By Duncan Edwards
Risk is double-edged; no one makes money without taking risks, but do not manage risk and you will certainly lose money. But the thing is, risks are like icebergs – only the tip is clearly visible, so you need to understand all risks if you are to manage them effectively.
The current global crisis is testimony to how risk, when badly taken or not fully understood, spirals out of hand. Not just how governments and scientists are managing their various responses to covid; not just how the retail sector is responding to the impacts of covid; not just how the financial sector is learning to operate differently; but also ‘how are you and your business navigating the crisis effectively?’
Regardless of whether you believe in the facts behind this crisis, or if you think there are hidden forces behind it, or the facts are being misrepresented, one thing is certain… this current crisis is having a significant effect on you and your business’ risks. This unprecedented global crisis has put the spotlight squarely on technology and assurance providers.
How will you and your business not only survive this crisis but prosper as well? Have you thought through the risks and opportunities of not being compliant in this global crisis? Get it wrong and that could be the end of your business. Get it wrong and regulators can fine and/or censure you and your business. Get it wrong and other businesses may take advantage of your business’ weaknesses. Get it right and your business can prosper.
But it’s a medical crisis, not money laundering, terrorist financing or sanctions
Well, that is true. But this medical crisis has caused worldwide disorder, forced new and untried ways of working, moved digital banking forward 10 years and all in the blink of an eye. This is what criminals like: confusion; new processes; businesses trying to manage new risks, taking their eyes off the basics; less face-to-face contact. All this is a godsend for criminals trying to hide their identity. Employees working from home, with reduced support and technology, and maybe not working as effectively can help criminals mask identities, transactions and relationships. You only have to look at the rumours around the UK Government’s purchase of personal protection equipment (PPE) and the billions, not millions, that have reportedly been overspent to realise it is a goldmine of an opportunity for those with ‘lower ethical standards’. Although the UK Government continues to state it has “robust checks and balances” in place, the opportunities this crisis has given to criminals are like money growing on trees! How have these risks been thoroughly identified and managed in your business?
How has compliance responded?
More importantly, how has your compliance department responded to the crisis? What new risks have they identified? What impacts have new processes, e.g. working from home, had on control effectiveness? What about the customer experience, how have they worked to improve it? How have they helped the business to prosper in a crisis?
Managing risk – a reminder of the basics
A common response to risk management is the “three lines of defence”. This approach has been around for over 20 years and can be very effective, but only if fully understood and managed. In my experience of working with many global, regional and national organisations, most say they have implemented the three lines of defence. But many have done it in name only, few have done it effectively and few have prospered from it. Moreover, how has it been affected by the crisis, with corners being potentially cut just to get things done?
How do the three lines of defence help to clearly define risk roles and responsibilities?
The first line of defence (1st LOD) is front-line management and staff; people at the heart of the business who bear the risks of the business. They have to understand their risk exposures, the organization’s attitude to risk and put in place appropriate risk mitigants.
The second line of defence (2nd LOD) is people undertaking risk and control functions such as compliance, operational risk and finance. They interpret the risk appetite of the Board into practical policies, procedures and limits. They support the first line of defence, monitor the performance of the business and should provide early warning signs of adverse risk trends and practices. The key is to provide assurance to the Board that the organization is mitigating the risks and updating them on the impacts: regulatory, operational, financial, reputational, etc.
The third line of defence (3rd LOD) is internal audit, which should provide comprehensive assurance to the Board, management and stakeholders on the whole system of internal controls. Internal audit is your last internal line of defence, so it is imperative it is effective.
Recover. Adapt. Advance. The next steps
It is still not too late, but it is getting to be. Urgent action is needed to manage new or increased risk and to prosper as a business. The diagram on the right provides a clear structure of the areas that need to be assessed and evaluated in order to recover, adapt and advance.
One of the best ways to recover is to transform the assurance provided by both 2nd and 3rd LOD. Many compliance departments have not undertaken a ‘deep cleanse’ of the impact of covid on their risk approach and typically have not adapted their plans to respond effectively to the crisis, as potential consequences were originally not fully understood. But all that is changing and it is time to advance. Executives are rallying around four initiatives as they look to better manage, enhance and gain competitive advantage from the crisis:
- Tightening AML, CTF and Sanctions infrastructure and operations
Some call this going back to basics, making sure fundamental processes and controls are sound and operating effectively. Clearly a role for the compliance team. It also includes reassessing and re-evaluating identified risk portfolios more carefully, especially for the impact of the crisis. We have now learnt that the “once-in-a-lifetime” risk scenario does happen and businesses need to be ready for it, however infrequently it occurs.
But many organisations miss the key risk that “other businesses may manage the crisis better than we do”, so that your business is adversely impacted. How do you recover from this? Hold risk workshops, with participants from all three lines of defence to assess the impact of covid on your risk profile. Obvious, but few have done it effectively.
- Building a risk-aware AML, CTF and Sanctions people culture
Risk is everyone’s business. A risk management culture is only as strong as its weakest link. Although some staff are specifically tasked with risk management, it is everyone’s responsibility to know and manage business risk. But you can bet your bottom dollar that staff have not thought through the additional impacts of the crisis on risks and controls and shared them. You need to provide leadership on this. Front-line management and staff have to be coached on risk management and the organization’s risk appetite.
- Escalating governance communications
Risks can quickly unfold into a crisis, so communications, both upwards and downwards, need to be earlier, faster and more substantive; clearly explaining the potential impact and implications to those who are less risk-aware. And importantly, we have to listen to the messenger, no matter how unpalatable the message. This is where technology helps. You need to assess how your communications, both internal and external, should be adapted.
- Advancing technology and assurance
In times of crisis, comprehensive and reliable assurance is needed. You need to prevent AML, CTF and Sanctions risks happening, not report them after they occur as ‘loss events’ with remediation actions.
Comprehensive assurance needs technology that proactively monitors customer profiles, transactions and relationships with timely reports and warnings. And technology that enhances the customer experience i.e. they prefer to do business with your organisation as it is easier and more intuitive than others. “But it costs money we don’t have”, is what I always hear. Wrong. Get the right AML software vendor and it is an investment that can be repaid much sooner than you would expect. Technology has moved on so much. When did you last assess your technology for comprehensiveness, costs and, most importantly, customer experience? You should.
How can Idenfo systems and services help us?
Idenfo may be a relatively new business, but the people who own and run it are not. Between us, we have decades of real, practical industry experience with global, regional and national financial services organisations. And that is why Idenfo was created, to bring all this experience and skills together as we knew and understood the frustrations, requirements and opportunities of businesses who want world class, leading AML, CTF and Sanctions technology and assurance assistance to help bridge that gap.
At times of significant change, high pressure and uncertainty, the risk of control failures increases significantly. Has yours?
The writer, Duncan Edwards, for over 20 years was an Executive Director for Business Risk Services in one of the ‘Big 4’ professional services firms in London, Europe and Asia. Most recently, for a global bank, he was the Retail Bank, Managing Director, AML, CTF and Client Tax Process and Governance. He now brings that experience, as a Senior Advisor, to Idenfo.