As regulatory bodies continue to increase their focus and investment and focus on risk management, financial institutions of all sizes must cope with continuous, often overlapping, examinations and dissections of their operations, controls, and customer interactions. With scrutiny high, penalties for non-compliance often severe, and no regulatory relief in sight, it’s critical that financial service firms build long-term, sustainable capabilities that move them from a constantly reactive state to one of proactive risk management.
“Banks are under assault. We have five or six regulators coming at us on every issue. It’s a hard thing to deal with.” These words, spoken by JPMorgan Chase & Company’s CEO Jamie Dimon during a January 2015 call with reporters to discuss the company’s fourth-quarter, reverberated across the financial services landscape and resonated with not just bank executives, but also government leaders. Dimon’s characterization of the regulatory situation as an assault served as somewhat of a wake-up call, causing examination of the system in place, the effectiveness of the Dodd-Frank Act, and the widespread impact of potential over-regulation.
In assessing the landscape since the financial crisis of 2008, it quickly becomes clear that regulatory concerns are starting to eclipse all other issues for financial institutions. Consider this:
- CG estimates that “Too Big to Fail” banks have paid regulator fines and penalties of $258B.
- More than one in three banks spend one working day per week tracking and analyzing regulatory change.
- The CFPB Supervision and Enforcement Program’s FTE growth between 2014 and 2016 is estimated to be around 18%.
- In total, CG estimates that the top banks have 20% to 25% of their operating budgets aligned to risk and compliance activities—and this percentage is likely to increase.
Clearly, the big banks have been struggling and spending for years, and they will continue to do so if the environment (and their response) doesn’t change. Tier-two banks are not immune, either; their time for intense regulatory examination is coming. What is perhaps most frightening is the varying degrees of readiness and wildly different approaches to managing risk and regulations across the industry. Order and advancement must prevail over chaos—but how?
Understanding the risk management continuum
In examining key risk dimensions (controls, governance, etc.) across banks, CG has taken a close look at how banks are performing. Specifically, we look at where banks are versus where they should be in dealing with regulatory aggressiveness. We call this the Risk Response Program Maturity Model, and it spans three broad categories:
Running behind. Reactive and variable approaches to regulatory compliance issues lead to unreliable data, loose frameworks, little structure, manual and hard-to-track processes, limited investment in technology, and inaccessible and poor quality data.
Running in place. Costly and inconsistent compliance pursuits don’t gain organizations much ground because controls are basic and fragmented, focused on process-level governance, low scalability and costly processes, patchwork technology, and unintegrated data issues.
Running ahead. Proactive and predictable systems for anticipating, addressing, and maintaining regulatory compliance provide organizational sanity in regard to the time, money, and attention spent on these issues. Controls are present and stable due to cleaner data, governance is at the enterprise level, processes are robust and transparent, technology is highly automated and integrated, and data is integrated accessible and predictive.
It is essential for financial institutions to move out of their pure reactionary mode of response to today’s risk and regulatory environment. Solutions need to be practical to implement, economical to run, and unwavering in terms of quality assurance and customer experience. As the industry moves away from reactiveness and into proactivity, organizational change becomes simpler and easier to govern.
Post Date: 1/12/2016