Compliant by Design? Or just good fortune and hard work?

+0

For the last 10 years financial services have been absorbing a relentless torrent of regulatory change that has, amongst other things, tested and changed operating models, demanded ever more detailed reporting and drained resources from and impeded other business improvement initiatives. This is especially hard for firms with international operations who have to comply across numerous business lines and multiple jurisdictions.

Compliant by Design? Or just good fortune and hard work?

While most firms have achieved timely compliance with the various rules and regulations and would, I am sure, claim they are still compliant, there must be doubt about exactly how robust this assurance is. The changes have become increasingly complex and inter-connected, yet globally they have been poorly co-ordinated. While looking similar, they have often differed in critical ways as local and political overlays have been applied to detailed implementations. 

Adding to the burden is the fact that regulators are already updating a number of important regulations, e.g. UCITS V, MiFID II, and Solvency II, with more to come.

While there has been much...

And then there is BREXIT

It is fair to say that as an industry group, financial services did not want Brexit and was shocked when the UK populace voted to leave the EU. In the immediate aftermath, as industry leaders searched for any positive aspects to the outcome, there were some who grasped at the possibility that there might be a let up in the demand for regulatory change on UK firms. Unfortunately as more reasoned thinking has been applied it is clear that this is not the case.

As a new father grappling with broken sleep and an onslaught of new child-related challenges I asked a friend of two older children if things improved. His answer was that things did not get better, they just changed. 21 years later I can confirm that assessment and would apply it to the question of regulation under Brexit. The arguments go something like this:

  1. The UK will be bound by EU law until it has officially left the Union so current changes like MiFID II will all have to be implemented in the interim. On its website the FCA advises that firms need to continue with the implementation of regs, including those which are still to come into effect.
  2. The UK has been at the forefront of developing regulation as a member of the G20 and that won’t change if it wants to maintain London as a world-leading financial centre. As such it will need to have a framework in place to replace the EU regulations that will cease to be relevant when the UK exits in order to keep it current. There is no capacity in the short term to review and redraft all that legal text so it is most likely that the core of the existing regulations will simply be copied and adopted.
  3. When the UK is considered to be a ‘third country’, the best chance for simple access to the single market will be through being judged as equivalent. While there may be some local considerations, keeping instep and in line with the EU regulatory agenda will be a key component of gaining and retaining that assessment.

Arguably there will be even more regulatory change as a result of Brexit, not less. The hope of some CEOs that in a couple of years they will be able to refocus on a ‘“normal’ business environment again seems rather optimistic.

Table 1

So where are we now?

While there has been much encouragement to firms to take a strategic approach to addressing these emerging requirements, the more common result is something of a patchwork of solutions (practices, policies and systems) that can at best be described as tactically pragmatic. Each new regulation adds more panels to the corporate quilt and unless a solution component fails or a regulator demands it, there is little appetite or bandwidth to return and improve past implementations. Instead resource is focused on the next new regulatory demand.

Regulatory change is different

It does not help that regulatory change is different. In some critical ways it differs from the more usual business or technology change that organisations better understand. This table illustrates the key differences. (See Table 1)

This gives a firm little room for self-determination. Instead the agenda is largely driven by influences outside of management’s direct and personal control.

Despite this most firms have relied on the change methodologies that have previously been used to deliver more normal business and technology change. The same methodologies that have clearly struggled with simpler change are now expected to produce miraculous results. Asking any UK/US firm about their experience of Dodd Frank, FATCA, EMIR, AIFMD, MiFID, Solvency II, PRIIPS, UCIT IV, etc. will illustrate the issue.

Just trying to use the methodologies more vigorously, employing ever larger PMOs does not help and in fact just tires and distracts the very people that need to be focussing on delivery.

A simple illustration of the problem can be found in the following diagram. (See Figure 1)

Figure 1

The green line represents the typical efficiency curve, where the unit cost of production can be reduced through experience and process improvement. The trouble is that there is a lower limit. In this situation the line can be considered to illustrate the amount of effort/resource required to deliver a change. Most firms have improved in this area, but are exhausting areas for further improvement.

Meanwhile the red line looks at the ‘demand’. In the context of regulatory change this represents a combination of both volume and complexity. This could be measured a number of ways, eg the number of rules/lines of text published, the number of business lines/systems/processes impacted, the number of data items that require collecting/reporting etc. By most measures this is climbing exponentially.

The blue line (with the “X”) is a point of critical change.

On the left hand side of the diagram a firm is improving its ability to deliver change faster than the demand for change is growing. This is where most firms found themselves in the last part of the 20th Century and was evidenced by the proliferation of methodologies, change tools and the creation of dedicated change teams.

In contrast the right hand side of the diagram describes a situation where the demand is growing relentlessly, faster and faster, but there is little more improvement to be made to the “traditional” change processes/capabilities. For the management of change teams this is an increasingly uncomfortable place as at the very least the cost of delivering the required change keeps growing and more likely the organisation struggles to create and maintain the capability required.

