Compliance and risk operations at financial services companies suffer a range of problems stemming from organizations’ efforts to achieve regulatory compliance while adjusting strategies, business models and approaches to risk. The current moment presents a real, and perhaps time-limited, opportunity to transform compliance and risk operations. This paper, directed to CEOs, CFOs, CROs and other potential sponsors of such an initiative, explains why and how to go about it.
Why sponsor risk management transformation?
Is your organization experiencing:
- Regulatory violations, fines and compliance exceptions and deficiencies
- Processing errors, operational problems and customer complaints
- Losses due to risk events and other unpleasant surprises
- Increasing operating costs due to complexity and inefficiency
- Shortcomings in the control environment and risk management infrastructure
- Inability to identify risks worth taking and risks to avoid
If you’re seeing these issues, you can reduce cost, achieve greater efficiency, and increase effectiveness through risk management transformation. These issues indicate a need for greater integration of compliance and risk operations and the need to begin moving toward performance-driven risk management.
Risk management transformation aims to achieve and maintain a performance-driven risk management approach that uses risk management to drive revenue growth as well as cost savings. It both creates and protects value for the organization. The journey to performance-driven risk management starts with moving from a compliance-driven approach to an integrated approach to risk management activities. Integrated risk management is both an intermediate stage of maturity and a necessary precursor to performance-driven risk management.
Integrated risk management moves operations beyond the compliance-driven stage and delivers the following benefits:
- Fewer regulatory violations, fines, compliance exceptions and deficiencies to remediate
- Fewer processing errors, operational problems and customer complaints, and reduced rework
- Fewer losses due to risk events, and smaller losses when they do occur
- Lower operating costs due to efficiencies resulting from streamlined business processes
- Enhanced effectiveness of the entire control environment and risk management infrastructure
- Visibility across the entire enterprise on a risk-based basis
- Enhanced ability to identify risks worth taking and risks to avoid
Transforming mortgage servicing operations
The situation: A major mortgage servicing organization had experienced three internal audit major findings, six management-identified major findings and more than 20 other internal audit and management-identified findings. The organization had also experienced losses exceeding $1 million per month due to late payments on insurance premiums and taxes and other processing errors. Customer complaints had been growing significantly, even as operating costs continued to rise. In addition, processes had been designed for less than one-third of the existing volume and approved system enhancements had been on hold for more than two years.
The transformation: Executive management initiated an end-to-end operations transformation. Initial analysis identified extensive manual processes, widespread lack of controls and numerous manual controls. Working closely with internal audit and enterprise risk management, the team developed short- and long-term solutions. These solutions streamlined the end-to-end process, rationalized controls (reducing the number of controls by 50 percent), automated controls (increasing automated controls to 60 percent from 20 percent), and dramatically reduced operating costs and losses. Internal audit- and management-identified findings were remediated and system enhancements were prioritized and implemented (with some still in process as of this writing). The partnership between the business, enterprise risk management and internal audit is also greatly improved.
This initiative significantly enhanced the efficiency and effectiveness of the organization’s mortgage servicing operations. The success of this initiative has prompted management to commission similar efforts. Mortgage servicing now represents an area of strength for the organization.
Why is now the ideal time for transformation?
Financial services companies are emerging from a decade in which regulatory requirements seemed to suck the air out of the room. Dodd-Frank forced breakneck adoption of processes, practices, models, controls and reports geared to achieving and demonstrating regulatory compliance across the banking, mortgage lending and insurance industries. Constant regulatory demands left little time for coordination of related activities, let alone a strategic approach to integrating them. Most management teams have been forced to throw money and people at the problem.
While some risk may have been bled out of the financial system, many organizations are now living with serious side effects. These include operational problems, customer complaints and losses in some lines of business. Many organizations have dedicated significant resources to address specific regulations, such as anti-money laundering and stress testing. Most have a patchwork of processes, controls and reporting mechanisms that stand apart from or occur after those that serve the actual needs of customers and business units. Worse yet, none of this is generating revenue, accelerating growth or managing risk more effectively.
The latter item is key. While financial institutions have long been regulated, the demands of the past decade have reached the point where they typically divert resources from risk management to compliance. Redirecting those resources back toward business-oriented risk management will take some effort.
Now is the time to make that effort. Given the current political environment, we can reasonably expect a lull in the pace of new regulatory demands and rules. Compliance is generally being achieved (albeit with excessive manual processes and human resources). So it is time to take a breath, look to the big picture and employ a strategic approach to integrating compliance and risk management by means of an efficient end-to-end operations transformation.
