INSIGHT 2 Regulatory, Risk & Control Management 05 | 2015
In the rush to deliver transformational initiatives across an organisation, the Regulatory, Risk & Control implications introduced by those initiatives require a coherent framework to adequately identify, quantify and mitigate these themes throughout the transformation.
Global organisations today are intertwined, are subject to significant volumes of regulation and are exposed to a whole host of top risks which all have impact nuances depending on the region in which the organisation operates.

The delivery of transformational initiatives, specifically those related to outsourcing or partnering with new vendors, adds a further layer of risk management complexity.

Balancing the running of a complex organisation whilst trying to deliver transformational initiatives (e.g. changes) has been likened to flying a Boeing 747 whilst attempting to upgrade its crew, engine, navigational systems, wings and paintwork.

If this is not done in a controlled and prioritised way with the appropriate supporting control frameworks in place, then the plane would be unable to fly.

Ensuring that a portfolio of transformation has the right Regulatory, Risk & Control framework in place is heavily dependent on the type of transformation that is being delivered (i.e. outsourcing IT infrastructure will have different implications to transitioning roles to low cost hubs), the scale of the transformation and the presence and ability of internal groups to balance change with existing BAU work (i.e. Governance & Regulatory Affairs departments, Control Functions and Control and Risk Officers).

Depending on the scale, size and pace of transformation, in many cases it makes sense to establish a designated Regulatory, Risk & Control function to support transformation work.
This function will partner with control functions within the organisation to ensure compliance and adherence to organisation wide control frameworks and standards. In addition the function will undertake bespoke risk assessments of the transformation the organisation is about to embark upon and plan and deliver the Regulatory, Risk & Control framework requirements accordingly.

Upon completion of the transformation, on-going management of Regulatory, Risk & Control compliance will be assumed by BAU risk and control functions within the organisation.

When designing a Regulatory, Risk & Control function in support of delivering transformation initiatives, the scope of this function will be heavily dependent on the type of transformation being delivered. To ensure full coverage, however, the following capabilities must be established as a minimum:

• Regulatory: Ensures that the global regulatory framework and associated requirements for the type of transformation being delivered are satisfied. The function works with internal teams such as Government & Regulatory Affairs, to ensure regulatory compliance and to respond to regulatory requests. In addition, where required, this function facilitates the regulatory approvals and notification requirements for the transformation. Where a complex legal entity structure exists within an organisation, legal entity notification or approval for the transformation may be required. Additionally, the function will work with strategic suppliers where there are joint regulatory dependencies to satisfy.
• Risk: Ensures that all risks associated with the transformation have been identified, impacts have been defined, mitigation plans have been developed and accountable owners assigned. The function monitors the management of these risks through to full mitigation during the transformation. The key risk themes that this function prioritises will be vendor risk, operational risk and programme risk. The team works with all internal control functions to ensure risks have been fully satisfied. These functions include Information Security, Business Continuity, Group Tax, Compliance and Legal. Where risk management relates to an outsourcing engagement, the team works with the internal legal teams to ensure control requirements have been factored into all legal documentation, e.g. Master Service Agreements, Local Services Agreements and Intra Group Services Agreements.
• Control: Works primarily with internal and external audit functions where required, undertakes fieldwork and addresses audit findings.
• Regulatory, Risk & Control Reporting: Works with the transformation leadership team to proactively approach regulators and to respond to regulatory requests related to the status of Regulatory, Risk & Control activity across the transformation initiative. The sole responsibility of this function is to ensure the complex status of Regulatory, Risk & Control work can be documented and communicated in a concise, consumable and auditable way.
In my experience these functions need to be established with the right expertise and need to be supplemented with resources seconded from internal risk and control functions. This helps to drive understanding of existing frameworks and policy and seamlessly embed the outcomes of the programme into the organisation.

In addition, due to regional nuances of regulatory requirements or risk policy, a regional team structure should be considered and resourced, based on the scale of transformation in that particular region.

In addition to creating the right Regulatory, Risk & Control structure in support of transformation initiatives, there are also some underlying risk principles that should be adhered to in order to create the right environment to foster proactive risk management:

• Understand the risk profile early on in the transformation journey by embedding the Regulatory, Risk & Control function into the initial stages of the transformation planning lifecycle
• Utilise existing frameworks within the organisation to ensure buy-in from control functions and to drive consistency of risk identification and assessment across all transformation initiatives
• Take the time early on in the process to understand the link between transformation “events” and the risk profile that these events generate
• Understand the dependencies across the transformation initiatives in order to identify risk that may not be forthcoming when assessing risk in silos
• For those risks that have the potential to derail a change initiative in the event they become issues, special focus needs to be applied by both the risk function and the management team to ensure successful mitigation
• Drive a positive risk culture across the programme, making it clear that self-identified risk management is as important as risk assessments that are undertaken from the centre
• Create strong relationships with internal risk and control functions as well as encouraging an equal relationship governed by a joint understanding of policy and frameworks
• Create a joined-up framework and approach to risk management across all core risk components, to ensure dependencies are understood e.g. Operational Risk, Vendor Risk, Programme Risk and further risk arising from Audits, both internal and external
• Create a global coverage model to ensure the nuances of regional requirements throughout implementation are understood - extremely important when applied to regulatory requirements
• Assign risk accountability to members of the programme leadership team, to drive ownership of risk management and to ensure sufficient focus is maintained throughout initiative implementation
ANDREW@CARBONADO.CO.UK INFO@CARBONADO.CO.UK CAREERS@CARBONADO.CO.UK
07872 463 882
CARBONADO PO BOX 56494 LONDON SE3 3DJ
WWW.CARBONADO.CO.UK