Does the market expect too much from a Chief Compliance Officer?
I would like to meet the Chief Compliance Officer who answers "no" to this question but, that said, let us look deeper…
You are a Compliance Officer, so what is the minimum that you feel you need to do?
- Review and, as required, strengthen Governance
- Encourage senior management to review and document the firm's Culture
- Enforce the 3 lines of defence model, highlighting that the 1st line, the business, owns the risk; the 2nd line, Compliance, advises on the rules to be followed and on how well the risk programme meets the requirements; not forgetting the independent 3rd line, Audit, critiquing the quality of regulatory risk management as a whole – to include budget, skill set, staffing levels and completeness of coverage
- Run an end-to-end regulatory risk programme – two programmes, general compliance and financial crime, that cover all jurisdictions (as appropriate) and all business nuances, e.g., regional versus single country; in the UK alone this means:
  - FCA Handbook
  - LSE exchange rules
  - Liquidity rules
  - Company Home State Rules as they apply
  - Best market practices…
- Horizon scanning – identify new and modified/obsolete rules and update the risk/control programme
- Include corporate policy requirements in the risk programme
- Create and maintain appropriate, proportionate and comprehensive policies and procedures
- Create, maintain, and deliver a comprehensive training programme across all areas to include record management
- Design and run a comprehensive Monitoring programme
- Ensure there is an appropriate Surveillance programme run in the 1st and 2nd lines of defence as needed
- Create risk reports that are succinct, accurate and meaningful and deliver them to senior management and the board – the reports being based on a formalised, numerical, risk-based model distinguishing high, medium and low risk
- Ensure corrective actions are identified, actioned, followed up and closed in a timely fashion
- Deliver the programme within “budget”
- Have a good working rapport with all heads of business
- Make sure that the individual business silo programmes are complete
- Manage up and manage down
- Be commercially aware
- Produce results without owning the budget to do so
- Have good working relationships with all regulators, as applicable, that impact the businesses
- Understand all the businesses, in all the countries, across all the legal entities you are responsible for
- Make the 3 lines of defence model work:
  - Ensure the 1st line of defence owns and manages its regulatory risk, i.e., runs its own controls programme with published results
  - Ensure the 2nd line of defence, Compliance, remains independent and advises but does not own "the risk"
  - Work with the 3rd line of defence, Audit, to ensure regulatory risk audits:
    - 1 – occur
    - 2 – cover all business lines
    - 3 – target risk in order of priority, high first
- Keep abreast of regulatory themes/developments and their impact on the businesses
- Be informed of the firm's strategic plans and their impact on the programme
- Run, plan and manage regulatory reviews
- Lead by example – be holier than thou
- Remember that you are only as good as your last audit or exam – tomorrow is another day!
There are more, I hear you say – you missed this and that – and one could argue that the list, potentially, is endless.
Stepping back, all the above apply, which is why the market expects too much! Culturally, in nearly all firms, the 1st line thinks Compliance is your job – so the question becomes: how do you meet the demand?
Firstly, you are the messenger, and it is your role and responsibility to educate senior management, both in the line and at a corporate level, that they own the risk, not you, and that strong Governance and Culture are essential.
Secondly, you must present a Risk programme and its deficiencies, driving for a commercially viable "near perfect" programme. You must promote to senior management the coverage model required and the staffing levels and resources that need to be employed, which must include smart use of technology.
Thirdly, the business and senior management are your friends, and you must work with them to create risk reporting processes, such as monthly risk, control and audit committees with quarterly board meetings or branch committees, where the regulatory risk programme can report failings and courses of action for remediation, openly and decisively. That said, there must be demonstrable follow-up and closure of all reported items as well!
In conclusion, you need to develop a "4 Eyes" principle working in tandem with the 3 lines of defence model.
The first pair of eyes is the lines of business and senior corporate officers operating controls across their unique risk profiles, with the second pair being Compliance, advising and monitoring. This endorses the 3 lines of defence model, in which the 1st line of defence, the business(es), owns the risk and the 2nd line, Compliance, advises. Finally, Audit must operate a true 3rd line of defence regulatory programme.
Mathematically, the Risk formula is:
4 Eyes (Business + Compliance) + 3LOD = Strong risk management
where:
- Business + Corporate – doing
- General Compliance and Financial Crime – advising
- 3LOD = 3 lines of defence – Business, Compliance & Audit
In summary, strong Governance with a comprehensive Risk and Compliance programme – GRC – partnered with the 4 Eyes principle and the 3 lines of defence model means a Chief Compliance Officer can meet the market's expectations and do less! The model is an open collective of all staff in all areas pulling together to identify and manage risk, rather than Compliance doing it all and being ignored until it is too late and penalties are being handed out.