Three battles for financial institutions

How to make risk and compliance work


February 2021


Bjørn Rothaus

Over the past decade, financial institutions (FIs) have globally racked up fines worth USD 36 billion for non-compliance with anti-money laundering, know-your-customer and sanctions regulations. Twelve of the world’s top 50 banks were fined during this period (Fenergo, January 2020).

However, the cost of fines is small compared to the cost that FIs and their customers have incurred through the heavy increase in risk management and compliance processes. In this respect, the cost of the second line of defence is itself small compared to the burdens and lost opportunities that risk and compliance processes place on the first line, i.e. the business. And even more worrying: all of these costs are small compared to the loss of engagement and sense of purpose that bureaucracy creates among people.

The question now is whether these gigantic investments in risk management will pay off and help FIs live up to the expectations of regulators, customers, shareholders and society. In our view, the short answer is: probably not. Several major FIs are currently taking a long detour on the way to better and more sensible risk management and compliance. In our experience, FIs face three major challenges that will determine whether their investments in risk management and compliance pay off.

1. Regulation that makes sense

Firstly, the banking industry depends on future regulation that makes sense. Unfortunately, this is also the challenge where FIs have the least influence on the outcome. The volume and complexity of rules and requirements are growing rapidly and make it difficult for even the most efficient FIs to comply.

As long as governments cannot credibly refuse to rescue distressed banks, it is appropriate that regulators seek to ensure that FIs are robust and have processes in place that ensure compliance. But as with all regulation, inventing rules mainly to signal action and goodwill should be avoided; instead, the focus should be strictly on what is needed. In our experience, regulation that is too extensive and too complex can have the opposite effect of what was intended: too many rules diminish both support for the rules and knowledge of them.

2. Risk management processes that make sense

Secondly, FIs also need to ensure that their internal risk management processes make sense and actually reduce the risk of non-compliance. We see too many examples of bureaucratic and ineffective risk management approaches: multiple risk assessments that are not aligned or integrated across functions, risk reports that are not used for anything, decision tools that can be manipulated by subjective interests, and methodologies that provide no new information about risks but mainly focus on existing problems and issues.

Once bitten, twice shy. Most FIs are currently piling up new risk management processes. But as with regulation, less is sometimes more. FIs need to show courage, challenge their own practices and question whether those practices actually make a difference in terms of reducing risk.

3. Efficient and ethical leadership and culture

Thirdly, risk management and compliance are most effective when supplemented by mature business processes, data governance, IT systems and a healthy and ethical culture and leadership.

It starts with the board and executive management, who need to set the tone, establish a shared purpose and risk appetite, ensure that incentive systems encourage compliant behaviour, ensure that people take ownership of and are held accountable for their actions, and ensure that the organisation continuously learns from adversity, errors and change.

In our view, risk management departments could add significantly higher value by spending more time on supporting leadership in achieving these goals.

Benefits of sensible risk management

The three battles are not won overnight. But fortunately, the benefits of engaging in the work come incrementally as FIs chip away at the bureaucracy pile.

In our experience, it works well to start in one corner of the risk and compliance jungle, find better and simpler ways of working, and then move on to the next corner. In this way, the time spent on fruitless activities can quickly be reduced, and better control of the risks can be achieved.