In the aftermath of the recent financial market crisis, the burden of implementing regulatory requirements has been constantly increasing. From a political perspective, the key issue is establishing values in the financial sector, along with a clear understanding of its social responsibilities. Overall, the aim of financial market regulation is to protect customer interests and ensure the stability and integrity of the market and ultimately of the system on which our economy is based. To achieve this aim, rules are set out and anyone who wants to operate in this world has to abide by them.
Both the establishment and the implementation of these rules can frequently lead to imbalances. This is not really surprising as, in the absence of a test system, everything has to be tried out on the actual system. A certain amount of time is needed to be able to assess whether or not the desired effect has been achieved. Unfortunately, many imbalances often lead to excessive bureaucracy and missed opportunities. And it is very rare for these imbalances to be corrected.
Therefore, it is vital not just to seriously address regulatory requirements and the associated compliance risks but to simultaneously establish a risk culture that will ensure that entrepreneurship and commercial and corporate risk management is not choked off by fear of compliance risks. This would have severe medium to long-term consequences for the creativity, innovativeness and profitability of the financial sector and thus for the fulfilment of its social responsibilities.
Dealing with regulatory requirements and compliance risks
Every organisation has to deal with a certain amount of bureaucracy, whether it wants to or not. To a certain extent, bureaucracy is simply a necessary evil. The amount of bureaucracy depends primarily on how extensive the rules stipulated externally and developed internally are and how pragmatic or complex their implementation.
The current constantly intensifying rules in financial market regulation and the associated compliance risks inevitably lead to increased bureaucracy for banks, investment management companies and insurance companies, and also for asset managers, investment advisors or multi-family offices. And, of course, this affects not only those major, internationally operating houses with a risk profile that could actually pose a threat to the integrity and stability of the market (systemically important financial institutions – SIFIs – in the language of the Financial Stability Board). All companies subject to financial market regulation have to suffer under an increasingly overwhelming bureaucratic burden. This includes those whose risk profile could hardly result in any risk to the market as a whole and who have previously always managed to achieve a good balance between their own commercial interests and the interests of their customers.
In the increasingly impenetrable jungle of regulatory demands at EU and national level, all companies affected by financial market regulations – the large ones and the small ones – are increasingly concerned about overlooking or misconstruing something and thus failing to properly implement the requirements. Compliance risks have become an increasingly significant risk factor for these companies in recent years, and in some cases can overwhelm their business and tie up huge amounts of capacity and energy. Those who can afford it employ a variety of experts to reduce their compliance risks. Within companies, compliance departments are growing, in some cases at an explosive rate. Needless to say, external experts such as lawyers, auditors and consultants are delighted with the upturn in demand for their services.
Many companies are so concerned about misunderstandings and incorrect implementation that they are being excessively fastidious in the way they deal with regulatory requirements. For example, when the German Federal Financial Supervisory Authority (BaFin) announces that minutes of investment advice have to undergo appropriate quality assurance, there are companies who internally stipulate that every minutes of investment advice has to be checked and approved by at least two employees. In the worst cases, this not only produces additional bureaucracy but also misses the actual point of the requirement, as it replaces addressing the issue of what makes a good minutes of investment advice with an extra layer of control and documentation.
It is important for us to ask ourselves what "those who can afford it" actually means. It is about much more than just personnel and consultancy costs. And also about more than the affected companies.
Compliance risks and challenges in avoiding them
Companies may possibly get to grips with compliance risks by employing lots of experts and bureaucratically implementing the regulatory requirements. However, this throws up at least three new risks that jeopardise the objective that the regulation is actually attempting to achieve.
Firstly, complete safeguarding against compliance risks is extremely expensive due to additional high direct and indirect overhead costs such as technical experts, external consultants, new processes with corresponding IT support and a change in the allocation of working time for all employees affected by regulatory requirements in the broadest sense. In times when banks are having difficulties meeting their capital costs, not many can afford to examine and go over every single regulatory requirement in such exhaustive detail and then to ensure a totally watertight implementation until all compliance risks are reliably eliminated. Particularly for small banks, asset managers, investment advisors and family offices, the costs of bureaucracy are making it increasingly hard to survive. They may be the first market participants to be brought to their knees and have to give up or sell their business. Will this make the market more stable and customers more satisfied?
Secondly, the scope of regulatory requirements and complete safe- guarding when implementing them is noticeably detrimental to employee motivation. In turn, this curtails creativity, innovation and productivity in companies. Most regulatory requirements do make sense and are designed to meet a specific objective – even if this is sometimes not immediately apparent. If financial market regulation is to meet its objective, it needs to be able to be communicated to employees. In addition, the objective must also reflect an appropriate ratio to the work involved, depending on a company’s size, complexity and risk profile. Excessive bureaucracy alone will not establish values or social responsibility. To reach that, we also need an intensive critical dialogue in the financial sector, and this does not currently exist to a sufficient extent. We cannot afford not to have this dialogue.
Thirdly – and this point may be the most important in view of the objectives of regulation – the number of regulatory requirements, some of which are now extremely detailed, can actually discourage people from taking responsibility. If people are told in great detail all the things they have to take into account and document – in risk management, in remuneration rules, for protection of customer interests, to name just a few examples – they will do exactly that. And usually nothing more than that. Let’s look at the "minimum requirements for risk management" (MaRisk) issued by the BaFin as an example. In practice these are frequently implemented word for word. People forget that this regulation is an approach based on principles and also that they are MINIMUM requirements.
