pwc compliance operational risk management

Upload: catalina-radu

Post on 06-Jul-2018


  • 8/17/2019 Pwc Compliance Operational Risk Management

FS Viewpoint, www.pwc.com/fsi

Contents: Point of view (02), Competitive intelligence (10), A framework for response (13), How PwC can help (21), Appendix (23)

Let’s make a difference: Managing compliance and operational risk in the new environment


Point of view

Banks have been managing compliance since the first loan application was signed. But today, expanding compliance expectations are pushing compliance programs to the brink.

Today the scope of compliance is much broader and its impact on business far greater than ever before.

The scope and nature of compliance have evolved from a series of rules-based banking regulations to a much broader, grayer area that now includes operational and customer experience risk—areas that are more difficult for banks to monitor and control. This regulatory environment poses new challenges:

• Operational and compliance risks have become more complex and entwined, increasing the potential for failed processes that cause customer confusion and compliance control breakdowns (such as with mortgage foreclosures and payment stripping).

• Banks must identify unfair, deceptive, or abusive acts or practices (UDAAP), requiring:

  – New approaches to fair lending and disparate impact analysis.

  – Customer complaint identification, management, and analysis.

  – Control over vendors that have customer impact.

• An expansion of rules- and principles-based supervision is raising the level of overall risk.

Meanwhile, compliance functions at most banks haven’t been built to cope with these emerging operational and customer experience risks. In particular:

• The role of compliance in the customer experience continues to be limited. In the line of business (LoB) domain, we have observed a lack of resources, communication, and capabilities with which to meaningfully address compliance issues in these key areas.

• Lack of operational business expertise and talent is making it difficult for compliance groups to provide constructive input and “credible challenge” to the lines of business.

• Current “check-the-box,” rules-based testing processes do not provide adequate coverage over operational and customer risk—particularly since that risk is poorly defined, which requires a strong understanding of end-to-end business processes.

Soaring costs

Without a new approach to compliance and operational risk management, many banks will continue to face high costs and losses in the form of escalating litigation, penalties, and staffing needs.


For most of our clients, the current state of compliance has led to inconsistent application of compliance rules and a customer experience that is anything but seamless.

We see examples of compliance challenges in three key areas—products, sales channels, and customers—due in part to a lack of ownership of compliance risks and responsibility.

The broader source of compliance risk now more than ever is embedded throughout business activities where customer experience, sales, products, and processes meet.

[Diagram: Expanding sources of compliance risk: customer experience, sales channels, product management.]

Customer experience

• Inconsistent customer sales and servicing experiences across channels.

• Products vary in how they utilize channel-specific features.

• Multiple handoffs or manual activities when transitioning between channels.

Sales channels

• Definition of primary characteristics, preferences, and behaviors for targeted customer segments differs between products in the same category.

• Limited tracking of usage and channel mix variations within and across products for each segment.

• Inconsistent fee treatment and product availability across customer segments, especially in comparison with demographic characteristics described in the Equal Credit Opportunities Act.

• Differing communications, sales, and service approaches for customer segments using similar products.

Product management

• Unclear or complex disclosures, terms, and conditions. Inconsistent fees and product availability across customer segments, especially when compared with characteristics described in the Equal Credit Opportunities Act.

• Overlapping products that meet the same customer need without clear differentiation.

• Large number of product variants, leading to errors in application processing and difficulties maintaining and managing changes.


In our work with banking clients, we have witnessed first hand the challenges posed by the expanding scope of compliance.

Fragmented compliance groups

At most banks, compliance responsibilities are spread throughout the organization and have developed independently over time, leading to varying processes for risk assessment, testing, and reporting. Some program areas—notably compliance with the “alphabet” regulations (such as Regs CC and Z)—are very mature, but haven’t taken advantage of the newer analytics capabilities used by their peers working with the Anti-Money Laundering/Bank Secrecy Act (AML/BSA) to identify higher-risk areas and streamline testing.

Inadequate focus on emerging talent needs

Several banks are already revamping their compliance systems and programs to address changing compliance expectations. However, we’ve found that compliance enhancement efforts focus too narrowly on compliance functions (the second line of defense), often failing to cultivate new competencies needed to address emerging risks (such as customer impact risk).

Unclear scope of roles and responsibilities

The most widespread obstacle we’ve seen is that the scope of the compliance function’s domain—versus that of the lines of business (the first line of defense)—has not been redefined. As a result, roles and responsibilities for managing emerging sources of compliance risk are not clear.

[Matrix: maturity level (high, medium, or low, representing the typical state of development) of four program elements (policy, analytics/reporting, training, risk assessment) across four program areas: operational risk programs¹, AML/BSA, rules-based compliance (Reg CC, Z, etc.), and broader sources of compliance risk. The ratings are shown as icons in the original.]

