Nearly half of all missing FO controls relate to just 2 sets of regulations
The top 4 regulations account for 519 (72%) of all missing FO controls

The Acin OpRisk network consists of just under 10,000 clause-level regulation-to-control mappings (around 160,000 connections between risks, controls and regulatory clauses are pertinent to this analysis), so it may come as a surprise that nearly half of all missing Front Office (FO) controls relate to just 2 of the 18 regulatory regimes we currently support. Extending that to the top 4 regimes accounts for 519 (72%) of the unique missing controls across the FO: the Global FX Code alone accounts for 27%, followed by FINRA, SEC and MiFID.

These same regulations also account for the highest numbers of non-documented controls. Taken together with the missing controls, this not only undermines the RCSA process and the ownership and testing responsibilities that sit within it, but also prevents firms from evidencing completeness to regulators. Following a loss event, such gaps are likely to attract additional fines.

A more quantified view of a firm's exposure to the missing controls above is available to members who have entered their residual risk weightings against their network subscription. This allows them to model the effect that remediating each offending control would have on their overall residual risk.

On the flip side, some risk types are well covered within the Support Functions, including Theft and Fraud (internal and system security; systems security). For the Support Function vs. Front Office comparison, see the companion analysis on the 6x more missing controls found in the Support Functions.

Top risks with missing controls mapped to regulations

To show where those missing controls are concentrated, the following list comprises the top 10 risks that may need attention, ranked by the number of missing controls mapped to regulations:

  1. Improper Market practices
  2. Regulatory Breach (our v2.0 data model brings further precision to this category)
  3. Unauthorised Trading
  4. Market Manipulation
  5. Data Entry or Capture Error
  6. Inappropriate Employee Behaviours
  7. Inappropriate Risk Monitoring
  8. Execution Error
  9. Unintended Risk Positions
  10. Exchange or Market Rule Breach

These risks sit within the following regulations, in no particular order:

  • PRA Operational Resilience: Impact Tolerances
  • PRA Outsourcing and Third Party Risk
  • Securities and Exchange Commission
  • Commodity Futures Trading Commission
  • Markets in Financial Instruments Directive
  • Benchmarks Regulation
  • Market Abuse Regulation
  • FMSB Statement of Good Practice
  • Financial Industry Regulatory Authority
  • Global FX Code

The data also shows that the Support Functions share many of the same risk types with the most preliminary missing controls. For example, Regulatory Breach has the highest number of preliminary missing controls across the middle and back office, and is the second highest risk with missing controls mapped to regulations in the Front Office. Inappropriate Employee Behaviours is the third highest across the middle and back office. Some examples of missing controls linked to the top 2 Front Office risks above are:

Risk: Improper Market Practices
Controls: Supervisory Hierarchy Review, Supervisory Responsibilities Review, and End-User Computing Review

Risk: Regulatory Breach
Controls: Darkpool or Systematic Internaliser Review, New Supervisor Training, Remote Booker Population Review, and Governance Forum Review

In conclusion

It is only when these risks and controls are connected up across the enterprise that a firm can identify where its weaknesses lie, whether measured against best practice in the market or against the latest regulations.

Knowing that non-documented controls exist, precisely what the regulatory control gaps are, and where your top risks are weakest front to back requires a multi-dimensional view of your OpRisk landscape. Dynamically applying alerts, changes and other events to that view then allows your firm to move quickly to a more efficient, trigger-based RCSA. This is what Acin does.

What next

If you are interested in how all this works to further reduce residual risk, or to remediate faster, please reach out to our practitioner teams in the US or Europe, or to me directly.

Kieron Sambrook-Smith, CRO
