Compliance Risk Assessment Tim Rooke and Iestyn Evans 23 April 2015

Compliance Risk Assessment Process Overview (static1.squarespace.com/static/559fb5d6e4b0b8eb00f70a64/...)


Page 1

Compliance Risk Assessment

Tim Rooke and Iestyn Evans

23 April 2015

Page 2

Agenda

► What is Compliance Risk Assessment?

► Components of Compliance Risk Assessment

► Context of Jurisdictional / Business Assessment

► Integration with Other Risk Disciplines / Methodologies

► Benefits of Compliance Risk Assessment

► Development and the Future of Compliance Risk Assessment

► Discussion

Page 3

Agenda

► What is Compliance Risk Assessment?

► Construction of Compliance Risk Assessment

► Context of Jurisdictional / Business Assessment

► Integration with Other Risk Disciplines / Methodologies

► Benefits of Compliance Risk Assessment

► Development and the Future of Compliance Risk Assessment

► CRA – Case Study

► Discussion

Page 4

What is Compliance Risk Assessment?

► A Compliance Risk Assessment (CRA) is an essential part of ensuring a robust Compliance programme

► It provides key insights into the risk profile of the firm and a clear picture of the strength of the control environment

► It also enables assessment of Compliance risks arising from business activities and of the strength of the infrastructure in place to mitigate them

► Results of the CRA establish the required areas of focus for the Compliance programme, e.g. for monitoring and testing, and can also drive ongoing enhancement of the Compliance framework overall

► Regulators have demonstrated a clear expectation that a robust CRA can be used as the foundation of the ongoing management and enhancement of Compliance programmes

► There is an expectation that Compliance Leadership are able to articulate their risk profile and key risk areas, with the CRA process providing critical grounding and evidence for reporting accordingly to the CEO and the Board

Page 5

What is Compliance Risk Assessment?

► The CRA is part of a wider Compliance programme, inter-linked with the Annual Plan Framework

Annual cycle shown on the slide: Analyse (Risk Assessment) → Plan (Annual Plan) → Actions (Control Remediations, Training, Policies, Monitoring, Testing, Surveillance) → Report (Management Information) → Subsequent Year’s Risk Assessment

► Annual Plans are primarily based on CRA results; the process should be cyclical

CRA process steps shown on the slide: Compliance Officers conduct CRA → Review with Business Heads → Review by Senior Compliance Management → Finalise results of CRA → Develop Annual Plan

Page 6

Agenda

► What is Compliance Risk Assessment?

► Components of Compliance Risk Assessment

► Context of Jurisdictional / Business Assessment

► Integration with Other Risk Disciplines / Methodologies

► Benefits of Compliance Risk Assessment

► Development and the Future of Compliance Risk Assessment

► CRA – Case Study

► Discussion

Page 7

Components of Compliance Risk Assessment

► The CRA represents Compliance’s assessment of the Compliance and regulatory risks faced by the business

► This process empowers Compliance to honestly and accurately assess the risks that the firm faces while identifying the relative strengths of control factors, and hence the areas of control that require improvement

► Multiple components must be defined to feed into this assessment and measure Compliance risks:

  ► Scope (i.e. business units/desks for inclusion)
  ► Risk assessment themes
  ► Rules inventory (and associated mapping to risks and controls)
  ► Control categories
  ► Process for assessment
  ► Reference data
  ► Technology platform

► A framework should exist to reasonably override some components in certain instances

► The CRA components sit within an overall methodology, ultimately used to compute residual risk:

  ► Quantitative scoring / rating methodology
  ► Qualitative analysis of inherent risk and (relevant) control strength

Page 8

Components of Compliance Risk Assessment

Diagram labels on the slide: Technology Platform; Reference Data; Rules Mapping; Assessment; Quality Assurance Reviews; Scoring; Outputs (Reports, Control Enhancements, Monitoring & Testing Plan)

► Rules Mapping: Regulatory rules and requirements are mapped to the risk areas to support the assessment process

► Reference Data: Reference Data is provided to enable the fact-based assessment of the risks and controls of the business units

► Assessment: Compliance Officers conduct their assessment based on their knowledge of the business and controls while considering the Rules Mapping and Reference Data

► Quality Assurance Reviews: The initial responses are reviewed by Compliance Leadership for consistency and accuracy

► Scoring: Overall business unit results are calculated quantitatively to provide consistent and comparable results across the organisation

► Outputs: The results of the CRA are used to drive ongoing control activities and to identify enhancements to the function

Page 9

Components of Compliance Risk Assessment Example: Business Unit Approach to Risk

There are 4 key concepts that determine the scope and review of a rules and controls mapping exercise:

► Risk Assessment Unit

► Rule & Regulations Inventory

► Themes

► Control Inventory

Risk Assessment Unit

► Identify risk assessment units:

  ► Legal entities
  ► Jurisdictions
  ► Regulators
  ► Products and services
  ► Business unit / division

► Evaluate each assessment unit to confirm key business activities to drive the allocation of relevant rules

Rule & Regulation Inventory

► Evaluate and compare each rule against the business activities for each risk assessment unit to determine which rules apply to the business unit

