In a soon to be launched research report that surveyed 104 first line control officers at leading global investment banks, over 52% said that mapping risk controls to regulatory demands was in the top three challenges that they face. Register to get the report here.

A similar number also said providing evidence of the completeness of risk controls to regulators was a major headache.
These failures have real world consequences: in December 2021, a leading tier one bank was fined $200m by US regulators for employees using WhatsApp messaging platform to conduct business, circumventing record-keeping obligations, while a second major institution is also under investigation for similar alleged offences.

Getting on the right side of regulators should be at the top of any bank CEO’s to-do list for 2022.

In this blog we highlight five essential improvements that could help you to avoid the most harmful repercussions of risk control failure.

1. Data

American engineer, statistician and general polymath W. Edwards Deming wasn’t talking about financial services operational risk when he said “In God we trust. All others must bring data,” but he might well have been. Without the fundamental building block of comprehensive data nothing else is possible. Gaps in risk control structures cannot be identified nor can remedies be put in place. The challenge for banks, which traditionally operate in quite discrete business siloes, is to present clean and authoritative data which cover the whole institution. In January, The American Banker wrote about “The top risks facing banks in 2022 are all operational”, based on the Risk Management Association’s recent chief risk officer outlook survey, and it reported that the board of one bank was alarmed when six different total loan numbers were presented to the CRO at the same meeting.

Lesson – The risk control castle is built upon the sure foundations of comprehensive and authoritative data


But all the good and clean data in the world won’t advance the cause of better risk management unless it is harnessed to the most serviceable technology. Remarkably, a lot of banks are still using excel spreadsheets to record data acquired. Not only does this introduce a high likelihood of error, it makes a speedy response to audits or regulatory inquiry impossible to achieve.

Lesson – Without state of the art technology, data cannot be harnessed to create better controls and manage risk

3. Compare

Even if great data and superlative technology is in place, any bank only has a narrow and limited view of operational risk performance without some measure of comparative analysis. Banks need to know how they stand viz a viz their peers and how their controls measure up alongside industry benchmarks. To do this requires more industry collaboration than has hitherto been common but also, once again, enormous quantities of reliable data and the capacity to track that data.

Lesson – Comparative analysis gives a  clear idea of where any bank stands in relation to its peers

4. Map

The average CRO plans to spend twice as much on non-financial risk and financial risk in 2022, according to the RMA’s survey. So everyone is doing the same thing, but it’s clearly important that all this money is spent wisely. Thoroughly automated systems and more targeted use of AI that identify pertinent regulatory changes are needed, so that risk controls can be updated and mapped to these changes  as efficiently as possible. As Mary Clouthier, CRO of the new Texas-based Cornerstone Capital Bank, says in the ABA Banking Journal’s recent piece on the top risks facing banks for 2022, “The risk is that we all need to stay ahead of what the regulators are doing and try to do that to our best ability so we’re better prepared and have our own oversight of our programs.”

 Lesson – AI and automated systems should map controls to regulatory requirements and controls should be updated accordingly

5. Now

Finally, the need for operational resilience has never been more pressing. In the last two years, traditional working practices have been turned upside down and the status quo ante will probably never return. This introduces a new world of hitherto unforeseen technological risks. Moreover, regulatory pressure and oversight is increasing rather than diminishing. Those banks that perhaps hoped the wave of rules that came out of the financial crisis of 2008/2009 would abate have been and will be disappointed.  The new executive director of financial stability strategy at the Bank of England, Sarah Breedon, is given to grilling bank bosses about their operational resilience. And recent events in the Ukraine should indicate that the world remains a very uncertain place.

 Lesson and conclusion – the time is now to build dynamic and responsive controls to scenarios

About Acin

Acin has a comprehensive, pre-built risk and control quick start library of inventories constructed through industry consultation and mapped to regulatory guidance, to provide immediate value and accelerate impact. Easily and proactively demonstrate to the regulator, auditors, investors, shareholders, and boards that you are managing climate risk – ahead of regulatory deadlines.

Popular resources

You may be interested in

Silicon Valley Bank what lessons must be learned
3 mins reading time

Silicon Valley Bank collapse: what lessons must be learned

New Generation Operational Risk Europe Summit 2023
March 9, 2023

Join us at the New Generation Operational Risk Europe Summit

Discover more