Our fourth virtual event was the 19th GRC Supper Club in total and began with our host Lee raising a toast with a glass of his homebrew cider. He’s clearly embracing the country life and would love you to try some, so give him a shout – although no one is quite sure how strong it is.
Rather than waiting for Boris to relax the lockdown rules further, so we could chew the GRC fat in person again, we decided to jump on Zoom one last time. The title might sound a little over-engineered, so here’s what we were trying to achieve in a nutshell: to understand if a combination of Sox-lite, combined assurance and self-demonstration will help you reduce regulatory pain.
Suzanne Calcagno – Global Head of Regulatory Response and Oversight, HSBC
Suzanne began by highlighting a common trend that has gathered pace over the last couple of years: the evolving sophistication of the regulators is increasing their expectations for business to comply and respond. They automatically expect that GRC models are mature and that firms can identify, escalate and remediate issues as they arise.
Regulators are now using reporting submissions beyond just validating compliance with reporting requirements; they are also using them to drive their market surveillance and prudential supervision and to explore market trends. The focus has subsequently shifted to improving the quality and utility of the data being reported.
To demonstrate the effectiveness of their processes and oversight, banks are establishing frameworks that define minimum standards for the individual controls they operate that can be measured and validated – promoting continuous monitoring. These standards typically address the scope of the control, the frequency it’s run and how they manage the output in terms of escalation and resolution. The framework also allows banks to identify what they don’t do, so when the auditing process occurs, they can be completely transparent.
The use of a common assessment framework across all regimes lets them gauge the relevant risk posed by each regulation and provide a consistent assessment of whether their operational control environment mitigates that risk. This has enabled them to create a set of central data quality controls for use across the organisation.
Such a framework takes time to develop, socialise and launch, meaning Financial Services Institutions (FSIs) need to stay nimble to absorb and respond to regulator guidance and any enforcement actions it triggers, in a way that lets them embed the recommendations.
Sonja Jackman – 1LOD Controls Office, BNY Mellon / member of WiR&C
Sonja kicked off with a spot of attendee participation, by conducting a poll.
Question 1: Where in your organisation is regulatory pain experienced most acutely?
a) In the compliance department (2LOD) = 10%
b) In the front office and supporting operations and technology functions (1LOD) = 25%
c) In your change and project teams = 25%
d) All of the above = 40%
To overcome this, she highlighted the importance of the 1LOD and 2LOD working together, having agreed and clearly defined their roles and responsibilities. This makes it clear where one starts and the other stops, preventing overlaps and inefficiency.
Question 2: At which stage of the regulatory change life cycle do you experience the most regulatory pain?
a) During horizon scanning – identifying relevant upcoming changes in time = 10%
b) During implementation – meeting regulatory deadlines = 45%
c) Post-implementation – embedding and evidencing compliance with the regulation = 45%
Sonja expected to see a larger response for post-implementation as the most painful stage in terms of regulatory change. Each stage presents unique challenges. For example, it’s easy for things to slip through the net at the horizon scanning stage, due to exposure to multiple jurisdictions. Some companies have recently addressed this by implementing triaged approaches, which offer greater collaboration using different SMEs to help with horizon scanning interpretation.
There are benefits to be gained from integrating Sox-lite within risk and control environments and frameworks. The Senior Managers and Certification Regime (SMCR) has helped drive ownership and accountability in the UK market and other jurisdictions that have rolled out Sox-lite. Risks and controls are naturally aligned to processes and IT systems, providing an understanding of regulatory compliance.
Paul Thomas - Assurance SME currently working for a prominent public service body
Paul kicked off by explaining the catalyst of the Brydon Report: an independent review into the quality and effectiveness of audit was born out of the failure of Carillion and BHS, which raised questions about the role of external auditors and caused the public to lose faith in the audit process. These concerns were recognised by the Institute of Chartered Accountants who commissioned Donald Brydon to conduct a review.
Brydon concluded that audit had lost its way and the actors in the process bear some of the responsibility. While he was mainly referring to external auditors, he was also speaking to internal audit functions and compliance departments. The resulting report advocates the concept of UK Sox and directors taking more responsibility around controls within their business.
Brydon highlights five key factors that he believes will promote a more informative audit report that goes beyond just commenting on the numbers in the financial statement:
The report is currently undergoing consultation and it’s expected that many of the recommendations will come to fruition in some form.