The case for integrated risk management (IRM)
In an era driven by digital transformation and customer centricity, financial services companies face heightened risk management expectations from their customers and shareholders. Management wants better risk management so it can innovate faster and bring new products to customers. And the board, the audit committee, the risk committee and regulators want to make sure that there is appropriate oversight. Yet too many risk management functions remain primarily compliance-focused, or quite simply backward looking.
Grant Thornton research found that more than 50 percent of banks’ risk management functions across all asset-size segments are directing more than half of their activities toward compliance. That research also found that respondents most often articulate the value of risk management in terms of reduced business losses and reduced regulatory penalties, both indicating a compliance-focused view. Yet businesses exist to serve customers and create shareholder value, so the risk management function needs to include these two important aspects in its KRI (Key Risk Indicators) balanced scorecard.
While most leadership teams grasp the distinction between risk management and compliance, it can become moot when compliance traditionally demands so many resources. Moreover, some teams have not truly distinguished between the two, yet the distinctions are well worth making:
- Risk management can enable the business strategy, while compliance cannot (business agenda vs. compliance agenda).
- Risk management centers on decisions and conduct, while compliance centers on examination and verification.
- Risk management serves the business agenda, while compliance serves the regulatory agenda.
- Risk management activities are integral to achieving high performance, while compliance activities can put a drag on performance.
A patchwork of compliance and risk management solutions cannot assist management in developing a sound risk appetite and tolerances, or in monitoring risk profile and exposures. This hampers timely and informed decision making and responses to risks and risk events. It also leaves money on the table in the form of suboptimal risk strategies, inaccurate risk assessments and forgone opportunities.
To achieve goals, enhance efficiency and effectiveness and drive superior performance, compliance and risk management capabilities must be integrated across the organization.
First, it means determining where current problems, such as customer complaints, excessive costs, and increased risks exist. Second, it means developing an approach to identifying, prioritizing, and addressing specific problems. Third, it means integrating compliance and risk management into an overall risk governance and management framework.
Many organizations wish to develop a rationale for transforming their risk and compliance operations and chart a path toward achieving that transformation, but few have taken the necessary steps to move forward. So, here we offer a broad outline of that rationale and path, and related challenges to address:
Transforming anti-money laundering (AML) compliance processes
The situation: Most financial services organizations have been challenged by regulators to enhance, and in some cases immediately remediate, their AML processes. Reports of organizations censured and fined for violations of the rules continue. In response, organizations continue to add staff and technology solutions to review, monitor and address suspect transactions and accounts. As a result, AML-related costs continue to rise, often dramatically, without a noticeable reduction in risk profile.
The transformation: Transforming the end-to-end AML process can significantly reduce headcount, costs and exposures. The solution hinges on data analytics and automation of manual processes. An end-to-end assessment of the AML processes—before implementing any solution—identifies where to apply analytics and automation. The most forward-thinking institutions bring AML monitoring, assessment, reporting and response into real time. Such steps, coupled with data visualization tools, put risk monitoring and management in the hands of those who actually manage the risk, thus dramatically boosting efficiency, effectiveness and business performance.
Start at the top
Integrated risk management starts with the organization’s value proposition, strategy and culture—and with the senior leadership. Integrated risk management is not simply rationalizing and harmonizing controls (although that’s a necessary element). Nor can it be delegated to the compliance function. It must be considered a means of delivering on the value proposition, enabling the business strategy and creating the desired culture. That requires senior-level management engagement and coordination among the compliance and risk functions and the businesses.
Challenges: It’s tempting to think you can address the patchwork of compliance mechanisms by knitting them together. But that’s nearly impossible—and deeply suboptimal—without the organizing principles provided by the value proposition, strategy and culture. Financial organizations prosper by evaluating, pricing, managing and allocating risk. The better they are at that, the more they prosper. Integrating risk management and compliance positions them to do that.
Develop an effective risk management culture
In the minds of some in financial services, organizations have become “cultures of compliance”—to the extent where some have deliberately created such cultures. While this is understandable, a culture of compliance will not deliver on the value proposition or achieve strategic goals. However, an effective risk management culture will. In such a culture, the full range of risks (including compliance risks) is well-understood and actively managed. Risks are managed where they are owned, generally in the first-line businesses, with expert support from the second-line functions (including compliance) and assurance and advice from internal audit, the third line.
