Corporate risk rarely follows a calendar. There may be seasonal matters that ebb and flow month-to-month, but seldom is there an annual reset of issues that can be pre-filled into a day planner.
This year, however, may put those assumptions to the test as we enter the second year of the Trump administration. And with it, presumably, will come continued deregulation (or at least the perception of it).
More uncertain, and where risk factors start to gel, is that as key regulatory posts are filled, from the Federal Reserve to Securities and Exchange Commission, we will get to see how new regulators prioritize their workload. What rulemaking is top-of-mind? What will enforcement proprieties be?
2018 also brings uncertainty in Europe, with after-effects of Brexit and, more broadly, heightened privacy expectations (such as GDPR) vexing companies that do business there.
Meanwhile, cyber-security issues follow technological evolution, creating an imbalance of risk and reward to disruptive technologies like blockchain and FinTech, says an annual survey conducted by the global consultancy Protiviti and North Carolina State University’s Enterprise Risk Management Initiative.
Nearly 730 board members and C-suite executives from around the world provided their perspectives about the potential impact over the next 12 months, which include:
Recurring natural disasters with catastrophic impact on supply chains;
Soaring equity markets;
Turnover of leadership in key political positions;
Potential changes in interest rates;
Cyber-breaches on a massive scale;
Elections in Europe;
Threats of nuclear engagement, and
The dark side a strong U.S. dollar.
Not only has concern over the rapid speed of disruption risen three places since last year to become the second-highest ranked risk for financial services organizations, but the significance of this risk has increased substantially over the past two years, according to the survey. Financial firms in particular are concerned about their ability to respond competitively and modify their business models in a timely manner to manage the enhanced risks.
“What you put in place today is not going to work a year from now. And likewise, what you were comfortable with a year ago is likely inadequate today.”
Jim DeLoach, Managing Director, Protiviti
“New regulations coming into force in 2018—especially the European Union’s General Data Protection Regulation, which applies to all firms that store or use customer data, or even those firms who market to EU clients—have increased the focus of the compliance function on this area, requiring more resources over the past year,” the survey says.
“Pressures from boards, volatile markets, intensifying competition, demanding regulatory requirements, fear of catastrophic events and other dynamic forces are leading to increasing calls for management to design and implement effective risk management capabilities and response mechanisms to identify and assess the organization’s key risk exposures, with the intent of reducing them to an acceptable level,” a summary of the survey results adds. “Boards of directors and executive management teams cannot afford to manage risks casually on a reactive basis, especially in light of the rapid pace of disruptive innovation and technological developments in a digital world. Expectations of key stakeholders regarding the need for greater transparency about the nature and magnitude of risks undertaken in executing an organization’s corporate strategy continue to be high.”
Respondents also highlighted a cultural concern related to overall resistance to change within the organization. Respondents are growing even more focused on the organization’s potential lack of willingness to make necessary adjustments to the business model and core operations that might be needed to respond to changes in the overall business environment and industry. As many organizations have discovered in recent years, strategic error in the digital economy can be lethal. If major business model disruptors emerge, respondents are concerned that their organization may not be able to timely adjust its core operations to make required changes to the business model to compete.
Regulatory change and heightened regulatory scrutiny continues to represent a major source of uncertainty among the majority of organizations. Fifty-nine percent of respondents rated Regulatory change and heightened regulatory scrutiny as a “significant impact” risk, ostensibly due to the uncertainty they present. Political gridlock and checks and balances in governing institutions may have tempered that concern somewhat, however.
While the economy may be booming, Jim DeLoach, a managing director at Protiviti, warns that companies should not relax their guard. “Despite all the optimism, when we think about the pace of change it reminds us that we need to stay on our toes,” he says.
Disruptive technologies, in many ways, are a communication challenge, De Loach says. Boards and CEOs “get the stark reality that what you put in place today is not going to work a year from now. And likewise, what you were comfortable with a year ago is likely inadequate today.”
