In the research report that surveyed 104 first-line control officers at leading global investment banks, over 52% said that mapping risk controls to regulatory demands was among the top three challenges they face.

A similar number also said providing evidence of the completeness of risk controls to regulators was a major headache.
These failures have real world consequences: in December 2021, a leading tier one bank was fined $200m by US regulators for employees using WhatsApp messaging platform to conduct business, circumventing record-keeping obligations, while a second major institution is also under investigation for similar alleged offences.

Getting on the right side of regulators should be at the top of any bank CEO’s to-do list for 2023.

In this blog we highlight five essential improvements that could help you to avoid the most harmful repercussions of risk control failure.

1. Data

American engineer, statistician and general polymath W. Edwards Deming wasn’t talking about financial services operational risk when he said “In God we trust. All others must bring data,” but he might well have been. Without the fundamental building block of comprehensive data nothing else is possible. Gaps in risk control structures cannot be identified nor can remedies be put in place. The challenge for banks, which traditionally operate in quite discrete business siloes, is to present clean and authoritative data which cover the whole institution. The American Banker wrote about “The top risks facing banks in 2022 are all operational”, based on the Risk Management Association’s chief risk officer outlook survey, and it reported that the board of one bank was alarmed when six different total loan numbers were presented to the CRO at the same meeting.

Lesson – The risk control castle is built upon the sure foundations of comprehensive and authoritative data


But all the good and clean data in the world won’t advance the cause of better risk management unless it is harnessed to the most serviceable technology. Remarkably, a lot of banks are still using excel spreadsheets to record data acquired. Not only does this introduce a high likelihood of error, but it also makes a speedy response to audits or regulatory inquiry impossible to achieve.

Lesson – Without state-of-the-art technology, data cannot be harnessed to create better controls and manage risk

3. Compare

Even if great data and superlative technology are in place, any bank only has a narrow and limited view of operational risk performance without some measure of comparative analysis. Banks need to know how they stand viz a viz their peers and how their controls measure up alongside industry benchmarks. To do this requires more industry collaboration than has hitherto been common but also, once again, enormous quantities of reliable data and the capacity to track that data.

Lesson – Comparative analysis gives a  clear idea of where any bank stands in relation to its peers

4. Map

The average CRO plans to spend twice as much on non-financial risk and financial risk in 2022, according to the RMA’s survey. So everyone is doing the same thing, but it’s important that all this money is spent wisely. Thoroughly automated systems and more targeted use of AI that identify pertinent regulatory changes are needed so that risk controls can be updated and mapped to these changes  as efficiently as possible. As Mary Clouthier, CRO of the new Texas-based Cornerstone Capital Bank, says in the ABA Banking Journal’s on the top risks facing banks for 2022, “The risk is that we all need to stay ahead of what the regulators are doing and try to do that to our best ability so we’re better prepared and have our own oversight of our programs.”

 Lesson – AI and automated systems should map controls to regulatory requirements, and controls should be updated accordingly

5. Now

Finally, the need for operational resilience has never been more pressing. In the last two years, traditional working practices have been turned upside down, and the status quo ante will probably never return. This introduces a new world of hitherto unforeseen technological risks. Moreover, regulatory pressure and oversight is increasing rather than diminishing. Those banks that perhaps hoped the wave of rules that came out of the financial crisis of 2008/2009 would abate have been and will be disappointed.  The new executive director of financial stability strategy at the Bank of England, Sarah Breedon, is given to grilling bank bosses about their operational resilience. And recent events in the Ukraine should indicate that the world remains a very uncertain place.

 Lesson and conclusion – the time is now to build dynamic and responsive controls for scenarios

About Acin

Acin has a comprehensive, pre-built risk and control quick start library of inventories constructed through industry consultation and mapped to regulatory guidance, to provide immediate value and accelerate impact. Easily and proactively demonstrate to the regulator, auditors, investors, shareholders, and boards that you are managing climate risk – ahead of regulatory deadlines.

Popular resources

You may be interested in

Webinar RCSA Now and the future with Yiorgos Polymeris

Webinar: RCSA – Now and the future with Yiorgos Polymeris

Operational Risk Control challenges that face boards and executives
2 mins watch time

Operational Risk: Control challenges that face boards and executives

Tracy Clarke Interview Operational Risk Completeness
6 mins watch time

Tracy Clarke Interview | Operational Risk Completeness

Discover more