Risk vs. Control - A Paradigm Shift Required
Updated: 2 days ago
How can financial firms spend millions or more a year in process and control improvements and still not get it right?
I (almost) fell off my chair the first time I heard how much a former employer spent on control and regulatory compliance improvements every year. The firm was crippled with issues and barely held onto its regulatory licence despite pouring a colossal amount of money (a billion plus) at the problem.
If money is not the issue, then what is?
In my experience, the immediate response from executives, compliance / risk officers, auditors, etc. to ensure regulatory compliance or address any incident is to add more controls.
But adding controls – whether to meet regulatory expectations and/or reduce risks – is not always the best solution. More controls mean more costs and complexity, which can turn into more risks. This also makes risk oversight less effective, while not improving an organisation's risk culture. This turns very quickly into a costly vicious circle.
Managing Inherent Risk
An internal auditor once told me that I should be focusing on reducing risk through controls, and that they did not see the value of removing or reducing the inherent risks.
This comment is an excellent illustration of the strong heuristic at play in Risk and Audit functions. To maintain a firm’s risk profile at an acceptable level, these functions tend to revert to more controls.
But what if the risks should not be there in the first place? What if the risks are a direct consequence of a sub-optimal operating model and/or end-to-end process set-up? Of broken processes?
I strongly believe there is limited value, if any at all, in fixing or adding controls on top of broken or fragmented processes.
A more holistic and strategic approach to optimising the risk profile is required, and it must consider:
both inherent risk levels and control adequacy and effectiveness. Both levers must be used to bring the risk to a desirable level; and
the financial trade-off between investing in simplified and scalable processes vs. maintaining the "process status quo" by adding more controls.
Automation vs. re-engineering
Firms get exposed to non-financial risks through "WHAT" they do (e.g. managing client money) and "HOW" they do it (e.g. a fragmented, complex and manual end-to-end operating model and process set-up). From experience, up to 80-90% of non-financial risks can be driven by the "HOW", especially in those processes that grew and layered "organically" over time.
In that context, automating such activity only embeds the existing weaknesses. Worse, it also gives a false sense of security to management, who might feel they have sorted out the problem … until something goes wrong.
Instead, I strongly advocate judging the quality of a process by the risks it inherently generates (e.g. fraud or data privacy in a payroll process) and relentlessly seeking to eliminate, or at least reduce to a benign level, any other risks. This requires simplifying what people do through business operation reengineering and (then) automation. Here I am talking about process excellence, Six Sigma.
Ultimately, the process and control environment will be optimised to enable employees to spend most of their time on the “WHAT” rather than the “HOW”.
The Business Case for End-to-End Process Reengineering
Reengineering an end-to-end process environment is difficult and complex. It requires people to change what they do. Some employees may not have a job at the end of the journey, and the required change funding can make it costly in the short term. Opting for more controls, by contrast, yields faster results and is usually much easier to implement.
Broadly, process reengineering should lead to reduced 1) operating costs, 2) need for future build (cost avoidance) and 3) future losses. Here is a list of a few considerations for building an effective business case:
number of steps and teams involved in any given end-to-end activity and the resulting hand-offs between teams;
time spent on data manipulation and transfer. The more teams manipulate data, the more chance there is something going wrong;
time spent on performing reconciliation as a result of manual data processing vs. time spent on value-add activities;
potential estimated financial losses or other impacts (e.g. regulatory, reputational) if something were to go wrong; and
ability to scale up volumes and activities based on the current set-up vs. future needs.
Getting it right!
This is about striking the right balance across investment costs, scalability, agility, efficiency and resiliency. For example, building safeguards that allow human intervention in a process might be desirable, despite potentially higher costs, to enable constant learning and improvement and ultimately establish a resilient platform.
Effective management of inherent risks, with a strong focus on eliminating risks arising from the "HOW", is a very attractive business proposition. It has an immediate upfront cost, and whilst the benefits won't always justify the investment, very often they will. This is especially true when looking at processes that might be the result of years of "organic" design ("we have always done it this way"), which would benefit from management taking a step back and asking themselves:
"Would we really set this thing up as is, if we were to start from scratch?" Feel free to share your views on how to effectively reduce overall risks.