Performing a regulatory compliance risk assessment is very important to build an environment of internal controls. To appropriately build and manage the compliance controls in an organization, management must implement a process in an overall internal control system, where compliance risks are assessed periodically.
Performing A Regulatory Compliance Risk Assessment
The new regulations or regulatory updates in most cases are a way forward, but in some cases for financial institutions such as banks, it takes considerable time and effort to implement the changes, which gives rise to the risk of non-compliance.
From the introduction of a new regulation to the final entity-wide risk assessment and aggregation stage, organizations need to perform multiple steps to effectively manage the compliance risk. These should be formulated, documented, and implemented.
To perform a regulatory compliance risk assessment, it would be practical to break it down into four stages, with each stage having multiple steps.
Stage 1 – New Regulation
At the first stage, the regulator releases a new regulation or provides an update or amendment to an existing regulation. An organization, or a particular department within an organization such as the compliance function, is then required to be vigilant enough to capture all the applicable regulations, perform a regulatory assessment, and update their regulatory repository respectively. It is also the responsibility of the department in charge to inform the relevant business unit about the new regulation or update. For example, a new regulation regarding liquidity requirements would require the department in charge to send an alert to the treasury department for them to address the requirement by designing relevant controls.
Stage 2 – Risk Identification
The second stage is performed periodically irrespective of whether a new regulation is issued or not. This is because organizations are constantly evolving and a particular organization may become exposed to a certain regulation due to a change in its size or due to its product or service offering. For example, certain regulations may only be applicable to specific credit portfolios such as infrastructure financing or agricultural credit.
The business should identify the compliance risks from the new regulatory requirements along with the review of the initial inherent compliance risk assessment. In addition, a department such as the compliance department should be responsible for highlighting the change in the regulatory environment and perform an initial inherent risk assessment on the applicable regulatory requirements. On the other hand, the business functions should be responsible for identifying the associated risks due to changes in products or services and to develop mitigating controls. The compliance department should review the control design performed by the business function for the new regulation.
The organizations should also refer to the major sources of identification for compliance risk (such as risk management identification of breaches, internal audit observations, and regulatory inspection observations) to identify unaddressed compliance risks.
Stage 3 – Risk Evaluation
Once the compliance function has identified the sources of compliance risks and the applicable regulations, the next step is to measure or evaluate the inherent risk in the new regulation.
For this purpose, organizations should use multiple tools and techniques such as scenario analysis and historical internal loss data to be in the position to assess the likelihood and impact of the compliance risks.
Even though a substantial amount of subjectivity is involved in assessing the impact and likelihood of compliance risk on an organization, some broad measures should yet be defined, which may include the financial, reputational, and strategic impact on the organization.
The next step at this stage is to assess the residual risk as a function of inherent risk and relevant controls that the organization may have against those risks. Controls are assessed on the dimensions of the strength of their design and their operating effectiveness results. The design assessment is performed by benchmarking and comparing a control’s objectives and its design against the regulatory requirements and assessing if it is theoretically strong enough to capture all the expectations of the regulator.
The assessment for operating effectiveness entails an empirical analysis (carried out via testing exercise on a sample basis) to assess if the controls are being operated in a manner that is necessary to meet its objective and to assess and challenges in their implementation.
The outcome of performing the above-mentioned analyses would provide the two components of input required to compute residual risk rating for each risk. The inherent risk rating would be multiplied by the control effectiveness rating to arrive at the residual risk rating.
Stage 4 – Risk Treatment
Finally, the organization needs to decide how to treat specific residual risks. This would require the board and management to devise action plans for the residual risks. There are typically four options for treating residual risk in an organization. The remaining residual risk can either be mitigated, accepted, avoided, or transferred. However, the compliance risk appetite of an organization is often zero and compliance risk of any kind might not be accepted by an organization. The compliance risks can also not be transferred to other organizations (as is normally the case with other operational risks through insurances or other measures).
In most cases, organizations choose to mitigate the residual risk for which a well-planned risk treatment plan must be devised. Effective risk treatment relies on committing to realistic objectives and timelines for implementation. Trends, which enable a business unit to identify corrective actions and, where appropriate, apply changes to reduce or eliminate realized or potential risk exposures. Lagging indicators are set against the detective and corrective controls.
For example, an increasing trend in the number of times a regulatory reporting deadline was breached in the past should alert a financial institution of the need to improve the related controls to take corrective actions to meet reporting deadlines and avoid non-compliance.
Final Thoughts
Businesses must conduct CRAs in order to identify and assess the entity’s risks. Based on the assessment, the entity will identify any inefficiencies in the system and increase compliance efforts to improve the “problematic” sector. Companies typically conduct a variety of assessments, but the compliance risk is a specific one that focuses on the business’s compliance with applicable laws.
