I use the phrase ‘dead wood’ because it covers a wide range of inefficiencies. Below are the suggested ways we can go from old world to new world and remove the debris in the process.
Get smarter: The repository of data
A very large percentage of due diligence data can be sourced from external suppliers and be at our fingertips for constant interrogation and assessment. The due diligence reviews every 12 months or 24 months – depending on the risk criteria attached to the counterparty or country – are hopefully becoming old news. When issues arise, not many in senior management will get the ‘warm and fuzzies’ from a nine-month-old due diligence assessment deficient in current critical data to make an assessment. Immediate, current, digestible and malleable data is the new black. The possibility of this framework model is in place and the connection points required are established. Imagine: no more silos, but a conduit of data with market consistency updated frequently for you to access. Blimey. Sounds awfully ideal.
Get efficient: the new approach of the desktop review
Remote working and desktop due diligence are here for the long haul. So, collectively, we need to reshape what the new regime will look like.
- What does it need to do?
Before the repository I have mentioned above is finalised to enable immediately accessible data for due diligence, we need the first interim step to occur. That will require a shift from the debris of the old method into the new regime whereby we have a ‘core’ that is supplemented with a local, detailed and granular focus. Start with your key regulatory thresholds, establish the conduit and feed it with solid and robust data. This is then validated locally. It is not that hard to do and it, critically, can be set up in a digital interactive format.
- What does it need to avoid?
Generic questions that inevitably mean generic answers. Generic doesn’t adequately manage your network risk nor provide adequate insight for your oversight committees. Ask the right question and get the detail to determine if it is the most adequate answer.
- Ultimately, we need to get thinking differently about our network risk.
Who determines the risk that our network has? What focus do we place on regulation? How involved are our committees and what level and frequency of reporting do they receive? Do our operations factor into the due diligence? What about our technology? A few questions to contemplate as we consider what it means to assess our risk.
I’m not sure about you, but numerous times I’ve sat at a table to discuss assessing and capturing risk with people who have an ERM framework to populate or checklist to complete. Typically, there is a product information gap but there is a requirement to produce a document. Eventually, and in the best-case scenario, the document becomes the responsibility of the business to complete, because if you don’t know the product, how can you assess the risk? This process takes time, gets rushed and is usually so enormous that a thorough assessment by business colleagues of all the touchpoints and connections is not concluded. Garbage in equals garbage out (my old manager taught me that – thanks Andrew) and it is completely accurate. Checklists, monitoring programs, committee determinations and volumes of reporting come from this final ‘achievement’. The approach is old, rigid and not refreshed enough. Risk and its management need to be dynamic. Think differently.
Imagine if you simply said to your regulator, committee, internal audit,
- Here are the top risks 1-10 (for this period, concerning this matter);
- Here is how we have oversight of them; and
- Here is how we manage and mitigate,
and all this documented clearly and concisely. Simple and most importantly, effective.
We say we do, but how many of us are really taking technology seriously and changing our practices? I think we are seeing the ‘FinTech for FinTech’s sake’ era fade away and the new innovative solutions to make our day-to-day less onerous filter through. And about time. No one has the time or money to continue with a haphazard approach. That is great news. Better news would be more joint efforts in the tech space across the entire chain, connecting intermediaries with innovative IT.
Final thought: Regulation. Since I last wrote, I have had comments that firms need to look at regulation separately and not in joint consultations. Sorry, I am still not there and absolutely see the ‘force’ in a combined industry regulation interpretation and understanding, followed by a separate firm application. A two-step process initially and one that is eventually second and third line tested. The key is a solid interpretation at the outset by a top-class working group. It exists in pockets, but more is needed.