By Helen Pykhova, Director, The OpRisk Company, and Meredith Gibson, Head of Legal Risk, Santander UK.
The reader will agree that we live in the age of regulation. There is an enormous amount of change coming out of the new legislative and regulatory publications and the sheer number, scale and complexity of the initiatives due for implementation in 2016 and 2017 represent the single largest risk to the financial services industry.
But are we managing change effectively? Or do institutions lack a structured approach to this tsunami of change, addressing each initiative as a project in its own right?
Change management is one of the 11 key principles mandated by the Basel Committee for the sound management of operational risk, requiring “senior management to ensure that there is an approval process that fully assesses operational risk for all new products, activities, processes and systems”.
The recent review of how 60 systemically important banks in 20 jurisdictions have implemented the 11 principles highlighted that, overall, we haven’t yet mastered the operational risk management side of change, as it had one of the lower average ratings.
In particular, the review found:
- Risk and control assessments for change were implemented only by two thirds of respondents
- Absence of a holistic definition of ‘change’ led to the governance framework not covering all types of change
- Decentralised management of change with processes not completely aligned
- Operational risk taxonomy was not consistently applied to various changes
- ‘Second Line of defence’ roles and responsibilities were inadequately structured
- Lack of monitoring of risks following the approval of the initiative
- Absence of formal post-implementation reviews
Management of operational risk in regulatory change initiatives
As the majority of change is driven by regulation, let’s focus on the challenges of implementing effective operational risk management practices around regulatory change, in particular, conducting a risk and control assessment (frequently called operational risk assessment or ‘ORA’) of regulatory initiatives. The purpose of the assessment is to understand how the initiative affects the existing operational risk profile of the firm. Does it increase any existing risks? Will it introduce new risks?
To address the points highlighted in the review, it is important to have:
- A definition of a ‘significant change initiative’ to adequately capture what falls into the change governance framework and warrants an ORA. This can be expressed using a set of parameters, including, for example, duration, budget and impact (financial, regulatory, client, etc.)
- Governance and oversight of ‘significant change initiatives’, ideally by a central function (commonly, Central Change or Project Office), to ensure completeness and consistency in handling the initiatives
- Defined roles and responsibilities, including who conducts the assessment; the recommended approach is for the business (first line of defence) to conduct it, with the group/central operational risk department reviewing and approving
Below are some of the common challenges arising when conducting an ORA for regulatory change initiatives.
Timing of the assessment
It is difficult to get the timing right. The assessment is likely to be made at an early stage of the project when a full consideration of the complexity of the relationship with BAU processes and interdependencies is not yet possible. Frequently, the final text of the directive or regulation has not yet been published which means that only the direction of travel is known and not the myriad of details – and, as we all know, the devil is in the detail!
The inability to fully understand and reflect upon the text and its interdependencies with other initiatives must inevitably lead to an imperfect view of the panoply of risks inherent in each initiative.
To address this, some firms conduct assessments at two stages – an initial assessment at the start of the initiative and an amended, more detailed, assessment prior to going live.
Project versus horizontal view
Some financial institutions have started experimenting with a transversal approach to regulatory change, using themes, rather than individual projects, to cope with the tsunami. Each new regulatory initiative is analysed and broken into its component parts. Each part is given to the team specialising in that particular theme. Accordingly, the client classification problems in MiFID II, for example, will be slotted into the general approach to client onboarding and classification/preservation of client data.
This thematic approach permits a more flexible and agile treatment of regulatory requirements. It assumes that each theme will evolve over time as various initiatives manifest. It is questionable, however, whether risks identified in each initiative are treated holistically, and whether the risks are assigned to the right ‘owner’ who is best placed to understand and mitigate them.
One of the possible solutions is for the ‘risk owner’ to formally accept residual risks of the initiative prior to the project ‘go live’, thereby acknowledging that these risks will now be managed on a BAU basis, as part of the overall portfolio of risks.
An ORA usually employs the firm’s operational risk taxonomy to classify the risks. As the review discussed above discovered, the taxonomy may not be employed consistently. The efficacy of the assessment is reliant on the ability of the taxonomy to accurately capture the full range of risks the firm faces. Generally speaking, the specific risks inherent in regulatory change are not addressed in firms’ taxonomies. One example is the risk that a firm develops and builds an IT system based on draft text which then changes in final form. The obvious response is to say that a firm should wait until the text is in final form before developing its systems. Unfortunately, the timing of many regulations (which become immediately effective in all Member States on the date of publication in the Official Journal) is such that the gap between the date of the final text and the go live date is insufficient to design, build and test a system. Capturing this kind of uncertainty would require a new category in the taxonomy.
Another example is the conflict in requirements between one piece of legislation and another. This is frequently the case with requirements to report various data items to the regulator (sometimes using a third party) under one initiative and the imperatives of data privacy. As it is not possible to comply with both sets of requirements simultaneously, firms have to decide how best to mitigate the reputational risk and the risk of regulatory fines for non-compliance. Again the taxonomy would need to encompass these kinds of risk specifically.
At the time when the Basel Committee was writing its ‘Principles for the sound management of operational risk’, it almost certainly did not have our current intensive regulatory change environment in mind. The Principles are, nevertheless, valid, and an operational risk assessment of change initiatives, including regulatory change initiatives, must be undertaken, despite the challenges. Firms should consider how best to modify current risk assessment processes and practices. This may entail the creation of new categories in firms’ risk taxonomies, the revision of the timing of the assessment (or possibly revisiting the original assessment later in the project cycle) and consideration of project versus horizontal view, to ensure the risks inherent in regulatory change are evaluated and managed. Post-implementation reviews conducted in 2016 and 2017 on implemented regulatory initiatives will establish whether we have succeeded.