Future View: Aspida Group

Written by: Aspida Posted: 27/07/2020

BL68_Peter Mills_AspidaPeter Mills, Co-Chairman of Aspida Group, shares his views on regulatory technology

While the UK’s Financial Conduct Authority states that “regtech applies to new technologies developed to help overcome regulatory challenges in financial services”, at Aspida we see utilising regtech as wider, to provide substantially more benefits to businesses. 

Regtech has to be an enabler for businesses and proactively deal with the demands of risk management, complexity, cost and compliance in an environment that isn’t getting any easier.

The period during Covid-19 is a good example of why technology will be essential in this area, and without it businesses strategies may be at risk.

There has been plenty of discussion on the future of regtech and the benefits to firms. Many businesses are struggling to determine how to use technology to their best advantage to manage their regulatory obligations and to improve efficiency in compliance.

In itself, the marriage of regulation and technology is not new, but it is becoming more and more crucial as levels of regulation rise and focus on data and reporting increases. 

Financial institutions have shelled out more than $300bn in fines since the financial crisis, according to Bloomberg. The cost of compliance spending is steadily increasing, with up to 15% of firms’ staff working on governance, risk management and compliance, according to the Financial Times.

Regtech has the potential to significantly reduce this figure by filling compliance gaps, reducing costs and detecting enterprise risks before the regulators.

Regtech puts a particular emphasis on regulatory monitoring, reporting and compliance, but we at Aspida believe that, importantly, to be practical it needs to assist in managing risks, identifying control issues and providing valuable business insight.

This in turn can produce positive outcomes for those businesses’ clients. Think about how businesses can demonstrate better protection for customers, while providing improved and faster services.

Identifying risks and mitigating them to ensure business survival and meeting regulatory obligations is fundamental, now more so than ever with the difficulties in operating in the unusual environment during Covid-19.

You, your clients and the regulator are largely interested in the same aspects, namely business resilience, meeting financial resource requirements, minimising operational risks, avoiding fraud and other financial crimes. These are aspects that are very difficult to manage through the use of spreadsheets or other similar tools. 

Integrated system

This is where technology can play an important part and finally bridge the gap between risk management and compliance management.

Governance, risk and compliance (GRC) platforms – commonly known as integrated risk management/enterprise-wide risks management systems – should be the answer, but often have some significant shortcomings.

They are not normally specific enough regarding the regulatory environment within which businesses operate, can become very difficult to manage and therefore costly.

They often fail to provide useful feedback to assist in the identification of issues that could lead to identifying whether risks are not as expected by the business. 

Historically, GRC systems have been useful to assist in the creation of risk registers and determining whether the associated controls are effective, along with giving key risk indicators to give an ‘early warning’ of possible changing risks. 

Assuming someone has populated the system with the relevant laws, rules and regulations, then this will also be helpful in determining areas of compliance. Even if the GRC system is effective in these areas, more often than not the risk management element of the system is not linked with the compliance management element, limiting the system capability and providing the business with only limited valuable information. 

As a result, most compliance monitoring is responsive to issues rather than looking forward to proactively identify potential risks and issues.

Development in these systems has been needed to make them useful for businesses and to overcome many of their problems. In this regard, Aspida is leading on the development to provide a practical solution for all businesses.

One key aspect is linking typical processes and controls with the compliance frameworks to provide immediate benefits to the organisation.

Any risk assessment can directly influence the compliance monitoring programme. Any controls identified as deficient, where there is a high inherent risk which would typically leave a high residual risk, should be areas of immediate focus. 

However, controls that are working effectively, where there is a lower inherent risk and therefore lower residual risk, should be tested less frequently, or perhaps not at all. 

Linking the controls with the compliance framework immediately means that the system has helped the business identify the important areas to test under the compliance monitoring programme. 

Any compliance testing, or other data such as incidents or complaints, should be used to identify control deficiencies and provide immediate feedback to the business on the appropriateness of the assessments of the risks. 

GRC systems should be able to determine whether the residual risk assessment is appropriate and provide input to the business to determine whether controls and/or risks need to be adjusted accordingly. 

