Amid a tough climate of regulatory enforcement and an explosion of new rules after the financial crisis, many large companies—especially financial institutions—have beefed up their staffing on risk and compliance.
Citigroup, for example, now boasts nearly 30,000 employees dedicated to regulatory and compliance issues. As 2014 drew to a close, HSBC was well on its way toward a goal of 7,000. Since 2013, JPMorgan Chase has increased compliance- and risk-related spending by $4 billion and added 5,000 new employees. Last year, Deutsche Bank added 500 U.S. compliance officers to its ranks.
While those investments have not gone unnoticed, are they actually effective? Time will tell, as specific firms wrangle their way out of ongoing regulatory woes. The payoff isn’t immediate. Deutsche Bank, for example, still failed its recent Federal Reserve stress test because of “numerous and significant deficiencies” and a failure of its “ability to identify risks.”
While few would argue that these investments are a bad thing, ramping up does require a carefully developed strategy that matches adequate talent with a coordinated game plan, says Mitch Avnet, CEO of Compliance Risk Concepts, a consulting firm. “While companies have taken huge steps to increase the size of their compliance functions, I can’t tell you that those functions are any better today than they were historically,” he says. “There can be a lot of confusion among a lot of the added compliance folks in terms of where they fit in, who owns what, and who is stepping on whose toes.”
Ed Wilmesherr, of the law firm Butler Snow, agrees. “It is a balancing act. You have to have enough people, but they have to be trained in the necessary procedures,” he says. “They have to know what their part of the puzzle is—what their job is—and go out and do it. Then there has to be monitoring and follow-up, including testing to make sure everything runs the way it is supposed to.”
“It is one thing to have a big head count, but it can be caveman compliance: They are just hunting and gathering. How much of their time is really being used to conduct high-quality analytical work and provide good advice to your stakeholders?”
Mitch Avnet, CEO, Compliance Risk Concepts
If improperly managed, adding more compliance personnel won’t necessarily translate into a more effective function. “It definitely sends a message when somebody says they are going to add 300 or 500 people to compliance and risk,” Avnet says. “My fear is that you are throwing all these resources at risk management functions and diluting the impact of these efforts, because there is a lot of redundancy in what people are working on … When you get in front of your business owners you lose credibility because they already met with 18 people just like you within the last month.”
Another concern is meeting a hiring quota without regard for the skill set of those being hired. “The necessary skills may not be present in the individuals taking on these jobs,” Avnet says. “You need to take a strategic approach to compliance, and throwing bodies at a problem is not strategic … It may require a complete upgrading of your infrastructure and the technology that is available to your compliance departments to manage this additional staff.”
It is difficult for a CCO who now must oversee hundreds of extra bodies and ensure they are all doing the right things, says Dwight Smith a partner with the law firm Nelson Mullins Riley & Scarborough. “There are only so many skilled compliance people out there, so once you bring in hundreds of people you are certainly bringing in some who might have the right attitude, but need the right training.”
Smith’s suggestion is to divide compliance efforts into two flanks. The CCO, and the broader function, can focus on reviews and conduct audits. A large institution would also benefit from having compliance teams embedded within the business units to build a day-to-day relationship. “On a continuing, day-to-day basis you have compliance people in the business operations to figure out what training is necessary and answer questions,” he says. “They can try to be supportive, not punitive.”
Firms might do well to assess whether adding employees is worth the expense when compared to a technology upgrade. “It is one thing to have a big head count,” Avnet says. “But it can be caveman compliance: They are just hunting and gathering. How much of their time is really being used to conduct high-quality analytical work and provide good advice to your stakeholders? I’d much rather have a department that has state-of-the-art tools at their disposal, has good risk information to discuss with the businesses they support, and be in a position of knowledge in terms of what is coming down the pike.”
Systems vs. Staff
“It’s a risk all organizations will always have to contend with,” says Samantha Regan, managing director of Accenture’s finance and risk practice. A proper use of GRC technology, and making smart use of data analytics, may be able to help companies move in the right direction as they populate their risk and compliance efforts.
“The idea is to spot patterns and trends,” she says. “Looking at different types of data might hold clues to potential bad apples in your organization and people who are more prone to market abuse and doing the things they should be doing. Predictive analytics can help look for patterns and trends you might not have seen in traditional monitoring and surveillance activity.”
“One of the areas we all struggle with in this post Dodd-Frank era is how we deal with all this regulation that has been coming down the pike and will continue to come,” Avnet says. “How do we make sure that information is ingested effectively within an organization and there is a strategy in place to comply with those regulations. It is very hard to do and nearly impossible to do manually.”
Technology, when properly integrated, can also force a rethinking and modernizing of the compliance function that goes hand-in-hand with added staff, Regan says. That mindset, however, isn’t always evident.
Hard to Earn, Hard to Retain
The following is from a 2014 survey and study by Accenture, “Compliance’s Seat at the Table: Hard to Earn, Hard to Retain.”
Further investment in compliance is needed to achieve strategic goals. Given the relative maturity of compliance programs, it is perhaps not surprising that further work is required to maintain and build upon compliance programs’ achievements to date.
Achieving this success comes at a price, and investment in compliance programs is set to continue to rise. Respondents were more certain than they were in 2012 that investment in compliance programs would increase, with a majority of respondents expecting spend to grow by 10 to 20 percent or more over the next two years. Goldman Sachs, for example, announced that its compliance and regulatory costs had more than doubled – from $444 million to $962 million – from 2012 to 20133.
Key areas of investment were expected to include analytics and risk modeling, which aligns with the industry’s growing interest in trend analysis across both structured and unstructured data to help predict and mitigate compliance events. Such focus on data analysis is also in line with the concerns of a majority of respondents around their firms’ performance in “data intensive“disciplines such as management reporting and issue management.
The need for investment in compliance talent is key to sustaining the required growth of the compliance function and addressing sources of financial and reputational damage to an organization. Over a third (34 percent) of survey respondents are currently trying to expand headcount, while an additional 46 percent are planning such increases. A failure to attract and retain talent in a fiercely competitive environment can be a barrier to success for the compliance program.
A recent Accenture survey of compliance officers at 150 financial firms found that investments in compliance continue to accelerate, with 76 percent expecting a total increase of at least 10 percent in the next two years. The results, however, call into question “the strategy and long-term relevance of many current investments in compliance,” Regan says. Eighty percent of respondents agreed that the compliance function’s ability to predict and avoid reputation and financial crime events can be a competitive advantage.
Just as more staff isn’t a cure-all, neither is throwing unrestrained money into technology, Avnet warns. “It is not a magic pill. and anyone thinking that it is will be is in for a big surprise,” he says. “It is not just a matter of plugging in a piece of software and problem solved. You have to be ready to deal with that output.”
That may be an area where extra staffing pays off, but key stakeholders from across the organization need to understand how a new or improved system will change things and be prepared for an on-boarding process that could take months.
There is another catch, however. While technology may help deploy all that extra staff effectively, it can also streamline operations to the point they aren’t needed.
“One of my fears, in the wake of this post Dodd-Frank ramp-up, is that the pendulum is going to swing the other way at some point and this regulatory environment will start to cool,” Avnet says. “Then how are you going to offload all these extra resources? We haven’t seen it play out yet, but if you hire 500 people you’d better have something for 500 people to do.