Thomson Reuters has released its annual "Cost of Compliance" report, which collected data from the surveys of nearly 600 compliance professionals from financial services firms around the world. In addition to presenting current regulation trends, highlights, and concerns among financial services firms, it aggregates previously collected data from earlier surveys.
Although the 2015 report notes a number of issues vital to corporate counsel, there is one particularly worrisome trend that has become increasingly prevalent among compliance professionals: regulatory fatigue.
"Regulatory fatigue" is a condition in which compliance officers feel patently overwhelmed by identifying and preparing for a seemingly ever-increasing number of regulations, contending with round after round of enforcement actions, and making constant efforts to remain in compliance with existing regulations. According to the report, regulatory fatigue currently affects a majority of compliance professionals, and threatens not only to diminish firms' capacity to comply with new and existing regulations, but also to take focus away from the business improvement and development of the firms themselves.
The report also notes that, although the recent wave of new regulations may have slowed somewhat, 75% of firms report expecting a greater focus on managing regulatory risk within the next 12 months compared to today. As such, firms can't hope for external relief from this fatigue.
Nevertheless, the report does offer some methods for potentially alleviating regulatory fatigue from within.
First, although the report notes the importance of maintaining the independence of the internal audit function, there are definite benefits to creating alignment among risk, compliance, legal and internal audit functions. Perhaps most apparent of these is the increased communication and coordination on compliance issues, allowing for faster resolution of issues with less workload overlap.
But this increased communication also allows each separate control function access to a more complete picture of the current regulatory and compliance state of the firm. This also allows the board access to more complete information on the state of the firm's risk management, with which it can more efficiently coordinate top-level management compliance plans and decisions.
According to the report, there's plenty of room for growth in this area, with 67% of firms reporting that their respective compliance teams spend three hours or less each week consulting with the legal, internal audit, and risk functions on compliance issues. Although there is certainly a significant initial time investment, this investment will very likely yield worthy returns in efficiency and cost-savings.
A firm's "regulatory risk" is the risk of a regulatory or legal change that may affect how the firm operates.
This method involves setting a "big picture" compliance culture from the top down, as well as building and maintaining "strong, consistent protocols through which a positive culture can be demonstrated effectively." In this way, this method is complementary to the first, but somewhat broader in scope.
In short, this method aims to build a centralized system for defining, measuring, and reforming different areas of risk management that reaches to all levels of the firm.
IT risks, including issues involving cyber crime, are becoming an increasing area of concern for compliance professionals, and the report notes that cyber risks "must not simply be left to the IT function." Instead, compliance functions need to be concerned about potential cyber attacks, both on the firm itself and on the broader financial services infrastructure, and about any effects of such an attack on the business (and by extension, on its customers).
Because of the increasing amount of legal liability that firms are facing as a result of data breaches (resulting from cyber attacks), it's more important than ever for compliance to take an active role in managing IT risk, coordinating with the IT function to this end. Doing so not only allows the compliance function to understand and address any IT vulnerabilities without having to become experts in any areas of technology, but also aligns the IT function with the firm's compliance goals, such that managing IT risk is more efficient and complete.
Overall, the report reveals pressures facing compliance functions, with little external relief seemingly on the horizon. Nevertheless, some degree of respite from regulatory fatigue may be found internally through these and other approaches highlighted by the report.