In this scenario, the testing is genuinely providing corroboration of the risks and controls for the business and allowing attention to be focused on key areas.

GRC systems need to trigger the re-testing of areas that failed first time, trigger testing from other data (such as incidents or complaints) and provide automatic notifications to ensure that regulatory reporting is undertaken as required.

The risks and the testing of a compliance monitoring programme need to flex to take into account the changing environment. This linking of risk management and compliance management naturally enables this to happen. 

It is impossible to identify all risks and many people did not foresee the potential issues around Covid-19. Aon’s 2019 Global Risk Management Survey identified pandemics as 60th in the list of risks.

The World Economic Forum’s 2020 Global Risks Report did not have infectious diseases in the top 10 most likely risks. No doubt this risk will be included in most businesses’ risk registers going forward, but it is often the ability to react swiftly to risks, identify the controls and compliance aspects that is important. GRC systems need to provide that immediate benefit. 

Business continuity

Sticking with Covid-19, businesses have had to think about many relevant risks and have tested the resilience of their businesses. Initially it commenced with business continuity and how we continue to operate during this time. 

A lot of businesses implemented work-from-home plans (whether they were part of their normal plans or not). This itself leads to further risks around information security, data protection, operational risks associated with errors, cyber or fraud.

Then there is the importance of financial resilience and health and safety, the latter being especially important as the business starts to work under the new arrangements of social distancing.

It is essential that businesses can evaluate each risk and determine the appropriateness of the controls, while continuing to meet legal and regulatory obligations. 

This is a challenge, but made all the easier by a well-designed and forward-thinking GRC platform that links these aspects. 

By tracking certain key risk indicators (KRIs) and getting early warning information, it is possible to avoid or mitigate breaches for operational incidents. Having a system that allows you to monitor those risks ‘live’ through KRIs, which are linked directly to any relevant regulations, is hugely beneficial. 

During Covid-19, liquidity risk is a key risk with a potentially large impact to the business. The basic regulatory requirement (Financial Resources Requirement) may be to maintain a minimum of 25% of liquid assets of annual expenditure.

Setting appropriate KRIs (monitoring the Financial Resources Requirement, debtors and cash collection), creating thresholds and tracking the trend on a regular basis would give an early warning to the business if the liquidity looks like it could become a problem. 

Monitoring this ‘live’ in a GRC platform enables the business to plan, take action and if necessary forewarn the regulator, rather than wait for the actual breach. 

External benchmarks

It is also important for businesses to get some external factors to determine whether their level of risk and controls is in line with peers, or at least at a level where they can understand why they are prepared to accept more or less risk or have looser or tighter controls.

By combining anonymous data within a GRC system, it is possible to give key information to determine whether the business is an outlier.

Again, this is helpful during Covid-19, but how often have businesses been told they are an outlier compared with their peers by the regulator but have no information to determine that prior to an onsite visit by the regulator. 

Where GRC platforms need to develop further is in providing appropriate feedback to the business to enable swift changes to their operating environment.

By evaluating the data, it may be possible to determine a competitive edge – for example, where the business is able to demonstrate a better controls environment than their competitors, allowing the take-on of different types of client.

Aspida has developed a GRC system that covers these aspects more effectively, and yet is also able to deliver another key element which is to reduce the cost of compliance. 

Just maintaining a programme to meet the current rules and regulations and adjusting to the relevant risks and controls environment is almost a full-time job for a compliance officer. Our system does that, but we are well aware of areas that we want to develop further. 

When we look to the future, it is about how we can incorporate machine learning in risk assessment and testing. The system should be able to test certain areas if fed data and then do a peer comparison automatically.

We should even get to the stage that the GRC platform is able to determine the risk assessment based on the external factors influencing the inherent risk and the internal factors determining the residual risk.

Exciting times – but a demonstration that a properly developed GRC platform can truly become an enabler for the whole business. 

• This sponsored article was first published in Businesslife's Future View supplement in June 2020

Add a Comment

  • *
  • *
  • *
  • *
  • Submit

It's easy to stay current with blglobal.co.uk.

Just sign up for our email updates!

Yes please! No thanks!