InsideNOW

Risk management and compliance operating models in investment management

The investment management and wealth sector is experiencing a range of client, regulatory and technological changes that are having a direct impact on decisions about the choice of operating model.

Authors

Jonathan Burdett - Partner - Risk Advisory - Deloitte

Daniel Barry - Director - Risk Advisory - Deloitte

Published on 12 March 2019

Over the last 15 years, risk and compliance functions within the investment management and wealth sector have primarily focused on responding to unprecedented levels of regulatory change, with headcounts for traditionally separate risk and compliance functions markedly increasing in some of the larger firms—and existing staff being overstretched in smaller firms—as a result.


Whilst the regulatory change agenda remains a top priority, CROs and CCOs are facing a range of other challenges that are driving reviews of business and functional operating models (including a re-definition of roles and responsibilities) across the traditional lines of defense. Brexit, market consolidation, supervision and investigation activities from regulators, general capacity constraints, and strategic objectives set by CEOs to “do more with no more” are all shaping the evolving identity of risk and compliance functions, and determining how they design and execute their methodologies.


Additionally, we expect that senior risk and compliance professionals will need to demonstrate a strategic, business-aware, commercial, and relationship-orientated set of capabilities rather than a purely technical set of skills as would have often been the case in the recent past. From the candidate’s perspective, this also represents an opportunity to ensure that they have the mandate to effect change and re-shape the identity and purpose of the function. This is particularly important given the implications of getting it wrong under the various new senior manager individual accountability regimes such as the Senior Managers & Certification Regime (SMCR) in the UK.

Three lines of defense

The “three lines of defense” principle has been applied inconsistently across the sector and it is relatively common for responsibilities not to be formally documented. Historically speaking, the inconsistency was due to second-line functions lacking the maturity or credibility to embed common principles and practices effectively, or an insufficiently risk-aware culture within the business areas resulting in second-line functions performing a greater role in the risk management cycle.


However, as the December 2019 SMCR deadline looms large in the UK, we expect that more investment managers will explore opportunities to bolster their risk identification and control assurance capability within the specific business areas themselves—with the Front Office being a priority candidate for building out highly technical investment oversight capabilities merged with traditional risk and compliance skillsets.


Setting clear objectives and identities for the risk and compliance functions, and ensuring that all key stakeholders—from shareholders to board members, executives, staff and regulators—understand them, is critical.

Operating models

One key consideration across risk and compliance, especially given margin pressures and the challenge of attracting top talent for some firms, is the design of the operating model, including perspectives on location strategies and alternative delivery models. Whilst there is no common “second-line” operating model in the sector, a number of firms are starting to consider the merits of functionally integrating common activities into centralized teams focused on framework development and maintenance, management information (MI), reporting and analytics, emerging risk and regulatory horizon scanning, and the normally separately managed compliance monitoring and risk assurance activity. Activities that either require a high degree of standardization or operate high volume and repeatable tasks tend to be good candidates for centralization. There are opportunities for firms to consider housing some of these centralized activities in lower-cost locations and leveraging a range of technology solutions to effectively scale and globalize this type of offering. This level of integration allows traditional advisory teams or business partner groups to focus exclusively on areas such as technical regulatory interpretation, business change, and specialist advice. A central assumption is that some activities will be delivered remotely, whilst others must be located close to core business activities so as to maximize benefits from functional, channel or asset class alignment and the opportunity to develop credible and trusted relationships with key stakeholders.

Re-defining second-line operating models should not be done in isolation as concepts around first-line risk management, compliance and control functions are beginning to gain traction. Managing any changes to operating models can be difficult and there are a range of people and cultural factors to consider including the willingness to change, the ability to think beyond personal bias, the acceptance of technology, and the need to invest.

Technology

As firms seek to achieve efficiencies, they often focus on implementing technological solutions; the key assumption being that technology can reduce headcount (both in terms of not hiring additional resources and in terms of reducing the number of current resources). New technologies that would have previously been out of reach for all but the most sophisticated investment managers can now be used without significant cost implications. In our experience of assessing whether this is achievable, we have found the benefits depend on the business model, the scope of second-line functions, the nature of specific processes, and the culture within each organization.


Generally speaking, technological opportunities include the implementation of one or more of governance, risk and compliance (GRC) platforms, trade surveillance analytics, communications surveillance systems, MI production automation, code of ethics automation, and financial crime workflow tools.

That said, there are a range of additional factors that should also be considered in the lead-up to the development of a technology strategy, when it is advisable to develop a holistic business case around both operating model and technological opportunities at the same time.


Key considerations when defining a technology strategy include drivers of current capacity constraints, the scale of technological change required to enable meaningful efficiency gains, commensurate technology, co-investing opportunities and data efficiency initiatives in the first line, and optimizing your risk and compliance operating model across the lines of defense to derive optimal benefits from your technology strategy.

Conclusion

When seeking to optimize the risk and compliance operating model, firms operating in the investment management and wealth sector should:


  • Identify what type of risk and compliance function you want to be. Pinpointing how you want to be perceived by the range of audiences you interact with should be the driving force behind structural design decisions for your function. Historically, we have seen a lack of focus on continued improvement across the second line. Rather than being positioned as a potential differentiator in winning and retaining key clients and mandates, risk and compliance functions have been seen as “hygiene factors”. Adding value and acting as credible advisors is key for most risk and compliance functions but there needs to be a common understanding across the lines of defense to achieve this.


  • Be clear about the skills and capabilities you need to design and build, and then operate the tools of the framework. In combined risk and compliance functions, finding resources that are all things to all people can be challenging, so the development of complementary skillsets combining the rigor and discipline of risk management with the technical competence of regulatory compliance is preferable.


  • Identify processes and activities across your risk and compliance functions where there is a high degree of commonality and skillsets. This will inform views on the merits and practicalities of aligning (or merging) teams or processes in order to drive efficiencies, improve scalability, and reduce costs.


  • Consider technological opportunities when reviewing your operating models. Functional integration will require elements of process restructuring and this will allow you to understand where innovative technologies can improve efficiency and productivity. In order to fully realize the benefits offered by technology, it may be necessary to create sufficient scale by consolidating certain repeatable/predictable activities and assigning them to functional teams and creating synergies across risk and compliance taxonomy methodologies such as risk assessments, assurance activities, and reporting.