Shifting to supply chain woes, terrorism and natural disasters can cripple a company’s manufacturing and shipping plans. “If one or more of strategic suppliers were to be brought down for an indeterminate period of time, how long would you be able to operate?” DeLoach says. “If you don’t like that answer, maybe you need to think about creating another supplier or sustaining inventory to give a little bit of a buffer and allow the supplier time to get back on their feet.”
Weighing in with its own year-end risk assessments is Wolters Kluwer. Its annual “Regulatory and Risk Management Indicator” survey of U.S. banks and credit unions, shows that regulatory compliance and risk management concerns have inched up three percent over 2016 results.
The survey was sent to banks and credit union nationwide earlier this fall and generated 608 responses.
While concerns over several specific challenges such as fair lending exam scrutiny and new Home Mortgage Disclosure Act rules remained high, other compliance-related factors—including the ability to track, maintain and report to regulators—remained steady or declined slightly.
Overall, risk management concerns jumped by 13 percent over the 2016 Indicator results. Cyber-security and data security led the list of top risks that respondents anticipated giving escalated priority to in 2018, with an 83 percent ranking of “concerned” or “very concerned,” followed by IT risk (54 percent) and regulatory risk (50 percent).
“These results—compiled against a backdrop of highly publicized data breaches at well-known entities, and at a time when financial institutions are preparing for the implementation of the most significant set of Home Mortgage Disclosure Act changes in several decades—drove the increase in concerns expressed in this year’s survey,” says Timothy R. Burniston, senior advisor and principal regulatory strategist at Wolters Kluwer.
Efforts in implementing risk management programs remained relatively steady, with modest progress in those characterizing their organization’s efforts as having either an integrated, strategic risk management program (37 percent) or a well-defined but not enterprise-wide implemented program (33 percent) versus those in the early stages of program development (22 percent).
Respondents expressed concern about optimizing their organization’s compliance costs (78 percent), reducing exposure to financial crime (72 percent), and managing compliance monitoring and testing (73 percent). In a free-text response question, the Home Mortgage Disclosure Act rules going into effect January 1, 2018 were cited as the single biggest compliance challenge.
Regulatory examiners’ scrutiny of fair lending programs was also seen as a growing pain, with 46 percent of respondents noticing either a considerable or slight increase in scrutiny based on their institution’s most recent exam.
Respondents cited a multitude of obstacles to managing an effective compliance program, led by “inadequate staffing” (46 percent), “manual rather than automated processes,” (39 percent), and “too many competing priorities” (34 percent).
The survey shows that deregulatory buzz in Washington may not be translating into compliance departments taking their foot off the gas.
“The responses reinforce the strategic imperative of having a proactive, well-staffed and supported corporate compliance program that operates across the three lines of defense —the business units, along with compliance/risk and audit areas—in tandem with an overarching risk management framework integrated with all lines of business,” Burniston says.
“People who have been doing this for a long time have not really seen wild swings to the core of what everyone is responsible for and continues to be responsible for,” he adds. “The fundamental building blocks of what makes a good compliance program really don’t change from administration to administration because regulators are still keeping their expectations high. There may be changes in enforcement and emphasis here or there, but they are still expecting folks to stay on top of things and do a good job.”
Doing a “good job” is an increasing challenge as qualified compliance job candidates are becoming harder and harder to come by. “Inadequate staffing,” as a risk factor, rose 13 percent in this year’s survey.
“It was a really big jump,” Burniston says. “All of a sudden staffing is becoming a really big issue. You can’t just keep throwing people at this the more you can automate and standardize processes the better off you are going to be. More sophisticated monitoring is going to be a more critical thing in the future as companies look for consistency and stability with their compliance program.”
Even as rulemaking is scaled back under the Trump administration, the foundations of a good compliance program still remain.
“Regulators are always expecting compliance, even in a favorable regulatory climate,” Burniston says. “The consequences may continue to be significant. Maybe you are not going to see really large fines or a whole lot of public enforcement actions, but the regulators have a lot of both formal and informal ways of compelling change in organizations, getting people to address weaknesses and problems that may not always make the newspapers.”