► Relevant rules should be aligned to Themes. A Rule may apply to more than one Theme

Themes

► A Theme is a collection of similar or complementary regulatory requirements grouped as ‘sub-topics’ so that categories of risk and related controls are reflected consistently throughout the risk assessment framework

Control Inventory

► Controls are mapped to relevant rules and are identified as critical to mitigating inherent business risk and reducing residual risk

► A rule may be mapped to many Controls, and a control may apply to more than one rule

► Key controls include:

  ► Governance
  ► Policies
  ► Monitoring
  ► Training
  ► Testing

Diagram labels on the slide: Legal Entity; Regulator; Jurisdiction; Business Unit / Division; Product/ Service; Rules & Regulations; Themes; Rules Mapped; Control Inventory

Page 10

Components of Compliance Risk Assessment Example: Investment Bank Compliance

Compliance Risk Assessment Process Steps

1 Business Line is the highest level of classification in the business hierarchy

2 Business Types are types of businesses within the business lines

3 A Business Unit is a single risk entity assessed in the Risk Assessment and comprises the different types of business conducted within a Business Type

4 Risk Areas are a collection of similar or complementary areas of compliance risk

5 Each risk area is assessed for the level of Risk inherent to the business unit (5a, Risk Rating) and the strength of the Controls currently in place for that risk area (5b, Control Rating)

6 When Weak Controls are identified, a Control Remediation is provided to detail the remediation action to be taken to enhance the controls

The compliance risk for each business unit and the strength of the controls to mitigate those risks are assessed for each business unit across various thematic areas of risk, which are designed to encompass the population of compliance risks faced by the firm

Example labels on the slide: business hierarchy Fixed Income, Research, Equities, Banking; Derivatives, Convertibles, Delta One, Prime Brokerage, Swaps, Forwards, Futures, ETFs; risk areas Suitability, Market Abuse, Conflicts of Interest, Employee Communications, Financial Crimes, Cross Border, Risk Governance, Books and Records; Risk Rating High Risk / Medium Risk / Low Risk; Control Rating Strong Controls / Medium Controls / Weak Controls; control categories Training, Testing, Policies, Surveillance

Page 11

Components of Compliance Risk Assessment Defining Risks

Defining the risks relevant to each particular business area is the initial task in building a Compliance Risk Assessment. Different data sources can be used to initiate or validate this exercise. Below are examples of the types of risk that would need to be considered when assessing, for example, a Fixed Income trading area

► Off Market Prices: Trades executed at prices which are outside the bid-ask spread available at the time, or which are inconsistent with trades in the market at that time in the relevant size

► Front Running Clients: Trading ahead of (or in parallel with) orders that have been left with the bank to execute, to take advantage of anticipated price movements to either make a profit or avoid a loss

► Best Execution: Trades executed at prices that do not meet the criteria established for best execution when compared to available benchmark prices or a rolling average of benchmark prices

► Wash Trades: Trades executed with no obvious change in beneficial ownership or for no obvious economic benefit, but purely to artificially impact perceived market demand or market liquidity

► Spoofing / Layering: Placing artificial orders that are cancelled without being executed in an attempt to impact the perceived demand or liquidity for an instrument and hence the market price

► Abusive Squeeze: Trades executed to manipulate the price of an instrument with the intention of distorting the price at which others have to deliver, take delivery or defer delivery to meet their obligations

► Front Running the Market: Trading ahead of a market announcement of price-sensitive information, either in the instrument affected or in an associated derivative, to take advantage of anticipated price movements to either make a profit or avoid a loss

► Grey Market Trading: OTC trading of an instrument that is the subject of an IPO before the issue price is launched, which could create a reputational risk of MNPI being used to create a false market

► Non Standard Transactions: Trades that have unusual features that could indicate unauthorised or manipulative behaviour, e.g. excessive AV, restructured trades, historic rate rollovers


Page 13

Context of Jurisdictional / Business Assessment

► Organisations with a global footprint/multi-jurisdictional presence should consider whether to adopt a Global or Regional approach to CRA

► A centralised approach to completion of a Global CRA may pose difficulties; how do you ensure jurisdictional nuances are captured in a standardised approach?

► Regulation specific to each country/jurisdiction covered should be integrated into the CRA, and regional Compliance Officers should be included in the assessment to provide a first-hand, accurate representation of compliance risk in the region

► Firms must decide whether or not to adopt a Global Standard; gold-plating may result in certain jurisdictions being held to a standard higher than that expected by the local regulator, and in a misrepresentative impression of the control environment

► The ultimate Head of Compliance should be given the capacity to override the results of the regional CRA, if required, to ensure a consistent representation of compliance risk and that anomalies/discrepancies are resolved


Page 15

Integration with Other Risk Disciplines / Methodologies

► It is generally considered that the CRA should be integrated with other risk assessment processes where possible, though this has not gained significant traction:

  ► Alignment of results from assessments internally within Compliance (e.g. AML)
  ► Linkage with other assessments conducted by the organisation (e.g. Operational Risk Assessment)