Unfortunately, that’s what people are like. If someone appears to have done the thinking for us and then presents us with a detailed list of rules, we tend to believe we no longer have to think for ourselves, just work through the list and document everything. In this kind of environment, it takes huge inner conviction to look beyond the list of rules and deal creatively and innovatively with issues such as risk management and customer interests. And this is precisely the biggest danger of over-detailed financial market regulation. If we want to protect customer interests, the market and our system in the long term, we cannot afford to have a culture where individuals in the financial sector are discouraged from taking responsibility.
Shouldn’t we want to accept the three risks outlined, we need to master a balancing act between commercial thinking and action, adherence to and compliance with our social responsibilities and avoidance of compliance risks.
Commercial risk culture as a framework and a Balance
We need to go in a different direction. All employees in a company should view risks – not just compliance risks – as a natural and intrinsic part of their business and should continuously identify, monitor, communicate and manage them. The banking and insurance sector is a business based on risk. To permanently reduce potential threats and establish sustainable opportunity management, a comprehensive understanding of all relevant risks is essential. This requires a genuine opportunity and risk culture that shapes day-to-day actions. The overall risk culture provides the necessary framework for effective risk management in a company. The compliance risk culture can only be part of it – an important part but not the most important. It is necessary to initiate a comprehensive programme to develop a corporate risk culture, with the following aims:
- Development of a genuine opportunity and risk culture, which is deeply embedded in the organisation and its corporate culture and is not merely an appendage to it. This includes proactive and explicit risk and opportunity management as part of regular procedures, promoting both customer and employee satisfaction as well as business results. First and foremost, the opportunity and risk culture must allow people to take commercial risks and to then manage them efficiently.
- Creating a proper counterweight to the developments made to comply with regulatory requirements, so that no more bureaucracy is created than is actually required. This is important because, in view of an almost universally forceful emphasis of liability risks for managers, the trend is towards fastidious implementation of regulatory requirements for reasons of personal mitigation. This does not mean that regulatory requirements should not be implemented, or only in a rudimentary fashion. They should be one part of a comprehensive opportunity and risk culture, providing guidelines on which areas need particular attention while simultaneously leaving scope for pragmatic implementation focused on the actual aims of the regulation.
- Creating a basis and encouraging sensible and pragmatic decision-making and preventing brave commercial decisions from being curtailed. Risk is part of entrepreneurship. The task of an effective risk culture is not to prevent "risky" commercial decisions but to promote early identification of risks that could become relevant, increase the ability to take action in a stress situation, and limit the extent of any losses.
- Developing risk communication comprising both effective risk cockpits at the different decision making levels and comprehensive training on how to more effectively communicate opportunities and risks in order to bring about better decisions and more effective risk measures. Particularly these days, this is more important than ever. Because of our complex environment, there is so much information containing just as many risks and it is therefore extremely important to communicate risks correctly in order to arrive at the correct response to handling risk. Since the beginning of time, it has been important – sometimes even crucial for survival – to correctly communicate risks. For example, it has always been important to communicate which specific plants should not be eaten and which can heal illnesses.
It is important to understand that risk management is always about finding the best possible way to achieve an objective and not to be obstructed from doing so by problems. In the financial sector, "the best possible way" includes the best possible way for both the company’s own interests and, at the same time, for the company’s customers and for meeting its social responsibilities. There is no doubt that this is a delicate balance, but it must be managed for the sector to have a future.
How do people respond to risks? What are the patterns of behaviour and what often gets in the way of effective risk management? Developing a risk culture ultimately involves changing behaviour. The organisation in a company needs to do certain things that it didn’t do in the past and leave other things. For example, it needs to avoid reporting risks just for the sake of reporting. In addition, the bearer of bad news should not be criticised, risks should not be kept hidden, and they should not be delegated. Risks should not be communicated as failures. By contrast, a start should be made on reporting openly and honestly, increasing communication between departments, taking responsibility for risks and systematically taking opportunities. Management by example is absolutely essential.
If a company has undergone this kind of programme to develop an appropriate risk culture, managers and employees are in a much better position than before to identify and evaluate risks in good time, make better decisions and explicitly manage the risks they take. A genuine opportunity and risk culture has to grow in an organisation and needs to be internalised by all areas of the company. There are good examples of how this can be done. The success of a risk culture can be measured using three key performance indicators, or KPIs. They are risk management knowledge, behaviour and process.
The comprehensive and detailed requirements under financial market regulation lead to a great deal of bureaucracy and high costs, significant dissatisfaction among employees and even to the dangerous situation of discouraging individual responsibility. Fear of compliance risks leads to compliance standards being introduced that totally or partly miss the actual aim of financial market regulation or overshoot that aim. To prevent this, we need an organisational factor that enables compliance risks to be viewed in a healthy relationship with all of a company’s opportunities and risks. This factor is a programme to develop a corporate risk culture, as some good examples show. This programme plays a key role. It manages what is definitely a very difficult balance of more effectively deciding how much bureaucracy is necessary to implement regulatory requirements and when a decision can be left to commercial freedom and employees’ responsibility. Equally, this promotes commercial freedom and responsibility by supporting establishment of behaviours. This ultimately leads to better decisions, greater employee satisfaction, better service for customers and improved profitability.
Dr. Andrea Fechner, FECHNER Coaching & Consulting.
Christoph Schwager, Partner, Ernst & Young GmbH Wirtschaftsprüfungsgesellschaft.