Operational risk andcomplianceNew paradigms for synergyMay 2019

Reflecting on anoptimal frameworkMany financial institutions, consistent withregulatory expectations, organize their riskmanagement framework into a model withthree lines of defense (LOD):1. The business line, which generates,owns, and controls the risk2. The support functions, which provideoversight to the first line, and include therisk disciplines of operational risk andcompliance, among others3. Internal audit, whose remit is derivedfrom the board to process-audit the firstand second lines of defenseThe global financial crisis generated yearsof significant spend on the remediation ofidentified regulatory (and, at times, internalaudit and risk management) issues. Inresponse to addressing these issues andexecuting their oversight responsibilities,operational risk and compliance may havecreated multiple functions and activities,and in certain cases, generated duplicativerequests for the first line of defense.With the global financial crisis behind us,institutions now have an opportunity toreflect on what an optimal operating riskmanagement model may look like—and2where synergies may be garnered fromthe existing capabilities of operational riskand compliance. For the purposes of thispaper, we will discuss the first and secondlines of defense. Further, we will explorethe activities performed by each riskdiscipline and the capabilities wheresynergies may exist.Operational risk and compliance functionshave a shared mandate to provide oversightto the first line and challenge the executionof their risk management practices.But depending on how the functions areorganized, this may create some challengesthat result in inefficient processes. Forexample, operational risk and compliancemay request that the first line performthe same or similar activities (e.g., riskidentification, risk assessment, controlstesting, issue identification, and issuesreporting). So today, some institutions areexploring ways to optimize the execution oftheir risk management activities at both thefirst and second lines of defense.Figure 1 illustrates different regulatorydefinitions of operational risk andcompliance risk and the implication of each.Why do potentialsynergies betweenoperational andcompliance riskdisciplines exist?For a simple andobvious reason: ifthere is a breakdownin process, acompliance breachmay occur, andvice versa.

Figure 1. Operational risk and compliance definitionsThe Basel Committeeon Banking Supervision (BCBS)Operational risk andcompliance risk regulatorydefinitions Operational risk:1 Operational risk is defined asthe risk of loss resulting from inadequate or failedinternal processes, people, and systems or fromexternal events. This definition includes legal risk butexcludes strategic and reputational risk. Compliance risk:2 The risk of legal or regulatorysanctions, material financial loss, or loss toreputation a bank may suffer. Usually, this is theresult of failure to comply with laws, regulations,rules, related self-regulatory organization standards,and codes of conduct applicable to banking activities.Federal US regulators Operational risk:3 The failure to establish a systemof internal controls and an independent assurancefunction—one that tests the effectiveness ofinternal controls and exposes the bank to therisk of signification fraud, defalcation, and otheroperational losses. Compliance risk:4 The risk of legal or regulatorysanctions, financial loss, or damage to reputationresulting from failure to comply with laws,regulations, rules, other regulatory requirements,or codes of conduct and other standards of selfregulatory organizations applicable to the bankingorganization (applicable rules and standards). Important to note: Tension can exist between the definitions of BCBS and the federal US regulators, as BCBS takes ameasurement approach to risk. This includes compliance as a sub-risk category, while in the United States, regulatorsdefine compliance as its own discrete risk discipline. However, there is consensus among these regulators on the importance of maintaining the integrity of each risk disciplineand recognizing the need for separate operational risk and compliance functions.BCBS: Principles for the Sound Management of Operational Risk (June 2011).BCBS: Implementation of the compliance principles—A survey (August 2008).3OCC Comptroller’s Handbook: Corporate and Risk Governance (version 1.0, July 2016).4US Federal Reserve: SR 08-8/CA 08-11 (October 2008).123