Lee then revealed his TMS wheel – not Test Match Special for all you cricket fans – which represents the Team Management Systems approach. This highlights the personas – such as Creator-Innovator and Concluder-Producer – that you should use across your teams and how they interact, so that you communicate correctly and achieve the desired results. When it’s not the TMS wheel, it’s Lee’s barbecue lid minus a few colourful magnets.
Still deprived of a proper networking session – which we carefully disguise as a good old knees-up – after the event, we concluded by bringing all three speakers together on screen for a virtual Q&A session with our enthusiastic audience. They were joined by two more special guests: Dhrupal Shah (Financial Services Optimisation and RegTech Lead, Capco) and Ian Max Ewart (Climate Risk Lead, Acin).
Q - Ian was asked: have we reached the tipping point regarding ESG, and is society ready to hold companies accountable and drive that cultural shift?
There are moments when corporate culture catches up with society. For example, when city workers walked past climate activists in the City of London, they began to sympathise with their message – but then we were blindsided by the Covid-19 pandemic. From plastic bags to people thinking creatively around a better way of living, society began to set boundaries and rules through new legislation – which is ongoing and will be expanded on via COP26. We are subsequently putting together a series of societal tendencies – which companies are becoming increasingly aware of – and distilling them so we can better implement relevant legislation.
Q - Dhrupal was asked: how can you prove what you have done around regulations, and how can you meet the new requirements to an acceptable level?
When the regulatory landscape first started, it was a prescriptive box-ticking exercise. Since then, regulations have become more complex, yet the systems and processes that work in that space have maintained the status quo. As organisations evolve and become more sophisticated, they are realising that the burden of proof is the hardest part of regulation. We are subsequently seeing these organisations address this through emerging regulatory technology like Qserve. This allows them to meet horizon scanning requirements and provides them with the ability to use tools that identify what regulation is coming down the pipe and what impact it has on the organisation. As you go further down the stack, they have tools that enable them to assess how they respond to regulation, making their assurance processes more effective.
Q - How can companies leverage the risk & compliance synergies that already exist within the organisation to strengthen their approach to regulatory challenges?
Lee introduced this question by explaining his past Big 4 consulting experience and how all companies find it difficult to manage their Risk & Control ecosystem. Having the ability to optimise is imperative in today’s fast-moving world, e.g. being able to test once and comply with many regulations, and mitigating your risk universe with a rationalised control framework (based on internal risk exposure tolerance, etc.).
Sonja explained that traceability and regulatory mapping are essential, as is making sure the one-to-many associations are fully understood. There is no luxury here: you need to demonstrate sustainability and evidencing. She is unsure how you could begin to achieve this without enabling technology.
Suzanne built on this, mentioning that using market- and regulator-recognised solutions demonstrates that the business is making an effort. You’re not always going to get it right and you don’t get points for trying – like in 3rd grade baseball – a great American analogy which I hope the UK audience could attribute to their primary school lunchtime rounders games :)
However, mitigating credit is given for having proper processes in place or when attempts have been made to comply and continually improve.
Q - Societal developments/expectations are indeed likely to drive regulation; regulation, however, is still merely an external driver for companies. It could be argued regulations are relevant to maintain a level playing field but fall short of making material changes to ESG and other areas. That is likely only to come from internal drive, i.e. compliance vs self-motivation. Has the panel any thoughts?
Sonja – the FCA have really focused on purpose and how this underpins a company’s culture, values, behaviours and outcomes. If you get the underlying purpose right, it is much more effective than the stick approach. The FSI is on a journey, focusing on how to align the purpose for shareholders and society, how to link this to company values and how to drive behaviours.
Dhrupal – chose to address the internal versus external driver part of the question. He believes that if organisations were given the option to be compliant, most wouldn’t choose to be. Therefore, he sees the majority of drivers being external, e.g. reputational damage. He also pointed out that shareholders are now asking questions of boards on ESG and its effect on the balance sheet.
Ian – interestingly, the question came from the Netherlands, where bankers take an oath in terms of conduct. Creating the culture that embraces the controls and the conduct will determine whether you as a company are just ‘getting away with it for now’ or have ‘truly embraced climate risk’.
Paul – non-financial companies are marketing directly to consumers, and they are now more important than their shareholders, e.g. due to vapes and related scandals across social media.
Thank you for continuing to engage with the GRC Supper Club and thanks to all our speakers for the time and effort.
If lockdown easing remains on track, we hope to see you at our next live event in October.