I suggest that many/most firms are now somewhere on the right hand side of the diagram and their struggles can only get worse.

So what? How can a firm do better? Well some of the answers actually do come from the past, albeit probably the more recent past.

The first part of the solution is for a firm to appoint a Regulatory Architect. So what is a Regulatory Architect you may ask?

Consider this; as organisation’s have become more complex the role of Business Architect has emerged along with the Business Operating Model. The architect is charged with:

  • Understanding how the business operates - the key components, their relationships and interactions, and their contribution to the business as a whole.
  • Identifying where the organisation could improve the quality, efficiency and effectiveness of its operations.
  • Helping the organisation prepare for known and expected developments.
  • Aiding management in responding to unexpected developments affecting the operation of the organisation.

Possibly the best known aspect of this is the Target Operating Model (or TOM) that is used to design and describe key features of an organisation after a desired change. This can provide the vision for more specific change endeavours.

There are clear parallels with the emergence of other architects as aspects of a firm became more complex and difficult to manage efficiently. We are not surprised to find System Architects, Data Architects and Network or Infrastructure Architects to name but three. Within their respective areas of expertise their roles are very similar to that of the Business Architect above.

So isn’t the time ready for the Regulatory Architect? And for a Target Regulatory Operating Model (TROM)? Certainly agreement on a Target Regulatory Operating Model would catalyse debate about how to build and run this essential part of any financial services firm.

In the same way that there is no single definition of an ideal operating model, I think that the ideal TROM will emerge and will be relevant to the firm, it’s maturity and environment. At the very least I suggest that as a starting portfolio the ROM should include:

  • Details of each entity associated with the firm, who it is regulated by and for what purpose/reason
  • The key sets of regulatory obligations/rules under which the firm operates
  • The organisational face-offs to various regulators and rule makers
  • The critical regulatory policies and processes embedded in the organisation
  • The critical technical components required to deliver compliance e.g. reporting systems, surveillance systems, etc.
  • Regulatory assurance processes and their engagement with senior management
  • The accountable executives who are directly responsible for achieving and maintaining regulatory compliance and in some cases directly accountable to regulators for compliance
  • The procedures and methods whereby compliance is monitored and ensured continuously, or if the business model changes, ignored or dropped
  • .......

So isn't the time ready...The Regulatory Architect can also lead the shaping of the firm’s response to new regulatory challenges by sorting the elements into themes which could then be run as true programmes. There would undoubtedly be some core themes such as “Data” and “Reporting” with others depending on the firm, it’s business and the prevailing environment.

By supporting more of a themed/programme approach to satisfy the many regulatory demands the Regulatory Architect would also foster more strategic thinking and minimise the patchwork quilt of solutions that are increasingly hard to maintain and enhance.

It is easy to suggest that this role is part of Compliance, but I disagree. Compliance in most firms clearly occupies the advisory and assurance space and are heavily resistant to accepting any responsibility for change delivery. They are more likely to sign off on the solutions designed by others than take on the development solutions themselves.

That does not mean that Compliance has no role here, they obviously do as the SME’s (along with Legal) in the technical interpretation of the rules and regulations and as the gatekeepers to regulators and information gatherers from their peers. The skills and knowledge they bring is complementary to that of the Regulatory Architect.

 

So where?

To me the logical organisational location for this role is reporting to the COO, for it is the COO who is charged with ensuring that the firm’s operations run efficiently, effectively and compliantly. While adding new headcount may seem extravagant in the current environment, the cost of compliance is a growing concern everywhere and this function will be a key contributor to its control and minimisation.

Where will this person come from? The ideal candidate is someone from a business or operational management or change background, but with real experience in regulatory change being a bonus. I doubt they will be a legal or compliance professional and nor should they be a technologist. The role demands a strategic thinker, with strong analytical, communication and influencing skills and could be a business architect who steps into the role if they can demonstrate the requisite understanding of regulation.

The big question is can you afford not to have a Regulatory Architect? In answering this it is worth considering the following questions.

  • Can your firm clearly demonstrate how it remains compliant with all of its key regulatory obligations?
  • Will you have to set up yet another new programme to analyse and deal with the next big regulatory change?
  • Are you happy that you have optimised the cost of compliance?
  • Are you aware of your regulatory change roadmap for the near to medium future?
  • Do you monitor your firm’s overall progress in delivering regulatory change?

Appointing a Regulatory Architect could be the first and biggest step towards regaining control of your future, at least in respect of your current and future regulatory obligations.


This article was first published in edition 8 of Rocket, our magazine. Download available Rocket editions here, and save your up to date address in your profile to to indicate your interest in receiving a printed copy of the magazine. Copies are also available to purchase and subscribe to via the shop.Rocket 8

To save your address into your profile:

  1. Visit the home page
  2. Click Account (in the middle of the row of black buttons)
  3. Click Edit Profile (in the row of buttons at the top)
  4. Click Reader (top right)
  5. There you can see your profile, with a box for your address - complete it accurately, and click Save
Share