When satisfactory is no longer enough for your risk, compliance, and audit function

By Duncan Edwards

At a conference in November 2012, Thomas J. Curry, Head of the US Office of the Comptroller of the Currency (OCC), said: “We are no longer willing to accept audit and risk management functions that are simply satisfactory. We are looking for excellence. Our expectation now is that large institutions will meet the standard of ‘strong’ for audit and risk management functions, and that the independent directors will take a strong hand in ensuring compliance.”

He further added that the OCC has “heightened expectations for corporate governance and oversight” [1]. And “strong” is exactly what Boards of Directors, senior managers, and risk, compliance, and audit functions need to aspire towards.

In the OCC’s last review of internal audit, risk management and succession planning of the 19 largest US banks, not a single one met its expectations. On a separate occasion, Richard Thorpe, former Head of Accounting, Audit, and Regulatory Reporting Policy of the UK’s Financial Services Authority, shared similar sentiments: “I can’t point to the internal audit function of a single bank or insurer and say, with hand on heart, that that is how we envision it being done in the future.”

Clearly, there is a gap between regulators’ expectations and practices on the ground.

Interestingly, at our recent roundtable on risk culture, participants made up of executives from Asia’s financial services industry shared that “risk, compliance, and audit are the places to be nowadays. There is unprecedented demand, our jobs are safe, and our salaries are good”.

But is that really the case? The answer is maybe, if you and your function are up to scratch.

Before the risk management, compliance, and internal audit functions in financial services organisations feel too confident about the work they do, it pays to know that Mike Brosnan, who heads large bank supervision at the OCC, is targeting operational, compliance, strategic, and reputation risks. “For the first time in my life, we actually say this basket of risks is more important and more of a priority for the system to deal with than ‘asset quality, liquidity, interest rate risk, and trading activities’,” he said.

So what do financial institutions in Asia and around the world need to do to move from “satisfactory” to “strong”?


As Curry said, “…it’s important that independent directors understand the risks that their institutions take on, and that they make sure those risks are well managed.” The Board therefore needs to clearly articulate its expectations and communicate to management and the business as a whole.

They must set the tone at the top in terms of strategy, culture, ethics, and risk appetite expectations. They must demand information – not data – from risk, compliance, and audit, and exercise challenge over standards and risk mitigation. They are not expected to be ‘friends’ with management.

Risk culture

Risk management must be embedded into the consciousness and conscience of the business. People in all aspects of the business need to understand and implement the standards set by the Board in their thoughts and actions.

As such, employees need to be measured and rewarded accordingly.

The question is whether companies actually incorporate compliance and risk management performance indicators into their annual appraisal and remuneration process for all employees.

Likewise, do these companies provide ethics training or explain the organisation’s risk appetite to all employees? Thus far, the signs are encouraging.

Based on observation, more companies are looking into assessing risk cultures, risk appetite, compliance monitoring, and ethics training.


The best systems and tools need the right people to use them effectively. Every function needs to critically evaluate every resource to see if they are capable of going from “satisfactory” to “strong”.

Otherwise, would additional training and experience be the solution, or do some of these resources need to be redeployed? For instance, companies can explore e-learning. The beauty of e-learning is that it can be used over and over again at little or no extra cost.

Governance, risk, and control (GRC)

Having done all the above, there is no point in having the risk, compliance, and audit teams operating as three independent functions, with differing views of the business, its risks and standards of reporting. An Audit Committee Chairman recently shared with me that his “solution” was to take the audit team’s recommendations, as he trusts them the most, and disregard the others.

A more effective solution is to have a GRC solution, where all three disciplines, while remaining independent, are integrated to identify the risks that matter and drive the form and structure of the business response to risk and compliance issues. Integrating these disciplines can provide the organisation with valuable recommendations on risks, controls, and costs.

Transforming risk, compliance, and audit

Getting your risk, compliance, and audit function from “satisfactory” to “strong” is a business imperative. Regulators expect it.

Further, the risk, compliance, and audit functions have the ability to contribute more significantly to an organisation’s value, strength, and resilience by transforming into truly risk-focused, value adding functions.

The key to realising these benefits is adopting a transformation model that quickly and effectively provides a balanced focus between compliance and business improvement, as well as defining and developing the additional competencies and behaviours required.

Eventually, risk, compliance, and audit will take leadership roles in the business, prompting a holistic review of the organisation’s entire control structure.

In reality, few organisations attempt all stages of transformation at once. For that reason, many companies approach transformation in a modular fashion.

The end goal of transformation is an integrated GRC model that delivers a balanced, cost-effective control environment. Investment is unavoidable, but it will deliver value through an enhanced control environment and reduced cost of risk events.

[1] “Remarks by Thomas J. Curry”, OCC website, http://www.occ.gov/news-issuances/speeches/2012/pub-speech-2012-165.pdf, accessed 4 March 2014
