When the Numbers Are No Longer Enough: Demonstrable Governance
- Brian Gregory, vice president of non-financial risk/GRC at Wolters Kluwer
- 16.10.2017 03:00 pm undisclosed
The increased number of rules and regulations issued by both domestic and international regulators has become overwhelming. Many financial services firms have solved for this by implementing one or more technology platforms to allow for an organized and deliberate method to meet the requirements. But is this IT solution enough? Here Brian Gregory, vice president of non-financial risk/GRC for Wolters Kluwer in London, examines the importance for banks to quickly demonstrate to regulatory bodies that they have strong, effective governance.
In 2016, Wolters Kluwer processed over 12,000 change items for the UK and EU alone. It’s an incredible figure but won’t come as a surprise to many in financial services compliance, risk and related IT departments. Many firms have solved the upswing in both the sheer number and nuances of regulations by implementing one or more platforms to allow for an organized and deliberate method to meet the requirements.
And while this has certainly created a more streamlined approach to reporting, it is by no means enough, because, as we’ve seen, in an effort to resolve the two most widely acknowledged failures leading to the financial crisis – governance and accountability – responsibility has more and more been placed at an individual level. This is several steps above the historical imperative of providing quantitative compliance reports to prove requirements are met.
The Importance of a Defined Regulatory Change Management Program
To be able to display mastery over submitted data and the interpretations used in this onslaught of regulatory change requires more than the amalgam of disparate processes and systems. It also requires that regulatory changes are captured and managed, that their impact on areas of the business and reporting requirements are understood and documented and that interpretations of regulations that directly affect submitted data are captured and governed properly. Only then can a responsible party raise their hand to their regulators to explain how and why data value x appeared in line 100.
To be able to display mastery over submitted data and the interpretations used in this onslaught of regulatory change requires more than the amalgam of disparate processes and systems.
Every financial services organization needs a defined regulatory change management process—to assimilate the intake of relevant information, track accountability on who needs to perform what actions, model the potential impact on the organization, establish priorities, and determine if the organization’s policies, procedures, and controls need to be adjusted to address the change.
Not only do firms have to define, record and maintain their interpretations of each of their legal entities for each of the data points in each of their regulatory report submissions, they must also track changes, refinements and analysis on each of these data points in an efficient manner while exposing themselves to minimal risk and maintaining demonstrable governance over each change item.
As global financial business becomes more complex and compliance failures have continued to plague the industry, the governing bodies are now requiring assurance that both the quality and qualitative nature of what firms are reporting are beyond reproach.
Once the body of regulations applicable to a business have been identified, a regulatory monitoring program has been established, and an actionable program has been implemented, regulators still require evidence that every business unit is actively complying with current and emerging regulatory obligations.
Without knowing which regulations apply to a business and which controls (policies, training, surveillance, and IT systems) ensure compliance with these regulatory obligations, it is simply impossible to accomplish this.
Although technology and vendor choices have become leaps and bounds more sophisticated in the intervening years since 2008, firms can no longer delegate assurance to a 3rd party—regulators expect to be shown the logic of interpretation and judgment behind the numbers, supported by a full audit trail and approval from senior management and the Board.
Creating your Compliance Story
It is, of course, no longer seen as viable to simply submit ‘what you believe to be’ the correct numbers to a data foundation layer to allow those numbers then to be pushed through to your reports. On submission of the reports each institution must understand what each of the regulations are, how the firm has interpreted them, and how these link together to inform the numbers used in the reports. But how do organizations exhibit governance? How do they show that they are ‘on top of’ the regulation and their interpretations?
By treating compliance holistically as a program rather than as individual projects, organizations can reap savings from more efficient governance and processes, decreased testing and documentation costs, and reduced capital allocations through the rationalization of infrastructure that supports regulated activities.
Content acquisition should not be a dominant player in your time allocation. Systematizing your process allows you to concentrate on the pieces that matter, creating action plans, managing tasks and generating management reports. And more details on this can be found in our new whitepaper on the subject, available on the WoltersKluwerFS.com website.
While the cadence of change is not predictable, the steps firms can take to ensure compliance have become slightly more so. So many have graduated from the unmanageable process of tracking changes manually via spreadsheets and other homegrown systems. As more sophisticated technology takes root at firms, the story behind the numbers will be easier to tell as less time will be spent on the mechanics of change management and more time will be spent on validating the choices that were made.
As more sophisticated technology takes root at firms, the story behind the numbers will be easier to tell as less time will be spent on the mechanics of change management and more time will be spent on validating the choices that were made.