In this blog I discuss the hangovers experienced by financial crime professionals; the drivers behind the symptoms; and whether the industry needs more painkillers (controls) or instead a more proactive preventative approach that instead addresses the root cause of the disease; better vitamins (the BWRA). I recognise, some organisations have already any expended significant resource on developing their Financial Crime Business Wide Risk Assessment (BWRA) methodologies and approach and in some instances have invested heavily in GRC tools to support. Recent fines, however, suggest that issues persist in this space. Through this blog I aim to analyse some obstacles which may be limiting our ability to transition away from the painkillers that mask the pain to ensure our fitness as an industry.
The Regulatory Hangover and drivers of the headache
Firms have spent significant sums managing regulatory change since 2017 with large investments made in compliance policy units often resulting in the stand up of long transformations across the first line of defence. Those accountable and responsible for implementing and embedding these frameworks and controls; quite fairly feel fatigued, at worst hungover.
The estimated value of financial crime grows; which as we know may reflect improvements made to organisations’ detection capabilities, but so too merely serves to highlight financial crime is a far bigger problem than we originally thought. Challenging economic times are leading to tightening of financial crime budgets, whilst regulatory change persists. Changes seek to drive greater accountability within management and corporations and drives a need to demonstrate more clearly at a threat level their effectiveness in mitigating financial crime. A perfect storm.
More Painkillers or get a diagnosis?
When you’re in pain and perhaps a little hungover too, we know we don’t make good decisions. All these reports and blogs that focus on buzz terms; “w e need advanced data analytics ”, “ we need AI ”, “ we need machine learning” ; “ we need automation ”, “ we need more specialist resource ” etc. We don’t blame organisations for following the crowd thinking they need more controls to manage the pain. Taking a moment first, to diagnose why you have the pain and hangover in the first place, may be a better decision under the circumstances.
Neglect the cause of the hangover, develop a disease?
Organisations may often experience symptoms of pain indirectly via downstream controls often, but is it those pains that shout the loudest that should get the attention? How many of us have turned to consider the role of the Business Wide Risk Assessment (BWRA) as a root cause of the pain? Based on the conversations I’ve had, it appears to be a control that is the least mature, very inefficient and many are not fully confident in present effectiveness.
Driven by initial regulatory requirements and designed based on guidance which has its own limitations; they are often performed as a side of the desk, ad-hoc activity that bleeds resource. Basic manual solutions are adopted like spreadsheets and poorly designed questionnaires (asking questions like “who is the MLRO”) combined with intra-line workshops frustrate those who are just trying to “get stuff done” with what little they have. It’s not surprising the BWRA can feel like a tick-box compliance exercise, with first line of defence feeling “done to”. Time taken to perform the process and achieve meaningful outputs, analysing these and transforming them into actions, often means by the time reporting arrives they are already out of date. A state of “riskitis” develops.
Prevention rather than cure; Get your vitamins!
Acuminor believe in the mantra that prevention is better than cure. Could the vitamin we’re looking for be the transformation of the Business Wide Risk Assessment (BWRA) to stem the hangovers and prevent the disease?
Acuminor believe organisations need to reposition the purpose of the BWRA from a retrospective, archaic process into a modern and functional financial crime orchestration process. I’d go one step further here, and I’d say it must be matured as a priority. From this position organisations will not only cure the pain but have the confidence to fend off the regulators, even better generate strategic competitive advantage through their control frameworks. This I believe will help organisations achieve the real difference they are seeking to improve their financial crime effectiveness. So, what’s stopping them?
-
Organisational Perceptions of the role of the BWRA
The perception of BWRA for the wider risk-based financial crime control framework varies from one institution to another. Some organisations view it as a cornerstone of their risk management efforts, recognising its importance in identifying and mitigating financial crime risks. However, others regard it as a compliance tool, completing it perfunctorily rather than integrating it as an integral part of their risk management strategy. Regulation is only one part of the BWRA, which needs to be supported by intelligence inputs. These key disconnects; can facilitate a subjective rather than objective approach ranging from strategy through to control design and operation; and perpetuates a focus limited to compliance and downstream controls as key priorities.
