One of the things that we board directors are constantly watchful about is whether the key risks in the organisations we govern are identified and effectively mitigated. It is great to have skilled and diligent management who expend the necessary resources to implement controls that minimise these risks. But sometimes the complexity of the control environment itself gets in the way of effective risk mitigation.
Having witnessed this myself throughout my career in financial services, the operational complexity of an organisation tends to grow as the organisation expands (organically or through supply chain providers), such that the solution to each new problem is often to layer on another set of controls and additional FTE, because it is too hard to identify and retire redundant ones. It is even worse when the controls become segmented so that different departments in the organisation are accountable only for their part of a multi-part process. Then it becomes impossible for any one person to understand a process end to end, let alone assess whether a risk is adequately mitigated. Add in the fact that human judgement will always play a role in assessing the effectiveness of controls, that there is often too much data (but not enough insight), and that most key risk indicators are rear-vision oriented, and we end up in a situation where chinks in the controls armour are entirely possible, such that a small problem can quickly develop into a big one.
My point is that no organisation has an ideal control environment. What is needed is a way to identify and assess the control imperfections objectively and to obtain targeted, predictive insights. A fact-based, continuous assessment of the control environment, in real time, 24x7, across the entire population of controls, providing incisive data-driven insights about ineffective controls before they break: that would be useful. We also need to make this pivot by embracing RegTech capabilities to reduce the overall cost base of managing the control environment. Such an assessment would be useful for management (especially in a 3 Lines of Defence model) and also for boards.
This matters all the more as regulators globally introduce tougher, more robust operational resilience requirements, including UK PRA PS6/21 and FCA PS21/3, the European DORA, the Monetary Authority of Singapore Revised Guidelines for Business Continuity Management, Federal Reserve System SCR 20-24 and APRA CPS230, coupled with stricter financial accountability regimes such as the UK’s Senior Managers Regime (SMR) and Australia’s Financial Accountability Regime (FAR).