Future View: Aspida Group

Written by: Aspida Posted: 27/07/2020

Peter Mills, Co-Chairman of Aspida Group, shares his views on regulatory technology

While the UK’s Financial Conduct Authority states that “regtech applies to new technologies developed to help overcome regulatory challenges in financial services”, at Aspida we see regtech as having a wider application, one that provides substantially more benefits to businesses.

Regtech has to be an enabler for businesses and proactively deal with the demands of risk management, complexity, cost and compliance in an environment that isn’t getting any easier.

The period during Covid-19 is a good example of why technology will be essential in this area, and without it business strategies may be at risk.

There has been plenty of discussion on the future of regtech and the benefits to firms. Many businesses are struggling to determine how to use technology to their best advantage to manage their regulatory obligations and to improve efficiency in compliance.

In itself, the marriage of regulation and technology is not new, but it is becoming more and more crucial as levels of regulation rise and focus on data and reporting increases. 

Financial institutions have shelled out more than $300bn in fines since the financial crisis, according to Bloomberg. The cost of compliance spending is steadily increasing, with up to 15% of firms’ staff working on governance, risk management and compliance, according to the Financial Times.

Regtech has the potential to significantly reduce this figure by filling compliance gaps, reducing costs and detecting enterprise risks before the regulators.

Regtech puts a particular emphasis on regulatory monitoring, reporting and compliance, but we at Aspida believe that, importantly, to be practical it needs to assist in managing risks, identifying control issues and providing valuable business insight.

This in turn can produce positive outcomes for those businesses’ clients. Think about how businesses can demonstrate better protection for customers, while providing improved and faster services.

Identifying risks and mitigating them to ensure business survival and meeting regulatory obligations is fundamental, now more so than ever with the difficulties in operating in the unusual environment during Covid-19.

You, your clients and the regulator are largely interested in the same aspects, namely business resilience, meeting financial resource requirements, minimising operational risks, avoiding fraud and other financial crimes. These are aspects that are very difficult to manage through the use of spreadsheets or other similar tools. 

Integrated system

This is where technology can play an important part and finally bridge the gap between risk management and compliance management.

Governance, risk and compliance (GRC) platforms – commonly known as integrated risk management or enterprise-wide risk management systems – should be the answer, but often have some significant shortcomings.

They are not normally specific enough regarding the regulatory environment within which businesses operate, and can become very difficult to manage and therefore costly.

They often fail to provide useful feedback that would help identify issues and, in turn, reveal whether risks are not as the business expected.

Historically, GRC systems have been useful to assist in the creation of risk registers and determining whether the associated controls are effective, along with giving key risk indicators to give an ‘early warning’ of possible changing risks. 

Assuming someone has populated the system with the relevant laws, rules and regulations, then this will also be helpful in determining areas of compliance. Even if the GRC system is effective in these areas, more often than not the risk management element of the system is not linked with the compliance management element, limiting the system’s capability and providing the business with little valuable information.

As a result, most compliance monitoring is responsive to issues rather than looking forward to proactively identify potential risks and issues.

Development in these systems has been needed to make them useful for businesses and to overcome many of their problems. In this regard, Aspida is leading on the development to provide a practical solution for all businesses.

One key aspect is linking typical processes and controls with the compliance frameworks to provide immediate benefits to the organisation.

Any risk assessment can directly influence the compliance monitoring programme. Any controls identified as deficient, where there is a high inherent risk which would typically leave a high residual risk, should be areas of immediate focus. 

However, controls that are working effectively, where there is a lower inherent risk and therefore lower residual risk, should be tested less frequently, or perhaps not at all. 

Linking the controls with the compliance framework immediately means that the system has helped the business identify the important areas to test under the compliance monitoring programme. 

Any compliance testing, or other data such as incidents or complaints, should be used to identify control deficiencies and provide immediate feedback to the business on the appropriateness of the assessments of the risks. 

GRC systems should be able to determine whether the residual risk assessment is appropriate and provide input to the business to determine whether controls and/or risks need to be adjusted accordingly. 