Drivers for changeMany institutions are reevaluating their risk management operating models across lines of defense. Now they are looking to transform theirrisk management processes to address specific challenges as outlined in figure 2.Figure 2. Drivers for changeProcess/cost inefficiencyOutdated technologyInability to assess/quantify riskChallenges, post–global financialcrisis, arising from inefficienciesdue to siloed risk managementpractices of the same or similaractivities across various risk andcompliance functions and businesslines. These may be the result ofa historic tactical response vs.strategic response to regulatoryremediation and associatedincreases to headcount.Segmented data sources,along with a historicunderinvestment ofdisparate legacy systems,sometimes impede thecapture, measurement, andreporting of data.Challenges in providing managementand the board with data thattransforms into information. Datathat is concise, on-point, timely,and comprehensive for themto be advised and make informeddecisions.Drivers for changeStakeholderexpectations(management,board, andregulators)The need for moreeffective and efficientcommunicationsand reporting tostakeholders of anintegrated view of risk.4Need for clarity andtransparencyThe need forsecond LOD risk andcompliance functionsto break down silosthat often appear tooverlap in roles andresponsibilities.Cost reductionIncreasing pressure onfirst and second LODto find new ways toreduce costs, increaseefficiencies, and stillcontrol risk.Data andtechnologyopportunitiesHigh potential forautomation andemerging technologies(such as artificialintelligence, theuse of bots, etc.) tohelp improve riskeffectiveness.

Opportunities for synergiesIn transforming risk management operating models, many institutions are beginning to identify potential synergies across their riskmanagement efforts. These synergies can bring greater transparency and higher-value intelligence to management and the board. Synergiescan also provide greater transparency of issues and risks, and their potential impacts.Figure 3 illustrates a selection of discrete capabilities of operational risk and compliance, as well as opportunities for potential synergiesbetween these risk disciplines.Figure 3. Operational risk and compliance capabilitiesOperational riskPotential synergiesCompliance Operational risk appetite/metrics Governance and interactionmodel Compliance risk appetite/metrics Risk measurement (e.g., scenarioanalysis, stress testing, andcalculation of economic capital) Operational risk monitoring Operational risk domain activities(e.g., third party, businessresilience) Effective challenge and oversightcontent Framework and methodologies Taxonomies Challenge and oversight process Evaluation of controls Tools and technology Reporting (e.g., data collection,analysis, and aggregation) Issue management Training program New business initiative process Obligations library and regulatorychange management Regulatory interaction andcoordination Code of conduct Compliance monitoring (e.g.,complaints, whistleblowing, andallegations) Compliance risk domain activities(e.g., anti–money laundering,privacy) Effective challenge and oversightcontentTo realize the opportunities of synergies, a common and consistent taxonomy is foundational for effective risk management. A definition ofterms is considered a leading practice to advance the consistent interpretation, measurement, execution, and reporting of issues and riskswithin the two risk disciplines. There are five critical data elements where a common and consistently applied taxonomy is crucial: risks,controls, processes, policies, and obligations.Synergies become most evident when performing a risk assessment, regardless if it is a self-assessment at the first LOD or a complianceassessment performed by the second LOD. The ability to map processes from obligations to policies, and then to risks and controls, canassist in the identification, reporting, and escalation of issues. Figure 4 highlights specific opportunities for synergies.5

Figure 4. Key opportunities for synergiesGovernanceEvaluation of controlsThe rationalization of governancecommittees and risk managementframeworks that support theorganization model across the firstand second LOD.A shared services unit forconducting second LOD testing thatpromotes single testing of controlsand effective challenges for bothoperational risk and compliance.Issue managementReportingHolistic issue management thatenables effective identification andaggregation of systemic issues,along with the prioritization andcoordination among functions toachieve single issue remediation thatis sustainable.Comprehensive reporting thataggregates operational risk andcompliance metrics and issuesto produce, where possible, anintegrated risk report.GovernanceEvaluation of controlsIssue managementReportingThere may be opportunityto rationalize governancecommittees to allow risksand issues pertaining tooperational risk and complianceto be addressed by the samecommittee. Such committeeconsolidation could lead togreater collaboration betweenthe first and second LODon policy interpretation andexecution, issue management,reporting, and so forth.A common taxonomy enableseffective evaluation andmeasurement of controlsassociated with key risks andobligations. Potentially, a sharedservices unit for conductingsecond-line testing could beestablished to promote singletesting for both disciplines,including validation andoversight of the first-linetesting results.Issues identified in isolationacross operational risk andcompliance may createinefficiencies regarding issuemanagement and remediation,specific to solving for the sameor like issues twice. A centralizedsystem of identification, analysis,reporting, and tracking of issuesmay promote the successfulsystemic identification andprioritization of issues.This process can be morecomprehensive whencollaborative analysis byoperational risk and compliancecreate common risk andperformance indicators andmetrics to produce shared andinsightful reports. Centralizedreporting across operational riskand compliance can bring abouta reduction of overlaps.6