Our experience tells us that compliance requirements are supported by multiple groups across the bank, and at varying levels of maturity. Compliance processes, systems, and reporting are fragmented and in silos.

¹ Operational risk programs typically are designed and implemented based on regulatory guidance. Examples include information security, business continuity planning (BCP), and vendor risk.


Leading banks are rethinking their organizational structures, adopting new competency models, and taking a fresh look at new approaches.

We see leading banks shifting from a narrow, rules-based, technical focus to one that extends to business acumen, improvement of the customer experience, and operational understanding.

Given today’s higher stakes and broader sources of risk, industry leaders are now looking to the business to take on more responsibility for managing compliance risk.

Banks are also expanding the role of compliance to include collaboration with external stakeholders and a new focus on consumer interactions. In leading banks, that role may now include working with regulators, customers, the community, and advocacy groups to propose and support solutions and reduce product complexity.

Leaders are leveraging analytics to do a better job of preventing compliance failures and to manage risk more efficiently and cost-effectively.

The power of analytics includes both preventive control and providing management with trends and fact patterns that assist firms with more effective and cost-efficient risk management.

Financial institutions can use data mining and analysis software to:

• Monitor consumer risk and prevent UDAAP.

• Proactively manage compliance risk and inform business decisions.

• Drive efficiency and quality and better utilize forensic testing, by linking analytical platforms to compliance-testing programs.

Banks are streamlining compliance processes and testing to reduce reliance on “brute force” and to enable smarter testing that leads to actionable insights.

Leaders are standardizing compliance processes across the organization to boost productivity and promote greater cross-functional insights. Process standardization and design, utilizing an output-driven approach, limits waste and enables implementation of more value-added activities.

Technologies are being deployed to increase coverage and focus on anomalies through automated testing and forensic testing techniques. Shared platforms are also improving the efficiency of the compliance management process through automated issue tracking, streamlined reporting, storage and retrieval of work products, and knowledge management.


Given the major changes in the compliance and regulatory landscape and the resulting long-term impact on banks, incremental adjustments will simply not be enough. Banks should design a new approach that integrates operational and compliance risk programs.

Area of change: Approach

Current state:

• The operational and compliance risk programs operate individually and use separate system platforms for scenario assessments, risk and control assessments, issue tracking, and testing.

• Customer experience programs are generally disconnected from compliance risk programs.

• Efforts in implementing processes to address new compliance requirements are focused on initial compliance with less attention paid to sustainability, resulting in quick fixes that become “business as usual.”

• Reporting is primarily prepared at the enterprise level and focuses on historical events. Line-of-business (LoB) reporting is not standardized, limiting the ability to draw cross-LoB insights.

New, integrated approach:

• The operational and compliance risk programs are coordinated and follow a consistent standard and single platform. Integrated reporting and analytics provide compliance and LoB management with a more constructive, single view of risk.

• Products and channels are continually assessed from multiple perspectives—customer experience, business performance, operational, and compliance performance—and adjustments are made when needed.

• Compliance risk management processes are subject to continuous improvement and are evaluated based on aligning value (outputs and outcomes) with activities.

• Analysis of structured and unstructured data is forward-looking and shapes the compliance agenda for upcoming risk assessments, monitoring, and other framework components.

Area of change: Team

Current state:

• The organizational structures supporting the compliance and operational risk programs are separate and siloed and not consistent across LoBs. Roles, competencies, and level of focus also are variable. The current level of resources committed is not sustainable.

New, integrated approach:

• Operational risk and compliance organizations are rationalized, and roles and competencies are defined and filled. A more efficient and effective team delivers improved results.

• The LoB leads the compliance risk management effort, with centralized compliance functions providing support and oversight. The end-to-end compliance risk team includes operational and customer experience competencies.

Area of change: Scope

Current state:

• Centralized compliance functions often have a narrow view of compliance risk that is disconnected from the broader operational risk picture.

• Compliance testing is siloed within individual lines of business, and as a result, provides inconsistent application of compliance policy and procedures.

New, integrated approach:

• Teams and tools may be integrated to obtain a broader view of sources of operational and compliance risk, including business practices, customer interactions, and products and channels.

• Standardized compliance testing allows the bank to gain greater insight into compliance issues and increase productivity of compliance efforts.


[Diagram: Compliance: meeting the challenge. Six approaches arranged around the center: integrate risk; simplify products & channels; leverage analytics; standardize compliance testing; adopt lean principles; manage change.]

We recommend that banks take a look at these six innovative approaches to drive change and meet the game-changing requirements of today’s operational and compliance risk environment.

Relying on “business as usual” just doesn’t cut it anymore. In our view, banks need to incorporate fresh thinking, new systems, and innovative approaches to produce the expected results.

Approach: Integrate risk

What is it? Integration of operational and compliance risk functions to address gaps in risk coverage emerging from different products, channels, and customers.

Benefits:

• Addresses rising regulatory expectations.

