Compliance Study_complet - pwc

More documents

Recommendations

Info

Setting the scene - defining compliance risk © PricewaterhouseCoopers - Protecting the brand, May 2005 15 To set the scene, participants were generally asked for three definitions key to compliance functions, namely the definition of i) compliance risk, ii) regulatory risk and iii) reputation risk. Not all respondents had defined all three terms, and amongst those that had there were some subtle differences. Compliance risk A definition of compliance risk, as determined by the Economist Intelligence Unit and PricewaterhouseCoopers 6 , is: “The risk of impairment to the organisation’s business model, reputation and financial condition (resulting) from failure to meet laws, regulations, internal standards and policies, and expectations of key stakeholders such as customers, employees and society as a whole.” The breadth of this definition was reflected in the definition of a bank’s compliance function set out in the Basel Committee in its paper “Compliance Functions in Banks”, of October 2003 7 . While many respondents found this definition was in line with their own view of compliance risk, a number of international institutions considered it too broad. For them, compliance risk resulted from the possibility of non-compliance with laws and regulations affecting the offering of (relevant) products and services. Some saw this definition as closer to “reputation risk”, while others thought this definition more akin to “operational risk”. A number of firms, especially those in Sweden and Japan, believed it was better to look at compliance risk as “the risk of business not being conducted according to legal and regulatory requirements”. Respondents also considered “compliance risk” as implying the potential ramifications of non-compliance with laws and regulations in terms of adverse regulatory attention for the firm, loss of confidence in the compliance function, and the negative impact on Compliance and management time. Regulatory risk For some respondents, regulatory risk was a narrower concept than compliance risk, defined as the risk of not complying with specific laws and regulations. Others, however, had a much more comprehensive definition of regulatory risk, for example: “Regulatory risk can be defined as the risk of regulatory sanctions, financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with all applicable laws and regulations, change in business models in order not only to avoid its failure to comply with all applicable laws and regulations but also to correspond with the change in the expectations of regulators.” In effect, many respondents saw two clear dimensions to regulatory risk: i) breaching regulations and ii) not meeting regulator expectations. Regulatory risk might be interpreted as the risk of not keeping pace with the rising regulatory bar. This bar was no longer national: Sarbanes-Oxley had demonstrated the potential impact of extra-territoriality. Regulatory risk also lay in the need to adjust business models to comply with new detailed rules, particularly in terms of costs and possible Major regulatory challenges identified: • AML related-legislation • Basel II • Best execution • Compliance arrangements • Conflicts of interest including market abuse/insider trading • Focus on treating (retail) customers fairly • IFRS • Market disclosure and transparency requirements • Privacy legislation • Sarbanes-Oxley • Solvency regimes for insurers 6 PricewaterhouseCoopers and Economic Intelligence Unit survey, July 2003: Compliance: A gap at the heart of risk management 7 “A bank’s compliance function can be defined as: “An independent function that identifies, assesses, advises on, monitors and reports on the bank’s compliance risk, that is, the risk of legal or regulatory sanctions, financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice.““Note: the October 2003 paper was a consultation paper. The Basel Committee has very recently (April 2005) issued a formal guidance note entitled “Compliance and the Compliance Function in Banks”.
16 © PricewaterhouseCoopers - Protecting the brand, May 2005 inappropriateness for the business. There was also risk in not communicating appropriately with the regulator(s). Clearly, the most explicit concern in this respect was that regulators moved the goal-posts, retroactively. Respondents said that these concerns considerably increase uncertainty, and risk stymieing business. “[It] takes years to build it but can be lost in an instant” Reputation risk Many respondents said that management’s biggest fear was damage to reputation and brand. Often, however, “reputation risk” or “brand risk” were not defined, sometimes intentionally in order not to dilute judgement. Some respondents provided more granularity to a potential definition. Damage occurred when business behaviour, in any sense, was viewed as inappropriate by stakeholders, whether regulators, customers, other market operators, or - in certain businesses - the public at large. A German institution described it as “[..] broader than regulatory risk and is the risk of any activity that may impact the reputation of the business. It is not necessarily legal in nature.” Respondents highlighted the inability to quantify this risk, or even to mitigate it thoroughly in all circumstances, particularly where it arose through no wrongdoing on the part of the organisation. Reputations could be tarnished by association. There was also the materiality factor: a media “feeding frenzy” could cause serious damage, however minor the incident. Reflections Clearly, there was no overall consensus on a definition for these risks. The differences in the meaning and appreciation of the risks are understandable given the evolving nature of risk management, the different stages of evolution of compliance functions across organisations, the positioning of the compliance function within financial services organisations (legal, risk, operations) and the cultural receptivity towards regulation. However, the differences in the definitions point to the need for a common language and approach to compliance and regulatory risks, across sectors and between industry and the regulators. This would facilitate improved granularity in identifying and assessing compliance risks. Considering the study’s responses, the definition of reputation risk is more generic: an over-arching risk, to which all areas of the business are susceptible, both from the organisation’s own activities, or changing perspectives of external stakeholders which it fails to anticipate adequately. As a primary concern of management, reputation risk could, perhaps, provide a framework within which risks to the organisation can be correlated, and their interdependencies better appreciated. However, boards and senior management need to be realistic in terms of what the compliance function can achieve: it cannot mitigate reputation risk generally. Reputation risk can only be managed by the careful orchestration of the various control mechanisms within the organisation.
Page 1 and 2: Protecting the brand The evolving r
Page 3 and 4: Protecting the brand*
Page 5 and 6: complying with management’s strat
Page 8 and 9: Structure of the Report Executive S
Page 10 and 11: © PricewaterhouseCoopers - Protect
Page 20 and 21: Challenges to achieving compliance
Page 40 and 41: Based on our analysis, we suggest t
Page 52 and 53: Compliance contributing value to bu
Page 58 and 59: © PricwaterhouseCoopers - Protecti
Page 66 and 67:
Annex I Overview of regional and na
Page 68 and 69:
© PricewaterhouseCoopers - Protect
Page 70 and 71:
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
Page 80 and 81:
Page 82 and 83:
Page 85 and 86:
PricewaterhouseCoopers (www.pwc.com
Page 87:
www.pwc.com
show all

Compliance Study_complet - pwc

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?