Challenges: A culture of compliance can generate risks through misplaced priorities and failure to properly manage the full range of risks. In contrast, an effective risk management culture recognizes compliance risk as one of many to be managed, along with strategic, financial, operational, conduct, cyber, reputational and other risks. Beginning with sound risk governance, the organization creates a culture in which every individual understands and fulfills his or her role in risk management.
Use formalized change management programs
Leadership teams who believe that compliance mechanisms only need to be rationalized underestimate the levels of coordination required to integrate risk management. Close partnerships among the businesses and risk management and compliance, with Internal Audit standing ready to provide advice and, eventually, assurance, are critical. Clearly established goals and deliverables and first-line ownership of risk are essential to achieving and maintaining efficiency and effectiveness.
Challenges: It is not just that compliance needs to be rationalized; rather, the entire end-to-end compliance and risk management process must be transformed. Transformation is needed to the extent that the organization’s value proposition, strategic goals and businesses are not being supported by properly aligned risk management processes. Formal methodologies bring about changes in thinking and behavior—including culture changes—as well as transformation of processes.
Transforming borrowings from multiple lines of credit
The situation: A major nonbank financial institution relied heavily on five lines of credit to support loan purchases, with success depending on access to funding on a timely—and profitable—basis. The board recommended that the institution utilize all five of its credit lines to maintain diversity in funding sources but did not mandate a level of usage. Non-utilization of a credit line could lead that lender to terminate the credit line due to lack of returns. So the finance function drew equally on all five lines for loan purchases to promote a good relationship with each bank. As a result, all five lines had equal borrowings at any given time—but two of the lines were priced 50 basis points higher than the other three.
The transformation: The CRO initiated a review to determine whether the organization’s risk profile would change if it utilized the three lower-rate credit lines more than the two more expensive ones. An analysis determined that funding risk would not increase by placing slightly more usage on the less expensive lines while maintaining borrowings on the more expensive lines. This analysis justified the new funding policy and enabled the institution to maintain its risk profile while saving millions of dollars annually on interest expense.
Analyze and prioritize issues, needs and activities
Key methods for implementing an end-to-end transformation include process flow mapping, root cause analysis and other process improvement methodologies. These assist the organization in identifying and prioritizing sources of operational losses, compliance errors and customer complaints. Those actions must not only remediate the problem but also address redundancies and gaps in processes and controls.
Challenges: The processes in question must be handled carefully to avoid breakdowns that affect customers and the businesses. These are typically not processes that can be approached through agile methods, in which prototypes can be launched and failures tolerated and then addressed. Instead, it is generally best to compartmentalize problematic areas of the process, identify and implement needed changes, test rigorously and then go live with confidence that it will work as intended.
Use technology as the enabler
Although many organizations view compliance only as a cost center, the function creates tremendous amounts of information, much of which has value in risk management and decision making. That is also true of other functions and processes within the organization. Yet organizations have been too slow to adopt advanced analytics, cognitive technologies, robotic process automation and data visualization. This has hampered their efforts to integrate risk management in an industry that runs on financial, factual, transactional and risk-related data.
Challenges: Manual process proliferation has gone hand in hand with exploding head counts. However, tools for querying, manipulating, analyzing and visualizing data have become more accessible and less expensive. This makes converting manual processes to automated processes easier while making it possible to deliver risk data for decision support to the people who need it, when they need it. In this way, technologies enable not only integrated risk management but also performance-driven risk management, in which risk information provides a competitive edge. This does, however, call for management to align risk and strategy and develop an effective culture.
Getting to performance-driven risk management
The current state of risk management is understandable, given all that organizations have had to address over the past decade. In addition, new business models, customer behaviors, competitive demands and developments such as FinTech are driving new needs. The number of compliance-related processes, controls, and reports—and related manual processes, headcounts, and costs—would themselves justify a risk operations transformation. Add to that an expected period of reduced regulatory demands, and you have a true window of opportunity.
An operations transformation sets the stage for the organization to move toward performance-driven risk management. In addition to enhanced effectiveness and reduced costs, performance-driven risk management generates strong alignment between business strategy and risk strategy, and between risk management and risk culture. It also improves the ability to deliver on the value proposition, win and keep customers, distinguish between risks worth taking and those to avoid, and grow top-line revenue.
However, integrated risk management, achieved through an end-to-end risk operations transformation, is a necessary step toward performance-driven risk management. Now is the time to take that step.