A long time ago, I thought about becoming a teacher. Not, I might add, because I fancied the idea of standing in front of the most critical audience in the world. But because I always thought the teaching went both ways.
There’s as much for us to learn from little people as we can teach them. Like the highly creative and usually entertaining excuses they come up with for not having done their homework. No, Ashley, the dog did not eat your homework. You know that, I know that, and you know that I know that. Do you even have a dog?!
It was (pun intended) a lesson I was reminded of when I became a financial services regulator. Only this time, it wasn’t little Ashley explaining how his or her fictional dog really did have an insatiable appetite for paper and ink.
When — as they inevitably would — things went wrong in the firms I was supervising, it was adult Ashley’s turn to play the same game. Only this time, the excuses had one thing in common; the reason things had gone wrong was entirely unpredictable.
"A third party provider had an outage..."
"An unfortunate series of events led to..."
"initial investigation point towards an unusual..."
Not to mention my favourite, the ones that began with
"a junior employee..."
Our response — straight out of the teaching textbook was always the same. We’d ask for more information. And then we’d ask for more. Until we got to a point where the excuses ran out.
Now, I didn’t blame the adult Ashleys for trying this approach. Financial services firms are complex operations that can be difficult to hard to oversee. Particularly when they’re run on legacy systems, are heavily reliant on manual controls and are engaged in a wide range of highly technical products. But we know what happens when firms aren’t properly controlled. Unlike little Ashley’s failure to do his or her homework, there are big societal consequences.
Which is why my former colleagues are increasingly introducing regimes that are making sure firms are on top of these issues. Measures like accountability regimes that hold management accountable for whatever happens on their watch. The test isn’t whether you knew about something but whether you should have known about it. If something goes wrong in a business you’re being paid to run, then you’re accountable for it.
Then there’s operational resilience; the idea that certain activities performed by firms are so societally important — think running ATMs or payment systems — that regulators are requiring firms to ensure they can keep them running whatever happens.
All of which poses a challenge for Ashleys everywhere. How can they really know what’s happening in their organisation? The traditional answer is more controls, more reporting and above all, hiring more risk, compliance and audit staff. Of course, as a former Risk & Compliance Officer, that’s something I should be encouraging! But it’s not efficient. Having more controls, doesn’t necessarily make the world safer. It can make it more dangerous.
What we need is a smarter solution. It’s why I’m a big proponent of data science and behavioural science. The former can help us to understand what has happened, the latter why.
'you can blame the dog as much as you like, but ultimately you're the one who gets in trouble, not the dog'