regulation and a breach in compliance is not acceptable.

Having said that, Mr Andrew Baileys introduction to the

joint Bank of England / FSA paper issued last month andentitled The PRAs approach to banking supervision stated

that the PRAs approach will be very clearly based on

judgement rather than narrowly rules-based, and it will be

forward looking to take into account a wide range of

possible risks to our objectives. And as mentioned earlier,

the paper then goes on to say that the PRA intends to focus

its approach on the safety and soundness of individual

firms and therefore the stability of the financial system.

Clearly, safety and soundness are the new buzz words,

having been repeated 52 times in this paper alone!

Consequently, on the face of it, we appear to have come fullcircle with the PRA, and indeed the FCA, exercising

judgement rather than imposing a rules-based approach.


4/6

Post event summary


However, there is a catch and a rather large one at that,

which can be found in Clause 69 of the paper.

This Clause states: This requirement, for the firm and those

managing its affairs to be fit and proper, is in addition to

the obvious need for a firms board and senior management,

and in particular its Chair, to have regard to the need for thefirm to comply with all applicable laws and regulations.

These obligations are extensive and not limited to the laws

and regulations enforced by the PRA. This is because other

laws and regulations for instance, conformity with tax

laws could affect a firms fitness and properness, and the

probity and reputation of its management.

Clearly, compliance and audit functions are faced with a

dilemma, particularly given limited resources. Should the

focus continue to be on high risk business areas and run the

risk of non-compliance in what are deemed low risk areas

OR should compliance functions restructure their approach

to try and address both the principles based and rules based

regulatory requirements?

But before answering that question, consider the following.

In the not too distant past, an identified breach in

compliance would have been dealt with quietly by the

regulator, enabling the bank to correct the situation and

contain or at least control any reputational damage.

Unfortunately, the current climate is far more hostile and

unforgiving as banks are now subject to the full glare of

publicity and public opinion. This is certainly the case in the

U.S. where even the slightest hint of non-compliance orimpropriety the two being indistinguishable in the eyes of

the general public attracts head line news, sizable fines or

settlements and immediate reputational damage

irrespective of the validity of any accusation or the extent of

any breach being known.

Whether the substantial increase in litigation in the U.S. is

an attempt to be seen to be doing the right thing and / or

perhaps taking advantage of the political climate for a

regulator to stamp their mark within their peer group is

difficult to tell. What is certain is the impression that the U.S.

regulators have a tendency to litigate first and ask questionslater with serious consequences for the institution

concerned in terms of retained earnings and reputation.

Fortunately, on this side of the pond, any response to

wrong doing is a measured response to identified breaches

in compliance. And may this approach ever continue!

Clearly, one of the major problems, particularly in the U.S., is

that many firms appear unable to evidence the fact that they

have at least endeavoured to comply with, what are often

very complex and constantly changing, regulations.

Obviously, endeavouring to comply is not the same ascomplying and will not prove to be a defence if a regulator

really wants to punish a firm, for whatever reason. However,

it may sway public opinion and help to restore confidence in

the sector if the enormity of the task facing compliance

officers is better understood and firms are at least seen to

be doing their very best to comply with the regulations.

The answer may therefore be to adopt a more transparent,

dynamic and comprehensive approach to compliance thatevidences a concerted effort to comply. This may in the

future enable a firm to at least evidence to a regulator that

all reasonable action had been taken to comply with the

regulations at the time of the apparent offence. And

hopefully, this may even sway public opinion and help to

restore confidence in the sector.

There is also another reason to take this type of approach.

Going back to the speech this morning from the FSA,

regulators are clearly going to place more and more reliance

on a firms compliance and audit functions to enforce

compliance and where necessary, justify partial or non-

compliance. There is therefore a compelling argument to

manage compliance more dynamically and evidentially in a

centralised fashion.

Ultimately, the Board of Directors and senior management

will be held responsible possibly at a personal level - for

any failures in compliance. It is therefore imperative that

compliance and audit functions, senior managers and

executives have the ability to clearly and easily determine

the state of compliance with all relevant regulations

throughout their institution, identifying any deficiencies and

areas of concern for appropriate action.

Ensuring full compliance with every applicable prudential

and non-prudential regulation is obviously an impossible

task given the dynamics of any financial institution and the

resources available to compliance and audit functions who,

historically, have suffered from a lack of investment. The

answer may therefore be to assess regulations not only in

terms of the impact on the bottom line but also in terms of

the regulatory consequences of non-compliance. In other

words, a regulation may be deemed low risk if the institution

believes that the consequences of non-compliance would be

a disapproving look from the regulator whilst non-

compliance with a high risk regulation may prompt a Pillar2 capital levy or drop in share price as a result of

reputational damage. Determining what regulation is low

risk and what is high is obviously subjective. However, the

simple task of determining the appropriate risk may focus

attention on areas of the business previously deemed to be

of little concern from a compliance perspective.