• Integrates current operational risk silos and improves coverage of emerging sources of compliance risk.

Approach: Simplify products & channels

What is it? A proactive, customer-centric approach to simplify products/channels and improve the customer experience while easing compliance burdens.

Benefits:

• Facilitates compliance with regulations through standardized products.

• Reduces potential compliance issues arising from product development, sales team, and customer confusion.

Approach: Leverage analytics

What is it? The use of new technology and data analysis techniques to provide an improved understanding of business practices and activities across product/channel features, how they impact customers, and how they compare to peers.

Benefits:

• Prevention of UDAAP and disparate treatment.

• Improved reporting and transparency to stakeholders.

• Better understanding of regulatory impacts and ability to influence future changes.

Approach: Standardize compliance testing

What is it? Standardizing compliance testing processes across the organization while boosting return on investment and quality through new forensic testing techniques.

Benefits:

• Reduces time spent manually searching for compliance exceptions, enabling more focus on deriving insights.

• Supports banks’ ability to meet growing regulatory requirements with a more sustainable model.

Approach: Adopt lean principles

What is it? Lean principles create a mindset of continuous improvement and eliminate non-value-added activities/outputs across compliance activities.

Benefits:

• Improves quality and effectiveness by focusing efforts on increasing value and eliminating unnecessary work.

• Reassesses organizational structures and capabilities to boost productivity.

Approach: Manage change

What is it? A set of program and project management methods that helps drive more sustainable results by making new compliance requirements “stick” in business operations.

Benefits:

• Meeting project and program objectives faster with improved quality.

• Increased financial discipline to get more out of resources invested.


Change is not easy. Effective change management requires both transformational leadership and strong teamwork across the organization.

Banks must overcome many hurdles in order to keep pace with an expanding volume of regulatory requirements while balancing impacts on people, processes, and technology.

Here are some of the most common issues we’ve heard from our clients, and how we’ve worked with them to overcome them.

“We don’t want to interfere with related in-flight projects that are already tackling changes to the compliance function.”

The compliance risk program should be managed holistically across the organization, with definition of scope as a priority. Current efforts should be properly planned and integrated with operational risk programs.

“We just don’t have the resources to make big investments in new tools and testing approaches now.”

Leverage and extend existing forensic toolsets in place (such as those used for AML/BSA) to reduce initial investments. Once initial wins have been demonstrated, a business case can be developed to expand the analytics toolset as part of a larger compliance testing strategy.

“It’s difficult to get the buy-in needed from multiple groups to integrate the risk functions and supporting processes.”

Because of the widespread impact of risk integration across the bank, it’s more important than ever to enlist broad executive-level ownership and support. The project team should include key individuals from the LoB, compliance, and operational risk.

The LoB should lead the effort by developing end-to-end business process maps that go beyond transaction flows to include customer interactions, third parties, and product variations.

With appropriate input from operational and compliance risk, the LoB can identify key risk points in the business process. Data and technology expertise can help drive the design of analytics and system changes that are needed to support and evaluate operational risk.


In a risk and regulatory environment that is constantly evolving, to stand still is to move backwards.

Banks that take a backseat approach face significant risks:

• Inability to grapple with the continued complexity in complying with regulators’ expectations.

• Continued rising cost of non-compliance, which is now measured in the billions of dollars, resulting from litigation, penalties, and the cost of remediation. This increasing cost is also reflected in increased staffing in first, second, and third lines of defense.

• Compliance failures continuing to increase reputational risk and threatening to impose a significant drag on overall business performance—both for individual institutions and the industry as a whole. Consider the business impact of:

  – Negative news on customer satisfaction and retention.

  – Higher opportunity costs and slower growth.

  – Heavily publicized non-compliance—fueling a cycle of public and legislative demand for enhanced regulation and enforcement.


Competitive intelligence

Most banks are not equipped to meet the expectations of today’s regulatory environment in a sustainable way. There are many steps they can take to begin evolving their programs.

Integrate risk (compliance risk aggregation and reporting; risk assessment, monitoring, and testing; new products; training; policies and procedures)

Current state:

• Aggregating and reporting compliance risk in a meaningful way is a challenge. Most reporting is high-level, qualitative information based on underlying compliance activities.

• The second line of defense has assumed primary responsibility for designing the risk assessment, monitoring procedures, and testing approach, but has had challenges implementing these processes in the lines of business (LoB), where most compliance risk resides.

• The scope of compliance is being reshaped to cover new compliance risk sources and definitions (customer, product, and operations risk).

• Traditional compliance functions have been designed to detect non-compliance with rules, and are not equipped to detect broader risks emerging from operations and customer interactions.

Transition state:

• The LoBs take the lead in shaping the approach, setting priorities to focus on new sources of compliance risk, and implementing standardized compliance and risk management procedures in the business. The organization commits appropriate expertise to project teams.

