Read the book Enterprise Compliance Risk Management - Ramakrishna Saloni - Page 10

Part One
Introduction to Compliance in Financial Services


Practitioner's Note: The umbilical cord between business model and compliance

As a regulator and practitioner I have seen that organizations that miss or ignore the vital link between business model and compliance have had higher cost of compliance and lower return on investment, not to mention reduced business opportunities. Like Ms. Saloni Ramakrishna persuasively articulates, it is vital to understand the umbilical cord between business model and compliance.

There are two critical aspects to the business model (BM) of a bank. The first is the strategic business model defining what products, markets, customers, and regions the bank would like to be in subject to the Board's risk appetite. The second underpinning is the target operating model (TOM), which covers governance, decision making, recruiting, technology, human capital, legal structure, and operations. The objective of the bank is to execute its business strategy with an optimal TOM. Compliance lies at the heart of the TOM. The BM/TOM constrained by regulation must maximize its risk-adjusted return on capital (RAROC).

Compliance costs have spiraled upwards across the globe. The estimate is that over 30 percent of costs are spent on compliance. This has lowered revenue/cost ratios significantly, and it is estimated that compliance costs drive down ROE (Return on Equity) by a full six percentage points among the GSIFIs (Global Systemically Important Financial Institutions) and DSIFIs (Domestic Systemically Important Financial Institutions). Hence, it is critical as a long-term strategic imperative to get these costs down through changing the BM and ensuring that a firm has selected the most cost-effective TOM.

There are three core channels of impact on the financials. In simple terms, risk-adjusted profitability equals (R − C)/K, where R is revenues, C is costs, and K is a measure of risk-weighted assets (RWAs). Spending on projects drives up C. Furthermore, if the control framework and risk management are still poor, then the firm will suffer a drop of revenue through fines, penalties, licenses revoked, and lost customers. Firms that are found to have weak governance structures and incompetent risk management will be hit by both pillar one and pillar two capital charges. Finally, the valuation of share price will be lower if any of the aforementioned impacts are volatile. For example, continual penalties (like PPI (Payment Protection Insurance) or AML (Anti–Money Laundering) violations) will create excessive volatility, and profits will not be perceived as sustainable. The proactive compliance driven by business integrity that Ms. Saloni Ramakrishna strongly advocates as the vehicle for value creation is rooted in the impact it has on all of the three variables (R, C, and K) that have a bearing on the risk-adjusted profitability.

Given that compliance is in itself expensive, it makes sense to ensure that money is spent wisely so that major risks are avoided before they become a problem. Prevention is much cheaper than remediation, so choose the areas that give rise to the biggest risks and do not assume that the TOM is a given. It always pays to create a specific blueprint for the industry and firm and implement projects once! The three lines of defense model has its drawbacks. Often, the front office takes no responsibility for operational failures. Regulators are forcing changes in compliance where senior managers are being held accountable and have to self-attest that systems and controls are in order. For example, see the senior managers regime (SMR) in the UK: It is important that every control has an owner, a challenger, and assurance that this process is implemented. The blueprint that Ms. Saloni Ramakrishna details in the How part of the book captures these principles elegantly and fleshes them out through actionable templates.

Firms should adopt compliance as a core strategy, and expenditures should be targeted in the areas that have the largest breach risks such as mis-selling. In a compliance strategy the following three factors are critical. Firstly, a firm must account for compliance in their TOM and the knock-on impact on the BM. Secondly, compliance must not be executed as a box-ticking exercise, but rather project budgets should be aligned with the greatest risks to the bank in an optimal control framework. Finally, given the huge drain of resources, banks should prioritize projects. A bank that desires a stable profit stream needs to ensure that this can be delivered by a compliant target operating model. The new agenda for compliance is to ensure that it is in sync with the risk appetite of the firm, the conduct strategy, and the axis of the BM/TOM. “Active and positive compliance” is the core of sustained healthy growth of a financial organization and the theme of this book.

– Dr. Colin Lawrence

Dr. Colin Lawrence has a PhD in Economics from the University of Chicago. He is a partner with EY LLP, UK; former director of the Risk Specialists Division (FSA and PRA); and former strategic risk advisor to the Deputy Governor, Bank of England. Dr. Lawrence is a well-known practitioner with varied experience as a regulator, a banker (he was managing director in derivative trading at UBS and Global Head of Risk at Barclays), a consultant, and an academic.