Certainly, it would be inappropriate to focus simply on high

risk regulations for exactly the same reason as focusing on

high risk business areas diverted attention from areas that

subsequently proved to be costly when breaches in

compliance were uncovered. However, combining the two

approaches may assist an institution in avoiding the same

mistakes made by some institutions this year.


5/6

Post event summary


In summary, compliance and audit functions are caught

between a rock and a hard place, having responsibility for

compliance with thousands of regulations but often

restricted as to appropriate resources, on the grounds of

cost. Indeed, it is fair to say that these functions have in the

past been deemed to be a necessary evil, costing an

institution money to run but with no apparent benefit.Unfortunately, it is failures in compliance that are head

lined, not the success of ensuring compliance.

A new approach to compliance

Having examined the past approach to compliance, the

current environment and the proposed New World, what

else can be done to address the problems of compliance,

going forward.

As detailed in many articles recently, and in fact headlined in

City AM just last week, risk, compliance and audit experts

are in high demand as a direct result of the new regulatory

landscape and the challenges it brings. However, I would

suggest that increasing headcount cannot be considered the

sole answer for a number of reasons.

First and foremost, given the lack of investment in

compliance functions in the past and therefore a lack of

appropriate training in compliance and the interpretation of

regulations, it must be questionable as to whether there is a

sufficiently large pool of appropriately experienced

personnel available to meet demand. Certainly, firms that do

not have a large enough budget to recruit these experts are

going to lose out, with possibly severe consequences.

Secondly, even if a firm does recruit additional risk,

compliance and audit experts, are they really going to be

able to ensure compliance with the tens of thousands of

regulations and the interpretation and application of new

regulations and approaches in supervision? Very doubtful.

Clearly, more needs to be done than just increasing

headcount and hoping for the best. The answer may lie in

better utilisation of existing staff by appropriate training

within an enforced culture of compliance throughout the

firm. Perhaps then firms may avoid the reputational and

financial damage suffered as a consequence of non-

compliance with even the simplest of processes, as

discussed earlier. However, it is all very well increasing

headcount and training front-line officers to be more vigilant

in what they do. They also need the right tools to do their

job.

It cannot be denied that many compliance and audit

functions still operate in a very labour intensive environment

with spread sheets and hard copy files of regulations that

are often in different filing cabinets or even different

departments within the bank. As a consequence, one of the

problems many firms face is the easy identification ofapplicable regulations to a particular business area or

authoritative body. Considerable reliance is therefore placed

on the knowledge of individuals as to which regulations are

applicable.

Another major problem is that compliance and audit

information relates to specific exercises and consequently

senior management and executives are unable to appreciate

the overall level of compliance or identify weaknessesthroughout the whole firm, a serious issue given the PRAs

intention to hold senior officers collectively and individually

responsible for non-compliance.

It is therefore essential that compliance functions are armed

with appropriate tools that can assist in addressing these

issues. To address these and other issues, Lombard Risk has

developed a powerful web-based compliance and audit

application - ComplianceASSESSOR - that not only assists

institutions to determine, manage and achieve compliance

with applicable regulations but provides senior

management, audit and compliance functions with

comprehensive reporting and a multi-functional dashboard

that identifies the state of compliance with any and all

regulations at company, division and business unit levels.

To overcome decentralisation of applicable regulations,

ComplianceASSESSOR accommodates an unlimited and

searchable library of multi-jurisdictional prudential and non-

prudential regulatory books applicable to the firms

businesses, including internal regulations. For example, the

FSA Prudential Sourcebooks, European Directives, Sarbanes

Oxley and even the various UK laws applicable to in this

case - the financial sector.

Once loaded and the regulations assessed for applicability, it

then becomes very easy to search and identify all regulations

applicable to a particular subject or business area and the

state of compliance against those regulations.

But the library is not limited to regulations applicable to the

business. Those appertaining to corporate governance may

also be added; in other words, regulations governing the

conduct of Boards of Directors, committees and specific

functions within the institution. There are also two further

categories of book: staff training material; and even

Consultation and Discussion Papers, each category having itsown security access arrangements. Staff training material

may therefore be made available firm-wide whilst

consultation and discussion papers may be restricted to

selective officers or even made available for assessment in

order to determine the degree of current compliance with

potentially new regulatory requirements.