► This makes it possible to create a holistic view of conduct across the firm, at an organisational level but also across functions and the business, driven by reliable MI and providing a real-time view and “temperature check”

► Core principles for risk assessment applied throughout an organisation should provide the foundation for effective risk management:

  ► Consistency of risk definition and appetite
  ► Usage of common standards and practices
  ► Defined roles and responsibilities, with appropriate and targeted resourcing
  ► Stable and supportive risk infrastructure which is transparent for board and governance committees, supporting accountable executive management
  ► Provision of objective assurance, potentially via an Internal Audit function

► The CRA must not remain internal to Compliance; the findings must be shared with the business to help them understand and manage their overall risks. The results are very important, and clear articulation of the risks in a manner usable by all members of the firm is an essential output of the process


Page 17

Benefits of Compliance Risk Assessment

► A robust and comprehensive CRA provides Compliance Leadership with transparency over risks across the business and a view as to the effectiveness of the control environment

► A defined methodology and quantitative/qualitative analysis sits behind the output, moving away from the Compliance Officer’s “gut feeling” as to where the risks lie

► Allows senior management to measure relative risks across different disciplines and businesses

► The Compliance Risk Assessment is generally used to feed the Compliance programme of work and determines the focus and intensity of monitoring and testing activity. Visibility over Compliance Risks arising from business activities enables targeted testing and increases efficiencies

► Increased rigour in Compliance reporting to Senior Management/ Board and Business/ Desk Heads, and increased credibility

► Increased confidence when reporting to regulators/ discharge of CF10/11 function

► Provides weight to requests for increased funding to remediate control deficiencies identified, e.g. surveillance model enhancements, additional resourcing/headcount

► Forward-looking and dynamic; changes as risks mature or as controls are developed


Page 19

Development and the Future of Compliance Risk Assessment

► Increased automation of CRA processes, e.g. rules mapping update functionality

► The forthcoming PRA Senior Managers and Certification Regime¹ will require individuals designated as Senior Managers to attest that they have taken “reasonable steps” to ensure that the business of the firm that they are responsible for is controlled effectively:

  ► “Reasonable steps” will involve a determination as to the data sets that could be relied upon to demonstrate effective control

► A robust CRA is a tool that Senior Managers could rely upon to provide greater control

► Will enhancements to the CRA be required for Senior Managers to be comfortable with reliance on its output, especially given personal accountability?

► A key objective of the FCA is effective conduct risk management. First line management of conduct risk should be challenged and tested by the second line:

  ► Conduct Risk Assessment, incidents and metrics should drive the Compliance Risk Assessment and the firm testing plan

► The Compliance Risk Assessment should be dynamic enough to change in response to lessons-learnt programmes or to internal Conduct Risk events / incidents as they happen

¹ CP 13/14 Strengthening accountability in banking: a new regulatory framework for individuals.


Page 21

CRA – Case Study

Rules & Controls Mapping

Example scoring table from the slide (IR = inherent risk, C = control strength, RR = residual risk; H/M/L = High/Medium/Low):

             Theme 1     Theme 2     Theme 3     Overall
             IR   C      IR   C      IR   C      RR
FX           H    MC     H    CG     M    MC     M
Commod       M    SC     L    MC     H    MC     L
Equities     H    CG     M    MC     M    MC     M
Derivatives  L    SC     M    SC     H    CG     M
Research     M    MC     L    SC     M    CG     H

Organisation labels on the slide: BANK A (Corporate, IB, Wealth); Retail (Mortgages, Cards, Accounts); CIB (Corp, IB, Wealth; IBD, Markets, Research)

Case study timeline as laid out on the slide:

2012: Themes – Financial Crime, Banking Activities, Market Abuse, Sales Practices, Conflicts of Interest, Employee Communications, Information Barriers, Regulatory Reporting, Cross Border. Controls – Procedures, Training, Policy

2013: Themes – Financial Crime, Banking Activities, Market Abuse, Sales Practices, Suitability & Appropriateness, Conflicts of Interest, Employee Activities, Employee Communications, Information Barriers, Regulatory Reporting, Books & Records, Operational Processes, Cross Border, Data Protection, Marketing & Research, Governance & Supervision. Targeted Reference Data; Dedicated Technology Platform

2014: Reporting Capability


Page 23

Discussion

► Is full integration of the CRA with other risk assessment methodologies across the business optimal?

► How can firms build in their Conduct Risk Assessment, and associated outputs, effectively?

► What is the senior management appetite for enhancement of the CRA processes? Has there been specific regulatory scrutiny for your organisation?

► Have firms considered the CRA in relation to developing a Conduct Risk Assessment process?

► Is a Global or Regional approach to risk assessment favourable? How do you ensure jurisdictional nuance is captured in a standardised approach?

► How readily available is the required data in your organisation? Issues encountered?

► What are the different approaches taken to calculating residual risk?

► How do you ensure the inputs to the CRA remain accurate? e.g. rules mapping feeding risk categories

► How widely used and valuable are technological solutions offered by external providers? e.g. MetricStream, Thomson Reuters Regulatory Rule Mapping (RRM) tool