• LoB leadership begins integrating compliance and operational risk programs. This includes organizational alignment as well as rationalization of the risk assessment, monitoring, and testing efforts.

• Compliance risk reporting is improved through enhanced qualitative information as well as the introduction of analytics to measure and monitor high-impact risks.

Target state:

• The first line of defense, the LoB, leads the compliance risk management effort, while the second line of defense, the compliance function, provides oversight and support. Working as a well-coordinated team, they provide consistent end-to-end management of compliance risk. The compliance risk team includes operational and customer experience competencies.

• Compliance is not just rules-based, but encompasses operating, product, channel, and customer experience risk. Compliance risk programs are integrated with the operational risk programs and support the organizational model across LoBs.

• Risk aggregation and reporting is driven by analytics, key risk indicators (KRIs), and dynamic risk assessment, monitoring, and testing. The reporting uses the new definition of compliance risk and provides actionable information at the LoB and enterprise levels.

Simplify products & channels (multi-competency teams; product rationalization; simplification of channels and customer interactions)

Current state:

• A rules-based approach to product management and sales channels has focused on customer disclosures and transaction handling.

• New product compliance risk assessments have focused on rules-based compliance, with improving consideration of unfair, deceptive, or abusive acts or practices (UDAAP) and disparate treatment.

• The existing product portfolio has not been consistently assessed for compliance risk and is more reactive to emerging industry issues.

Transition state:

• The LoBs begin to prioritize products and channels with the greatest operational and compliance risk—those that are the most complex. They identify and plan for simplification efforts.

• A multi-competency team is formed to drive change for selected products and channels. A team with a winning strategy and early success stories demonstrates what can be achieved.

• A case for simplification change, supported by a project charter, is developed. The effort is backed by a proven approach: team, method, standards, and tools.

Target state:

• A broad-based organizational team, made up of team members with competencies in operational risk, compliance, product, channel, and customer experience, collaborates to continually assess, plan, and drive simplification.

• Scenario-modeling capabilities are employed to monitor for potential compliance issues emerging from business operations and customer experiences.

• A bank-wide simplification program drives change through product rationalization and simplification, channel and customer interaction simplification, and technology simplification.


Leverage analytics (KRI dashboards; scenario modeling; predictive analytics; statistical analysis)

Current state:

• Most compliance reporting exists at the enterprise level and is non-standard at the LoB level. Reporting is qualitative in nature and is derived from a variety of compliance risk activities. Quantitative metrics and KRIs for compliance do not exist or are not widely used.

• Aggregation methodologies are largely judgmental and are not consistently applied across the organization.

• Reporting attempts to bring together a horizontal view for issues which cut across LoBs (such as Flood or Anti-Money Laundering).

• Scenario analysis of business impacts is not typically performed or is ad hoc in nature.

Transition state:

• Reporting mechanisms and KRIs are inventoried to identify the spectrum of aggregation methodologies and tools.

• Compliance risk reporting is improved through enhanced qualitative information as well as the introduction of analytics to measure and monitor high-impact risks.

Target state:

• A KRI dashboard provides compliance views by LoB and enterprise-wide. The dashboard has both vertical and horizontal drilldown capabilities.

• Quantitative information is available utilizing “big data” type methods to search and analyze structured and unstructured data sources.

• Analysis is forward-looking and shapes the compliance agenda for upcoming risk assessments, monitoring, and other framework components.

• Scenario modeling is utilized to identify the impact of emerging regulations and macroeconomic events in concert with stress testing and other initiatives.

Standardize compliance testing (standard testing approach; integrate compliance and operational risk testing; increase forensic testing)

Current state:

• Compliance testing is non-standard across the enterprise and relies primarily on manual methods.

• Compliance and operational risk testing are performed in silos.

• Strong forensic testing capabilities are established in selected compliance areas (such as fair lending, call monitoring for suitability, Anti-Money Laundering/Bank Secrecy Act (AML/BSA) for transaction monitoring). Forensic testing is used on an ad hoc basis for most other areas.

Transition state:

• A standardized and integrated compliance and operational risk testing framework is developed.

• The most critical compliance risks are identified and used to implement a proof of concept for forensic testing.

• Mid- and long-term transition plans are created for lower compliance risk areas to leverage a standard testing approach.

• Existing forensic technologies that can be leveraged (data sources, “big data” tools, case management workflow, electronic discovery/computer forensic tools) are inventoried to create a temporary center of excellence.

Target state:

• A compliance testing center of excellence is maintained (approach, methods, tools, data sources) to support consistent testing standards bank-wide.

• The LoBs adopt forensic testing techniques to analyze structured and unstructured data. These techniques enable them to cover a much wider range of compliance and operational risks in a compressed timeframe.

• Compliance testing strategies are used to identify, plan, and execute testing in a more sustainable way by matching the scope, extent, and method of testing to the risks.