Clearly, it is essential that new and amended regulations are

assessed in a timely manner, especially given the current

climate. ComplianceASSESSOR therefore highlights these for

review and / or possible assessment, thereby avoiding

inadvertent breaches in compliance.

Conversely, a change to a policy or procedure also poses a

threat as the change may inadvertently result in a breach in


6/6

Post event summary


compliance. One of the features of ComplianceASSESSOR is

the ability to map policies, procedures or indeed any

documents to the relevant regulations in order to evidence

compliance with the relevant regulations on the

assumption that policies and procedures are adhered to in

practice. Providing that the institution maintains strict

version control over such documents, any changes to themapping are identified and the relevant regulations

highlighted for review and possible re-assessment.

At the heart of the system is the assessment process where

not only are policies and procedures mapped to the relevant

regulations but action plans may be established to address

deficiencies in compliance, each action plan being

documented where appropriate. The requirement to review

assessments before approval by an independent officer not

only enforces the four eyes requirement but also enables

the application of the three lines of defence adopted by the

larger institutions.

But perhaps the most important feature is the ability to code

the regulations in terms of the consequences of non-

compliance, as mentioned previously. While the concept is

relatively simple, it enables the application to highlight

issues previously over looked by audit and compliance

functions. More importantly, assessments relating to high

risk regulations must not only be approved by an

independent officer but must also be signed off by an

appropriate executive or senior manager who should take

overall responsibility, especially where full compliance is not

possible and partial compliance is accepted. As can be

appreciated, this should prove a useful tool given the PRAs

intended approach to executive responsibility.

This Risk Severity Indicator is also used extensively in the

dashboard to highlight, for example, action plans associated

with the assessment of high risk regulations that exceed

their anticipated completion date or where confidence in

achieving compliance moves to red on a RAG code. As one

would expect, all of this information and much more is

captured and displayed, focusing attention on compliance

issues and enabling senior management to monitor and

manage compliance more efficiently, throughout the

organisation.

As one would expect, all of this information relating to the

assessment of applicable regulations, including all

supporting documentation and reports, is immediately

identifiable and retrieval, saving considerable time and

expense when responding to a query or demand.

Unfortunately, it appears that the frequency of such

requests and demands is most likely to increase in the

months and years ahead.

Finally, ComplianceASSESSOR provides the means of viewing

all regulations, assessments, reviews and approvals, AND all

policies & procedures and even old audit reports within the

organisation on an iPad which must be a first!

In summary compliance functions have a major challenge

ahead but perhaps with additional headcount, a more

instilled compliance culture and of course

ComplianceASSESSOR, life may easier going forward.

Lombard Risk ComplianceASSESSOR

ComplianceASSESSOR is a powerful web-based compliance

and audit application accommodating an unlimited library of

multi-jurisdictional prudential and non-prudential

regulations mapped to internal policies & procedures.

Assessments, action plans, reviews and independent

approval together with dashboards, heat maps, alerts and

reports ensure that appropriate action is taken to

determine, achieve and maintain compliance.

Off the shelf, plug & play facilitates same day set-up, yet can

be tailored to accommodate specific requirements

Ability to load multi-jurisdictional regulations to address cross

border requirements

Searchable, centralised library provides one stop shopping

when seeking applicable regulations

New and amended regulations and amended policies and

procedures identified for review thereby ensuring that new

regulations and changes are not overlooked

Policies & procedures mapped to individual regulations to

evidence compliance and instantly retrievable together

with assessment data in response to regulatory demands and

enquiries

Identified compliance deficiencies addressed through action

plans supported by appropriate documentation

Independent review and approval of assessments enforces

the four-eyes approach to compliance and accommodates

the three lines of defence

Executive sign off required for high risk regulations in terms

of repercussion of non-compliance

Comprehensive dashboard provides an overview at company,

division and business unit level while a heat map identifies

deficiencies in compliance and the degree of impact

Email alerts and reminders ensure the timely processing of

assessments, action plans and approvals Compliance reports

and tailor-made audit reports

against individual assessments produced effortlessly

All actions fully audited and archived to further evidence and

support compliance

View and assess proposed regulations in CP and DP papers to

determine state of compliance and identify deficiencies

Auditors and Compliance officers can view all regulations,

assessments, reviews and approvals, policies & procedures

and even old audit reports even on an iPad!

For more information visitwww.lombardrisk.comand/or

[email protected]
http://www.lombardrisk.com/http://www.lombardrisk.com/mailto:[email protected]:[email protected]:[email protected]:[email protected]://www.lombardrisk.com/

Post-Event Summary BBA Annual Risk Management Conference 2012

Documents

Transcript of Post-Event Summary BBA Annual Risk Management Conference 2012