Non-Financial Risk Controls Efficiency – Doing the Right Things Right



Context
The 2008 financial crisis significantly increased the focus on Non-Financial Risk (NFR) for financial services firms. This resulted in increased investment and activity across operational risk, compliance, conduct, and control frameworks. As a result, Risk functions have grown their headcounts, created new policies, systems and frameworks, and implemented additional tooling to manage NFR. This rapid and sometimes duplicative expansion has created layers of complexity and cost that firms continue to struggle with. In this blog we discuss the common challenges and potential solutions for Financial Services firms targeting Non-Financial Risk Control Efficiency.
Common Control Framework Challenges
New and evolving risk types and increased regulatory pressure have led to duplication and complexity within the NFR Control Framework, compounded by siloed risk management. As a result, many firms struggle to attain an end-to-end view of their control environment, making the job of identifying and eliminating inefficiency from control activities across the enterprise more challenging.
Potential Solutions
An efficient control framework should reduce the operating cost of conducting controls in the first, second, and third lines. There are several levers firms can pull to achieve this, depending on their circumstances and NFR maturity.
Integrated Risk and Controls Framework
Although addressed by many firms in recent years, it is worth noting that the use of different taxonomies across business functions and territories with overlapping types of risk and controls creates inconsistency, duplication, and inefficiency. Consolidation into a single taxonomy with common definitions and understanding can enable significant reduction in the number of risk types and related controls and enable cross-functional synergies in control best practices to drive efficiency gains.
Rationalise and Simplify Procedures
For many Banks, policies and procedures have become numerous and complex. Policies and related procedures should be structured to focus attention on the areas of highest risk while removing redundant requirements and unnecessary red tape.
Ensuring procedures are clear, accurate and simple, and articulating detailed activities where necessary, can assist organisations in later moves to automate processes and controls. For example, firms trying to develop Policy as Code for their IT and Engineering controls are increasingly rewriting control requirements to facilitate potential codification/automation.
Focus on Process
There is growing interest across financial services firms to develop a process-based view of risks and controls to enable identification of redundant or repetitive control activities and opportunities for greater efficiency. This development has been largely driven by regulatory requirements for a central view on key controls for a specific business or process.
A key challenge to achieving this is a lack of consistent data sources. Risk and control data is typically housed separately to process data. Integrating these data sources and creating the relationships between them is a significant challenge firms must overcome to reap benefits. In a world of multi-channel sales, support, and services, it’s also difficult to maintain accurate process data for even seemingly straightforward processes like account opening and product setup.
Focus on Prevention
A shift from reactive to preventative controls and a move to preventing risks at their source can lead to tangible efficiency gains. For example, moving controls further upstream in the process, such as by ensuring data is obtained from a trusted source rather than relying on a data quality check at a later point, removes the need for costly reconciliation and remediation. Because this shift requires proximity to the process, the first line is often best placed to own and deploy these preventative controls and mitigate risks early, especially when clear process owners can be assigned.
Measure and Reward Efficiency
The first line is accountable for managing its risks and controls and it should also be responsible for doing this as efficiently as possible. NFR objectives are often embedded into the first line through balanced scorecards and linked to key risk indicators (KRIs) and key control indicators (KCIs) with clear thresholds which drive behaviors that positively impact risk mitigation. Balanced scorecards can be evolved to include metrics that monitor control efficiency and innovation to encourage the first line to improve control efficiency on an ongoing basis, for example, by tracking the rate of innovation and experimentation against a control and related efficiency gains.
Automate
Automation opportunities should be considered across control operation, monitoring and testing. Although they require initial investment, automated controls have been shown to reduce the burden on the first line, are less prone to error and will ultimately reduce costs. Control Functions should partner with peers in Technology and Data to achieve control automation and leverage advanced data analytics. As mentioned previously, efficiency KPIs can be developed to encourage ongoing control innovation and efficiency.
Optimise Resourcing
Centralising control resources, or at least visibility of those resources and their activity, can enable the organisation to reassess and optimise its resourcing model. Ultimately, a successful location and workforce strategy can significantly reduce staff costs by pushing work closer to the end-user, aggregating work to gain economies of scale or redesigning roles to remove waste and enhance value-added steps.
Firms' Starting Point
The activities required to pursue control efficiencies will depend on the firm’s starting position and its specific circumstances.
Closing Remarks
BCS, part of Accenture, helps clients on their journey to optimise their control functions with expertise across several key areas including:
- Control Function Target Operating Model Design and Implementation, including offshoring
- Consolidating Control Libraries to reduce duplication and align to industry standards
- Developing Control Libraries for automation opportunities
- Defining KCIs from data sourcing to design, implementation and dashboarding
- Identifying opportunities to leverage technology and analytics, from RPA to AI solutions to support testing, monitoring, and reporting
For more information about our non-financial risk and control advisory services please contact Joseph O’ Donoghue and Laura Davies.