Adopt lean principles (value-added activities and outputs; continuous improvement)

Current state:

• Compliance risk management processes have been built up over the years at the enterprise and LoB levels. These processes are often not standardized and a significant level of resources is needed to support them. Often, it is unclear how these activities align to compliance goals and how they create value.

• Efforts in implementing processes to address new compliance requirements are focused on initial compliance with less attention paid to sustainability, resulting in quick fixes that become “business as usual.” Selected compliance processes may improve in subsequent years (such as AML/BSA processes).

Transition state:

• Outcomes and outputs of compliance risk management are inventoried and defined at the enterprise and LoB levels. Activities are mapped to the organizational resources consumed to assess the cost of generating value.

• Focus is placed on the most critical, complex, and/or costly processes to provide immediate benefits. Key compliance risk processes are selected to pilot lean principles by aligning value (outputs and outcomes) with activities, and then rationalizing non-value-added activities.

Target state:

• Compliance risk management processes are subject to continuous improvement and are evaluated based on aligning value (outputs and outcomes) with activities.

• The operational impact of new compliance requirements is considered to manage critical path efforts, redeploy workflow, and reduce process variability.

Manage change (program management; project management; organizational change management)

Current state:

• Enterprise project management approaches for compliance-related projects are utilized; however, a program management approach is less consistently applied.

• Project teams often do not have the requisite operations, customer, or sales channel experience to fulfill project goals.

• Projects have difficulty transitioning from implementation mode to sustainable operations. Organizational change management is considered but not consistently applied.

Transition state:

• Projects are assessed to determine whether teams have the right capabilities and are using effective program, project, and change management approaches. Issues identified are addressed on a prioritized basis.

• A business transformation approach helps to establish that compliance initiatives have given thorough consideration to operational and customer impacts. Operational sustainability is achieved on day one of project completion.

Target state:

• Compliance programs are formally defined and managed as a portfolio. This enables better management of business impacts, interdependencies, timelines, and budgets.

• Organizational change management is leveraged to drive compliance initiatives and promote readiness for sustainable and effective operations.


    13 FS Viewpoint | Let’s make a difference  A framework for response

    ComplianceMeeting the challenge

    Integrate risk

    Simplifyproducts &

    channels

    Leverage

    analytics

    Standardize

    compliance

    testing

     Adopt lean

    principles

    Managechange

     New thinking is needed todesign and implement theright approach to meet the

    challenge. Real change, notmore of the same, is needed.

    Each of the six approaches discussed in this framework has the potential to make a significant impact alone or as part of a broader plan. Banks should assess their current capabilities and develop a tailored strategy.

    Banks can position themselves for success by designing their strategy in the center and executing on opportunities in the business.

    Key success factors include:

    • Broad executive-level ownership and visible support for change, including leaders representing a cross-section of the organization committing time, resources, and subject matter expertise to the effort.

    • A shared vision for stakeholders that includes organizational change and agreement on the new scope of compliance risks.

    • A change in mindset and competencies within the compliance management function.

    • An actionable plan that demonstrates a clear understanding of gaps, outlines a roadmap to the future state, and is supported by a sound business case.

    Make the case for change

    Based on our experience, a transformational strategy that incorporates the six approaches in this framework can most effectively drive meaningful change.



    Moving to the future state

    A clear roadmap can identify near-term improvement opportunities and set forth a longer-term strategy for developing an appropriate compliance capability with the tools, data, skills, and processes to support it.


    Establish new scope of compliance and evaluate compliance management model

    • Establish a broader definition of compliance risk that aligns with stakeholder expectations and evaluate integration with operational risk programs.

    • Evaluate compliance organizational model to assess alignment with the bank’s business and risk management model (first and second lines of defense).

    Analyze current capabilities and needs

    • Evaluate current end-to-end compliance processes and use of technology.

    • Assess current compliance management approaches and capabilities.

    • Evaluate how new and innovative approaches should be incorporated into the strategy to meet new demands.

    Identify and prioritize opportunities

    • Identify short- and long-term opportunities to improve compliance capabilities and approach.

    • Develop a future-state compliance management model.

    • Develop a business case to support the implementation plan that includes:
      –  Benefits and costs.
      –  Implementation plan.
      –  Key success factors and project structure.
      –  Resource plan.


     Integrate risk

    [Figure: Define scope and content of compliance risk. The diagram lays out governance (lines of defense, risk appetite, reporting, culture) and program elements (policy, analytics reporting, training, risk assessment) across four sources of risk: operational risk programs¹, AML/BSA, rules-based compliance (Reg CC, Z, etc.), and broader sources of compliance risk. Lines of business perform risk assessment, monitoring, and testing (RCSA) and bottom-up risk appetite setting; the operational risk capital (Basel, CCAR) elements shown are loss data, scenario assessment, modeling, and reporting. Shading indicates maturity level, representing the typical state of development: high, medium, or low.]

