RBI Deputy Governor MK Jain did some straight talking last month where he cautioned against the extant sub-par quality of compliance setups, weak risk culture, the inadequate scope of internal audits and an overall disconnect between compliance and audit functions within regulated entities. HIs concerns were as follows:
Compliance:
- Failure/delay in detection and reporting of non-compliances
- Continuing sub-par compliance
- Deficiencies in compliance testing
- Limited transaction testing
- Lack of root cause analysis
- Lack of focus on sustainability of compliance
- Lack of adequate quantity and quality of resources within the compliance function
Risk:
- Disconnect between the risk appetite framework as approved by the Board and actual business strategy and decision making
- No guidance from senior management
- Improper risk assessment
- Repeated exceptions to risk policies
- Evident conflict of interest especially in related party transactions
- Zero or faulty enterprise-wide risk management
- Board’s failure to look at cyber risk as an enterprise-wide risk management issue instead of an IT security issue
Internal audit:
- Inadequate coverage / scope
- Weak audit process leading to non detection of irregularities
- Non-compliance/ delay in compliance with audit observations
These are serious issues highlighted by the Deputy Governor which needs to be addressed head on by the Board and the leadership within regulated entities. While business growth is important, it cannot come at the cost of ineffective risk management and inadequate compliance.
While the RBI has repeatedly nudged entities to conduct training and awareness programs for the Board, leadership and the compliance and risk staff, business needs have often superseded these supposed ‘distractions’. However, given the increase in sophisticated financial crimes, the RBI has recently advised that Financial Institutions should undertake awareness training programmes for their Board of Directors and senior leadership team to familiarise them with Compliance, Risk Management, IT and relevant cyber security topics.
Way forward:
Given that proper risk management and effective compliance monitoring & reporting are not start-stop functions but are continuing efforts that need to be properly implemented once, refined repeatedly and monitored continuously, the help of experienced compliance and risk professionals from within the financial services industry needs to be leveraged to prevent events of non-compliance that have repercussions, both regulatory and financial.