While conducting research on the financial services industry during the past few weeks, I felt dazed by the extent to which regulatory compliance demands have stunned the banking sector: Basel II and III, Dodd-Frank, 173 pages of enhanced prudential standards from the Fed, the Foreign Account Tax Compliance Act (FATCA), and the list goes on.
(For those who operate outside the realm of financial services, FATCA is part of the Hiring Incentives to Restore Employment (HIRE) Act of 2010; it "requires financial institutions to use enhanced due diligence procedures to identify U.S. persons who have invested in either non-U.S. financial accounts or non-U.S. entities," according to PricewaterhouseCoopers. "The intent behind FATCA is to keep U.S. persons from hiding income and assets overseas.")
This is truly stunning: the list of regulations -- and the regulations themselves -- continue to morph, even after their passage.
For example, as of May 1 a total of 221 Dodd-Frank rulemaking requirement deadlines had passed, according to law firm Davis Polk & Wardwell LLP. How many total rulemaking requirements does Dodd-Frank have? A whopping 398. In other words, only 55.5 percent of Dodd-Frank's total rulemaking requirements had been finalized a few weeks ago. "Regulation right now is the number-one, top-of-mind issue for essentially every banking and securities executive," says John Kocjan, a principal with Deloitte Consulting LLP who leads Deloitte Consulting's financial services practice globally. "It's regulation, regulation, regulation."
Beyond the banking sector, survey statistics suggest that most other industries also face a growing regulatory burden.
The findings of a recent survey of 175-plus U.S. GRC managers conducted by LockPath suggest that many companies are not able to adequately manage their regulatory compliance demands. A majority of respondents rated their organization's risk level as moderate-to-high (84 percent) and noted an increase in the regulations with which they must comply (78 percent); however, more than a quarter of compliance and risk professionals also indicate that they do not have sufficient capabilities in place to manage these regulatory requirements and risks.
The question for many companies is: where to begin? Organizations outside the financial services industry might start by looking over the fence at banks and thanking their lucky stars that they're not being walloped by as many new rules. More practically, however, companies might look to financial services for ideas on how to structure sustainable and flexible GRC systems as well as for innovative ideas.
When I ask financial services experts (i.e., consultants) for risk management and regulatory compliance lessons that can be applied to other industries, they often decline. The industry's risks are uniquely complex and its regulatory environment is exceptional, they say. But maybe these leading analytical minds don't flex their relational creativity often enough. I see plenty of GRC practices within the financial services industry worthy of consideration by risk managers in other industries.
Consider financial services consulting firm Capco Partners' work with Commerzbank developing an IT complexity model. This project is designed to help make CIOs aware of IT complexity -- and its costs -- by measuring and managing it in a quantitative way, rather than by intuition and trial and error.
By reducing IT complexity, Capco and Commerzbank believe they can reduce project risk. But the benefits would extend further: reducing the time required to respond to information requests from regulators, reducing operational risks, strengthening IT security, increasing speed and efficiency, and so on.
These are valuable outcomes in any industry. The LockPath survey identifies the following as the Top 5 IT priorities for 2012:
- Minimizing data breaches and litigation
- Staying current on federal and state laws
- Cutting costs and delivering services more efficiently
- Getting one consolidated view of all compliance and risk factors
- Automating processes and simplifying reporting
We've all looked to the financial services industry to observe their efforts to oppose new regulations and also to gasp at the magnitude of their risk-management breakdowns. These reasons may be obscuring a more valuable reason for studying financial services companies as they address some of the most formidable GRC challenges in a generation.