Banks must ensure that communications and training about the code are delivered to all staff and supervisors, including any external third parties through whom they provide their services and offshore staff. This will enable banks to set expectations of what is required to comply with the Code and how the bank will monitor and report on their compliance. The Banking code compliance committee (BCCC) expects a positive customer-focused culture to be supported through training and considers that customer-facing staff are well-positioned to identify and escalate a possible breach of the Code.
Banks should review and develop KPIs & KRIs that ensure staff performance metrics promote behaviours that prioritise good customer outcomes and reflect the Guiding Principles and spirit of the Code. Senior executives understand that their organization’s measurement system strongly affects the behaviour of managers and employees. Risk plays a very important role in training and monitoring.
Risk-based supervision is largely outcomes and principles-based compared to a compliance-based approach. It seeks to assess, within a forward-looking perspective and making extensive use of judgment, the most important prudential and conduct risks posed by firms to supervisory objectives and the extent to which firms are able to manage and contain these.
Supervisors are mostly resource-constrained and requiring them to prioritize a variety of code compliance & conduct related activities rigorously. Risk-based supervision increases the effectiveness of compliance while increasing efficiency through improved resource allocation and processes. It assists in prioritization of resources to the areas of greatest conduct risk. Risks are not eliminated, but supervisors are able to address them in the most efficient and effective way of pursuing their objectives. This allows banks to address the risks in a systematic manner giving priority to what matters most.
Quick starting points on how to initiate a Risk-Based Supervision approach
- Risks need to be addressed in a systematic manner giving priority to what matters most
Risks need to be identified that would have the most significant detrimental impact. These are outcomes that would, for example, cause maximum damage to code compliance objectives. Risk-based supervision considers a combination of the effect of crystallization of risks and the likelihood that this will occur. The very highest impact firms and activities will be judged to be a potential source of systemic risk. Failure would result in extensive losses to consumers; broader reputational damage, fines, or regulator initiated a formal investigation.
2. Risk-based supervision requires the assessment and consistent grading or scoring of issues
3. Risks can originate from a variety of sources, so it is necessary to take a broader perspective and establish risk profiles
4. Risk-based supervision is dynamic and forward-looking. It allows risks to be identified and addressed early
Narrow compliance-based approaches may involve a fixed schedule of compliance checks which is relatively invariant to perceived risks. Risk-based supervision, by contrast, is a dynamic and continuous process that involves planning, risk assessment, execution of the supervisory programme and regular monitoring and evaluation on a risk-based cycle. It seeks to identify emerging areas of risk and the adequacy of management and financial resources to address these.
The emerging risks can be identified in both internal and external sources. External sources can be regulatory and ombudsman bodies like ASIC, AFCA. AFCA Insights service launched by us is a great source to learn so much on emerging risk patterns from complaint management data.
It also greatly facilitates dialogue on things that really matter. Continuous control monitoring and supervision strategies will differ from one firm to others but some foundations of forward-looking assessment based on risk remain the same.
To learn more about how to automate risk-based supervision for Banking code of practice and strategies to identify emerging risk patterns, send us an email (email@example.com)