With fresh risks, rising costs and the shifting of more activities from the second into the first line of defence, banks’ control operations are coming under mounting pressure, threatening the current model’s sustainability. As the industry searches for a way forward, 1LoD Ltd.’s recent Global Benchmarking Survey & Annual Report discusses the challenges control operations face, as well as some potential solutions.
The front office control function mandate is growing far faster than expected, in many cases without the financial resources or skills pool to keep up. Over 30% of banks polled by 1LoD in 2019 as part of their Global Benchmarking Survey, for example, reported a significant expansion in the function’s mandate over the previous 12 months – more than double the roughly 15% who had predicted this a year earlier. For the coming year, over 85% of those polled envisage a significant or modest expansion in the function’s mandate.
There are many reasons for this. New regulatory requirements and a growing risk agenda – including everything from artificial intelligence and the cloud to blockchain and cybercrime – are adding new tasks to the control stack. The first line of defence is also gradually absorbing a range of activities that were previously housed in the risk and compliance function, such as control assurance. At the same time, compliance officers are rolling out cost-reduction targets for compliance and control activity, meaning more should be done with less.
For the control function to carry this growing burden without collapsing, it should evolve – and fast. While organisational change is already underway at many banks and advances in areas like behavioural science are expected to beef up the control function’s toolkit, a radical rethink is required.
Control operations should be reconfigured to avoid translating new risks and responsibilities into growing manual demands. Visibility and accessibility of data related to controls should be improved to permit effective risks management and reporting. Skills should also be reappraised – not only in controls but across the three lines of defence – to assign the ‘right’ tasks to the ‘right’ people.
With so many changes required to make the control function sustainable, deciding which to prioritise is a task in itself and one that no bank is expected to approach in exactly the same way. There are however three key steps that all organisations should consider as they look to build an efficient ‘controls factory’:
Current controls are clearly not equipped to handle the complex new risks and cutting-edge capabilities the first line of defence is starting to grapple with. The creation of new, fit for purpose controls that can be reshaped and recalibrated as these continue to evolve are essential for many banks.
The use of algorithms, for example, is creating potential new conduct risks, such as the risk of mis-selling or other unethical behaviour by robo-advisory, that new controls should be created for. A number of institutions are building Control Design Functions, combining multidisciplinary ‘feature teams’ to rapidly design, prototype and deploy new controls using agile methods.
This does however first require significant human expertise, both in terms of external advisory and in-house talent. Firms should focus talent on designing for the ‘new’ risks, while re-balancing technology to automate and industrialise controls for more mature risks.
Controls should be standardised to fit seamlessly into organisations’ overall controls framework and automated to improve efficiency. Although many firms have created control automation programmes, automation is not a one-off exercise. Risks continue to change, and it is important for a firm to develop a control automation playbook that can be used repeatedly. The challenge is then to build a capability to perform continuous automation as control requirements change.
Whereas design relies primarily on human expertise, control automation draws on more technical facilitators such as control-by-design, robotic process automation, and improved data visualisation. The common challenges relate to provisioning the appropriate data and managing control ownership. With controls running automatically, data analytics can help control officers focus their attention on risks that require investigation.
As firms begin to better understand risks and controls mature, there are benefits to ‘industrialising’ control testing and assurance. This is an opportunity for radical cost take-out by working with third parties who can deploy standardised testing procedures, improving location strategy, or implementing self-testing controls with machine intelligence.
This approach allows organisations to move inhouse talent away from routine testing of legacy controls, and towards understanding, shaping and designing for new risks as these inevitably emerge.
Who does what?
Throughout these three steps, banks continue the journey begun to realign the three lines of defence. For firms we see a strong role emerging for the Chief Controls Office in the Design and Automation stages, Risk and Compliance focused on standardisation and industrialised testing, and Audit leveraging industrialised assurance practices.
Making control operations sustainable is likely to become a strategic priority for many banks – organised around control design, continuous automation, and industrialised testing – while aligning the proper resources and focused on the appropriate activities – to help firms manage growing complexity and prevent current pressures turning to crisis.
Please contact me if you have questions on building a sustainable control operation.