"In today’s dynamic and ever-changing environment, new risks are constantly identified. Because of this, it is very easy and natural to focus our energy and resources on the hot topic of the moment. While it is important that we quickly assess the risk of these emerging threats, we must not lose sight of the basics. This will help ensure we maintain the effectiveness and integrity of our foundational risk and control environment." —Kandace Heck, Chief Audit Executive, US Bank
Across all regulatory challenge areas, risk management and the avoidance of “risk complacency” are vital to remaining compliant with an evolving regulatory landscape and to ensuring resiliency.
The insights below on Risk and Governance are drawn from the KPMG report Ten key regulatory challenges of 2023.
Regulators will continue to look for demonstrable evidence of credible challenge and of dynamic risk assessment and decisioning, both within and across the board and senior management. As part of these expectations (and as part of supervisory focus and evolving regulatory reporting), regulators will expect more extensive and formalized documentation, mapping, ownership, and ongoing testing and monitoring of controls.
Regulators will expect board and senior managers to:
- Demonstrate board and governance domain skills (e.g., this is a key element of the SEC’s proposed climate and cyber rules).
- Give Risk, Compliance, Information Security, and Audit stature comparable to other strategic functions, including in autonomy, empowerment, and visibility.
- Integrate critical challenge (e.g., escalation procedures, actions initiated, decisions made, and evidence of paths altered or terminated based on risk determinations) into risk and governance frameworks.
- Focus on novel, complex, long-term risks as well as basic, shorter-term risks (e.g., risks associated with the current rate outlook and mixed market signals impacting credit risk).
Risk management: Mission critical
Regulators will continue to focus on the robustness of the risk framework across all three lines of defense, both in rulemaking and as an ongoing theme in enforcement actions. This will include assessing whether risk and compliance programs across the enterprise are “geared” to current and emerging risks and are sufficiently and appropriately resourced, including investment, funding, technology, and skilled staffing. Individual accountability and companies deemed to be “repeat offenders” will be a key focus of investigations and enforcement actions.
Companies will need to demonstrate:
- Completeness of the risk framework across all risk pillars (e.g., credit, liquidity, operational, compliance) and against reporting expectations/requirements (e.g., climate risk management, SEC climate, ongoing examination responses).
- Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and redundancy alternatives.
- Planning for and mitigation of disruptive risks to functions of the organization (e.g., climate change, ongoing sanctions due to geopolitical conflicts, economic stability, cybersecurity threats).
- Information governance processes and controls to protect the confidentiality and integrity of corporate and consumer data.
- Agility to maintain effective risk management processes through significant change such as mergers, acquisitions, separations, and workforce shifts (retention/rollover).
Conduct risk and ethical business practices will take on additional weight as ESG expectations evolve. Regulators will look to the corporate culture and the investment in ethics and compliance programs to ensure they both reward compliant behaviors and accountability and deter misconduct. Areas of regulatory interest will include:
- Proactive identification, voluntary disclosure, and remediation of misconduct.
- Compensation program features, including incentives for compliance; accountability, clawbacks, and/or penalties for individuals contributing to the misconduct; and disclosure of the relationship between executive pay and financial performance (e.g., DOJ guidance, SEC disclosure rule; SEC listing standards rule).
- Surveillance activities, including insider risk programs, that test and monitor for compliance with regulatory requirements and the firm’s code of conduct (e.g., use of authorized communications channels and devices, records retention and disposal requirements).
- Customer protections, such as conflict of interest disclosure, best execution/best interest, use of material non-public information (MNPI), and outcomes related to the use of decisioning tools (algorithms, models, AI/ML).
- New technology applications, including digital adoption, models/AI/ML, access authentication and validation.
Call to action: Risk and Governance
☑ Assess board and executive governance structure, skills and composition
☑ Develop and formalize board composition /education program to address critical and emerging risks
☑ Ensure demonstrable board and executive management critical challenge
☑ Actively surveil and mitigate conflicts of interest and conduct risks, particularly in “new” areas (digital adoption, models/AI/ML, etc.)
☑ Evaluate existing supervision and control testing coverage; explore methods to increase coverage (automation, methodology, etc.)
☑ Invest in automation, analytics, and process efficiencies
☑ Appropriately position, scale, and reward risk management