Front to Back (F2B) OpRisk network finding up to 6x more missing controls in support functions
The Acin OpRisk network consists of just under 10,000 clause-level regulation-to-control mappings (including risks and controls, that is 160,000 connections pertinent to this analysis), so it may come as a surprise that nearly half of all missing FO controls relate to just 2 of the 18 regulatory regimes we currently support. Counting the top 4, that is 519 (72%) of unique missing controls across the FO, with the Global FX Code at 27%, followed by FINRA, SEC and MiFID.
These same regulations also account for the highest numbers of non-documented controls. Combined with the missing controls, this not only undermines the RCSA process, ownership and testing responsibilities, but also prevents firms from evidencing completeness to regulators. Following any loss event, this would likely result in additional fines.
A more quantified view of a firm's exposure relating to the above missing controls is available to members who have entered their residual risk weightings against their network subscription. This allows them to model the effect that remediating each offending control has on their overall residual risk.
On the flip side, some of the risk types that are covered well within the Support Functions include Theft and Fraud (Internal and system security; Systems security). For Support Function vs. Front Office analysis, see (6x missing controls in Support Functions).
To give a little more insight into where all those missing controls are concentrated, the following list comprises the top 10 risks that might need attention, ranked accordingly:
These risks sit within the following regulations, in no particular order:
The data also shows that the Support Functions share many of the same risk types with the most preliminary missing controls. For example, Regulatory Breach has the highest number of preliminary missing controls across the middle and back office, and is the 2nd highest risk with missing controls mapped to regulations in the Front Office. Inappropriate Employee Behaviours is the 3rd highest. Some examples of missing controls linked to the top 2 risks from above would be:
Risk: Improper Market Practices
Controls: Supervisory Hierarchy Review, Supervisory Responsibilities Review, and End-User Computing Review
Risk: Regulatory Breach
Controls: Darkpool or Systematic Internaliser Review, New Supervisor Training, Remote Booker Population Review, and Governance Forum Review
It’s only when seeing these risks and controls connected up across the enterprise that a firm is able to identify where its weaknesses might be, compared to best practice in the market or indeed the latest regulations.
Knowing that non-documented controls exist, precisely what the regulation control gaps are, and where your top risks are weakest front to back requires a multi-dimensional view of your OpRisk landscape. The dynamic application of alerts, changes and other events then allows your firm to move quickly to a more efficient trigger-based RCSA. This is what Acin does.
If you’re interested in how all this works to further reduce residual risk, or remediate faster, please reach out to our practitioner teams in the US or Europe, or myself directly.
Kieron Sambrook-Smith, CRO