Controlling risk and compliance: It takes a system

By Ben Harrison and Nigel Riley

While financial services firms have spent significant resources to knit together systems that allow them to aggregate financial risks such as credit, counterparty and market risk, they have sometimes neglected the systems to manage the tremendous compliance obligations from other forms of non-financial risk. For instance, investment banks and private equity firms who manage deals typically have decentralized and siloed information. These siloed organizations have yet to find a meaningful way to manage conflicts of interest, which sit at the crux of non-financial risks and control.

Financial services companies need a system—not just a cohesive organizational infrastructure, but the technology that supports it—before they can adequately manage their tremendous compliance obligations and related areas of non-financial risk. Very often, they have not one technology, but five or more, each supporting a different division or function.

Compliance problems are most common among distributed organizations with many pockets of people handling their own clients and deals and running their own strategy, each supported by unique technologies with independent databases. Arranging entrepreneurial silos might be considered an organizing system that breeds success in dealmaking. Unfortunately, market forces and stricter regulations increase the need to streamline critical risk-management activities. Firms can no longer neglect the need to manage compliance risk with a form of central oversight and control – and the need for a central technology to support a consistent and accessible database across deal flow, CRM, staffing, contracts and other activities to manage risk. Finding the balance between individual dealmaking and non-financial risk and compliance management is vital.

As market forces demand more transparent reporting and stricter regulations take hold, many firms are attempting to evolve into more collaborative organizations. Yet industry reports, including a recent study by PwC, acknowledge that many financial services companies maintain compartmentalized or legacy programs even as they invest in new technologies and platforms. That’s a waste of time for deal-oriented due diligence as days tick by. It is also an elephant in the room of compliance risk.

When each system is touching a different part of the proverbial elephant, the risk is that the firm never knows exactly what it is facing, cannot get a sense of its size or weight and certainly never expects a stampede. When multiple systems are active and each owns its own information and exposure, the firm faces significant, and potentially multiple, risks.

Unifying deal, relationship, and compliance records can accelerate conflict review and resolution. Increased collaboration between compliance teams and investment professionals can drive success.

Conflicts or collaboration and compliance

Conflicts of interest stand atop the issues that can be difficult to track and analyze—whether conducting normal diligence or facing a regulatory crisis.

Conflicts are critical to five key areas of risk across any investment bank:

  • Deal-related compliance
  • Personal conflict of interest compliance
  • Material non-public information
  • Obligation, including industry exclusivity or key-person limitations
  • Reputation risk

The need to streamline critical risk-management activities and unify deal, relationship and compliance records may not be clear until organizations need to accelerate a conflict review and resolution. Firms that maintain conflicting databases don’t have an approach to prevent any of these issues. Each might be built on a tech “platform” that supports a single function, perhaps deal-related activities and valuations, CRM for pipelines, financial reporting, or internal accounting.

As noted in a pre-pandemic McKinsey report: “Platforms are distinct units, but their value is based on how effectively they work together. Most companies overlook the criticality of making all IT components work together seamlessly because their attention is focused on individual projects.” It’s reasonable to expect that the increase in remote work has increased the need for a more institutional system of sharing and collaboration.

Examining how that works in times of crisis helps to make the point.

Larger firms are the most visible and often the most vulnerable when crisis strikes. When facing exposure to a company’s collapse, à la Enron, a large investment firm’s own decentralization may lead it to waste time trying to understand its level of involvement, type of risk and total exposure across multiple business units. Such delays in reporting or repeated corrections have led to restatements that lose trust and to increased challenges by government regulators. These challenges, in turn, might lead to class action suits by investors who see the lack of information as negligence—or simply strain their own investors’ confidence and stock price.

In addition to the web of investments, it is vital to track the vast network of relationships. A large investment firm that empowers its teams to work separately is also likely to have myriad tentacles connecting many of its people in the organization to a single executive or company in crisis. It takes time to confirm if the rogue player is a private equity client. Perhaps the firm has not made a direct investment, but what if a board member’s company works with a client of the company in trouble? What if directors are on multiple boards? Is the troubled company one that a managing partner has been prospecting? Even worse, is that rogue player you just met with accused of insider trading?

Compliance is data managed well

The problem for compliance is not in the lack of data and information within the firm. The problem is taking too long to use it. On the one hand, a study by Thomson Reuters suggests that compliance teams are spending one to three hours tracking and analyzing regulatory developments, which they credit to better technologies and databases.

On the other hand, that tracking is often limited to the question of new regulations. When it comes to deal compliance, it can take days to find and reach all professionals who may work with the company, check each of their different data systems, identify all contractual promises of exclusivity and address key-person obligations if one person becomes key to several deals. The firm might never compare reputational exposure to the compliance database or perhaps the billing system and staffing records. It might be difficult to reconcile potentially conflicting dates and other pertinent information. Even more, for full compliance, a firm may need to rectify or justify different compliance parameters across divisions in a decentralized, transaction-oriented company to auditors.

Most of these risks can be managed by streamlining the process and having a single source from which to access all prospects, active deals, entities on watchlists, the network of professional relationships and histories of different business divisions and functions.

Unfortunately, despite massive industry expansion, rudimentary operating systems are not keeping up with increased examination by regulators. Even in more centralized data systems, limited functionality demands hours and expertise to mentally analyze the pros/cons and potential conflicts and liabilities inherent in a deal, a relationship or an employee.

Risk is contagious

We have seen how the effect of mismatched systems clashes with an environment of increasing regulations and causes delays in recognizing firmwide and personal conflicts of interest. It also weakens the ability of conflict and compliance teams to manage other risks.

Most directly, a lack of a unified system can obfuscate each contracted key-person obligation, making exclusive relationships harder to consider and the sudden loss of a key person harder to manage.

Reputational risk management is also challenging organizations as criminal behavior grabs headlines and stirs public fury, or as activist investors with ESG parameters demand clear social policies. The autumn 2021 DealCloud Pulse survey of investment bankers found that 87 percent would not invest in companies or sectors that could have a negative impact on their reputation regardless of potential returns.

While many firms are instituting new policies to meet regulatory or reputational risk issues, any new firmwide policy proposals should be checked throughout a system to measure their impact, and then tracked for compliance across all records. Even firms with a clear hands-off policy for certain industries can face complications when, for example, a joint-venture participant or investment target has its own exposure to that industry. Compliance teams will need to follow what bankers and their teams are working on and what’s been approved or declined—all with an internal audit trail that will highlight issues and resolve them as quickly as possible. Or, as called for in a recent KPMG report, every employee needs to take responsibility for risk management supported by a “robust governance, risk and compliance program.”

A culture of collaboration around compliance and risk can be reinforced when bankers focus on reducing opportunity risk. Once on board with a single system, many bankers have found that efficiency reduces deal risk in several ways. They save time developing the pipeline, target deals with the deepest relationships, and leverage active business in other parts of the organization.

Without collaboration between compliance teams and investment professionals—without databases that house all geographies and business divisions—banking teams waste precious time that may result in potential deals slipping away. Many tell stories about feeling like they were led down a garden path on too many deals before conflicts and other compliance issues were uncovered. Once they have the right system, all teams appreciate saving time rather than wasting it in a bottleneck of diligence.

Ben Harrison is president of financial services and Nigel Riley is general manager for risk and compliance at Intapp.