Principle 1 – Regulatory responses should be fit for purpose
No matter the regulation or compliance objective, a one-size-fits-all approach will not work for every organisation.
Anecdotally, we have found that some companies have been downloading risk frameworks from the web and using these as a guide to address their compliance issues in their organisation.
While it might be tempting to do this – saving on costs and time and using a ‘proven’ guide – this is short-term thinking and may not be appropriate to an organisation’s circumstances. The insurance and accounting needs of a small travel agency and those of a large financial organisation are different, and so are the regulatory frameworks that are needed.
Essentially, the nuances of an organisation need to be considered. This can include its size, the nature of its processes, its customer segments, its distribution and service model, and the organisational structure.
Principle 2 – Adopt a risk-based approach
An organisation’s regulatory framework should direct resources to the highest-risk areas in its operations. The strongest regulatory responses demonstrate robust analysis of risk over the problem context. For operational processes, for example, this will include mapping out and analysing risk across end-to-end data flows; where processes are less defined, it will include a data-driven diagnostic analysis based on risk metrics. This is typically centred on a risk assessment that takes into account the impact and likelihood of non-compliance.
Controls should reduce or mitigate the risk of non-compliance to a point where the residual risk becomes acceptable to the organisation, and also help show the framework is fit for its purpose by demonstrating proportionality in a response based on risk.
The risk-based approach should also proactively adapt to its environment, be agile, and respond to changing circumstances. It should not be ‘set and done’ at a single point in time. Underlying risks change over time and controls need to be adapted accordingly; however, this is often not done. For example, when organisations implement new technology, controls are often descoped from or neglected in the project.
Principle 3 – Technology solutions are only as good as their business adoption
There is a growing industry built around technology solutions promising compliance with regulations, with the global RegTech market estimated to be worth more than $1 trillion [1]. Technology is only an enabler and on its own will not demonstrate compliance.
For this to occur, the technology solution needs to be truly embedded, with timely, accurate and complete data capture and transformation for business processes. This is more likely to lead to reliable decision making and to outcomes that demonstrate compliance.
The gaps in technology solutions are most exposed during acquisitions of new business or when a roll-out has a limited scope, resulting in an organisation that has adopted a technology solution only in part, with a patchwork framework in other areas.
Principle 4 – End-to-end consideration of technology, data and processes
The effectiveness of a framework needs to be considered in its entirety – as with many things in life and business a framework is only as strong as its weakest link.
Consider, for example, a sophisticated screening system for identifying transactions that may indicate money laundering: its effectiveness would need to be considered alongside the rigour of the follow-up and investigation of these cases and of any necessary remediation.
For these reasons a complete regulatory framework would also need elements such as transparent ownership and governance, escalation, monitoring and review. During enforcement actions it’s the weak links in the framework that are typically highlighted.
Principle 5 – Framework outputs need to impact management decisions
The outputs of any rigorous internal regulatory investigation should influence management decisions – otherwise there is no use in putting the framework in place.
As challenging as it may be to make the needed changes when a framework identifies a need for remediation, good governance and oversight are critical, and management must actively support and act on the necessary decisions.
Unfortunately, executive and senior management claiming they were not aware of any gaps will not work, and if there are any breaches or non-compliance they will be held accountable.
For these reasons it is important to have an audit trail of evidence showing how management and business processes respond to a regulatory framework’s outputs.
Final thoughts
Companies are more connected than ever with their customers and clients, but as we have increased our reliance on technology and data to generate commercial and client outcomes, this brings with it associated long-term risks. As the way we interact with clients has changed forever, so too should the response to essential compliance with regulatory requirements. Risk can be easily addressed for any organisation, but key to this is investing in embedding data-driven, bespoke and agile regulatory frameworks as part of the essential work of every company.
Contact Sulav Saha at sulav.saha@aon.com for more information or to discuss further.
Sources:
[1] Australian Financial Review, January 2020: https://www.afr.com/companies/financial-services/regtech-market-could-become-an-australian-high-tech-fossil-20200124-p53ub6