Internal controls are in the spotlight. Impending regulation over financial reporting, combined with the potential for automation, is creating an opportunity to improve the way risks are managed. At the UK Finance COO Forum in September, chief operating officers explained how they were approaching the task – and what the future could look like.
As UK companies prepare for tighter controls over financial reporting, the state of their current risk frameworks is under careful review. Following a series of calls for the Sarbanes-Oxley legislation to be translated into UK law, chief operating officers and their colleagues have been busy preparing for the future.
At the UK Finance COO Forum in September, participants explained how they were bolstering their operational controls to ensure the integrity of reporting and to help prevent fraud. They discussed the challenges ahead, technology’s role in providing solutions and the areas needing attention as regulatory focus mounts.
Lucy Pearman, Managing Director Global Transform Risk and Compliance at Protiviti, set the scene: she described an environment in which automation would lead the way. An estimated $127bn would be spent on regulation technology (RegTech) by 2024; the market for intelligent process automation will increase 1,000 per cent in the next two years; and 90 per cent of corporate controllers will soon be using robotics to help do their jobs.
The surge in automation will be driven by an estimated 56,000 regulatory alerts by 900 bodies worldwide in the next year alone and by the fact that currently only 33 per cent of internal controls are automated.
Across the industry, centres of excellence are also emerging to help companies navigate the changing environment. There is appetite from regulators and businesses to create and share expertise from which everyone can benefit. There is also a real opportunity for companies to leverage some of the triggers around digitalisation, Pearman said.
What are the biggest risks and challenges?
People, technology and interpretation of regulation were the themes discussed in response to this question during the debate. The group shared a wide range of views about the challenges they faced, but it was the confluence of people and technology – when creating and managing controls – which punctuated the conversation.
One COO from a high street bank explained that automating controls requires risk professionals and software engineers to communicate effectively. He said the two sides often spoke different languages and assumed the other side knew things they didn’t. While the bank’s risk team thought engineers knew about good control design, some engineers thought controls were binary – that they were either on or off. Bringing people together early in the design process is important.
Other leaders at the event explained how they were dealing with the challenge. One COO from a regional business bank said he had developed an internal consultancy team with specialists in robotic process automation (RPA) and machine learning. These skills were combined with existing expertise in Microsoft’s Power BI platform to help show the rest of the business how automated controls worked.
Another COO, from a mortgage lender, said he had created a system of internal certification, where automated controls had to reach a minimum standard. His team is using automation tools from Microsoft as a foundation to give people confidence in using and developing automated controls. One participant explained she had employed someone to work on RPA specifically, which was being used effectively to improve controls.
A further challenge discussed during the event was the interpretation of regulation and its impact on controls. Many of the COOs in the group have been talking about the recent policy statement on operational resilience. There have been working groups across financial services firms as they prepare to meet the next regulatory deadline in March 2022. At that point financial firms will have to begin putting their plans in place to protect important business services and mitigate intolerable harm to customers.
Many acknowledge that the UK regulatory system doesn’t lend itself to black and white answers. But they believe ‘important business services’ and ‘intolerable harm’ are currently being interpreted very differently. They believe that COOs and trade bodies should come together and discuss how best to interpret the regulations and understand what’s causing the differences before doing anything else. They argue this will help them to focus efforts on controls that the regulator is most interested in.
Which areas need the most transformation?
There is a pattern to what companies are doing to embrace the future of controls. COOs commonly highlight challenges with people and technology, so the solutions are often closely related. Early indications suggest that members of the UK Finance COO Forum are taking steps forward in both areas, but they also recognise it will take time for everyone to grasp the opportunities.
Risk professionals in the second line of defence often arrive in their roles with experience from the first line of defence, the operational side of a business. They bring plenty of hands-on experience to the profession. But, according to one COO, some have missed out on the trend towards automation because their operational experience predates the widespread use of technology. He believes their skills need to be updated.
The same is true for some executive boards whose experience isn’t always up to date and who need help to understand automation. COOs at the event described how boards were willing to understand new approaches but acknowledged it took time and effort to explain how they worked. Protiviti’s Pearman suggested boards were looking closely at the return on investment they would get from an automated system and still held concerns about losing touch with the risk management process.
There is also debate about creating an additional line of defence. While the first line refers to the operations team, the second to risk and compliance, and the third to internal audit, there are COOs that are building a ‘1.5 team’. The 1.5 team sits just behind operations teams, providing them with additional support. According to one COO, from a mortgage lender, the move has helped with the challenge of interpreting regulation.
He said the 1.5 team is providing additional support to the first and second lines of defence around cyber resilience and data governance. They act as translators between the owners of the risk and the people developing the frameworks. As technology becomes more prevalent, the move has been successful and helps to engage more people in the process of managing risk, he said.
The future of controls
In the future, firms will move away from the risk structures they have traditionally operated within – the three lines of defence could include “1.5” and others. Specialists will solve problems, adopting what Protiviti’s Pearman called a SWAT team mindset. Subject matter experts will be hired to prove concepts and get things done.
Companies will also have well-established centres of excellence for controls testing. These will help everyone to work in a more agile way and provide the latest thinking and support to operations, risk and audit teams. They could ultimately help integrate compliance and operational risk, too, and give companies a comprehensive view of the risks in their controls.
But this vision will require technology to be applied well. COOs will therefore continue to consider the RegTech at their disposal: from the basics of control automation to machine learning algorithms and RPA to improve processes and speed up data collection. This ongoing process of managing and testing will help them to better predict areas of non-compliance – and move away from just reacting when things go wrong.
Ultimately, this way of working will be something boards and regulators will support because it will provide greater assurance that corporate governance is in good health.
UK Finance’s COO Network event, which was held in association with Protiviti, took place on 20 September 2021 online. For more information and to find out more about the work of UK Finance, contact head of member communities Zoe Bailey.
For more information on Protiviti’s work on the future of controls, please contact Lucy Pearman.