One may argue that risk and compliance isn’t simple, but rather both complex and complicated.
In today’s environment, when so many things are up in the air and unpredictable, simplification is key to success in execution.
Over the years, I have read various studies claiming that people tend to overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur.
We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future. We often compound this problem with a confirmation bias, which drives us to favour information that supports our positions (successes) and suppress information that contradicts them (failures).
We typically manage our regulatory compliance using a long list of obligations from a plethora of regulations that is difficult to associate with an organisation’s systems and processes. Any adjustment to existing systems, processes or regulations causes a tectonic shift that then takes a massive effort to coordinate and manage.
One of the most prominent messages over the last couple of years since the Banking Royal Commission is the need for a risk-based approach to regulatory compliance. This means identifying and assessing any risks associated with non-compliance with obligations, i.e. the importance of the compliance obligations that have been breached, conduct in the context of the breach and following the breach, and the impact of the breach. Managing events and aligning them to compliance, legal and regulatory risks is vital to having the right conversations at executive and board levels.
Whilst a compliance-based risk approach is effective for preventable risks, strategic and external risks need a different approach. Strategic risk taking is desirable for the organisation's growth, and external risk management requires detailed senior executive conversations. Having said that, all three categories are known risks, meaning that we already know of, or have experienced, a great deal of the risks we manage, along with standard controls that can be used to mitigate them.
Using standardised risks and controls gets the ball rolling faster and more efficiently. This reduces the effort that goes into interpretation, effective communication, systems integration and related skill building, along with reducing bias. This leaves us with sufficient headspace to manage the unknown unknowns when they arise.
Use automation to keep abreast of regulatory changes and keep informed of events around the world. In the past, most risks were not identified, let alone managed and mitigated, as the awareness associated with consequences and practical application is almost always missing.
In today’s social media age, risk information is available at your fingertips to easily digest and transform risk and compliance culture. Also, automated linkage of responsibilities to regulations, internal control frameworks and further into operational systems carries the promise of enabling faster response times with much less effort for every regulatory change.
An integrated view of risks, policies, procedures, regulations and the controls framework, through to responsibilities and accountabilities, is needed to prepare for the Financial Accountability Regime (FAR). Further, new age automation technologies are largely AI-driven and heavily reliant on accurate data. For example, anti-money laundering as well as transaction processing are both done post-facto.
Instead, a proactive approach allows real-time client alerting on payments, providing the ability to question in-flight transactions. Data collection has traditionally been an afterthought. Instead, the use of automation to match data to key risk indicators and risk appetites will enable timely and simpler decision making.
Implementing a "standardised risks" risk-based approach to regulatory compliance, automation and data harvesting will significantly help manage the challenge of balancing budgets in the wake of ever-increasing compliance costs and dealing with the high volume of regulatory change expected in 2021, thereby making all things risk and compliance simpler, easier and quicker.
2021 will be the year of risk & compliance - there is no better time to start!