    1 Operational risk programs typically are designed and implemented based on regulatory guidance. Examples include information security, BCP, and vendor risk.


    The current fragmented approach to managing operational and compliance risks at most banks means that they are not well-positioned to address newly recognized sources of compliance risk emerging from products, sales channels, and customer interactions.

    Banks can either drive incremental change to address risk coverage gaps, or view this as a call to action to drive top-down integration of operational and compliance risk, paving the way for more effective compliance and positioning banks for the future.

    Key risk integration principles

    Getting the right risk coverage

    • Line-of-business (LoB) management and operational and compliance risk functions should team to design an integrated approach that helps to establish risk coverage. LoB management should lead this effort, and the second line of defense should provide oversight and compliance expertise.

    • Scope, content, and testing of LoB risk and control self assessments (RCSAs) need to be integrated, validated for risk coverage, and linked to the risk appetite cascade.

    • Enhance current transaction-based process flows to include focus on customer interactions, third parties, and product variation.

    • Form the right team—active participation by LoB management, operational risk, and compliance risk will help to establish that the right questions are being asked related to broader sources of risk.

    Leveraging tools and data

    • The approach and tools for managing operational and compliance risks should be standardized and designed to promote usability and focus.

    • Utilize analytics to gain a fact-based understanding of compliance risk sources.

    Reporting

    • Integrated reporting and analytics should cover operational and compliance risks in a dashboard with federal, state, and local aggregation models.

    • Operational and compliance risk programs will continue to have specific regulatory reporting requirements (such as compliance, information security, business continuity planning (BCP), vendor risk, etc.) that the integrated approach should support.


    Simplify products & channels

    Banks are using a structured approach with a top-down assessment process that will enable them to implement a simplification program across multiple portfolios and product types.

    Phases: Framing, Data gathering, Analysis, Rationalization, Roadmap, Execution.

    Project and stakeholder management: Implement communication plan and perform ongoing project management.

    Key tasks, in phase order:

    • Define scope of products, channels, and geographies.
    • Identify impacts of complexity across value chain.
    • Identify data required for analysis.
    • Collect product/channel data and information.
    • Validate data gathered.
    • Perform value analysis.
    • Perform product variances analysis.
    • Model cost of complexity.
    • Overlay lifecycle and strategic alignment considerations.
    • Score projects.
    • Assess compliance and operational risk (loss model and costs).
    • Identify key impacts and risks to be managed (brand, compliance and operational losses, customer, people, process, technology).
    • Recommend product strategies.
    • Create integrated roadmap including:
      – Market
      – Product
      – Technology
      – Platform
      – Process
    • Tailor migration plans by products/customer segment.

    Output:

    • Rationalization candidates.
    • Identification of overlaps in product/channel features or functions.
    • Calculated marginal compliance and operational cost of complexity and potential savings/benefits.
    • Portfolio effect of removing/enhancing products.
    • Recommendation on products/channels to grow, maintain, harvest, or retire.


    Leverage analytics

    Analytics should be designed to measure and model the sources of compliance risk for each business in which sales channels, product management, and customer experience meet.

    The use of data analytics is not a new concept for banks. Compliance efforts to support fair lending, suitability, and AML/BSA have employed analytics for years, and these capabilities can be leveraged to extend to new sources of compliance risk.

    The power of analytics includes both preventative control and providing management with trends and fact patterns that assist banks with more effective and cost-efficient risk management.

    Key analytics design principles

    Compliance key risk indicators (KRIs)

    • Promote an end-to-end design that includes risk assessment, analytics, research, and reporting.

    • Create risk assessments that consider process and business rules, people interactions, sales channels, product management, and the customer experience.

    • Use a broader definition of compliance and operational risk that focuses on business practices, customer impacts, unfair, deceptive, or abusive acts or practices (UDAAP), and disparate treatment.

    • Enable the use of predictive and scenario analytics, along with detective analysis.

    • Incorporate both structured and unstructured data sources as inputs to the analytic process.

    User experience

    • Design a dashboard user interface with drilldown capabilities to support effective research and communication.

    • Develop a federal, state, and county aggregation model to address governance, monitoring, and reporting needs across the first, second, and third lines of defense.

    • Use an agile development methodology to address the evolving needs of stakeholders and continuously adapt analytics to future business needs.


    [Figure: Analytics flow. Inputs: email, word processing files, PDFs; social media, voicemail; spreadsheets, database reports; transaction databases; legacy systems. Analytic environment: application of business rules, statistical analyses, and predictive techniques. Output: analysis insights; trends and patterns; KRIs, triggers, and alerts; links to testing; scenario and predictive modeling.]


    Standardize compliance testing

    Banks should assess their compliance testing program to identify opportunities for expanding risk coverage, improving efficiency, and standardizing testing approaches organization-wide.

