Oct 06, 2021

Compliance professionals these days have a to-do list that is so long that they can barely see to the end of it. From personal trading and marketing and distribution issues to monitoring client portfolios, the end of the list seems to be just a distant vision and the cycle continues like the tide of quarterly and annual compliance tasks.

Expanding on Cutter’s July 21, 2021 blog post, Why You Should Thank and Support Your CCO, this post explores ways that compliance professionals can reduce regulatory risk, increase efficiency, demonstrate value to the firm, and (hopefully) have a life.

What to Do

One of the essential responsibilities of compliance professionals is a risk assessment, even if your firm is large enough to have a risk department. A compliance risk assessment identifies the major inherent risks in the business and factors in the established processes and procedures that control or mitigate those risks. When done properly, the risk assessment gives the CCO a road map for the year and, when combined with the right GRC tools, lets compliance professionals hit all of the responsibilities listed above.

As part of the compliance risk assessment (which is everything in the firm - literally, everything is a compliance risk!), it’s important to take the following steps:

First, identify all the risks in each area of the firm and evaluate the inherent risk (i.e., the amount of risk that exists in the absence of controls), so you can get to the end state, or what is called residual risk - the amount of risk that remains after controls are included in the evaluation of the risk.

The second step is to evaluate the controls for each risk, including the following:

  • Firm-wide policies and procedures: Are they current and clearly stated? This is a factual question for each department as to whether they are accurate, and your compliance department may need assistance from other departments that are experts in the process.
  • Training: Do employees understand your firm’s policies and procedures? One way to evaluate the quality of the training is to ask: Are people following the process? If employees are not following established procedures, you have a gap in the overall process, and there are two places to look: the drafting of the process itself or the training. It’s most likely one or the other.
  • Monitoring: Do you have a process in place to monitor the daily operation regarding the procedures and the associated risk? This is the daily review of transactional/operational types of processes.
  • Testing: Does your testing program confirm that employees understand and follow policies and procedures? The testing process generally requires a longer review period for each aspect of your firm’s policies and procedures. The testing program provides a good view into how well your employees are adopting your firm’s policies and procedures, and testing a policy’s many different facets is vital to the assessment.
  • Audit: How frequently has audit tested the procedures? (Depending on your firm’s size, you may or may not have an internal audit function.) Audit provides a third line of defense to review the work of the compliance and business oversight of policies and procedures.

Each of these component parts should have a numerical assessment, making it possible to calculate the residual risk and plot your risks (sorted by residual risks) using a data visualization tool, which can quickly demonstrate overall firm risks as well as risks by department.
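As an added illustration (not code from the Cutter post), here is a small Python model of the scoring described above: an inherent score per risk, an effectiveness score for each of the five control components, a residual score, a ranking, and per-department totals. The formula (residual = inherent × (1 − mean control effectiveness)), the 1–5 scale, and the sample register are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# The five control components the post evaluates for each risk.
CONTROLS = ("policies", "training", "monitoring", "testing", "audit")

@dataclass
class Risk:
    name: str
    department: str
    inherent: int          # 1 (low) .. 5 (severe), scored with no controls in place
    controls: dict         # component -> effectiveness 0.0 (absent) .. 1.0 (fully effective)

    def control_strength(self) -> float:
        # Assumed: equal-weighted mean across the five components; a component the
        # firm lacks (e.g. no internal audit function) simply scores 0.
        return sum(self.controls.get(c, 0.0) for c in CONTROLS) / len(CONTROLS)

    def residual(self) -> float:
        # Assumed model: residual = inherent * (1 - control strength).
        return round(self.inherent * (1 - self.control_strength()), 2)

    def weakest_control(self) -> str:
        # The component to look at first when telling a department how to cut its risk.
        return min(CONTROLS, key=lambda c: self.controls.get(c, 0.0))

def rank_by_residual(risks):
    """Sort the register highest residual risk first (the order you would plot)."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)

def residual_by_department(risks):
    """Aggregate residual risk per department for a firm-level view."""
    totals = defaultdict(float)
    for r in risks:
        totals[r.department] += r.residual()
    return {d: round(v, 2) for d, v in totals.items()}

# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("Personal trading pre-clearance", "Compliance", 5,
         {"policies": 0.9, "training": 0.8, "monitoring": 0.9, "testing": 0.7, "audit": 0.6}),
    Risk("Marketing materials review", "Marketing", 4,
         {"policies": 0.8, "training": 0.5, "monitoring": 0.4, "testing": 0.3}),  # no audit coverage
    Risk("Client portfolio guideline monitoring", "Portfolio Management", 5,
         {"policies": 0.7, "training": 0.6, "monitoring": 0.8, "testing": 0.5, "audit": 0.5}),
]
```

Calling `rank_by_residual(SAMPLE_REGISTER)` and `residual_by_department(SAMPLE_REGISTER)` gives the sorted list and the department totals a dashboard would plot.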

How to Do It

Trying to create these programs using Excel may work for smaller firms, but larger firms taking this approach may be making it harder than it needs to be. Developing or looking for technological solutions is imperative if your firm is very large and/or complex. GRC solutions that provide a good front-end for entering risks and controls will make the process more efficient for the users. Combining this type of technology solution with a data visualization tool (e.g., dashboards) provides a powerful image that can quickly convey the message of your firm’s highest and potentially most severe risks.

How to Use the Results

Once the risk assessment is complete, the compliance department can use the results in many ways. First, compliance can use a risk ranking to review and assess the firm from an overall risk perspective. Compliance also should view the risk results as a good start for the testing program. Second, the results will form the backbone of your firm’s annual compliance report. A properly developed risk assessment can dramatically reduce the time to produce your annual report, potentially by up to 25%.

Most importantly, the risk assessment results give your CCO the opportunity to present those results to the senior leadership team from a company-wide perspective, and to quickly convey to each department how it can reduce its regulatory risk. In today’s world, senior management wants to consume information as data, and your ability to produce it in the format they need is vital to getting buy-in for your compliance program. You’ve also given senior management a roadmap to follow to reduce your firm’s regulatory risks.

At the end of the day, reducing regulatory risks makes your firm stronger and more viable. The management team with the right information from the CCO can drive that success and truly demonstrate an ROI for compliance.

All of this said, running an efficient compliance team continues to pose challenges. Cutter members can tune into the next CutterCast: Get Rid of the Noise and Fine-Tune Your Compliance Program, on Thursday, October 21, where best practices will be shared to refine your firm’s process, data, and technology to reduce false positives and improve your compliance program.

If you are not yet a Cutter member, and interested in learning more, contact us at connect@cutterassociates.com.