Written by Jake Plenderleith on Wednesday July 7, 2021
A recent roundtable on best practice for risk assessment, sponsored by OneTrust and organised by ICA, uncovered some fascinating insight from those on the front line of compliance.
Delegates were invited to share their experiences, as well as the methods and means to help conduct risk assessments that are accurate, effective and efficient.
A natural focus was on some of the obstacles ushered in by the pandemic, but discussion also centred on some of the more pressing current and future challenges for compliance professionals within their organisations and industries.
The result was an engaging and informative gathering that gave voice to a range of compliance professionals from different backgrounds and perspectives.
The breadth of the delegates’ knowledge provided a platform for diverse opinion; what followed was an engaging and informative conversation from which some important themes emerged.
Chair Rob Coxall (OneTrust GRC Strategic Executive) got things under way with an examination of the current risk assessment landscape.
He identified three key streams: consolidation, correlation and communicable insights, before going on to summarise the essence of the challenge facing compliance as being able ‘to constantly understand the risk landscape’.
Some key issues were highlighted by Rob, including slow assessment processes – which can be overly manual and time consuming – and the different means of attempting to assess regulatory developments.
Of particular interest was his emphasis on consolidation – in other words, obtaining business buy-in and bringing streams together.
On correlation, he looked at the importance of making sense of everything by connecting the dots, whilst acknowledging that this is a difficult process.
Communicable insight, Rob explained, was about asking ‘what do we get from observations?’. He noted that observations usually come with little or no context, and answers with no meaning, giving a real sense of ‘here today, gone tomorrow’.
‘Assessments are static and immediately out of date – a bit like an MOT’, Rob explained. ‘We don’t learn from our experiences’.
This, he said, fosters a bad relationship in the first line, making it slower and more difficult to assess risk. The aim is to obtain a constant management of risk, not a one-off snapshot.
Rob concluded the first part of the roundtable with a poll, which asked how well delegates were leveraging technology to improve efficiencies in risk assessment.
Not very well was the overwhelming response.
In the breakout sessions, delegates shared compliance problems and solutions with their fellow professionals.
Too many people, one delegate said, are involved in the risk assessment process. On top of this, it was generally agreed that there was too much emphasis on risks that ‘will never happen’.
One delegate explored their concerns on their company’s role as a subsidiary firm, detailing how the parent company expected the same level of risk assessment for the subsidiary.
There was also discussion on the fact that, though firms are scared of doing things wrong, there remained a strong expectation from the group level that risks will be managed.
Concerns were also voiced about convoluted and complex systems that ‘cloud the water’.
One delegate described their firm’s current approach as ‘very numbers focused – their skill and knowledge aren’t as developed around behavioural data’. With money laundering, they explained, ‘it’s all about identifying risk around suspicious behaviour. How do you influence the rest of the business that those are important factors?’
Who owns the risk? The first or second line?
One respondent explained that in their firm, they had clearly established that the risk owners were first line. ‘That’s important, because they’re the ones that understand those risks best, they’re the ones at the forefront of the activity’, they explained.
‘The challenge is that they’re doing other roles within the first line; they wear many hats, so that time to assess those risks isn’t there, and can be put to the bottom of the pile.’
Thinking creatively and being realistic about expectations to help prevent backlogs were proposed as sensible solutions, along with the notion that the first line of defence should not have too many demands placed upon it.
Delegates were then asked to give examples of how they keep up with regulatory change.
One delegate described how they set up a virtual office, and had regular alerts and updates on new regulation.
‘I pull people into project teams and run regulatory change projects. The important thing to get across is how regulatory change affects every aspect of the business’.
Another utilised technology, applying a tool which scans the Bank of England, the FCA, etc., and provides alerts, including what the policy statement is about, before sharing it with colleagues.
‘This is where the manual bit comes in. It’s tracked, so we know who it has been sent out to. Then an area takes accountability for it. We push it out to the business as soon as we can’.
The roundtable concluded with a focus on context.
Rob explained that you must ‘give people the reason why you’re getting this information. When questionnaires are sent out, there’s usually a lack of response. How do you educate the business ‘why we are doing this’?’
Delegates agreed that this was an interesting challenge, and that compliance teams can take a long time to engage properly with the business.
‘We don’t want to tell the business what to do; rather, we must help them understand why they have to do it. This has better buy-in’, one delegate said.
‘My advice is to go and spend time with the relevant areas. Often leaders say ‘compliance have said we have to do this’ and this is frustrating, as we spend a lot of time talking to management explaining the reasons why. We try not to send long-winded emails’.
‘It’s a challenge. When you’re in the second line, there’s always that suspicion’, another delegate explained. ‘As much as we say, ‘we’re all on the same side’, it doesn’t always feel like that. It’s a challenge to get engagement. But they are busy. It’s about delivering messages that get traction’.
To help achieve this traction, the consensus was that context is required, and that there was little utility in handing out questionnaires without giving the reason why.
‘Certain teams say ‘compliance purposes, compliance says this…’ but it’s not ‘compliance’ – it’s the regulator that regulates the firm. That attitude sets the wrong tone.’
Obtaining business buy-in is vital. It’s a challenge, but one that can be overcome by engaging directly with teams and individuals, by being open and honest, and by working and communicating in a collaborative way.
Automation and technology are of great utility – but don’t overlook the ‘human’ aspect. Getting out there and conveying to teams the importance of regulatory updates remains a key part of compliance professionals’ core duties.
Giving the reason ‘why’ helps colleagues get on board. More is achieved by giving context to compliance updates and information, helping staff relate it to their everyday responsibilities.
Think creatively and acknowledge the role of others. Showing that you understand the often heavy duties placed on certain areas demonstrates empathy and helps foster positive, reciprocal relationships.
Share your successes and concerns. Giving voice to issues is the first step towards getting them resolved, whilst demonstrating effective compliance to others helps other areas obtain a better picture of what it is compliance does.
This event was sponsored by OneTrust.