XLOD London 2024: The view of risk and control from the Board

The leading compliance industry event assembled a strong panel from Standard Chartered, NatWest, Deloitte and UBS for this discussion.

This session at the premium surveillance event for finance featured expert practitioner comment from: Paul Day, Group Chief Internal Auditor, Standard Chartered Bank; Nick Curle, Chief Audit Executive, NatWest Group; Tom Spellman, Partner Risk Advisory, Deloitte; Natasha Meaney, Head of Group Investigations & Compliance, UBS.

The session opened on the theme of constant change and the concern that sitting still only leads to falling behind as technology advances. Panellists felt the next 10 years demand a radical transformation that will affect data, analytics, AI and automation. Finance is increasingly data-driven and requires excellent governance to ensure security, control and compliance.

Infrastructure must have the flexibility to meet multiple needs, and this must be future-proofed as the environment evolves. Human resources with appropriate skillsets are still needed to oversee, interpret and question the systems and approach. Action and judgment will also still be human duties.

The agility of systems was lauded, but connectivity must be matched by proper analysis of past incidents. Lessons from something like the CrowdStrike incident can be generalised to other similar incidents so that a proper response can be developed and put in place.

The panel were asked if the second line is in a sweet spot or can expect change ahead. They felt that it has to change and evolve. The last 15 years have seen huge change and various developments, such as the pandemic, the advance of fintech and the rise (and fall) of crypto, that now demand a pragmatic view of risk. The second line is well placed to use tools and techniques that can help with this evolution.

The requirement to comply with sanctions related to Russia demanded a more enterprise-wide perspective, as a wider set of counterparties (employees, vendors etc.) became potential sanctions targets. This required collaboration between the first line and the third to validate what the second was doing, and this approach is essential to evaluate and qualify new risk.

The moderator asked the executives present if AI and analytics were being widely and well used. The response was that everyone wants to and is just starting to (for example in credit underwriting), and testing is under way to identify vulnerabilities. This testing is not for historical comparison but to ensure safety as the technology is rolled out. There is eagerness to get ROI from this, but more patience is required.

Some firms have legacy organizational structures that make it tricky to address significant tech debt, but doing so does represent an opportunity to gain data, improve systems and deliver better control and analytics. Retrofits like this require some ‘untangling of the spaghetti’, and it does not pay to be too entrepreneurial. The panel spoke painfully of scar tissue and firefighting when describing this challenge, which needs a strong business case.

Risk management framework

The session moved to an audience survey poll – my organization is not planning much change to its risk management framework?

  • agree – 36%;
  • disagree – 64%.

The moderator asked the panel what key changes they would like to see to the risk management framework. The focus was on the substantial journey ahead for each line of defence, where the step change is the different lines merging their models, validation and approach so as to collaborate more effectively – this will include people, data, analytics, AI and validation.

Skillsets and functionality will start to meld here. The curious compliance head in the second line wants to understand the business front to back. Models plus data plus AI will result in fluidity between the lines. A big change in process should result in transaction monitoring, conduct monitoring and payments all using data, analytics and AI to better effect.

The panel considered to what extent jurisdictional barriers are restrictive here. Globalization is on pause as national interest trumps international cooperation. Organizations are looking inward to try to ensure resilient supply chains. This is also a theme in data management, where some regions are restricting the cross-border movement of PII data. The third line is often limited by the unavailability of the data it needs – many organizations are still hobbled by data not being in one place (data puddles as opposed to one lake).

The moderator touched on the changes in each line – has the emergence of a 1.5 line using analytics and machine learning resulted in the second line dwindling and the first growing? The reaction was that more is going into the first line now, and the second is not shrinking but needs to enable the first to make the right decisions. It needs to get more conversant with new technology and data and the way that is best used.

Regulators such as the PRA and the ECB are increasingly pushing for a strong risk and control culture. The need is for technology to be tested, checked and well governed so that it can be used fluidly across the three lines.

The moderator asked what risk management will look like in five years. With data and technology at the centre, a key component is how best to challenge them – models are key to that challenge. A focused and proactive second line should sit squarely with outcomes-based measurement of the decisions that were made in the first line. Digitisation and the pervasiveness of data will be in full swing, and the interconnectivity of markets will serve up considerable institutional risk.

The panel dealt with the challenge of navigating risk management to identify the risks that their business is prepared to accept (based on its risk culture). The execs focused on what stays the same and what is evolving and changing in terms of risk.

The material risks are usually institution-specific and driven by individual activity. The challenge is how fast incidents occur and the interconnected vulnerability – CrowdStrike was a good example of this, where a faulty update was deployed into institutions’ own infrastructure without sufficient testing. There is always some residual risk that has to be accepted – not all risk can be mitigated. The key is to develop holistic scenario planning that is plausible – this is far from being the mature discipline it needs to be.

The drive from regulators on resilience and impact tolerance is really helpful in creating better risk management. There needs to be a regular gathering of the technology teams, cyber teams, insider threat, compliance and internal audit at the same table. Scenario testing should also now include geopolitical events. Service provision from critical third parties should include due diligence on their operations, ownership and governance. Technology and models require oversight from internal experts that understand them. Threat situations can be simulated so that some of the procedures can be witnessed by the audit team.

Impact tolerance

By March 2025, when the UK operational resilience transition period ends and firms must be able to remain within their impact tolerances, operational resilience effectiveness will be more established. DORA (applying in the EU from January 2025) will drive this too, and by then firms will have declared their compliance, but this is far from a ‘one and done’ exercise: it is only the beginning. Regulators will then start their supervision and evaluation of compliance. This interaction with regulators will be the best guide to their tolerance and their view of best and necessary practice.

The session moved to an audience survey question – my organization considers the wide range of risks from market interconnectivity?

  • 38% agreed;
  • 62% disagreed.

The panel focused on ESG risk and the extent to which it has been integrated into the three lines or sidelined. One of the panel asked if it was viewed as a risk, a transversal risk or an aspect that requires a taxonomy. The feeling was that it probably demands a taxonomy and needs to be viewed as a transversal risk. Most firms are now comfortable with their approach here, covering suitability, marketing and disclosure, so that a firm can establish who it wants to work with and who it does not.

Suitability and market conduct are both pervasive risks now and are identified as key risks with distinct policies. ESG is tougher to deal with, but data analytics can be useful and the control environment can lead to the right policies here. The ECB and other regulators are starting to get up to speed in this area and are closer to market practice. Firms are not cost cutting in ESG, and the endgame is to include the approach in a modified risk management framework. Climate sustainability assessments of clients are already part of risk managers’ current process.

It does seem that the focus is on climate and disclosure at the expense of the social and governance elements. This is all very byzantine.

Disclosure does not tend to be at all consistent, and the impact is that people often lose sight of what they are trying to achieve. The key question is how much work is needed for this in comparison with the many other risk priorities, so that it can be integrated into existing processes. The PRA is due to release leverage ratios in 2025, while 2024 brought massive climate events (cyclones, wildfires, floods, hurricanes) that have had, and continue to have, a huge impact on the finance industry and society.

The session finished with a prediction on the future of Line 1.5: the panel felt it will increase in size and importance, there will be great investment in it and scrutiny of it. It is an enabler for the business. But it might no longer be called Line 1.5 as it is subsumed into the first line. This is the right place for effective risk management control.

This summary is not a full transcription of the session, but contains the sense of it as interpreted and reported by the GRIP subject matter expert who attended, an ex-compliance officer and regulator.