The growing maturity of op risk and compliance

No-one could ever accuse operational risk or compliance executives of having too little to worry about. From Basel II to anti-money laundering to the looming Markets in Financial Instruments Directive, the list of challenges continues to grow. But while the responsibilities continue to pile up, spending on initiatives to deal with them remains under a tight budget – pointing, perhaps, to a growing lack of awareness about just how much it will cost to respond to these new challenges.

But the fields of op risk and compliance are also ‘growing up’. More and more firms consider effective op risk and compliance to be a strategy to help them improve their bottom line, and not something done just to please the regulators.

These are some of the conclusions of our most recent global compliance survey conducted in September and October of this year, in conjunction with Lawlex, the op risk technology and consulting firm. The survey drew respondents from financial firms around the globe. Some 43% came from Europe; 23% came from North America; and 22% came from the Asia-Pacific region. Considered institutionally, 16% came from commercial banks, 14% from retail banks, 7% from investment banks and 12% from integrated financial services firms, at the group level.

Our survey results revealed that compliance and op risk were, for the vast majority, two separate departments, controlled by different individuals. Op risk was, however, less likely to have a separate head. While 63% reported that their firm had a head of compliance, only 33% said they had a head of op risk – a result that reflects the relative immaturity of op risk as a field, compared with compliance. Op risk is still being folded under the responsibilities of the head of risk management or chief risk officer, according to 41% of respondents.

Our survey also revealed a deep split between those firms that had firmly embarked on an op risk and compliance strategy and those still starting the process.

Nearly half of those surveyed revealed they either hadn’t started the process, or they were still in the early stages of identifying risks and controls. Some 7% said they hadn’t yet started implementing a strategy, while 21% said they had identified or were identifying risks, and another 21% said they had identified controls or were doing so.

Meanwhile, the other half of our respondents said they had already started implementing their strategy. Indeed, some were in the later stages of monitoring the controls they had in place. Some 32% reported they had either implemented or were implementing technology to accomplish their op risk and compliance strategy, while 18% said they had gone a step further and were doing performance monitoring of their controls.

Survey participants revealed that new initiatives were supplanting old ones as their top concerns. While last year’s survey showed that Basel II op risk and Basel II credit risk were highest on the list of important initiatives, these two have been replaced by concerns over more mundane, detailed rules. Audit and accounting rule scored 74% in importance, while corporate governance regulations ranked 72%. Anti-money laundering regulations were another important area, scoring 70% in importance, while data protection rules and legislation also scored 70%.

Ann Wootton, general manager of Lawlex, says anti-money laundering may have moved up in concern because of growing concerns over terrorism and the funding of it. "The recent wave of terrorist attacks have made people more sensitive to anti-money laundering," she notes.

This doesn’t mean, however, that compliance executives are unconcerned about Basel II. Basel II op risk scored 61% in importance and Basel II credit risk ranked 60%. Wootton speculated, however, that many firms may have already dealt with Basel II and were simply moving on to the next initiative. Indeed, 63% reported they had already implemented or were implementing technology to take care of Basel II credit risk, while 74% said they had done the same for Basel II op risk.

Op risk and compliance executives, the survey showed, were least concerned with complex structured product rules, the US Patriot Act and the Markets in Financial Instruments Directive (MiFID). The lack in interest of the US Patriot Act may simply reflect the geographical make-up of the survey, as only 12% hailed from the US.

MiFID, meanwhile, may not appear high on the list of priorities as the fine points of the EU directive are still being hashed out and the deadline for firms to comply is April 2007. Some 66% revealed they had no intention of implementing a technology-based solution to MiFID in the next 18 months. Moreover, according to Gary Wright, managing director of City Compass, the consulting firm, the monumental changes proposed by MiFID are so overwhelming that many companies have not yet figured out how to react to them.

But despite the variety of ongoing projects and new initiatives to incorporate into their op risk and compliance strategy, spending remains low. In the past 18 months, the bulk of those surveyed spent in the price range of $1-250,000 in consulting, technology, change management, auditing and training.

In consulting, for example, 42% spent between $1 and $250,000, while in the very next price band of $250,000–500,000, only 10% reported spending this amount. The story was the same in other areas, with the majority of the spending falling between $1 and $250,000. In technology, 37% reported spending between $1 and $250,000; 33% spent between this amount in change management, 44% spent this sum on auditing and 53% spent this on training.

Survey respondents were also not entirely thrilled with the effectiveness and the return on investment of these various activities in helping them achieve better compliance and reducing op risk. Indeed, all the areas – consulting, technology, change management, auditing and training – received average marks.