-
Enforcement Action
While regulatory fines are a potent motivator for financial institutions to enhance their compliance efforts, most focus is on control failures downstream from the BWRA, without sufficient focus on the significance of the BWRA and perhaps it’s lack of maturity or effectiveness as being a contributory factor to the failures. Organisations digesting these enforcement actions tend to undertake separate gap analyses or bespoke risk assessments; e.g. the HSBC fine leading to transaction monitoring gap analyses and risk assessments at many larger institutions. This perhaps demonstrates they too are grappling with a lack of confidence in their existing BWRA processes. However, the lack of emphasis by the regulator on the importance of an effective BWRA process may by no surprise be part of what is perpetuating organisations’ focus on tactical fixes as opposed to re-imaging their BWRAs.
-
Industry Guidance
Industry guidance contributes significantly in organisations’ blindness for the need to change. References to and at worst images of, spreadsheets, imply this is an acceptable mechanism through which to perform a risk assessment. Guidance should be agnostic of mechanism; rather provide more guidance on the method and expectations, and what good looks like. All organisations should seek to achieve higher levels of risk maturity; albeit I recognise the approach adopted to achieve this may differ depending on their risk exposures. Whilst resource available differs from one organisation to another and is not endless; the BWRA should not be overlooked. Resource expended here; may in fact enable pain alleviation downstream. Whilst we continue to support a stance that it wouldn’t be appropriate to name specific technology vendors; industry bodies should more closely assess the limitations of these archaic manual approaches and articulate some of the benefits technological solutions may bring such as;
-
Streamlining the process and breaking down silos to generate a holistic understanding Financial Crime Risk Areas, Threats and Risks
-
Enhancing the design, implementation and embedding of a control framework that is underpinned by intelligence and defendable through its traceability back to the threats and risks the organisations faces
-
More dynamic and real time risk assessment practices that enable more proactive risk management decisions and better allocation of resource to optimise controls.
-
Scalability of intelligence – Many Tier 1 and Tier 2 Banks already recognise the importance of intelligence. For those who may not have the resource availability for such a function, can they afford to overlook intelligence? If they do not outsource this or use intelligence enabled solutions; how should they manage?
-
Fear of change
I observe financial crime as a risk discipline being more mature in its expectations while we continue to see new or less mature risk areas springing up and playing catch up. Expectations on the approach to risk assessment for one area may therefore be more advanced than for others.
So too, where tools are deployed to support the risk assessment process; these may not be primarily designed with financial crime risk assessment in mind, instead acting as a catch all. This can create challenges for those accountable for financial crime and persons responsible for the risk assessment for instance having to compromise on their expectations.
Where these solutions do provide inputs such as suggested risk indicators; these will often be static and do not keep up with the evolution of the financial crime environment which is dynamic. This generates the need for additional horizon scanning, threat intelligence, as well as risk and control teams which are expensive specialist capabilities; but often spring up in a siloed manner.
Conclusion
Maturing the BWRA using a specific financial crime solution will bring about greater awareness of threats, risks and identification of areas for improvement. This doesn’t have to be achieved in one big bang, although solutions are available that can help you to step change your maturity quicker than others. What is most important that this is driven from a traceable starting point; intelligence; rather than a subjective approach. The fear of disruption and the costs associated with change management, deter some organisations from taking the leap to mature their BWRA.
Regulators, guidance bodies and industry must address these obstacles collectively to strengthen their fitness to prevent a state of riskitis; and achieve our ultimate goal of preventing and detecting financial crime. While regulatory fines and industry guidance may have limitations currently, organisations should consider the strategic value of the BWRA as a proactive risk management and orchestration platform. Being bold and brave, to prioritise the vitamins instead of the painkillers that merely mask the pain, will be important to realise longer term benefits.
Technology may be the approach your organisation perceives to be the best way to achieve effectiveness, efficiency and step a change in maturity; but a vital ingredient must be the foundation; an intelligence led approach. The road to maturity may be paved with challenges, but the benefits in terms of enhanced compliance and risk mitigation, make it a journey worth undertaking.
Got a question or a comment? Do not hesitate to drop me a line on the email address below. Curious about our platforms? Read about Risk assessment Pro and ThreatView here.
