Effective internal control that matters
Three practical components to eliminate silo thinking in internal control departments
“When having a suitable kit of brakes fitted to your car, you just have that bit more confidence on a twisty road. Having effective internal controls suited to your company, gives you just that bit more confidence over projected returns, associated risks and underlying processes. Though, it is not all about having the controls, it’s equally important to have them adequately fitted” say Broes Breyne and Dave Vreugde, Project Managers at TriFinance Financial Institutions and members of the Risk Management & Compliance Practice. “In this text, we will unveil how governance, managing non-financial risks and talented people are key to one united organization.”
Controls over processes are set up according to the three lines of defense model.
Fig 1: Three Lines of Defense
Prompted by the legal obligations for the Board of Directors and Management committee (Art 21, 23 and 57 - Law 25 April 2014), financial institutions have demonstrated tons of good intentions to fit and embed the 3 lines of defense model.
We believe, however, that these efforts more often than not translate into a silo-working environment between and within the three lines of defense, resulting in duplicated work, undetected gaps on inter-process and company-wide risks, and the use of jargon that is nearly incomprehensible to the rest of the audience.
In our view, the current rate of change in IT requirements (systems, cybersecurity), customer expectations (servicing and apps) and regulatory aspects (MiFID II, AML 5) should be reflected in the impact on controls and risk exposure. When an organization is reactive instead of proactive on these market trends, its internal control environment and key controls will lag even further behind.
But how to upgrade your brakes, as your engine development goes along?
An observed market trend is to change the working methodology towards ‘Agile and Lean’ approaches rather than implementing the real solution.
In our opinion that real solution is to embrace change as an opportunity to increase sales, satisfy customer demands while complying with regulation.
We believe that a combination of three components throughout the organization should be considered to break the stalemate and to put in place an internal control … that matters.
1. Deal with governance
As referred to above, the Board of Directors has the legal responsibility to set the risk appetite for all operations and to review strategies and policies for the overall internal control process. Meeting these legal obligations is a conditio sine qua non for alignment of the overall organization and a key success factor for internal control.
In the endeavor to fulfill their duty, governance bodies are currently still confronted far too much with segmented and sometimes even incoherent reporting. This reporting is based on several risk and control taxonomies, concepts and materiality thresholds, fragmented data warehouses and differing recognition/valuation of mitigating elements. This fragmentation makes it impossible to issue powerful messages to the governance bodies. Together with this observation, we also want to warn of the increased risk of ownership dilution as financial institutions follow new routes, such as the Agile and Scrum methodologies, to cope with this challenge.
Risk exposure will not be substantially mitigated if we continue thinking in silos. A joint approach of the second line of defense departments will however definitely result in a more efficient and effective internal control process.
Risk indicators measuring the impact of major negative events and the associated controls should be jointly designed to ensure that operational risk tolerance remains within the defined limits. The associated reporting should provide assurance that the overall internal control system is on track and that control gaps have been appropriately addressed. The history of operational losses also constitutes valuable input for operational risk capital charge in the Internal Capital Adequacy Assessment Process.
2. Address non-financial risk in an integrated way
We observe increasing awareness for non-financial risk in terms of compliance and for the operational risk of disruption of operations. The European Banking Authority currently ranks the stability of ICT systems and misconduct/reputational risk as respectively high/medium with an increasing trend. The materialization of anti-money laundering (AML) conduct has raised significant concerns and may result in substantial misconduct cost remaining a drag on profitability.
The creation of a company-wide awareness plan and process is a cornerstone for addressing non-financial risks in an integrated way. Every employee should share the concerns of the organization and be aware of his or her individual responsibilities and accountability related to regulatory obligations, internal control outcomes and compliance duties.
Reputational damage caused by recent compliance failures has put additional pressure on institutions to keep investing in additional staffing. Managing risks related to AML and outsourcing is key to reducing this reputational risk, considering the latest AML breaches at several European banks and the pressure and regulation on outsourcing from the European Banking Authority (EBA). We believe, however, that these investments still primarily address historical recommendations issued by the internal control departments and supervisory bodies.
Beyond the walls of the actors involved, digitization is key to speeding up the awareness process. Manual controls are far from the exception at, for example, compliance departments, and they are not only prone to errors but also expensive because of the time they require.
Advanced analytics and Artificial Intelligence are currently available to reduce both ‘false positives’ and ‘false negatives’ in the money-laundering screening process.
As the number of false positives goes down, the pertinence of the hits goes up, and so does awareness in the business. It is ultimately a matter of turning lessons from the past into knowledge and best practices for today and tomorrow.
3. Support the revamped organization with the capacities that fit requirements
With the rate of change in mind, the focus areas shift from processes to people and information systems. We believe it will be primordial to develop the skillset to deal with areas such as cybersecurity, data management and fraud detection.
People present in your internal control environment will no longer have the luxury to hide behind screens and spreadsheets, but will need to build bridges between people, departments and vendors for outsourced business. IT and system knowledge will no longer be limited to knowing where the mainframe is located, but it will be crucial to understand how systems interact, in and outside organizations.
To anticipate the needs of our clients on these development areas and guide them through the twisty roads of risk management, TriFinance has already put extensive effort in hiring and developing the internal control skills of the future.
The consultant of the future can create these bridges, create a fit with the organization while showing his insights for considering regulation as an opportunity rather than a burden.
- EIOPA - Outsourcing to the cloud: EIOPA’s contribution to the EC FinTech action plan
- EBA - Revised guidelines on outsourcing arrangements - Feb 2019
- EBA - Risk Assessment of the European Banking System - Dec 2018
Broes Breyne joined TriFinance as Project Manager in 2019 and is an experienced Risk Manager with a broad history of responsibilities in change projects in an international environment. In previous roles he has built familiarity with the implementation of regulatory frameworks in the financial sector within Risk and Compliance, including cultural change, communication and awareness programs. Broes took up these roles in Banking (ABN AMRO – Belgium & Luxembourg), Captive Financing (FIAT Group - Italy) and Asset Management (Candriam).
Complementary to Operational, Credit Risk Management and Business Continuity competences, he is also certified as DPO and can lead or support change programs in these areas of expertise. Broes is convinced of the importance of creating practical in-house controls and awareness to build a resilient risk-aware organization.
Dave Vreugde joined TriFinance Financial Institutions as a Project Manager in 2016. Before that, he performed external financial audits for EY at different financial institutions. During this period, he discovered his passion for risk management and compliance within this sector. His first assignment at TriFinance was an internal audit assignment at Bank J. Van Breda & C°.
Dave has experience in the analysis and implementation of regulatory changes such as MiFID II, Basel III and GDPR. Furthermore, he has a broad experience in banking and insurance products, processes, systems, accounting and distribution channels. Dave is experienced in the internal audit of different processes in Finance, Risk, Operations and Regulatory. He has a strong affinity with regulatory implementations.
About TriFinance’s Risk Management & Compliance Practice
The TriFinance Risk Management & Compliance practice supports banks and insurance undertakings in anticipating and addressing the tighter supervisory and internal Group standards relating to risk management and internal control. In this perspective, recommendations issued by the different supervisory bodies are closely monitored and translated into best practices. At the same time, TriFinance can help banks in all kinds of transformation processes in the area of Risk Management and Internal Control to be better prepared for the rapidly evolving external environment.