Risk control 2022: What’s now and what’s next?: It’s scores on the doors with the Regulator…
Many of the world’s biggest banks are being fined for conduct breaches, which being part of the Acin Operational Risk network will help all member firms avoid. Firms that have joined benefit rapidly from revealing insights after onboarding.
What we’ve learned about the current wave of transgressions is eye-opening to say the least, with tranches of less well-configured and missing controls identified for consideration by each individual firm.
What we found in the data narrowed down to four categories of control for managing the risk of unauthorized communications: Surveillance, Training and Supervision, Employee Monitoring and Business Continuity.
On average, more than 50% of the identified network index controls within those categories were present for new members, with many of the missing controls coming from Surveillance, Training and Supervision.
Of those included in the ‘missing control’ count, 34% were confirmed as ‘Missing, not operated’ or ‘Missing, not documented’. The data tells us these 28 controls map to the following 8 themes: chatroom monitoring, trade surveillance, audio-communications surveillance, supervision, training and procedures, unauthorized trading, segregation of duties and access, and business continuity management.
Furthermore, a fifth of these banks were operating their e-comms controls on a less frequent basis (daily, weekly etc.) than their peers, whilst a third didn’t even define the frequency at which the control had to be operated, arguably making it a non-control!
A few weeks after a firm submits its Risk Control data to the Acin network, it can see what its peers have, where the differences are and what Risk Controls might be considered missing. This is half the battle won, you might be thinking; not quite.
Having just gained the considerable advantage of clear visibility, rapid advances can now be made by a) plugging the gaps with golden controls (an amalgamated view of the highest quality components contained in each of the same repeating controls that all the banks have submitted), and b) making design changes – to controls that need it – to align them more closely to the network consensus, commonly seen as ‘best practice’. This can take just a few months to implement, dependent on the scale of remediation, the speed of internal change and how you prioritize SME (Subject Matter Expert) resources and control owners.
By this point, you have reduced the likelihood of those risks crystallizing, and any consequential losses and fines. You’ve also reduced the residual risk weightings associated with those risks, and made network-driven control changes, which we can quantify within your group risk matrix. Yet the clear decisive victory is only achievable when you know you’re operating all your controls effectively, which we will also enable you to do, via control performance scoring, through the network early next year.
Kieron Sambrook-Smith, CRO, Acin