Systemically Important Financial Institutions (SIFIs), by simply being so labeled, have been forced into the financial services and public spotlight. The debates regarding SIFI status range from the likelihood of lower costs of capital, because of being identified as too big to fail, to whether SIFIs should be forced to make divestments to reduce their size and complexity to the point they are no longer systemically important. Within that particular debate the benefits to the sector of economies of scale among the larger firms will likely be considered by the regulators but ignored by the mass media, which will continue to demonise them for the purpose of convincing their readership that they are holding SIFIs to account on behalf of society.
Regardless of the drama and conjecture within the debates there is one certainty already evident – local supervisors are carrying out spot checks on SIFIs to ensure that their risk management policies and practices are comprehensive, documented and being complied with in practice. These checks are, in part, likely to be a process of getting to know the SIFIs better, with a view to understanding the sensitivities of their business models and the related economic or business performance factors and conditions that would alert the supervisor to force remedial action. Any SIFI that has also received government funding in recent years must expect all manner of intrusive interest from supervisors. The second reason for the checks is to give the supervisors confidence that business as usual activities are properly controlled and that in a stressed situation those responsible can resort to documented, accessible policies, processes and procedures, including those associated with living wills for resolution and recovery.
In Germany these spot checks are commonly referred to as ’44 Assessments’. The term stems from article 44 of the Kreditwesengesetz (KWG). This is part of the German banking license and article 44 gives Bafin, the local supervisor, the right to enter an institution at any time without notice to undertake a review of any part of the organisation it pleases. This is a common right among supervisors and many are exercising it on the global and domestic systemically important institutions in their territory. In Germany the arrival of Bafin, or even the rumour that Bafin is considering a 44 Assessment, is enough to send senior managers in risk, finance, compliance, IT and strategic planning into a cold sweat. This reaction indicates that regardless as to how well a firm is operating they have often been too busy with the day job to keep all the policies and controls up to date, documented, communicated and available for reference and review. And there is always a lot to keep up to date - after all, an institution wouldn’t be systemically important if it weren’t large and/or complex.
In the institutions with which SecondFloor is working there are many stakeholders and personal/professional agendas involved in risk and finance policies and procedures. Sometimes an overall responsible person either isn’t identified or has not had the capability or capacity to maintain a view of the complete business architecture in terms of the organizational structure and the processes, systems, data, policies, procedures and controls that, in combination, create the value and also the financial and operational risks within the institution. It is common for departments or individuals to maintain a repository in isolation, feeling that they are the safest guardian of such information, but those with ultimate responsibility might not even know of its existence. With this as a starting point it’s not surprising that supervisory spot checks generate nerves among executives.
Fortunately the recent checks by Bafin and other supervisors have, sensibly, resulted in constructive dialogue around the topics of governance and productivity. Despite the complexities of creating, maintaining and having available all the required information, it is, from a governance perspective, essential to have it. But for an institution to pay genuine attention rather than lip service there has to be a commercial payoff too – thus incorporating the value creation aspect as well as governing the risks.
Here a number of conversations have followed the strategic line of sight from understanding and documenting the risk and finance architecture of the institution to the practical applications of the resulting repository of interrelated elements. For example, capability management is a competence that stems from being able to look at a strategic business opportunity from the perspective of an institution’s ability to execute a strategy to take advantage of that opportunity, rather than simply basing a decision on the desire or ambition to make such a move. With the risk and finance architecture documented this is possible and can be used to achieve competitive advantage. Business continuity management and operational risk management will also be taken to the next level of professionalism when there is a common language and understanding around how the business functions and which data, systems and processes impact which products, services and customers.
The compliance function can also contribute to business efficiency and productivity when all relevant laws and regulations that impact a systemically important or large institution are documented, interpreted and cross-referenceable in terms of which policies, process and controls can be used for multiple, similar compliance activities. This eliminates duplication or repetition of compliance systems and processes. It also reduces complexity of the overall compliance function, which makes an institution’s control discipline much more streamlined, visible and clear to executives, supervisors and other stakeholders. Of course, compliance will always be seen by some as the business prevention department, but it has an opportunity to improve its reputation.
The exercise of mapping and visualizing the complete, interconnected risk and finance architecture also has a specific benefit for the IT division. It creates an as-is view and an IT cost structure of the IT landscape and architecture. In addition to IT contract management and security audits this can be used at the outset of any change programme to understand both the changes required to get to the to-be state and also the mutual and potentially conflicting impacts caused by multiple change programmes running in parallel.
Of course, the intention of any supervisory intervention, such as a spot check at a SIFI, is to ensure the existence or improvement of a risk aware culture within an institution. Having a complete, documented risk and finance architecture means that anyone responsible for compliance or for introducing true enterprise or integrated risk management throughout the institution has access to all the reference, planning, communication and training materials they might need. As with any intention or obligation that cannot be put in place with a one-off exercise, the key is building, maintaining and deriving value from such a resource by making it accessible to, and winning adoption from across, the risk, finance, IT, compliance and strategic planning functions.
Supervisory spot checks will always be an unwelcome intrusion and distraction, but enabling the maintenance of risk and finance policies and procedures to be part of a business as usual view of the business architecture there can be many strategic business benefits to be gained. It will also diminish the cold sweats that, in future, might transmit the smell of fear that triggers a less than constructive supervisory discussion.