    Enhancements to the testing program should address the components of the compliance testing framework. We recommend that the effort include several key activities:


    [Figure: Compliance testing framework. Components: vision, strategy & approach; methods & processes; operations; skills development; team excellence; knowledge; quality & documentation; resourcing; IT infrastructure, tools & data.]

    Standardizing testing approaches

    • Implement a robust compliance governance framework to promote bank-wide consistency and support the future-state compliance operating model.

    • Assess current compliance testing practices against industry leading practices and adopt enhancements where needed.

    • Consider developing a compliance center of excellence to drive adoption of approved testing methods and tools.

    Integrating compliance and operational risk testing

    • Bring together subject matter specialists across key groups (product, sales, customer experience) to share knowledge and enhance risk and compliance organization-wide.

    • Conduct workshops and training to increase awareness of emerging sources of compliance risk for the LoBs, compliance, and operational risk groups.

    Expanding the use of forensic testing

    • Develop visual analytics dashboards and instruments to support enhanced data analysis and reporting.

    • Assess the current technology environment and develop a business case for investing in the tools needed to support enhanced automation and analytics.

    • Identify risk drivers through the development of risk segmentation models and seek opportunities to design a predictive model based on findings from root cause and trend analyses.


    Adopt lean principles

    Compliance processes, organizational structures, and supporting technology have accumulated over several years in a rules-based environment. We have found an output-driven analysis using lean principles is effective at identifying waste and designing and implementing more value-added activities.

    To begin, banks should inventory and define outputs of compliance risk management processes at the enterprise, LoB, and business-unit levels. By focusing on the most critical, complex, and costly processes first, banks can increase near-term benefits.


     How do we make our work easier, without sacrificing quality?

    Stakeholder value

    • Have a clear understanding of who the stakeholders are and what they value.

    • Inventory outputs from compliance management; estimate resources required to produce outputs and assess alignment of value and effort.

    • Determine outputs that can be eliminated, combined with others, or reduced in scope.

    • Identify entirely new approach to outputs (for example, using a top-down vs. bottom-up approach).

    • Design processes for new approaches.

    Process efficiency

    • Identify and remove non-value-added activities (for example, waste).

    • Verify that the work flows without interruption from obstacles or bottlenecks.

    • Design the system so that it reacts to changing demand and pulls work through the process (flexibility and agility).

    Performance management

    • Make results and defects easy to see, with performance tied to strategy.

    • Collaborate and foster an open discussion of business problems and solutions.

    • Assign clear roles and accountability for results.

    • Monitor meaningful key performance indicators, and revise improvement plans.

    Organizational capabilities

    • Rethink organizational structure, roles and responsibilities, and capabilities.

    • Empower process owners for continued improvement, building owners’ critical thinking skills and the ability to identify waste.

    • Align cross-functional teams around end-to-end value streams to see the big picture.

    Mindset and behavior

    • Shift mindsets and behaviors to embrace continuous improvement.

    • Create enterprise-wide ownership for improvement led by process stakeholders.

    • Develop intolerance for activities that do not add value.

    • Challenge the status quo by constantly asking: “Is this as good as it could be?”


     Manage change


    What are the guiding principles of transformational change management?

    Senior level sponsorship and governance

    • Assigning senior-level management ownership and responsibility for the program and creating a governance structure with the proper business and supporting function representation.

    Creating a strong project management function

    • Creating the management discipline and reporting capabilities to support the execution of the effort in both the center and the LoBs.

    • Constructing strong implementation teams and applying financial accountability on a project-by-project basis.

    Utilizing proper project resources

    • Helping to establish that there is the appropriate quantity of resources devoted to the project, the essential competencies are fulfilled, and the appropriate mix of compliance, operational, and business experience is on the project team.

    Intelligent use of information regarding rules

    • Developing a framework matching the relevant rules, jurisdictions, etc. to the organization; monitoring and assessing the impact of rule changes on the business.

    • Determining where compliance efforts should use a global standard and where accommodations should be made for local rules.

    Managing key stakeholders throughout the process

    • Addressing the needs and expectations of regulators and other key stakeholders from approach to execution.

    Helping to establish effective change management

    • Focusing on the readiness to enact sustainable change in human capital and processes. The aim is to help to establish that the focus extends beyond just the build phase and into the future ongoing operating model.

    This new wave of compliance requirements and expectations needs to be met with efficient and effective methods to promote successful change.

    Unprecedented levels of new compliance matters are being addressed concurrently, many of which have significant business model impacts. Volume, complexities, and interdependencies across several domestic and global compliance requirements require program-level and project-level management (such as Dodd-Frank, the Consumer Financial Protection Bureau, BSA/AML, and FATCA).

    This degree of change requires program/project management methods commonly used in business transformation.

