If the first stage of a pragmatic Know Your Risk strategy is deconstructing and understanding compliance obligations to define where you need to keep your focus, the next step is mapping policies, procedures and controls to performance indicators so that compliance can be assured accurately.
Essentially, at this stage, we need to answer the question: What do we actually need to monitor?
In the first part of our blog series setting out a three stage approach to a pragmatic Know Your Risk (KYR) strategy, we focused on deconstructing compliance obligations. Breaking those regulatory obligations down is all about simplification: taking out the duplication and complexity to shine a spotlight on what really matters to your business. In a best practice approach, that is packaged up into a visual map that can be updated as compliance needs change across the organisation.
In the second part of this blog series, we will continue with the theme of simplification. Having completed the first stage and having mapped out a good picture of key regulatory obligations, the next step is all about bringing simplification and clarity to monitoring, deciding which indicators are important, and maybe being a little bit ruthless about what can be cut loose.
At this stage of the process, a financial institution should have regulations mapped to obligations, and those obligations mapped to the policies and procedures that address them. For each item there should be a well-defined set of metrics and assessment points that are required for oversight. As those data points are recorded, the data lineage should be attached as evidence so that compliance teams can easily track back to the source. The ability to see clear demarcation between 1st and 2nd line activities is also important: expectations for each line of defence should be explicit. By mapping roles to compliance obligations, policies and procedures in an Oversight Map, each item can carry a statement of responsibility so that both the 1st and 2nd lines understand exactly what is required of them in the process.
The goal in this second stage is a continuous view of how compliance controls are performing against the obligations of regulations and the associated policies and procedures. If stage one has been completed correctly, this enables reporting of status against regulations, compliance controls, strategic objectives and so on in a much simpler way.
For each policy, procedure and control the team can define one or more indicators that provide compliance data. These indicators can be either quantitative (a set of metrics that are recorded, with thresholds set to identify when an item is out of tolerance) or qualitative (an assessment from a process or control owner of how their items are performing). They might range from automated control failure data points to the results of manual control tests or audits. They can also include attestations from staff or third parties that are already collected for other processes such as SOX or SOC 2 reporting.
This process might sound daunting, but compliance teams often find that many of these indicators are already in place for other reasons like management reporting. So it is often just a matter of reusing those same indicators for reporting on compliance with regulatory obligations.
A key pointer here is to ensure clarity when defining performance indicators. Failures at this stage are often due to indicators being too nebulous, resulting in a lack of understanding of what is being reported or of how best to gather the data. Another common problem is the differing frequency of data points, for example how to merge daily, weekly and annual data into a monthly attestation. In both cases the optimal approach is to utilise proven processes and indicators already in use within the organisation.
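The two practical problems raised above, thresholds on quantitative indicators and merging data points of differing frequency into a monthly attestation, are easier to see in working code. The following is an added example, not MCO's code or any part of the KYR product: it models the chain regulation → obligation → control → indicator, evaluates quantitative points against a threshold, accepts qualitative attestations, carries an annual data point forward into monthly reporting (and treats it as a gap once it is over a year old), and keeps the lineage of each data point alongside the resulting status. Regulation, obligation, control and source names are constructed for illustration.

```python
from calendar import monthrange
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Union


@dataclass
class Observation:
    observed: date
    value: Union[float, str]  # number (quantitative) or assessment (qualitative)
    source: str               # lineage: the system, test or report the point came from


@dataclass
class Indicator:
    name: str
    regulation: str
    obligation: str
    control: str                       # policy/procedure/control being evidenced
    line: str                          # "1LoD" or "2LoD": who owns the data point
    kind: str                          # "quantitative" or "qualitative"
    frequency: str                     # "daily", "weekly" or "annual"
    threshold: Optional[float] = None  # quantitative only: highest tolerated value
    observations: list = field(default_factory=list)


def in_scope(ind: Indicator, year: int, month: int) -> list:
    """Select the observations feeding one monthly attestation.

    Daily/weekly points are those recorded in the month. An annual point (an
    audit result, a yearly attestation) is carried forward from the latest one
    on or before month end and dropped once older than a year, so an expired
    attestation surfaces as a gap instead of silently staying green.
    """
    month_end = date(year, month, monthrange(year, month)[1])
    if ind.frequency == "annual":
        prior = [o for o in ind.observations if o.observed <= month_end]
        if not prior:
            return []
        latest = max(prior, key=lambda o: o.observed)
        return [latest] if month_end - latest.observed <= timedelta(days=366) else []
    return [o for o in ind.observations
            if (o.observed.year, o.observed.month) == (year, month)]


def monthly_status(ind: Indicator, year: int, month: int) -> dict:
    """Reduce one indicator to a status for the month, keeping its lineage."""
    obs = in_scope(ind, year, month)
    if not obs:
        status, value = "no data", None
    elif ind.kind == "quantitative":
        worst = max(obs, key=lambda o: o.value)  # worst point, not an average
        status = "red" if worst.value > ind.threshold else "green"
        value = worst.value
    else:
        latest = max(obs, key=lambda o: o.observed)
        status = "green" if latest.value == "effective" else "red"
        value = latest.value
    return {
        "indicator": ind.name, "regulation": ind.regulation, "obligation": ind.obligation,
        "control": ind.control, "line": ind.line, "status": status, "value": value,
        # evidence travels with the result so a reviewer can trace back to source
        "evidence": [(o.observed.isoformat(), o.value, o.source) for o in obs],
    }


def oversight_report(indicators: list, year: int, month: int) -> dict:
    """Roll statuses up to obligation level per regulation: red if any indicator
    is red, 'no data' if any has nothing to report (a missing point is a finding)."""
    grouped = defaultdict(list)
    for ind in indicators:
        row = monthly_status(ind, year, month)
        grouped[(row["regulation"], row["obligation"])].append(row)
    report = {}
    for (regulation, obligation), rows in grouped.items():
        statuses = {r["status"] for r in rows}
        overall = "red" if "red" in statuses else "no data" if "no data" in statuses else "green"
        report.setdefault(regulation, {})[obligation] = {"status": overall, "indicators": rows}
    return report


# Constructed sample data; regulation, obligation and control names are illustrative.
SAMPLE = [
    Indicator("overdue_surveillance_alerts", "REG-A", "Detect and escalate suspicious orders",
              "CTRL-01 daily alert review", "1LoD", "quantitative", "daily", threshold=5,
              observations=[Observation(date(2024, 3, 4), 2, "surveillance_db.overdue_alerts"),
                            Observation(date(2024, 3, 18), 7, "surveillance_db.overdue_alerts"),
                            Observation(date(2024, 3, 25), 1, "surveillance_db.overdue_alerts")]),
    Indicator("dealing_policy_attestation", "REG-A", "Prevent personal account dealing abuse",
              "CTRL-02 annual staff attestation", "2LoD", "qualitative", "annual",
              observations=[Observation(date(2023, 6, 30), "effective", "attestation_portal.2023")]),
    Indicator("access_review_audit", "REG-B", "Restrict access to inside information",
              "CTRL-03 annual access recertification", "2LoD", "qualitative", "annual",
              observations=[Observation(date(2023, 1, 15), "effective", "internal_audit.2023-01")]),
]
```

Two design choices are worth calling out. A quantitative indicator reports its worst point in the month rather than an average, so a single breach of tolerance cannot be smoothed away by otherwise good days. An annual data point that has lapsed is reported as "no data" rather than left green, because a stale attestation is itself a finding that a 3rd line reviewer or regulator would expect to see.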
By defining the items needed for compliance oversight upfront, the downstream processes of policy drafting, procedure definition and control creation work to a defined specification rather than to guesses and assumptions. This leads to a better result with less re-work and duplication of effort. It also makes good policy governance much easier to implement, because it is clear what management information and escalation points are required.
Turning to data, a clear lineage from the business, through the policy, to the regulation means that neither too much nor too little information is collected, and it becomes possible to do detailed analysis on the compliance data that matters most to the organisation. Furthermore, when the 3rd line or a regulator comes in for a review, it is easy to produce a complete report with the proof points organised according to the regulation under review. Senior executives can readily be given compliance status updates for the policies they have signed off and the regulations they have been made responsible for.
Importantly, simplification and clarity will win the hearts and minds of your senior stakeholders, who all too often suffer from dashboard and report overload because the previous norm has been to spend hours in front of them. Simplicity and clarity also mean there are fewer things to assess: the focus is on the compliance data and insights that matter. More metrics does not equal better compliance. The key is to get the right metrics at the right time to the right people so that they can make better risk-based decisions.
Having built a unified monitoring approach by deconstructing our obligations and then bringing clarity and structure to how we perform against what matters, the third and final step in a pragmatic three stage Know Your Risk (KYR) strategy is to evidence that compliance. In the next blog in our series, we will walk through the importance of this critical step.
MCO's Know Your Risk solution helps firms assure ongoing monitoring of policies and procedures, leading to efficient and effective compliance across the organisation.
Learn more about KYR's modular solution:
- Regulatory Change Manager
- Compliance Library Manager
- Compliance Assessment Manager
- Assurance Data Manager
- Attestations and Role Manager
Ready to learn more about how MCO offers comprehensive regulatory governance and oversight of compliance obligations? Let’s schedule a conversation.
Check out a video that explains Know Your Risk in 90 seconds.