FIVE KEY RISKS FOR 2014

Transcription

1 FIVE KEY RISKS FOR 2014

2 CONTENTS 1. KEY SKILLS CAPACITY.4 3. CONDUCT RISK.5 4. INFRASTRUCTURE.6 5. TOO-BIG-TO-FAIL...7 CONCLUSION..8 2 FIVE KEY RISKS FOR 2014 JANUARY 2014

3 The biggest risk influence on firms in 2014 will be the practical implementation of changing regulatory expectations. Changes to hard-and-fast rules are one thing but changes to expectations regarding culture, tone from the top and conduct risk put firms in a much less certain place about what they are supposed to do and then, critically, how they provide evidence of compliance with the qualitative expectations. No two firms are the same thus no two firms will ever run exactly the same risks. The same is true for culture. Culture and its practical manifestations are firm-specific and in the brave new regulatory world each firm has, in line with supervisory expectations, the unenviable task of working out what good looks like for them in terms of risk culture. While the detailed risks run by firms are unique there are a series of high-level risks which all financial services firms, no matter what their sector or geography, need to consider. The detailed practical ways in which the risks will affect each firm and the precise risk mitigation and evidence approach required will vary, but the high-level risks remain relevant. In no particular order there are five high-level significant risks which all firms need to consider: 1. KEY SKILLS The heightened focus on senior individuals in firms has also increased their vulnerability if they do not have the appropriate skill set; basically, the capability to discharge their regulatory obligations. On one level, senior managers need to manage their own personal regulatory risk but on another, a direct line is beginning to be drawn between the skills and knowledge of directors and the assessment of the quality of the corporate governance (with all the potential regulatory ramifications) in the firm. In August 2013 the Hong Kong Monetary Authority published a Dear CEO letter setting out its expectations regarding the skills and knowledge development requirements for the directors of locally incorporated authorised institutions. The HKMA now expects authorised institutions to require directors to submit records of the training, development and other activities on an annual basis, and that this will be used as part of the supervisory assessment of the firm. At a global level the Financial Stability Board is leading the way in delineating the role, remit and job description for key senior positions as part of its work on risk governance. By association the skill set of the individuals occupying those roles has also been further defined. Firms would be well-advised to institute a regular and comprehensive skills audit for all senior managers. Unless it is their specific role, senior managers themselves are not expected to be risk and compliance experts. They are, however, expected to be aware of the nature of changing regulatory expectations and to be able to discuss with all relevant supervisors their understanding of their regulatory obligations and their capability and capacity to discharge their personal liability. The proposed new UK regime for senior bankers takes this one stage further, advocating detailed agreed job descriptions and documented handovers for any changes in regulatory obligations. 3 FIVE KEY RISKS FOR 2014 JANUARY 2014

4 The board of directors and senior management are the starting point for setting the financial institution s core values and risk culture, and their behaviour must reflect the values being espoused. As such, the leadership of the institution should systematically develop, monitor, and assess the culture of the financial institution. Financial Stability Board consultative document, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture, November Firms must understand the need to invest in skills and knowledge, and the need to keep it refreshed. It is not just a question of knowledge of financial services rules and requirements but also, say, a working knowledge of the pros and cons of different types of controls, the ability to challenge risk decisions constructively and to understand the implications of the assumptions made in generating management information. Any skills audit should not just catalogue the skills in place but should also consider what skills are needed (and indeed expected by regulators) for the current and future development of the business and identify any gaps. Firms should not shy away from challenging discussions as to whether or not the right people with the right skill sets are in the right roles. As has become repeatedly clear, individuals without an appropriate skill set are vulnerable as never before. In a post-financial crisis world, regulators are sharpening their focus on the role, skills and activities of all senior managers and are intensifying the supervision applied to individuals. 2. CAPACITY A critical issue for firms faced with no let-up in the volume of regulatory change is the sheer capacity to implement all the required changes. Firms need to face up to the possibility that, say, their entire IT capacity might be absorbed by the need to implement forthcoming rulebook changes. In practical terms, this could mean that the changes needed to advance business strategies or to eliminate manual work-arounds have to be moved back in the schedule or even cancelled altogether. One temptation for firms may be to skimp on the follow-up, post-implementation review work which tests whether the changes made actually do enable them to be compliant with any new requirements. Firms would be well-advised to consider their position carefully before cutting any corners in the implementation of new requirements. The current changes to the global (but specifically U.S. and EU) requirements to report and clear OTC derivatives are one case in point. The other changes with even wider applicability are those to transaction reporting requirements likely to arise out of the next iteration of the Markets in Financial Instruments Directive. The original MiFID came into effect in November 2007 and changed the existing transaction reporting requirements extensively. In the aftermath a series of firms were fined by the then-uk regulator the Financial Services Authority for myriad breaches. 4 FIVE KEY RISKS FOR 2014 JANUARY 2014