Only 35% ranked consulting as very effective or above average, while 38% ranked it as average, and 26% found it below average or not at all effective. Technology and change management were seen as even less effective. Only 25% said that technology was very effective or above average, and an even smaller 20% found change management to be very effective or above average. Only training seemed to pay off for survey participants. Some 38% found training very effective or above average, while 30% found it average, and 16% found it below average or not at all effective.

Wootton cautioned, however, that with many firms still in the "throes of implementation", it might be too early for them to determine their return on investment. Still, despite the average marks, firms are planning to increase spending in the next 18 months. Some 66% plan to spend between $1 and $1 million in consulting, up from 58% spending that amount in the past 18 months. Technology will also see an increase in spending. Some 68% plan to spend between $1 and $1 million, up from 56% who said they had spent that in the past year and a half.

Training, auditing and change management will also see an increase in spending. Indeed, training will get the majority of the money. Some 77% of those surveyed said they would spend between $1 and $1 million, up from 66% in the past 18 months.

But, again, respondents signalled that spending would be kept under tight control, with the bulk of future spending being budgeted in the $1–250,000 price band. Some 49% reported they would spend this sum in consulting, 42% in technology, 33% in change management, 47% in auditing and 60% in training.

Scott Gracyalny, managing director of Protiviti, notes that the low spending could be "due to the fact that the op risk and compliance tools market is in a state of flux". He says: "It is possible that many are taking a ‘wait-and-see’ approach before committing to larger spends". He adds: "There may also be an assumption that as more players enter the op risk management tools market, the increased competition will have the effect of driving licensing costs down."

Cory Gunderson, also managing director of Protiviti, adds that for some op risk and compliance projects a budget of $250,000–500,000 is entirely reasonable, especially as the price points for some software are "not on par" with enterprise-wide op risk solutions.

Still, the low budgets seem at odds with the ambitions of those surveyed. For example, 53% said they were planning to implement technology to deal with Basel II op risk, while 42% said they would do the same for Basel II credit risk. Meanwhile, 40% said they were planning on putting technology in place to deal with corporate disclosure and accounting rules, and another 37% reported plans to implement technology for a COSO enterprise-wide risk management framework.

Gunderson also reasons that firms may simply not know the price tag of a project. Gunderson says: "Many times in the early stages of embarking on a project firms can underestimate how much things will cost."

Gracyalny adds that respondents may not have figured on both the fees for the software and the fees for implementing it. He says: "I wonder if the question infers ‘licence’ fees only, or if it is reasonable to assume that implementation fees are included. We would expect implementation fees to be up to twice the cost of the software."

So where do op risk and compliance managers expect the greatest hurdles in the next 18 months? Entrenching a compliance culture within their company came in as the biggest challenge, with 60% of those surveyed listing it as their top concern. The educating of staff – which goes hand in hand with building a compliance culture – came in third, with 56% of respondents finding it very difficult. Respondents also anticipated it would be hard "effectively monitoring the control environment". This response came in second at 57%, just 1 percentage point above educating staff. Meanwhile, the cost of compliance was not far behind the top three most difficult obstacles, with 54% reporting it as very difficult.

Gunderson took these results as a sign that op risk has become more than just ticking boxes. As he notes, for op risk and compliance to be "sustainable and repeatable", employees have to "buy in" to the programme. "If people decide not to follow or even circumvent controls, no technology, no matter how good, will matter. Compliance isn’t just about filling our forms. It’s a behavioural shift that has to happen."

Wootton adds that one way to help incorporate op risk management and compliance at a firm is to ensure that an incentive programme is put into place. This, she says, could be monetary compensation, gift-based compensation or even as a way to measure up for the next promotion. So far, only 36% of firms surveyed had such a programme in place.

Meanwhile, the field of op risk and compliance appears to be maturing, especially in light of what respondents considered motivated them. When asked to rate the business outcomes and benefits that influenced them to roll out their op risk or compliance programme, those surveyed voted reducing their reputational and regulatory risk potential (76%) and improved internal controls as their top influences (76%). More efficient business processes also garnered a high ranking at 67% and improved internal reporting came in at 65%. The least popular answer shows just how much firms have begun to see op risk and compliance as helping improve their business, rather than being an expensive necessity dictated to them by regulators. Only 28% identified this as their major motivator. That and "reduced or rationalised insurance costs" (26%) were the two least important influences.

Meanwhile, those surveyed weren’t above patting themselves on the back for their efforts so far. While respondents recognised that op risk and compliance were fraught with challenges, the vast majority thought they were making excellent progress. Indeed, when asked to rate their firm’s level of assurance, 73% reported that they were "mostly compliant". Another 14% reported that they were "completely compliant". A mere 10% thought they were "barely compliant" and only 4% thought they were "not compliant". OpRisk