Question
What barriers of independence or findings can be surprising in the below example, also paying attention to where and how the compliance function is positioned in the lines of assurance model?
The cost of regulatory compliance in banking rose dramatically in the years after the financial crisis. Some of the increase came from investment in technology, but most of it was, and remains, driven by additional staff. The crisis triggered numerous critical control failures that required immediate remedy. Institutions responded, appropriately enough given the urgency, by adding layers of control. An idea of what resulted can be seen in a typical example. At a large universal bank, a quarter of one business unit's resources is now dedicated to control, significantly reducing the share focused on the business (Exhibit 1). While the exact numbers will vary by institution and business unit, what's certain is that more resources than ever before are being dedicated to testing, monitoring, and other oversight responsibilities, at the expense, given budget limits, of production resources.
The investments have magnified industry resilience and improved the quality of risk management. The high cost, however, is now coming into focus. At many financial institutions, business, compliance, and risk practitioners are beginning to question the sustainability of the resource-intensive approach to managing compliance risks. We believe they are asking the right question. Banks are still adding layers of control as the remedy of choice for compliance issues. The result is an unwieldy "system" of overlapping controls that is difficult to automate and does not address the true root causes of risk. Arising issues are approached one at a time and in isolation; remediation efforts are inadequately measured and tracked.
We analyzed the time spent on remediation at one global financial institution according to the importance (materiality) of the issue. We found that first- and second-line compliance staff were spending 80 percent of this time on issues of low or moderate materiality, and only 20 percent on critical high-risk issues. The issues were approached individually, according to an "issue log" with thousands of entries. Unsurprisingly, separate remediation initiatives and audit reports were often directed at the same processes and had the same underlying causes. These could have been addressed systematically, but individual projects did not have the budget to take that on. Only when the institution took an enterprise-wide view did the case for IT investment become clear.
The status quo approach to compliance does not allow for an integrated view across the enterprise. The approach to risk assessment is fragmented: some risks are covered by multiple assessments and others not at all. Nor does a consistent understanding of the material risks emerge, as the varying standards of materiality and testing produce conflicting results across the organization. Compliance, activities relating to banking secrecy and anti-money laundering (BSA/AML), operational risk, third-party risk, and other assessments are performed frequently by separate teams applying different approaches, and much effort is expended in reconciling the outputs. At one large financial institution, we found that business leadership teams are required to participate in 20 or more risk-assessment activities annually, led by the various control functions. Yet despite all this labor, top management still cannot obtain a reliable view of the institution's biggest compliance exposures nor on the state of controls governing them.
Many leading institutions have tried to shift compliance frameworks toward a more risk-based approach. They have struggled to escape an orientation to procedural adherence and refocus on residual risk (outcomes). Metrics present another challenge. Rather than forward-looking measures of risk, many are ill defined and generate data with unclear implications. As mountains of details pile up, critical exposures can get lost easily. Legacy controls remain in use as new metrics are added. Many intermediate controls and testing can be removed, however, as a recent efficiency effort at a bank's consumer business demonstrated. The needed solution (expanded sample-based quality-assurance testing on executed affidavits) was simpler, less time consuming, and more effective in disclosing material exposures. And it was less costly than the existing haphazard system.
The value in sustainable compliance
The aim of a sustainable compliance program is to improve the bank's risk profile through a more effective and efficient compliance function focused on the most important risks. The approach both centers on material risk and eliminates inefficient activities. In our experience, it can free up to 30 percent of the compliance function's capacity (Exhibit 2). The size of the opportunity depends on the starting point of the bank: leaner institutions will benefit from effectiveness improvements, while institutions with heavier quality-assurance, control, and audit structures will additionally benefit from meaningful efficiency savings.
One global financial institution recently developed a set of initiatives to free up 20 percent of capacity in its risk and compliance functions. The starting point was organizationally heavy: the two second-line functions accounted for one-third of corporate function expenses. The resource footprint was 95 percent concentrated in high-cost metropolitan areas with very competitive talent markets. At the same time, effectiveness was inadequate, as evidenced by a growing backlog of regulatory issues and audit findings. Risk-management standards, including taxonomies and tolerances, varied across and within lines of defense; "shadow" testing and monitoring activities were being performed by business lines (the so-called one-and-a-half line of defense); and modeling, analytics, and reporting activities were fragmented across the first and second lines.
The improvement program prioritized initiatives that enhanced the effectiveness of compliance and risk-management activities and their efficiency, to achieve a sustainable operating model to support future growth. Better effectiveness was sought by taking a proactive approach to help the business manage material risks. Rather than reacting to issues, the bank would diagnose root causes and translate regulations into operational requirements. Effectiveness was further fostered through timely and adequate transparency into the state of risks and controls, and increased confidence that no material risk would be left unattended. The functions became more efficient through the automation of tasks and controls and easier access to qualified talent. The resource footprint was optimized, aligning it with business and strategic needs. Resource allocation could then focus on material risks, boosting staff productivity. Nonessential work was minimized, including the remediation of low-materiality risks. Testing, reporting, and other activities were rationalized across the three lines of defense; duplication, especially in the control functions (such as remediation tracking and risk identification and assessment), was largely eliminated.
Building it: Seven steps to sustainable compliance
Compliance practitioners point out that compliance activities are triggered by regulatory requirements and by how well businesses manage regulatory risks. Regulatory demands, they argue, are outside the control of the compliance function, while the adroit management of regulatory risks takes time to mature. In our view, the key to sustainable compliance is how well the compliance function responds to these demands. Below we lay out seven practical steps that institutions can take to move closer to sustainable compliance.
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Some surprising findings and barriers to independence in the provided example include 1 Resource All...