Banks and insurers are caught between two fires. On the one hand, there is the pressure to improve their cost/income ratios while making their digital transformation a success. On the other hand, they need to patch up ever-expanding internal control frameworks to bring them in line with increasingly demanding regulatory requirements. The result: high overhead costs, and stifled innovation. It’s time to make internal controls and frameworks more flexible, more transparent and more cost effective.
For a while now, risk and compliance professionals in the banking and insurance industry have seen the writing on the wall about the challenges facing their profession today. From implementing ever more stringent control requirement in legacy systems, to having to manage error-prone administrative control chores. From managing gaps in the three lines model, to having to improve cost/income ratios. We live, as they say, in interesting times.
Banks have been tasked with ensuring their customers’ financial wellbeing, as well as having become society’s gatekeepers against money-laundering, fraud, and fiscal irregularities. Moreover, the barrage of regulatory requirements shows little sign of abating.
Banks responded to the emphasis placed on risk management and internal controls by erecting complex control frameworks to keep abreast of assorted financial malfeasances. These frameworks are often implemented in a less than effective way – in no small part because many banks and insurers operate a patchwork of legacy systems.
In our interactions with clients, we often see a large amount of control and assurance activity in the second and third lines of the classic three lines model of risk management. The controls required at the operational level often take the form of periodic ‘bolt-ons’ to day-to-day activities, like end-of-month reports, spreadsheets and other administrative tasks.
In fact, it’s not uncommon to see control frameworks requiring over 1,000 controls – many showing overlap. All of these controls need to be administered, registered and reported. They then need to be monitored and checked (often manually) by the second line. More administrative chores.
The Covid-19 pandemic has spiked the demand for liquidity in society, while banks have had to administer the Dutch government’s NOW-scheme and invest in their financial restructuring and recovery departments, as a significant number of bankruptcy filings is to be expected. Of course, all while a substantial chunk of staff worked from home. It hardly comes as a surprise that, in the three lines model, many banks have taken to moving resources from the second line of defense to the first. The people who used to monitor the checks carried out on the ground, are now actually doing those very checks. This leaves a vulnerability at the second line of defense, waiting to be exploited by those who wish to commit fraud.
More structurally, banks are under pressure to lower their cost/income ratios. Fintechs are outperforming them on primary processes, while investors, public and private, demand a higher return on their investments.
A final challenge is typical for banks, where risk managers and the second line show a bias towards over-controlling. Driven by increased regulator scrutiny and, risk managers are unlikely to reduce the number or intensity of their controls. Even when they’re no longer needed, adequate or appropriate.
All of these trends have made it difficult for leadership to know whether they’re in control – even though this is exactly what regulators demand. Instead, banks increasingly struggle to have an up-to-date overview of their balance sheet, to know whether they are compliant, or whether there are any unpleasant surprises hidden in their customer base.
What banks need is real-time insight in whether they are in control. Their leadership needs to be able to ‘see through’ their organization in order to detect shortcomings, before regulators and watchdogs do. This requires consistent data and fact-based transparency from their systems. How to get there?
In our experience, there is a two-pronged approach to alleviating the burden of increased internal controls. For many of our clients, standardizing and automating controls helps them become more flexible, transparent and agile, while saving substantially on overheads.
The first step is to map processes. This is easier said than done, because complex processes like loan applications may run through an organization like spaghetti on a plate. Alternatively, processes are often split up in chunks with no clear indication where the connecting chunks may be. A complicating factor is that many banks work with separate, non-interoperable legacy systems that prohibit plugging queries in at the top of an organization’s ERP system. As a result, all too often no-one has a true and complete picture of what these processes look like, which in practice means that bolt-on controls are copied, measured and registered in different ways.
Once all processes are mapped, their associated controls are ‘X-rayed’, ranked and de-duplicated. The ones that are left are merged where possible, or re-defined where necessary. There are instances where this exercise alone led to over 60% reduction in the number of controls.
Standardizing controls alone can cut the amount of resources required in the first and second lines. Making the remaining controls an integrated part of the automated first-line processes can reduce them even further.
Take manual journal entries. If an insurer receives a claim, a simplified process is to check whether there is a policy, whether there are grounds to pay out and whether the amount payable is higher or lower than some predetermined signal amount that triggers closer examination. If all is well, payment takes place. This describes a primary business process that directly affects an insurer’s P&L statement. There are huge benefits to be had if claims handling allows for as few detours, exceptions or human error as possible. This in turn allows for automated controls which needn’t be verified manually at the end of the month. This can only work if the full process of claims registration and administration is standardized. In this standardized process, each step is logged, checked and calculated by the algorithm. The system only flags up irregularities like manual journal entries.
Designing primary business processes with controls built in allows for straight-through processing and first-time right reporting. It also allows for management by exception.
In the first line it removes administrative bolt-on chores at the end of the month, while enhancing accuracy. In the second and third lines, it reduces the amount or monitoring and checks that need to be carried out. For leadership, it allows for real-time insight in whether the organization is in control and helps management detect shortcomings before auditors or regulators do.
Moving internal controls from the second and third lines into the first is a daunting job, but it can be done in any organization. Want to learn how you can get started, what the process involves or if you would like our help? For any further information, please contact Ferdinand Veenman.