5 Barclays was fined 2.45 million in August 2009 and in April 2010 Credit Suisse was fined 1.75 million, Getco Europe was fined 1.4 million and Instinet Europe was fined 1.05 million. Credit Suisse, for instance, failed to report properly around a quarter of its transactions on the London Stock Exchange for two years as it had not checked that its external reporting mechanism was working as expected and this breach was compounded by a series of reporting errors such as using the wrong unit price and wrong time. Compliance with regulatory obligations is not an optional extra for firms and they must make sure that changes implemented actually do deliver the required change. The transaction reporting example is a pertinent one as firms have the opportunity in 2014 to make sure that history does not repeat itself. Any firm which does fall foul of the future transaction or indeed other reporting obligations can expect exponentially harsher treatment from all regulators. As a means of mitigating the issues associated with what will often be limited capacity to change, firms may wish to ensure that they have sufficient skilled in-house risk and compliance resources both to assess the impact of regulatory changes and to review the overall project management process including sign-off and critical post-implementation review. 3. CONDUCT RISK A new year, and a new regulatory expectation. For 2014 conduct risk and risk culture should be seen as the next step in regulatory evolution. Given the deliberate lack of precise detailed rules and prescriptive requirements from the regulators it might even be considered a revolution. The crux of the challenge for firms and senior individuals lies in this lack of a detailed rulebook and associated comfortable safe harbour. Firms and, critically, those who run them, need to be able to consider, build and measure for themselves what good looks like in terms of culture, customer outcomes and the way business is undertaken. In other words, senior individuals need to choose for themselves how to approach the new regulatory expectations and then lead their firms in the management and evidenced mitigation of conduct risk. There are a number of next steps for all firms to consider. Doing nothing is not an option. It may be that, having assessed all elements of conduct risk, a firm is happy that its business is being done in an appropriately customer-focused, risk-aware way and that no changes to the identification and, where needed, the mitigation of conduct risks is required. Even in this, unlikely, scenario, however, firms will need to still take action by implementing a suite of management information and reporting to provide the evidence required by the board that conduct risks continue to be managed appropriately in line with the their own risk culture criteria. There are five main steps for firms to consider: define, assess, reform, measure and evidence. The precise nature of the detailed work required will vary but it is likely that each of the steps will need to be broken down into numerous other activities. The one thing that firms should be particularly careful to do is to document their work. Indeed, the 5 FIVE KEY RISKS FOR 2014 JANUARY 2014

6 Key components of conduct risk FSB has gone so far as to recommend that a firm s willingness to document in detail the elements supporting its risk culture should, in itself, form part of the regulator s overall assessment of risk management in the firm. Comprehensive documentation for all elements and steps in the definition, assessment, reform and measurement of conduct risk may seem like undue bureaucracy but it is a critical if a firm is to be able to prove to itself and to its regulators that it has not only done the right things but it has also done them in the right way. Regulators have made it clear that their expectations of firms and senior individuals have changed and that conduct risk is the new normal. Not all regulators around the world have badged conduct risk as such but the changing expectations placed on firms by supervisors, and equally on supervisors by the supranational bodies and governments, with regard to risk culture are universal. 4. INFRASTRUCTURE Firms have traditionally focussed on the risks posed to their business activities if their own internal infrastructure is compromised, whether through a systems and controls failure or cyber attack had reported attacks, or system failures, at numerous banks, exchanges and other non-financial services firms, and while firms have not had a perfect record in preventing such incidents the issue is one which many firms review regularly. What may not be under such careful and regular review is the potential impact on firms if any external infrastructure is compromised. In the financial crisis one of the few bright spots was that the payments service infrastructure held up remarkably well, but the current swathe of rule changes are shifting the potential risk concentrations and creating new critical infrastructures. It is now widely acknowledged that, for instance, the newly created central clearing counterparties built to clear over-the- 6 FIVE KEY RISKS FOR 2014 JANUARY 2014

