Risk and Governance: 2023 Regulatory Challenges

Board importance

Regulators will continue to look to demonstrable evidence of credible challenge and dynamic risk assessment and decisioning from both within and across the board and senior management. As part of these expectations (and as part of supervisory focus and evolving regulatory reporting), regulators will expect increased and formalized documentation, mapping, ownership, and ongoing testing and monitoring of controls.

Regulators will expect board and senior managers to:

• Demonstrate board and governance domain skills (e.g., this is key element of the SEC’s proposed climate and cyber rules).
• Stature Risk, Compliance, Information Security, and Audit comparably to other strategic functions, including the quality of autonomy, empowerment, and visibility.
• Integrate critical challenges (e.g., escalation procedures, actions initiated, decisions made, and proof of altered/terminated paths based on risk determinations) into risk and governance frameworks.
• Focus on both novel, complex, long-term risks as well as basic, shorter-term risks (e.g., risks associated with the current rate outlook and mixed market signals impacting credit risk).

Risk management: Mission critical

Regulators will continue to focus on the robustness of the risk framework across all three lines of defense – as a part of rulemaking and as an ongoing theme in enforcement actions. This will include assessing whether risk and compliance programs across the enterprise are “geared” to current and emerging risks as well as sufficiently and appropriately resourced, including investment, funding, technology, and skilled staffing. Individual accountability and companies deemed to be “repeat offenders” will be a key focus of investigations and enforcements.

Companies will need to demonstrate:

• Completeness of the risk framework across all risk pillars (e.g., credit, liquidity, operational, compliance) and to reporting expectations/requirements (e.g., climate risk management, SEC climate, ongoing examination responses).
• Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.
• Planning for and mitigation of disruptive risks to functions of the organization (e.g., climate change, ongoing sanctions due to geopolitical conflicts, economic stability, cybersecurity threats).
• Information governance processes and controls to protect the confidentiality and integrity of corporate and consumer data.
• Agility to maintain effective risk management processes through significant change such as mergers, acquisitions, separations, workforce shifts (retention/roll over).

Mitigating misconduct

Conduct risk and ethical business practices will take on additional importance with evolving ESG importance.  Regulators will look to the corporate culture and the investment in ethics and compliance programs to ensure they both reward compliant behaviors and accountability and deter misconduct. Areas of regulatory interest will include:

• Proactive identification, voluntary disclosure, and remediation of misconduct.
• Compensation program features, including incentives for compliance; accountability, clawbacks, and/or penalties for individuals contributing to the misconduct; and disclosure of the relationship between executive pay and financial performance (e.g., DOJ guidance, SEC disclosure rule; SEC listing standards rule).
• Surveillance activities, including insider risk programs, that test and monitor for compliance with regulatory requirements and the firm’s code of conduct (e.g., use of authorized communications channels and devices, records retention and disposal requirements).
• Customer protections, such as conflict of interest disclosure, best execution/best interest, use of MNPI, and outcomes related to the use of decisioning tools (algorithms, models, AI/ML).
• New technology applications, including digital adoption, models/AI/ML, access authentication and validation.