Options forrealizing synergiesBaseline maturity and sustainable processesfor both operational risk and compliancefunctions are needed before real efficienciesand synergies can be considered. A definedvision—one shaped by tone from the top—is acritical factor for a successful transformation.Also crucial to transformation are identifiedand effective agents of change with requisiteskill sets.As financial institutions explore differentways to realize synergies and touchpointsbetween operational risk and compliance, someexamples of organizational construct include:1. C oordination between operational riskand compliance. Streamline processes forrisk management requests of the first LODwhile having the two risk disciplines remainindependent functions.–– Potential advantages: Minimal disruptionto people, process, and technology toreduce redundancies and costs andmaintain desired independence andauthority of respective risk discipline,which enables them to continue to meetregulatory requirements and expectations.–– Potential disadvantages: May not resultin optimal long-term operating modelobjective of supporting cost reductionassociated with risk management. Also,there is potential to create confusionbetween operational risk and complianceroles and responsibilities with the first lineunless communicated properly.2. Centers of Excellence (CoE). Someinstitutions are considering, or have alreadyestablished, a shared service model acrossoperational risk and compliance usingCoEs for same or similar risk managementactivities. This includes controls testing,issue management, reporting, etc. TheCoE may have a dual reporting line to bothoperational risk and compliance seniorofficers with a single interface to the firstline. In addition, some institutions areopting for a managed services modelwhere they outsource selected riskmanagement processes.–– Potential advantages: Reduction inoverall effort and cost of activities,greater consistency in results andapplied methodologies, and streamlinedcoordination with first line and alignment tothe enterprise risk strategy and vision.–– Potential disadvantages: Regulatoryconstraints and possible dilution of subjectmatter expertise specific to each respectiverisk discipline.3. Singular ownership for operational riskand compliance. Some institutions haveconsidered merging the two risk disciplinesunder one organization to take advantage ofthe synergies between exposures.–– Potential advantages: Strategic alignmentof visions and objectives with limited or noconflicting requirements and processes,and reduced burden and touchpoints withthe first line.–– Potential disadvantages: Differentapproaches and perspectives tomanaging risk, which can cause inherentconflict between the two functions. Forexample, operational risk often anchorsrisk management activities to a process,whereas compliance manages risk to anobligation. Further, compliance mustmanage regulatory requirementsand expectations for legal obligations(e.g., laws and regulations), whichdoes come under an operational riskmandate. Requisite knowledge andunderstanding of such is generally notresident in an operationalrisk function.7

ConclusionWith the global financial crisis in the past, financial institutions can now revisit their organizational construct and required capabilitiesacross the first and second LOD. In doing so, these organizations can optimize risk management processes and create efficiencies.The transformation of the risk management operating model and culture may be warranted based on potential synergies. But it is alsoimportant to retain the integrity of each respective risk discipline, consistent with regulatory definitions. For success in this transformation,it is critical to establish a clear, well-articulated, and communicated vision combined with an appropriate tone from the top.Contact us:Monica O’ReillyPrincipalDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 415 783 [email protected] BhatPrincipalDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 973 602 [email protected] SinhaPrincipalDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 415 783 [email protected] ReynoldsManaging DirectorDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 212 313 [email protected] AppertManaging DirectorDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 212 436 [email protected] ParfenyukSenior ManagerDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 201 685 [email protected] ConnorSenior ManagerDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 215 982 [email protected] Chandra AkalamkamManagerDeloitte Risk and Financial AdvisoryDeloitte & Touche AERS India Pvt Ltd. 1 404 487 [email protected] GuptaSenior ConsultantDeloitte Risk and Financial AdvisoryDeloitte & Touche LLP 1 212 436 [email protected] used in this document, “Deloitte” means Deloitte Tax LLP, a subsidiary ofDeloitte LLP. Please see for a detailed description ofour legal structure. Certain services may not be available to attest clients under therules and regulations of public accounting.This publication contains general information only and Deloitte is not, by meansof this presentation, rendering accounting, business, financial, investment, legal,tax, or other professional advice or services. This publication is not a substitutefor such professional advice or services, nor should it be used as a basis for anydecision or action that may affect your business. Before making any decision ortaking any action that may affect your business, you should consult a qualifiedprofessional advisor.Deloitte shall not be responsible for any loss sustained by any person who relieson this publication.Copyright 2019 Deloitte Development LLC. All rights reserved.

Operational risk and compliance definitions 1Operational risk: Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk. Compliance risk: 2 The risk of legal or .