XLOD London 2024: Assessing the risk and control landscape for 2025

The first of a series of reports from XLOD London features a panel discussion with experts from Standard Chartered, Lloyds Bank, and Citigroup.

This session at the premium surveillance event for finance featured expert practitioner comment from Tracey McDermott (Group Head, Conduct, Financial Crime & Compliance, Standard Chartered Bank), Laura Needham (Group Chief Internal Auditor, Lloyds Bank) and Paul Rayson (COO Markets and Security Services, Citigroup).

The session started with a survey for the audience asking them to pick their top three key risk and control priorities for 2025 – these were the results:

  • managing regulatory change and regulatory risk – 47%;
  • enhancing risk data management and reporting – 50%;
  • managing risk in digital transformation – 26%;
  • addressing deficiencies in operational risk and risk management – 32%;
  • reducing complexity and the manual nature of the control environment – 65%;
  • enhancing non-financial risk governance – 25%;
  • cost control in non-financial risk management – 17%.

One of the panel said that it is often hard to differentiate between what is needed internally and what regulators want from an institution. But key priorities right now are change management, operational resilience (encompassing cyber, IT, system availability, vendor control/risk) and there are the perennials which include compliance and financial crime.

External threats are growing and there is no way we can control those, and they can have an alarming systemic impact. This alarm is not something that has been cooked up by regulators – it is real. As a result, firms need to rethink their approach to risk management, and to address the new threats we need different skills to be effective in a complex system. Compliance people are all spending considerably more time now with their colleagues in technology and operations as a result. It is a big learning curve for us as compliance folks, as well as for regulators.

Regulatory priority

The big challenge is the tension and balance between a regulatory priority and an internal need (e.g. cyber risk).

Another panellist continued the external control thread, and stated that the focus is on the things that a bank can control. Regulators ultimately want to see that those institutions they regulate are well run – this is a reasonable requirement. How we react to regulatory feedback can be extreme and can cause excessive cost and not always the best outcome. Many are starting to shift to risk management from process management. This is all done through a risk lens – how much risk is there in the matter at hand?

The last panellist said that the approach now is looking at risk priorities on a quarterly basis, rather than annual, a level of dynamism that is new but necessary. This provides more comfort to the board and regulators. It provides a better chance to identify real and emerging risk.

The next survey question asked what is the most significant data in your organization. Answers were:

  • Core data hygiene and availability – 74%.
  • Data visibility and understanding of its lineage – 43%.
  • Technology silos and connectivity challenges – 25%.
  • Lack of formal data governance framework – 18%.
  • Disagreement over ownership of data priority – 23%.

One of the panellists stated that data is fundamental and that many finance businesses have suffered because it took so long to recognize its value as an asset. But data needs to be rich and personalized for its use to be maximized. The three lines of defense have been hampered by a lack of data availability and by its fragmented nature. Data quality is key too, and this is an endemic problem at all firms.

Their line has invested heavily in people who really understand data. All of this team is given extensive data literacy training, and they are strong advocates of this across the organization and each line of defense to ensure knowledge sharing. Senior management are demanding upskilling here.

Not all data is equal

Another panellist said that the data may rest in the second line, but this line has no control over its origination. Data tends to be considered collectively as this big amorphous blob. But not all data is created equal and this makes it imperative for institutions to tag data according to standards, quality, and lineage. What attributes does it have and how is it going to be used and why? The biggest challenge is how we best use it. The advances in technology create risks but also opportunities for data.

An excellent point was made about the challenge that the creation of very effective control environments has delivered. These are now very expensive to run, too manual, data intensive, and historically built in silos to address individual risks – usually of a regulatory nature. These controls are usually trying to do the same thing in 90% of these cases. But how can they be aggregated now? Risk professionals need to sacrifice some of these hard-held controls to accommodate consolidation. The individual picture looking at each area silo by silo can convey a healthy outlook but there is often still a new risk or a gap that has been missed.

The moderator asked the panel to talk about emerging risk. One of the panellists said that good places to look are the topics that come up in internal focus groups at their bank and the HR analysis of reasons that people are being let go involuntarily, as this can signal new risk.

Tech tide

Another added that we need to be very careful in trying to stem the tech tide that is happening outside the work environment. People will always go around controls that limit their habits outside work. It is essential that firms stay current with technology change and adapt to it, manage the emerging risks of it, but not ban it. Don’t force people to go back to using quill pens! Additional risks that need more attention included climate and third-party dependency. Regulators do not know how to control the likes of AWS and Azure so they will seek to do that through the firms that they regulate.

The final question was whether the CCO has enough resource right now! One panellist said no CCO would ever say they had enough. But it is not a question of quantum, it is more the quality and the skillsets across all the lines of defense.

Due to Chatham House restrictions, this summary does not attribute any comments to the individuals. It is also not a full transcription of the session, but contains the sense of it as interpreted and reported by the author.