In this scenario, the testing is genuinely providing corroboration of the risks and controls for the business and allowing attention to be focused on key areas.

GRC systems need to trigger the re-testing of areas that failed first time, trigger testing from other data (such as incidents or complaints) and provide automatic notifications to ensure that regulatory reporting is undertaken as required.

The risks and the testing of a compliance monitoring programme need to flex to take into account the changing environment. This linking of risk management and compliance management naturally enables this to happen. 

It is impossible to identify all risks, and many people did not foresee the potential issues around Covid-19. Aon’s 2019 Global Risk Management Survey identified pandemics as 60th in the list of risks.

The World Economic Forum’s 2020 Global Risks Report did not have infectious diseases in the top 10 most likely risks. No doubt this risk will be included in most businesses’ risk registers going forward, but it is often the ability to react swiftly to risks and identify the relevant controls and compliance aspects that matters. GRC systems need to provide that immediate benefit.

Business continuity

Sticking with Covid-19, businesses have had to think about many relevant risks and have tested the resilience of their businesses. Initially this commenced with business continuity: how to continue operating during this time.

A lot of businesses implemented work-from-home plans (whether they were part of their normal plans or not). This itself leads to further risks around information security, data protection and operational risks associated with errors, cyber attacks or fraud.

Then there is the importance of financial resilience and health and safety, the latter being especially important as the business starts to work under the new arrangements of social distancing.

It is essential that businesses can evaluate each risk and determine the appropriateness of the controls, while continuing to meet legal and regulatory obligations. 

This is a challenge, but made all the easier by a well-designed and forward-thinking GRC platform that links these aspects. 

By tracking certain key risk indicators (KRIs) and getting early warning information, it is possible to avoid or mitigate breaches arising from operational incidents. Having a system that allows you to monitor those risks ‘live’ through KRIs, which are linked directly to any relevant regulations, is hugely beneficial.

During Covid-19, liquidity risk is a key risk with a potentially large impact on the business. The basic regulatory requirement (Financial Resources Requirement) may be to maintain liquid assets of at least 25% of annual expenditure.

Setting appropriate KRIs (monitoring the Financial Resources Requirement, debtors and cash collection), creating thresholds and tracking the trend on a regular basis would give an early warning to the business if the liquidity looks like it could become a problem. 

Monitoring this ‘live’ in a GRC platform enables the business to plan, take action and if necessary forewarn the regulator, rather than wait for the actual breach. 

External benchmarks

It is also important for businesses to get some external factors to determine whether their level of risk and controls is in line with peers, or at least at a level where they can understand why they are prepared to accept more or less risk or have looser or tighter controls.

By combining anonymous data within a GRC system, it is possible to give key information to determine whether the business is an outlier.

Again, this is helpful during Covid-19, but how often have businesses been told by the regulator that they are an outlier compared with their peers, yet had no information to determine that prior to an onsite visit by the regulator?

Where GRC platforms need to develop further is in providing appropriate feedback to the business to enable swift changes to their operating environment.

By evaluating the data, it may be possible to determine a competitive edge – for example, where the business is able to demonstrate a better controls environment than their competitors, allowing the take-on of different types of client.

Aspida has developed a GRC system that covers these aspects more effectively, and yet is also able to deliver another key element which is to reduce the cost of compliance. 

Just maintaining a programme to meet the current rules and regulations and adjusting to the relevant risks and controls environment is almost a full-time job for a compliance officer. Our system does that, but we are well aware of areas that we want to develop further. 

When we look to the future, it is about how we can incorporate machine learning in risk assessment and testing. The system should be able to test certain areas if fed data and then do a peer comparison automatically.

We should even get to the stage that the GRC platform is able to determine the risk assessment based on the external factors influencing the inherent risk and the internal factors determining the residual risk.

Exciting times – but a demonstration that a properly developed GRC platform can truly become an enabler for the whole business. 

• This sponsored article was first published in Businesslife's Future View supplement in June 2020

