Risk 'complacency': Regulatory challenges
Deliberately guard against overconfidence by raising risk and compliance investment and voice.

Regulators view “risk complacency” by financial service companies as a potential threat to both stakeholder trust and safety and soundness. Companies must deliberately ensure that they are guarding against overconfidence—particularly during times of business, M&A, and innovative growth—by raising risk and compliance investment and voice.
Over-confidence leading to complacency is a risk—when prudent risk management is set aside in pursuit of profit.
Michael Hsu
Acting Comptroller of the Currency, August 2021
Mitigating risk: Risk "complacency"
Give risk management appropriate stature, recognition and size.
Prudent risk and compliance management (commensurate with size, complexity, and risk profile) must accompany business change and growth, as well as anticipate and address expanded regulatory risk expectations.
In the areas of human capital and risk culture and commitment, heightened regulatory attention will include:
- Demonstrable and credible challenge, including the adequacy of risk assessments and the monitoring and adjustment, as needed, of internal controls.
- Appropriate stature of Risk, Compliance, Information Security, and Audit that is comparable to other strategic functions, including the quality of autonomy, empowerment, and visibility.
- Sufficient and skilled staffing and funding resources.
- Dynamic, metric-driven risk capacity models to determine technology, operational, and risk resources needed to keep pace with the growth or changes in the business.
Invest in data-driven risk automation, analytics and process efficiency.
Financial service companies must continuously determine how best to utilize data and technology to meet consumer and client demands – both from a business and a risk perspective. Regulators expect companies to take a data-driven approach to risk and compliance monitoring and assessment. Likewise, regulators increasingly utilize data-driven supervision and enforcement.
Areas of regulatory attention will include:
- Sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.
- Robust data quality auditability standards and practices.
- Use of data to perform a more dynamic and robust risk assessment, diligence and surveillance (and update risk and compliance programs accordingly).
- Ongoing data analytics to challenge business processes and controls and to flag potential issues (systemic and isolated) in a timely manner and drive them to resolution.
- Consistency and auditability driven by workflow and automation tools in such areas as risk, examination management, and compliance management processes.
Anticipate and incorporate emerging risks, but don’t lag in remediating known (or should have known) issues.
Financial service companies must incorporate emerging risks and regulatory expectations, but also continue to demonstrate timely identification and remediation of issues.
Regulatory attention will expand in areas such as:
- Establishing effective front-line units, independent risk management, and internal audit and control functions.
- Continuously accessing operational data and information across functions to update and revise risk assessments based on changing compliance risk.
- Ensuring that deficiencies (including data quality, timely and accurate reporting, and reporting to the Board) are quickly identified and appropriately remediated.
- Robustly analyzing complaints, disputes, and claims information for systemic issues, and demonstrating that actions have been taken (e.g., modifying products or services, enhancing process controls, and improving product or disclosure clarity).
- Analyzing employee/insider threat data and behavioral patterns and key insights from investigations and interviews to identify, acknowledge and resolve cultural/conduct risk or control issues.
Champion risk-embedded business, operational and technology change.
Regulators will expect that risk and control functions are part of continued business, operational and technology change. The sense that “it cannot happen here”, “the third party owns that risk”, or “that’s the way we have always done it” is unlikely to be a strong or sufficient risk stance and will be increasingly pressured by regulatory supervision and enforcement.
Key areas of focus for robust risk governance and controls will include:
- Continued large scale technology change-related initiatives, such as focus on data management, digital assets, digital adoption, cloud adoption and migration, and core platform modernization.
- Support for, or investment to facilitate, access to operational data and information across functions and/or from disparate sources.
- Industry or corporate practices that have not undergone recent changes but may result in disproportionate impacts across consumer/client groups (e.g., complaints handling, use of appraisal or other valuation models, application of product fees).
- Appropriateness of risk and control testing of AI and other technology (e.g., for potential bias, and for inappropriate access or security vulnerabilities).
- Consistency between public statements and regulatory responses (e.g., in such areas as ESG commitments and reporting, and responses to regulatory inquiries and examinations).
Dive into our thinking:
Ten Key Regulatory Challenges of 2022