7 counter derivatives transactions are a key element in financial stability, and as such will remain under review by many regulators. Firms themselves need to be aware of the shifting risks to the infrastructure upon which they rely for the smooth conduct of their business. In particular those firms which are required to produce living wills need to incorporate their links to key infrastructure expressly into all stress and scenario testing. 5. TOO-BIG-TO-FAIL One of the abiding issues arising from the financial crisis was the emergence of the concept of too-big-to-fail, mostly applicable to banks which were able to take excessive risks without the moral hazard of failure due to an implicit underlying guarantee from governments. The bill for the governmental guarantees and resulting bail-outs was paid by local taxpayers, the result of the global in life, local in death scenario. As a means to tackle too-big-to-fail, politicians and regulators have sought ways to make big complex firms easier to resolve and thereby allow them to fail in an orderly fashion without undue stress on the rest of the financial system, and without the taxpayer having to pick up the tab. The main way in which banks are to be made easier to resolve is through structural reform. The precise means of structural reform has, despite the declared need for international cooperation, ended up being jurisdictionspecific, although banks are trying to separate out the riskier business from the more day-to-day or utility banking activities. In the U.S. the Volcker rule will, among other things, force a separation of proprietary trading. In the UK, the Vickers Report is being implemented and retail banking will become ring-fenced from the rest of firms activities, and in Europe the debate is still being had as to exactly what structural reforms will be implemented. Structural constraints on banks proposed by a number of countries aim to address the too-important-to-fail problem by reducing the risk that these institutions will fail and by simplifying their resolution if they do fail. International Monetary Fund Staff Discussion Note, May 2013, Creating a Safer Financial System: Will the Volcker, Vickers, and Liikanen Structural Measures Help? For banks themselves there are several risks inherent in the structural reforms. First and foremost is that any too-bigto-fail bank is actually likely to become more complex given the differing jurisdictional approaches being taken, and hence potentially more difficult to resolve in an orderly fashion. For all other firms, which will by definition have some sort of relationship with a bank, careful consideration needs to be given to the changing nature of the relationship in a post-structural reform world. The political and regulatory resolution to the toobig-to-fail issue may well end up having numerous unintended consequences for both banks and other firms, with a new range of risks arising as firms endeavour to deal with an ever-more complex set of regulatory and legislative requirements. 7 FIVE KEY RISKS FOR 2014 JANUARY 2014

8 CONCLUSION By any standards 2014 will be a challenging year for risk and compliance. Ever more complex rules and requirements overlaid with increasing levels of qualitative expectations will require many firms to invest in the skills and resources available to their risk and compliance functions. Equally senior managers need to understand the implications of risks facing their firms, what needs to be managed, what can be mitigated and what risks firms choose to run. Only firms that grasp the fundamental importance of strong risk management will thrive in the ever more challenging world of financial services regulation. The downside for those that fail is no longer simply a loss of business but potentially career ending for those senior managers found to have breached risk and compliance requirements. 8 FIVE KEY RISKS FOR 2014 JANUARY 2014

9 To speak to a advisor about how Thomson Reuters can help you contact us on: NORTH AMERICA: Eastern U.S or Western U.S ; UK & EUROPE: +44 (0) ; MIDDLE EAST & AFRICA: +971 (0) ASIA PACIFIC: or us on: accelus@ thomsonreuters.com THOMSON REUTERS ACCELUS The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity. Thomson Reuters Accelus dynamically connects business transactions, strategy and operations to the ever-changing regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director and disclosure services. Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant For Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant for Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc. in its Leaders Quadrant of the Enterprise Governance, Risk and Compliance Platforms Magic Quadrant. Thomson Reuters was also named as Operational Risk Software Provider of the Year Award in the Operational Risk and Regulation Awards For more information, visit accelus.thomsonreuters.com