Written by Paul Eccleson on Monday 13 February, 2023
A friend of mine, a Chief Risk and Compliance Officer within a financial services firm, recently told me about a dilemma he was facing with his board of directors. Compliance monitoring had uncovered a control failing that meant his firm seemed to be in breach of a regulatory policy. The requirement was for the manufacturing firm to collect information regarding fees charged to customers along the whole of the supply chain.
The intent of the rule was obvious – for the manufacturing firm to assess whether the ultimate price charged for the product was fair and good value. The board's decision was to ignore the requirement, their reasoning being that collecting and maintaining the information across all of its distribution channels, all of its partners and all of its products would be onerous and disproportionate. Furthermore, the impact on intermediaries in the supply chain would be even more burdensome. Each would be expected to report on its product fees to each of the manufacturers it dealt with, even when they had no direct relationship with the manufacturer, and that would be a very difficult sell to the firm’s partners. In a market where no other manufacturer seemed to be demanding such data, my colleague’s request for compliance with the rule was declined.
The true risk appetite
Although we, as risk and compliance professionals, would like to think otherwise, such risk decisions are common in our industry. A quick scan of UK Financial Conduct Authority (FCA) Final Notices reveals multiple examples. Non-disclosure of key financial facts so as to avoid share price drops, weak AML processes in order to accept lucrative business, deliberate misadvising of pension transfers: all demonstrate wilful non-compliance in pursuit of profit. That such scenarios appear common is testament to the enormous challenge that supervising a market represents. Many regulators are under-resourced, have difficulty recruiting skilled staff, face limited and expensive legal interventions and are required to regulate very large numbers of market participants. The blunt truth is that in every regulated market only a small number of the most significant breaches will face any sort of censure.
When making anti-regulatory decisions, a board is expressing its real risk appetite. Despite what it probably outwardly expresses as a ‘minimal’ appetite for regulatory breaches, the cost of the mitigating controls is considered too great when compared with the risk of regulatory intervention. This can be frustrating, even bewildering, for compliance professionals, especially when rules are clear and explicit in their expectations. It is, however, the role of the board to make such decisions and, uncomfortable though that may be for GRC staff, such decisions set the strategy and culture of the firm.
Practical steps
What are we to do when we find ourselves in this situation? Our role, especially if we are a regulatory approved person, is to challenge. This takes independence, bravery and a broad range of influencing skills. The following approaches may help, once you have decided what you feel is the correct course of action.
- Look for factors that may not have been taken into account during the decision-making process. It is likely that the board considered only those arguments that supported the financial aims of the firm. After all, that is what most boards are there to achieve – profitable growth for stakeholders and investors. Listen to their position carefully. Our GRC role is to bring in opposing perspectives and arguments, but we can only do that if we understand what they have already considered and what they have not. Alternative positions might include: ‘The rule is there to deliver fairness for our customers’; ‘AML checks prevent our firm being used for terrorism and organised crime’; ‘dishonesty in the market makes us like Enron’. Such alternative positions can prevent ‘groupthink’ – where cohesive teams reinforce each other’s ideas, disregard pertinent information and seek only confirmation.
- Challenge some of the underlying, but untested, assumptions in the board’s reasoning. Boards can often develop unchallenged beliefs about a market or business, which turn out to be inaccurate. It may be, for example, that several of the firms in the supply chain have the information readily available, but have never been asked for it. Some may even be supplying it to others without issue, without the board being aware of it. Assumptions about the ways in which a business operates tend to become cemented in a firm’s beliefs, but have never been investigated or tested.
- Consider whether you can take actions that will go some way to mitigating the impact of the decision. There may be some occasions when you have to live with the board decision, but even here you can take some steps to reduce the impact of a breach. Clearer statements regarding fees in customer literature, managing fee data from larger distribution partners, and speaking with peer compliance officers in the supply chain, will all go some way to minimising the impact of the risk without full mitigation. The extent to which you undertake such mitigations will depend upon how serious you consider the breach to be. Such ‘halfway house’ solutions, however, may make you feel too uncomfortable when managing serious risks.
- Appeal to individuals on the board whose role includes expectations of regulatory adherence. Several roles on boards are designed to provide checks and balances for regulatory purposes. Audit committee chairs, senior non-executive directors, and chief risk and compliance officers should all have components of their role profile that are designed to maintain regulatory balance in board decision making. A reminder of that obligation would be timely.
- Consider appealing to a higher authority than the local board. Should all else fail, and you consider the potential breach suitably serious, look to authorities higher than your board. This could be an owning group or higher board in the governance structure. It may even be a regulator. Needless to say, such a step should not be taken lightly. Even though you see this as an imperative escalation given the seriousness of the breach, your local board (who are, let’s face it, your employer) is likely to close ranks and see it as ‘trouble making’.
A career in GRC is challenging. You are the person walking towards issues when others are walking away from them; it is you asking the difficult questions and challenging the cosy status quo of the group. To succeed in the role requires strength of character, influencing skills and a strong moral compass. Only then will we be capable of balancing regulatory risk with opportunity within our organisations.