Financial institutions across the globe today are faced with perhaps an unprecedented multitude of regulatory-mandated compliance requirements, as evidenced by responses to the inaugural compliance survey conducted by Operational Risk magazine and Protiviti. As regulation increasingly focuses on risks outside of credit and market risk, compliance is becoming more of an organisation-wide issue.
Organisations are responding by implementing critical compliance initiatives that require significant investments in infrastructure, human resources and technology. We believe a significant opportunity exists in implementing an integrated approach that addresses multiple compliance initiatives by incorporating them as part of a broader operational risk management programme. Tackling compliance challenges holistically should ultimately optimise speed to benefits, leveraging each dollar and hour invested across initiatives versus a siloed approach that creates redundancy of effort.
In the First Annual Compliance Survey, we found that organisations globally – regardless of size – are focused on a common set of major compliance initiatives that target different yet overlapping areas of the firm. The most frequently cited initiatives were: capital regulation such as Basel II, changes in international accounting regulations such as the proposed IAS 39, and corporate governance and financial disclosure regulations such as the Sarbanes-Oxley Act (see figure 1).
When asked to identify corporate governance initiatives that their firms currently have in place, 80% of respondents identified four or more such initiatives in progress, and 12% identified 10 or more initiatives underway.
The initiatives are far reaching, and they go to the core of how financial institutions operationally manage their businesses, ranging from how capital is allocated across various risk types, to how an institution controls and ultimately reports its financial results.
However, at their core, current compliance activities require firms to identify, measure and monitor risk, along with the controls that mitigate such risks, creating an opportunity for an integrated approach to defining and managing compliance risks.
Greater investment in compliance
Not surprisingly, respondents noted that this unprecedented increase in compliance activity has led to significant increases in corporate investment. More than half of respondents indicated non-technology related compliance costs have increased by 10% or more over the past two years. When questioned specifically on compliance expenditures related to technology investments over the past two years, 48% of respondents saw an increase of 10% or more. And more than 75% of those specific respondents expect their firm's technology costs to continue to increase by 10% or more in 2005. Clearly, technology is being looked to as a means for enabling compliance, especially given the cross-jurisdiction needs of the various regulatory bodies. Approximately 70% of those surveyed noted that achieving compliance in multiple jurisdictions required making a moderate-to-significant resource investment.
Benefits of an integrated management framework
With firms making significant investments to meet compliance requirements, it is imperative that financial institutions receive benefits beyond mere compliance. "Initiatives such as Basel II and Sarbanes-Oxley focus more on enhancing risk management and improving controls, which should ultimately improve the bottom line through reduced operating losses and lower earnings volatility. These results further strengthen the business case for investing in risk-based compliance initiatives," says Randy Marshall, managing director and leader of Protiviti's Financial Risk practice.
As noted earlier, technology is being looked to as a key component in achieving compliance with current regulatory initiatives. We believe an integrated technology platform that supports multiple compliance initiatives best enables financial institutions to move efficiently towards risk-based compliance. Such a tool is being sought in the marketplace, as over 60% of survey respondents stated their financial institutions would find an integrated system solution of Basel II operational risk AMA and other compliance requirements desirable.
However, technology alone is not a sufficient solution. If organisations merely automate poorly designed processes, they will only add to the cost of compliance and minimise benefits received. An integrated operational risk management framework leverages the power of risk-based compliance solutions and provides the needed foundation on which to leverage technology. Such a framework includes:
• well-defined and fully engaged governance committees,
• common risk language,
• common process definitions and view of the institution's organisational structure,
• clear ownership of risk,
• well-articulated key risk indicators for tracking compliance exposures, and
• an integrated reporting structure that elevates and prioritises compliance vulnerabilities in a timely and consistent fashion.
"Financial institutions that pursue integrated solutions to meet their compliance needs not only protect shareholder value, but can also enhance shareholder value," notes Marshall. An integrated management framework allows firms to meet multiple overlapping compliance requirements and, according to Marshall, "with integration, these organisations have the opportunity to properly align institutional accountability and transparency, derive holistic and meaningful information for management's decision-making, and achieve optimised and sustainable business processes."
Findings from the survey underscore how pervasive the overlaps are among compliance initiatives (see figure 2). When asked to select compliance initiatives that overlapped the information requirements, methodology, and/or processes used to support operational risk management under Basel II, nearly 60% of respondents were able to identify at least two of the selected compliance initiatives as overlapping Basel. And, one in five respondents were able to identify five initiatives as overlapping their Basel operational risk compliance efforts. Not surprisingly, over 60% of respondents expressed concern about potential conflicts in reporting and disclosure between Basel II requirements and international accounting standards.
Globally, firms are managing a number of overlapping compliance initiatives that are integral to their ability to manage risk exposure. While financial institutions today are required to comply with these regulatory requirements, we believe integration of these initiatives provides an effective way to achieve and maintain compliance while at the same time providing maximum benefits to the organisation.
Financial institutions face a critical choice: they can approach future investments in compliance initiatives merely as a means to comply with regulatory directives, or they can use these investments as an opportunity to strengthen and unify their risk culture and align risk-based practices to protect and enhance shareholder value. We believe the most successful firms worldwide will focus on realising the value inherent in an integrated approach.
Protiviti co-sponsored this inaugural study with Operational Risk magazine to survey compliance professionals and interested parties worldwide to better assess how organisations are managing the multitude of risk-based compliance challenges that institutions currently face. Respondents represent financial services organisations of all sizes and from regions across the globe, with the majority of responses from individuals based in the European Union, North America and Asia.
If you would like to receive a copy of the survey results, please send an email to the authors, care of [email protected]
Protiviti (www.Protiviti.com) is a leading provider of independent internal audit and business and technology risk consulting services. Protiviti helps clients identify, assess and manage operational and technology-related risks encountered in their industries, and assists in the implementation of the processes and controls to enable their continued monitoring.
Protiviti, which has more than 35 offices in North America, Europe, Asia and Australia, is a wholly owned subsidiary of Robert Half International Inc (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.
Angela Isaac, director and practice leader, Basel II services
Douglas Stalker, consultant
E-Mail: [email protected]