Cara Williams Shares Takeaways from the ABA’s First-Ever Risk and Compliance Virtual Conference

Late last month, I had the pleasure of attending and facilitating a couple of on-demand panels for the American Banking Association’s (ABA’s) first-ever Risk and Compliance Virtual Conference.

In “normal” times, the Risk Management Conference and Regulatory Compliance Conference are two separate conferences, held at different times of the year. For as long as I can remember, the former was historically a broad-ranging event (with a smaller, targeted audience) that focused more heavily on financial risk and, in recent years, began to branch out to include more sessions on non-financial risk types – like operational risk. The latter was a larger event (growing larger and larger each year) that was hyper-focused on compliance risk.

As I attended this year’s combined virtual conference, I started to think about how appropriate it was to combine the two, since more and more often we’re seeing the convergence of compliance risk program elements with operational risk and other non-financial risk types, such as reputation risk and strategic risk. This is in large part due to companies’ increasing focus on building and maintaining enterprise risk management programs – and it makes a lot of sense, based on my own experience. Banks typically tend to have more mature compliance risk programs, as compared to operational risk, so I can see a clear opportunity to leverage elements of one to fortify the other.

As these risk types begin to converge, it’s critical to establish common taxonomies. In some cases, risk programs have been built in silos and are often managed in disparate systems. Banks should be working toward system-wide reporting and creating an aggregated, holistic view of their risk profile. But this effort becomes labor intensive if you don’t have a risk-type-neutral framework in place to establish the shared risk classification.

The effort to create one is necessary, though, because it’s imperative that your risk programs are able to “talk” to one another. The alternative opens up a whole new set of risks: first, an inability to produce meaningful, actionable reporting; and second, aggregating risk across the enterprise becomes cumbersome, leading to difficulties in adequately identifying, measuring and controlling your risk.

As I reflect on this year’s wonderful live and on-demand sessions, a few key themes are resonating with me. In many ways, the pandemic has desensitized us to words and terms like “unprecedented,” “record-breaking,” “new normal,” and “shifting priorities” – they’ve become part of our everyday vernacular.  But as I look at those words in reflection to the work I love, they can and should be applied to the way we think about existing risk and compliance management programs.  

It’s a paradigm we must adjust to meet the demands of this “new normal.” While many organizations shifted their focus at the beginning of this crisis, we’ve reached a point where it’s time for all of us to address key issues and continue to ensure compliance, manage risk, and keep the business going. Right now, I’m looking at this through a few lenses:

• How do we adjust to prolonged remote work? And what processes and procedures need to be put in place for organizations that are ready to transition back into an office setting? The answers will be different depending on whether you’re talking about a corporate office or, in the case of our FI partners, a branch location. But the sheer fact that we’re asking customers to wear masks inside our facilities is an illustration of just how far we’ve come – and a sign of necessary progress yet to occur – before this pandemic comes to an end (or is at least manageable).
• Given this environment, risk is evolving at a rapid pace. With that in mind, it’s important for banks to review their risk appetite as well as supporting models and adjust accordingly. Strategy and strategic risk factors should also be on the table for ongoing discussion. If we’ve learned anything from the past few months of quarantine, it’s that even after you establish and align on these elements, they should be revisited on a regular basis – at least quarterly – to ensure they remain appropriate for your institution.
• As we ease into our new way of working and regulatory bodies have the framework in place for safe remote inspection, it’s important to have a solid, documented and repeatable root cause analysis framework in place to ensure remediation and issue management efforts pass review and don’t reoccur. With that in mind, take the proper time and care now to fully understand root causes before you start active remediation planning. You’re sure to see a big return on investment on that effort, as it will save a significant amount of time in the long run.

Technology particularly in the regtech/fintech spaces will continue to play an increased role in our risk programs as we explore opportunities to migrate from manual processes and controls toward automation. Ultimately, this will provide a huge lift in efficiency and risk mitigation. I see real opportunity for this in the monitoring and testing spaces.

Automated monitoring allows for real-time insights, which will help financial institutions identify issues sooner and make remote teams more nimble. Automation also will make testing more representative, enabling banks to move away from small samplings to a situation where they could test an entire population, leading to increased accuracy and greater coverage by no longer relying on just representative populations.

As a first step in this transformation, it’s imperative that organizations take the time to find a single source of truth for their data. As operational risk and compliance risk converge and we move toward enterprise risk management programs, organizations must ensure they have a single source of information to support the various elements of their risk management program (i.e., key performance and key risk indicators).

In these uncertain and unprecedented times, it’s easy to get overwhelmed. I had so many great takeaways from the virtual conference that added to all the thoughts already swirling in my mind … but you can’t tackle everything all at once. No matter where you are in your risk management program journey, it’s crucial to review your existing framework now and ensure it’s in order and as strong as it can be. Only then can you start your renovations and prepare for what’s next in this “new normal.”