Risk professionals from across the three lines of defense are grappling with an increasingly complex risk environment, stretched resources and serious structural shortcomings in regulation, and there is a need to acknowledge that “the compliance edifice built over the past 10 years implies a fundamental rethink of data and everything that rests on it”.
Those are just some of the conclusions set out in a report published by risk intelligence outfit 1LoD on its XLoD Global event in London late last year.
The gathering of 630 senior practitioners drew experts from first line risk and control functions, second line compliance and third line audit teams, and over the three days of the event there was much conversation about the need to embed significant cultural change across the board.
Some of the other takeaways from a survey conducted among those attending are:
- 30% expect regulation related to non-financial risk management will be unsustainable in between three and five years;
- 54% identify the need for significant changes to people, processes and technology in order to properly manage emerging risks;
- 78% say risk and control change management is not appropriately resourced;
- 88% report gaps in comms surveillance because of the proliferation of channels.
Practitioners from all three lines said managing emerging non-financial risks would mean “significant adjustments” relating to people, processes and technology were necessary. Key risks came with ESG issues, reflecting discussion elsewhere in the compliance industry about how products sold on the basis of non-financial risks and metrics can be successfully incorporated into the robust framework needed to deal with financial data.
Digital assets
But those present did say that the risks associated with ESG were being embedded in their organisation’s product life cycle. The same was not true of digital assets. Some 74% of those attending said “board level executives do not understand the risks of digital assets and so are unable to appropriately challenge risk functions”.
The view that more resources were needed was especially strong among those dealing with first line risk and control, 60% saying the function in their firm was too small, and 78% believing the function was under-resourced. And there’s not much optimism the situation will improve because the focus is always likely to be on financial, rather than non-financial, risk.
One attendee summed up the problem. “People’s thinking tends to be: it hasn’t happened, therefore it’s not as big a risk. However, when things do happen, everyone says: ‘How on earth did that happen, and why did we not prevent it?’” That approach was said to stem from a view that non-financial risks more often tend to be about potential scenarios, rather than events that have actually happened.
The problem of securing sufficient resource is compounded by the fact that the first line can often spend significant amounts of money without being able to show the benefit fast enough to satisfy those running the main business that they will see any return on investment.
Pretty much everyone was agreed on the need to commit to innovation in technology, with investment in artificial intelligence (AI) and machine learning (ML) frequently referenced. The report says: “Successful innovation helps to break through traditional linear growth models that assume that twice the work requires twice the resource. One example is the recent investment many firms have made in supervisory platforms. At their best, these bring disparate data sources together in a single, dynamic view that allows supervisors to assess risk, identify early warning flags and be much more proactive in discharging their supervisory duties.”
Asked about technological priorities, professionals at the event focused on simpler matters, with 41% of those working in first line risk and control picking out better monitoring tools for supervisors, and 27% choosing automated controls.
Data capture
The need to focus on solving some of the simpler problems was highlighted by some of the big fines imposed for inadequate data capture. While there is plenty of focus on sophisticated analytics, the basics of data capture are too often not being addressed. The report says it found “Core messaging channels from apps and venues are not captured, voice recordings from legacy infrastructure are poor in quality and reduce the effectiveness of voice surveillance, and new audio, text and video streams from collaboration tools such as MS Teams are the next capture challenge.”
And the report is blunt in saying that “banks’ core compliance data is increasingly unfit for purpose”. The conclusion after three days of conversation with professionals in the field is that “what is needed is a root-and-branch clean-up of existing data and a re-engineering of how new data is captured”.
For big banks, the report’s authors estimate this will take at least three years and cost millions of dollars. And they say smaller institutions have even more complex issues. The conclusion drawn is unequivocal. “Regulators seem content right now to pile new obligations onto the three lines of defence without prescribing better data capture, management and governance. At what point do they and the industry accept that the compliance edifice built over the past 10 years implies a fundamental rethink of data and everything that rests on it?”
There was much talk of the need for better collaboration between risk and control functions, and indeed throughout the business. It was felt that risk functions across the three lines were often chasing the same resources and that there was a need for organizations to take a much more holistic approach.
Worryingly, 90% of those questioned said the proliferation of comms channels left potential gaps in surveillance coverage, with more than half confirming they either hadn’t incorporated most of the channels the business demanded into their recording and monitoring solutions, or didn’t know whether they had or not.
There was also a widely expressed view that voice was the least useful of the surveillance channels, despite the chatter around the subject. “You would never start with voice if you wanted to detect, say, market abuse. The false positives would be huge and even when a human listens to original voice recordings, the signals are so subtle that even they can miss them when they know what they are looking for because of a trade alert,” said one surveillance chief.
Attendees said basic record-keeping enforcement in the US has got noticeably tougher, while in Europe there’s been a rise in fines for basic failures of the risk assessment process. US regulators are seen as sticking rigidly to examination and enforcement templates, while European regulators are perceived as being better and providing continuous guidance.
There’s a general sense that regulators are tightening up on existing regulation, and that “policy and attestation are no longer enough; obvious disregard for the rules will be punished; and repeat offending will annoy the regulators”. But inconsistent enforcement priorities were said by 64% of those asked to be “a key obstacle to creating a non-financial risk management program”, and 30% of banks are predicting an increase in the regulatory burden in this area over the next three to five years.