    In addition, banks have an opportunity to drive more business value out of these costly compliance initiatives. When planning system and process changes needed to meet compliance requirements, banks should also consider the potential for revenue generation and cost-saving opportunities. Project teams should include an appropriate mix of business and compliance expertise to take advantage of these potential opportunities.

    How PwC can help

    What makes PwC’s Financial Services practice distinctive.

    Integrated global network

    With 34,000 industry-dedicated professionals worldwide, PwC has a network that enables the assembly of both cross-border and regional teams. PwC’s large, integrated global network of industry-dedicated resources means that PwC deploys the right personnel with the right background on our clients’ behalf whenever and wherever they need it.

    Extensive industry experience

    PwC serves multinational financial institutions across banking and capital markets, insurance, asset management, hedge funds, private equity, payments, and financial technology. As a result, PwC has the extensive experience needed to advise on the portfolio of business issues that affect the industry, and we apply that knowledge to our clients’ individual circumstances.

    Multidisciplinary problem solving

    The critical issues financial institutions face today affect their entire business. Addressing these complexities requires both breadth and depth, and PwC service teams include specialists in strategy, risk management, finance, regulation, operations, and technology. This allows us to provide support to corporate executives as well as key line and staff management. We help address business issues from client impact to product design, from go-to-market strategy to an improved economic model to proper functional practices across the organization. We excel at solving problems that span the range of our clients’ key issues and opportunities, working with the heads of the business, risk, finance, operations, and technology.

    Practical insight into critical issues

    In addition to working directly with clients, our practice professionals and Financial Services Institute regularly produce client surveys, white papers, and points of view on the critical issues that face the industry. These publications—as well as the events we stage—provide clients new intelligence, perspective, and analysis on the trends that affect them.

    Focus on relationships

    PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms with 180,000 people in more than 158 countries. We’re committed to delivering quality in assurance, tax, and advisory services.



    PwC Advisory

    We look across the entire organization—focusing on strategy, structure, people, process, and technology—to help our clients improve business processes, transform organizations, and implement technologies needed to run the business.

    Client needs | Issues we help clients address

    Manage risk and regulation

    • Building a risk-resilient organization.
    • Managing ERP investment and project execution risk.
    • Safeguarding the currency of business; keeping sensitive data out of the wrong hands.
    • Helping to establish capital project governance and accountability.

    Build effective organizations

    • Establishing effective strategic sourcing and procurement.
    • Realizing competitive advantage through effective sales operations inventory planning.
    • Transforming the close and consolidation process to work for you rather than against you.

    Reduce costs

    • Driving efficiency through shared services.
    • Redesigning finance to realize efficiency and competitive advantage.
    • Taking control of cost through effective spend management and cash forecasting practices.

    Leverage talent

    • Defining and implementing an effective HR organization.
    • Rethinking pivotal talent.

    Innovate and grow profitably

    • Reshaping the IT function into a source of innovation.
    • Transforming business information to drive insight and fact-based decision making.
    • Evaluating acquisition and divestiture strategies to position the organization for the future.


    Appendix

    Operational and compliance risk integration—US regional bank

    Issues

    A major US regional bank was encountering significant difficulties in extracting management insights from the compliance risk assessments and operational risk assessments performed respectively by its compliance and risk functions. The bank was unable to take an integrated, portfolio view of its compliance and operational risks along product and organizational lines. It performed a number of overlapping assessment and testing activities at significant cost yet without meaningful return.

    Approach

    PwC was retained by the risk function to improve the risk assessment process by better supporting both the operational and compliance risk assessment needs of the organization. PwC helped the institution:

    • Design and implement an integrated risk assessment methodology to assess compliance and operational risks by major product and enterprise process, as well as along organizational lines.

    • Document the value chains supporting major products and enterprise processes, such as mortgages and treasury management. The resulting process flows are used as key inputs into risk assessment activities.

    • Redesign the operating model for testing controls and for managing issues identified through testing and other channels.

    • Streamline reporting for operational risk and compliance risk management purposes.

    Benefits

    The institution has gained a far deeper understanding of its risks and risk management activities end-to-end, across the value chains. In particular, hand-off points between organizational units are better understood by the corresponding stakeholders, and regulatory compliance-related and operational controls can be placed in a common process context, thereby facilitating rationalizations.


    “Let’s make a difference: Managing compliance and operational risk in the new environment,” PwC FS Viewpoint, August 2013. www.pwc.com/fsi

    © 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

    NY-14-0073 NH

    www.pwc.com/fsi

    To have a deeper conversation, please contact:

    Daniel Jackett, [email protected], +1 415 498 7559
    Dietmar Serbee, [email protected], +1 646 471 7270
    Jeff Lavine, [email protected], +1 703 918 1379
    Kenneth Peyer, [email protected], +1 415 498 7061
    Richard Reynolds, [email protected], +1 646 471 8559
    Catherine Zhou, [email protected], +1 408 808 2969

    Follow us on Twitter @PwC_US_FinSrvcs
