Global financial institutions are experimenting with an essential new C-level position—the Chief Control Officer—to ensure that organisational lines of defence are effective in fostering internal compliance, accountability, and transparency. But without the right data, they may still be feeling around in the dark.
Oversight and supervision of non-financial risks have long been part of the day job for senior banking and investment management executives, particularly as more headline-making examples of rogue traders and pockets of fraudulent activity in specific business units have cropped up at universal banks in past years. Think Adoboli at UBS, or the more recent billion-dollar enforcement action against Wells Fargo.
The approach to dealing with these risks has taken two directions. On one hand, Individual accountability regimes have pushed these responsibilities further down to senior managers—the first in the classic three lines of organisational defence. But, despite this expanded ownership for assessing, controlling, and mitigating risks, they often lack the resources, expertise or political clout to secure investment, implement automated solutions, and ultimately make positive and sustainable change happen. They need support from the second line of defence—professional risk, compliance, and control functions—and from the C-suite, governing bodies, and the independent third line. And so, on the other hand, non-financial risk responsibility is now vested at the boardroom level, as well. Enter the Chief Control Officer.
Whilst Chief Risk Officer (CRO) and the more familiar Chief Compliance Officer (CCO) positions are well-understood and have, within most regulated firms, been in place for a decade or more, this new talisman for internal controls is relatively immature and indeed, the role is still being shaped.
In general, the CCO for controls has a cross-functional remit focussed on managing down operational and conduct risks and other non-financial risks. The role contributes to the formulation of risk management and control strategy and policy, and is key to instilling a healthy risk culture within enterprise operations. The meat of the job, however, is active oversight: monitoring and mitigation of risk of loss or regulatory attention. The CCO is ultimately accountable for the effective execution of the control framework; that’s where most of his or her challenges lie. And to this extent, the role serves as a gatherer, consumer, and distributor of data as much as it does a policymaker.
Because of the reputational risk and considerable penalties now in play, there is an inexorable march towards more granular and more real-time controls among the world’s largest institutions. The new CCO role only highlights the opportunity firms have to fundamentally change their organisation’s approach to the controls lifecycle. Senior managers need to be able to identify and assess gaps, and design, build, and implement controls into their operations much faster. Contrary to the old notions of controls as crusty rules living only on paper, they now expect flexibility and “control on-demand” capabilities from their CCO colleagues, and we are seeing a new control-as-a-service concept evolve as result. Just as firms today can deploy internal factories for building and deploying analytic models, utilities for reconciliations, and centres of excellence for new initiatives like robotics, we are seeing the concept of controls being delivered as-a-service, leveraging the capabilities of agile technologies and robust data management platforms.
As the role continues to evolve, the CCO cannot be successful without effective monitoring systems, high-quality data, and actionable information drawn from that data. The CCO is heavily reliant on colleagues in operations and technology, but this role can also set the agenda and be instigators of change when it comes to the systems modernisation agenda. In fact, operations chiefs and tech teams are equally frustrated about their complex data spaghetti, inflexible processing platforms, and their critical—but typically expensive and cumbersome—legacy reconciliation systems. Without a refresh in these core areas and establishing baseline data about trading and business activity, it is difficult—if not impossible— to develop effective controls around organisational behaviour and individual conduct.
To this extent, the CCO should be driving the argument, bringing to bear new influence, leveraging a growing mandate from the boardroom, and ultimately striving to consummate broad-based technology transformation that puts controls at the center of the enterprise.