Methods for assessing regulatory risk in a bank. Practical guide
Regulatory risk in a commercial bank
Organizations in the financial sector were the first to be guided by the concept of legal risk: the Bank of Russia formulated a definition of legal risk in letter No. 92-T of June 30, 2005. It refers to the risk of losses for a credit institution due to various internal and external factors. External factors are those that do not depend directly on the actions of the company itself, for example the imperfection of Russian legislation. Among the internal factors giving rise to legal risks of credit institutions, the Bank of Russia lists the following:
- non-compliance by the credit institution with the legislation of the Russian Federation;
- non-compliance of the internal documents of the credit institution with the legislation of the Russian Federation, as well as the inability of the credit institution to timely bring its activities and internal documents in line with changes in legislation;
- inefficient organization of legal work;
- violation by the credit institution of the terms of its contracts.
This letter of the Bank of Russia is mandatory for all financial institutions.
But legal risks arise not only for financial institutions. Companies in the non-financial sector should also take legal risks into account if they want their business to be efficient. Here, however, a difficulty arises: for these organizations no such list of factors giving rise to legal risks is fixed in legislation. This is one of the reasons for another problem: according to the 2010 Legal Risk Benchmarking Survey by the international law firm Berwin Leighton Paisner (BLP), 75% of CEOs and top managers of companies do not even know what legal risks are or how they can affect the organization's activities. Although almost four years have passed since that study, the situation, according to experts, has not changed dramatically. "Today there is a problem: the absence of a clear definition of legal risk in legislation, and of an understanding of what legal risk is, both among lawyers and among the top officials of a company, which negatively affects its activities," said Anna Kalacheva, head of the department of legal support and regulatory compliance at LLC "Zeppelin Russland", a supplier of special equipment.
Thus, to increase the efficiency of the company's work, it is essential to determine the range of legal risks and direct efforts toward mitigating them.
OUR REFERENCE
The legal risks of organizations in the non-financial sector are broadly similar to those outlined in the Bank of Russia letter. Based on expert assessments, we recommend distinguishing the following risk groups for non-financial companies:
1. Regulatory risks, associated with changes in legislation and with insufficient or inconsistent regulation of a particular area;
2. Contractual risks, associated with fixing in contracts the liability of the parties for breach, as well as the rules for choosing the applicable law and the dispute resolution body (international commercial arbitration, an arbitration court or a state court);
3. Risks from other private-law relations, for example relations over the use of intellectual property;
4. Risks from public-law relations, associated with the organization's participation in administrative, criminal or civil proceedings.
Moreover, each group of legal risks can be subdivided as finely as desired. For example, depending on the company's field of activity, contractual risks can be broken down by type of contract: a supply contract and a lease contract will each carry their own legal risks. Let us consider each group in more detail.
Regulatory risks
Mitigating regulatory risks at the legislative level is quite difficult for a single company, although the opinion of industry or trade associations of entrepreneurs is often taken into account when laws are drafted. For example, when the changes concerning OSAGO (Federal Law No. 223-FZ of July 21, 2014) were prepared, the opinion of the all-Russian professional association Russian Union of Motor Insurers (RSA) was taken into account.
A particular organization can mitigate regulatory risks by joining professional associations. This helps not only to lobby its interests through them, but also to monitor important trends and changes in the legal field promptly and to forecast the impact of innovations on the company's activities.
Viktor Topadze, legal director of the free classifieds website Avito.ru, identifies three options for mitigating regulatory risks:
- the reactive option: take no action until the regulatory act is adopted, then analyze it and act according to the situation;
- the universal option: conduct a preliminary analysis of the draft regulatory act and develop a strategy of behavior, updating it as the draft is amended, and react after its adoption;
- the proactive option: take preventive measures as soon as there is information that a draft regulatory act is being developed.
However, companies cannot always predict changes in legislation. For example, the introduction by the Government of the Russian Federation of sanctions on the import of certain categories of products from the United States, EU countries and some others came as a complete surprise to many entrepreneurs, who were left with only the reactive option for mitigating this risk.
Contractual risks
Companies face these risks most often. Among them are risks associated with:
- making changes, not agreed with the lawyers, to the standard forms of contracts at the time of conclusion (innovations that have not passed legal review may jeopardize performance of the contract);
- dishonest actions both by the company's employees and by counterparties (exceeding or lacking authority to conclude the contract, forging a signature or the contract itself, amending the contract after it has been approved);
- concluding the contract by conclusive actions (that is, by the actual behavior of the parties) or orally;
- performance of the contract (failure to execute, or improper execution of, closing documents; non-performance or improper performance of the contract; performance of obligations under the contract to an unauthorized person);
- challenges to the fact that the contract was concluded or performed.
To mitigate contractual risks, it is important to divide areas of responsibility between the lawyer and the contract's executor when drafting it. The terms on the subject of the contract and on the time and manner of its performance lie in the area of responsibility of, for example, a sales manager or another employee. When drawing up a contract, the lawyer should be responsible first of all for the section "Liability of the parties" with the sanctions stipulated for breach of the contract and the procedure for resolving disagreements, for the choice of law applicable to disputes under the contract, for determining the competent dispute resolution body, and so on. This, of course, does not release the lawyer from checking all provisions of the contract from a legal standpoint and for consistency of the contract's terms with each other and with the company's development strategy.
But most often the negative consequences of the absence of defined areas of responsibility are borne not so much by the employee who allowed a contract with ill-considered and inconsistent terms to be concluded as by the lawyer. The point is that if a court dispute arises over the company's failure to meet, for example, delivery deadlines that were set at random, it can be very difficult to defend the company's position objectively. A lost lawsuit can cost the lawyer a bonus.
"A contract is an instruction on exactly how and under what conditions a particular employee will work with a counterparty, that employee and no one else. But very often many managers and other actual executors of the contract forget about this and do not get the result from performance of the contract that they expected at all. And then the lawyers deal with all the problems under the contract," explained Anna Sologubova, head of the legal department of the pharmaceutical company Invar. We recommend fixing in the employment contracts and job descriptions of responsible employees the obligation to agree any amendment to any contract with the lawyers. If this rule is violated, a disciplinary sanction in the form of a remark or reprimand may be applied to such an employee, taking into account the severity of the misconduct and the circumstances in which it was committed.
Risks from other non-public relationships
Most often these risks arise from the use of someone else's intellectual property, and for the most part they are connected with advertising campaigns. As Nikolay Stepanov, director of the legal department of the tire manufacturer Pirelli Tire Russia LLC, noted, misuse of someone else's intellectual property to promote one's own product can be fraught with financial and reputational losses.
Financial losses may take the form of compensation paid to rights holders for the use of their intellectual property, additional tax payments, and fines for unpaid royalties to authors or rights holders. Reputational loss manifests itself in an unfavorable impression of the company among consumers once such a violation becomes public.
To mitigate this risk, a lawyer needs to determine from the outset which intellectual property object will be used in advertising and on what legal basis. In particular, it should be clarified whether it is subject to legal protection at all (for example, anything in the public domain can be used freely), and whether the organization has a license agreement or a letter of authorization from the rights holder or its representative. This can be done by adding to the job descriptions of employees whose duties include creating advertising, or collecting materials for its creation, the obligation to report on the intellectual property objects used, their rights holders and the grounds for using such objects. Separately, the job descriptions or regulations of the organization should set out the employee's liability to the company for material damage if the organization is fined for misuse of an intellectual property object.
If advertising materials are created by an advertising agency, it is necessary to check the legality of the actions of the particular advertising producer with respect to the use of intellectual property objects, for example by requiring that license agreements or other documents confirming the right to use the intellectual property objects involved in the advertising be attached to the acceptance certificate for the work. It should be remembered that liability for the use of other people's intellectual property objects can be assigned, at the rights holder's choice, either to the advertiser (the organization itself) or to the advertising producer. "In this regard, it would be appropriate for the advertiser to add to the agreement with the advertising producer a clause stating that the latter is liable for violation of the rights of third parties, the rights holders and/or authors of intellectual property objects, in the course of advertising, and also to provide for the obligation of the advertising producer to protect the advertiser from such disputes and to resolve all disagreements, if they arise, at its own expense," advises Nikolay Stepanov.
Company involvement in litigation
The risks associated with the organization's participation in administrative, criminal or civil proceedings cover court cases brought by counterparties, cases initiated by the company itself, and cases initiated by public authorities. When identifying such risks, the specific grounds for the claims and the amount claimed or of the fine imposed may be taken into account.
Some experts do not support separating a company's litigation into its own risk group, noting that litigation with counterparties is inevitable when doing business. Another argument for this view is that litigation risk is already taken into account when assessing every other group of risks. Alexander Kotlyar, head of the control and legal department of the industrial equipment manufacturer Danfoss LLC, is on the contrary sure that participation in litigation should be treated as a risk and that one should strive to reduce it; then the number of disputes will decrease.
The way to mitigate this risk is to keep statistics on court cases, analyze the causes of their occurrence and eliminate them: perhaps there is a gap in the company's logistics system, or there are no standard contract forms, or there is no feedback from consumers and no effective pre-trial procedure for resolving claims.
Compiling a legal risk assessment matrix
Which groups of risks are present, and the specifics of working with them, will largely depend on the company itself, its field of activity and the priority direction of its development. An effective mechanism for identifying, tracking and mitigating legal risks is the legal risk matrix.
To begin with, it is necessary to identify measurable indicators of the company's activities that will serve as "markers" of the various legal risks. We suggest using as markers the following quantitative indicators for a certain period (a year or a quarter):
- the number of claims made by consumers;
- the number of court cases on claims of counterparties;
- the number of court cases on claims of the company itself;
- the number of identified cases of violation of legal requirements by the company in the course of its activities;
- the number of identified cases of violation of internal local acts by the company's employees;
- the number of draft laws or amendments to legislation governing the company's field of activity;
- the number of instructions from government authorities.
To determine these markers, it is very important to keep correct statistical records for each indicator. "You need to understand that it is impossible to achieve a zero value for all legal risks; this is the unattainable dream of all managers and lawyers. For the normal operation of an organization, it is necessary to determine the risk appetite, that is, an acceptable level of risk for the particular company," noted Anna Kalacheva.
This is followed by analysis of the collected statistics. For example, the indicator "number of court cases on claims of counterparties" should be broken down by type of claim, its grounds, the amount claimed and the outcome of the case; the categories of contracts or other relations from which such cases arise should also be analyzed, together with their frequency and "cost" for the company.
A correct assessment of indicators, which underlies the construction of a matrix of legal risks, is impossible without the following conditions:
- direct interaction of the legal department with the company's management when significant decisions are made, and participation of lawyers in evaluating business plans and new and current projects that may give rise to legal risks;
- a system for effective monitoring of changes in legislation, with the results of such monitoring taken into account in decision-making;
- an established system of control over employees' compliance with the organization's internal local acts;
- sufficient qualifications of the responsible persons to describe and assess the legal risk.
Based on the assessment of indicators for a specific type of risk, the probability of its occurrence for the company should be determined:
- high: the violation is currently occurring, or occurs periodically, or there is reason to believe the company will commit it, and no risk mitigation measures are being taken;
- medium: the violation occurs or occurs periodically, and mitigation measures are being carried out;
- low: the violation occurred in the past and mitigation measures have been taken, but theoretically the risk still exists.
EXAMPLE
Assessment of the "Litigation" legal risk for company X for 2014 (prepared by Anna Kalacheva, head of the department of legal support and regulatory compliance at OOO "Zeppelin Russland", a supplier of special equipment)
Statistics: in 2013, 100 claims totalling $1 million were filed against company X; 90% of them concerned delayed delivery of goods and 10% the quality of goods. The company's annual turnover is $1 billion, so the total claims amount to 0.1% of turnover, while the risk appetite is 1% of turnover.
Expectations: the business plan for 2014 provides for an increase in annual turnover to $2 billion and the introduction of new products with a new logistics scheme.
Risk assessment: the value of the risk is $2.5 million due to an increase in risk factors (new products and new logistics schemes); in terms of quality it remains at the same level, unless significant problems are found in the production and sale of the new products.
Outcome: the risk increases to 0.125% of the company's turnover, that is, the probability of its occurrence increases, but its significance does not change, since it remains well within the 1% risk appetite.
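The matrix method above amounts to three rules: aggregate each marker by type and outcome, express the exposure as a share of turnover and compare it with the risk appetite, and classify probability as high, medium or low from whether the violation is occurring and whether mitigation is in place. The following is an added illustration, not code from the article or from any of the companies quoted in it; the claim register, the `Claim` and `RiskLine` types and the function names are assumptions made for the example, and the sample claims are constructed to reproduce the company X figures (100 claims, $1 million, turnover $1 billion, forecast $2.5 million on $2 billion).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    """One claim from a counterparty (a constructed record type for this example)."""
    ground: str            # e.g. "delivery_delay" or "quality"
    amount: float          # amount claimed, same currency as turnover
    outcome: str = "pending"   # "won", "lost" or "pending"


@dataclass(frozen=True)
class RiskLine:
    """One row of the legal risk matrix (assumed layout, not the article's template)."""
    name: str
    owner: str             # the risk owner, e.g. a deputy general director
    status: str            # "current", "periodic", "expected" or "past"
    mitigated: bool        # are mitigation measures in place?


def classify_probability(status: str, mitigated: bool) -> str:
    """Apply the article's high / medium / low rules.

    high   : occurring now, periodically or expected, and no measures taken
    medium : occurring now or periodically, measures are being carried out
    low    : occurred in the past only, measures have been taken
    A past violation with no measures taken is not covered by the rules; it is
    rated high here as a conservative assumption of this example.
    """
    if status not in {"current", "periodic", "expected", "past"}:
        raise ValueError(f"unknown status {status!r}")
    if not mitigated:
        return "high"
    return "low" if status == "past" else "medium"


def summarize_claims(claims: list[Claim]) -> tuple[float, dict]:
    """Break claims down by ground: count, total amount, share of all claims, cases lost."""
    by_ground = defaultdict(lambda: {"count": 0, "amount": 0.0, "lost": 0})
    for c in claims:
        row = by_ground[c.ground]
        row["count"] += 1
        row["amount"] += c.amount
        row["lost"] += c.outcome == "lost"
    total = sum(row["amount"] for row in by_ground.values())
    for row in by_ground.values():
        row["share"] = row["count"] / len(claims) if claims else 0.0
    return total, dict(by_ground)


def assess_litigation(claims, turnover, risk_appetite,
                      forecast_claims=None, forecast_turnover=None) -> dict:
    """Exposure as a share of turnover, checked against the risk appetite.

    If a forecast is supplied (expected claims and expected turnover for the
    next period), the forecast exposure and its direction are reported too.
    """
    total, breakdown = summarize_claims(claims)
    exposure = total / turnover
    result = {
        "claims": len(claims),
        "total": total,
        "breakdown": breakdown,
        "exposure": exposure,
        "within_appetite": exposure <= risk_appetite,
    }
    if forecast_claims is not None and forecast_turnover is not None:
        forecast = forecast_claims / forecast_turnover
        result["forecast_exposure"] = forecast
        result["forecast_within_appetite"] = forecast <= risk_appetite
        result["trend"] = ("up" if forecast > exposure
                           else "down" if forecast < exposure else "flat")
    return result


# Constructed sample register matching the company X figures: 90 delivery
# claims and 10 quality claims of $10,000 each, $1 million in total.
SAMPLE_CLAIMS = (
    [Claim("delivery_delay", 10_000.0, "lost") for _ in range(90)]
    + [Claim("quality", 10_000.0, "won") for _ in range(10)]
)

if __name__ == "__main__":
    report = assess_litigation(SAMPLE_CLAIMS, turnover=1e9, risk_appetite=0.01,
                               forecast_claims=2.5e6, forecast_turnover=2e9)
    for ground, row in report["breakdown"].items():
        print(f"{ground}: {row['count']} claims, ${row['amount']:,.0f}, "
              f"{row['share']:.0%} of claims, {row['lost']} lost")
    print(f"exposure {report['exposure']:.3%} -> forecast "
          f"{report['forecast_exposure']:.3%} ({report['trend']}), "
          f"within appetite: {report['forecast_within_appetite']}")
    line = RiskLine("Litigation", "Deputy GD for sales", "periodic", mitigated=True)
    print(f"{line.name}: probability {classify_probability(line.status, line.mitigated)}")
```

The register is deliberately kept per claim rather than per total, because the breakdown by ground and outcome is what points at the cause to eliminate (here, delivery deadlines), which the aggregate 0.1% figure alone does not show.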
For the legal risk matrix to be compiled correctly and the risks subsequently mitigated, a person responsible for each specific risk must be designated: the "risk owner". In organizations where legal risks are not assessed, or not assessed properly, it is customary to treat the company's lawyer as the owner of all legal risks.
An example of a different approach is the position of the SIBUR Holding group of petrochemical companies: the owner of a specific risk is the deputy general director for the relevant line of business or the head of the relevant department (for example, the sales department for contractual risk), and the legal service is either a co-owner of the risk or provides only advisory assistance.
As Natalya Kuzmina, a lawyer at Sibur LLC, explained, the procedure for developing and agreeing a legal risk matrix involves three stages.
At the first stage, each structural subdivision of the organization identifies legal risk within its own activities and establishes areas of responsibility, then sends this information to the risk owner and to the organization's legal service.
At the second stage, the risk owner (a head at the "general director minus one" level: deputies of the general director for specific areas of activity, heads of departments and other structural divisions, and so on) assesses the legal risk, develops risk mitigation measures together with the legal service and assigns responsibility for their implementation. Responsibility for failure to take action, however, remains with the risk owner.
At the third stage, the legal service draws up the legal risk matrix in free form or in the form prescribed by the organization, prepares an order for its approval and monitors the implementation of the risk mitigation measures.
EXAMPLE
Sample description of a specific risk in a legal risk matrix (prepared by Natalya Kuzmina, lawyer at SIBUR LLC)
After compiling the list of legal risks and identifying their owners, it is necessary to develop mitigation measures depending on the factors that give rise to each risk. For example, where a legal risk arises because no one is responsible for a particular process, the need to make the job descriptions of the relevant employees more specific will be identified. Where a risk arises from imperfections in, or rapid changes to, legislation, the need for the organization to take part in public discussion of draft regulatory acts, and to develop internal strategies of behavior to mitigate this and other regulatory risks, will become obvious.
In a not entirely stable economy, with ever new challenges for a successful business, the role of the company lawyer is no longer limited to preparing legal opinions. "Business needs solutions, not abstract arguments about what is legal and what is not," says Dmitry Timofeev, Director of Legal Affairs of the Rosvodokanal Group of Companies. In his view, in addition to its standard duty to provide legal opinions, the legal service has quite a few other opportunities to facilitate the company's activities. To do this, lawyers must be involved in corporate governance, including through representation in management bodies, committees and working groups.
An effective tool will be the introduction of legal decision management and work within a project approach, involving other departments of the company in the problem areas identified while compiling the legal risk matrix. In addition, standardization and automation of legal processes will make life much easier for both the lawyer and the entrepreneur. As Dmitry Timofeev noted, for the positive development of the company there is no point in reports; there should be a single database of contracts and other data necessary for the functioning of the organization. The legal risk matrix makes it possible to optimize the structure of the company's legal department and shows whether internal legal resources need to be redistributed or increased, or external resources attracted.
In this article we will look at the general provisions on regulatory risk management in a microfinance organization (MCC and MFC) and a consumer credit cooperative (CCC).
A microfinance organization and a consumer credit cooperative (hereinafter, the organizations) must, in the course of their activities, strive to comply with the requirements of the law, as well as with internal rules and the regulations, practices and standards in the field of organizing regulatory risk management (compliance control).
Regulatory risk (compliance risk) is the risk of losses due to non-compliance by MFOs and CCCs with the requirements of the legislation of the Russian Federation, regulatory legal acts (including Bank of Russia regulations), the basic risk management standards and the internal documents of MFOs and CCCs, as well as losses resulting from sanctions and/or other measures applied by supervisory authorities. The term "regulatory risk" was introduced by the basic risk management standards and is equivalent to the term "compliance risk" used in global practice.
Compliance means ensuring that the activities of MFOs and CCCs comply with the established requirements and standards; it is part of a corporate culture in which every employee's performance of their official duties, including decision-making at all levels, must meet the standards of legality and integrity set by the MFO or CCC for the conduct of its business. The main areas of compliance are countering the legalization (laundering) of proceeds from crime and the financing of terrorism, accounting and reporting, financial reporting, labor, antimonopoly and tax law, ethical standards, and so on.
Compliance control is a process carried out by the management bodies and employees of the organization in order to check that the organization's activities comply with current legislation, rules and standards, both internal and external. Compliance control is based on systematic preliminary control of events that could lead to non-compliance with the requirements and obligations imposed on the organization and cause material damage or damage its reputation.
Compliance control requires observance of the established rules of internal interaction, procedures and decision-making; the requirements for identifying and assessing compliance risks in the field of combating the legalization of proceeds from crime and the financing of terrorism; identification of unreliable counterparties and of fraud and corruption risks; and monitoring of conflicts of interest, the use of confidential information, the receiving and giving of gifts, the quality of work with clients and counterparties, and compliance with ethical standards (standards of professional business conduct). Compliance control analyzes mainly the non-financial performance indicators listed above.
Compliance control eliminates unconscious risk-taking; provides a sufficient degree of confidence that there are no violations of legal requirements or potential claims from supervisory authorities; helps prevent prosecution, including criminal liability; identifies emerging compliance risks at the earliest stages; responds quickly and thoroughly eliminates deficiencies; identifies the causes of problems to prevent their recurrence; eliminates duplication of functions; re-evaluates the role and importance of the functional units of MFOs and CCCs; completes the elements of the internal control system needed to ensure compliance with established requirements and effectively complements that system; reduces unplanned costs; and strengthens the organization's reputation as a reliable partner and increases its attractiveness, thereby ensuring sustainable development.
To manage regulatory risk, MFOs and CCCs should appoint an internal controller: an official whose duties include regulatory risk management (compliance control).
The internal controller is independent in his activities and reports to the head of the organization. The organization's risk manager oversees his activities. The internal controller is responsible for the quality of regulatory risk management. MFOs and CCCs provide the internal controller with all the resources and authorizations necessary to perform the duties assigned to him.
Standards and principles of regulatory risk management (compliance control)
The purpose of compliance is to minimize the risk of the organization becoming involved in processes that could result not only in financial losses but also in a loss of trust on the part of society, as represented by regulatory authorities, investors, partners, owners, customers and others.
Compliance risk is managed from the top down. The head of the MFO or CCC is responsible for organizing compliance control.
Compliance control is an integral part of the corporate culture and activities of the organization. Identification, assessment and management of compliance risks accompanies every process in the organization's activities. MFOs and CCCs should build compliance controls into their business processes.
Observing the principles of compliance control is the responsibility of every employee of the organization. Employees must perform the tasks assigned to them within the requirements of internal regulations and in accordance with generally recognized standards of conduct and business ethics.
Compliance control is one element of the risk management system. Compliance control is carried out continuously.
The organization develops and implements measures aimed at reducing compliance risks and at continuously improving the internal control system in areas of activity with high compliance risks.
MFOs and CCCs require counterparties to observe the principles of compliance in their contractual relations with them.
MFOs and CCCs provide means to identify and manage conflicts of interest, including potential ones.
MFOs and CCCs give employees and third parties the opportunity to report possible violations of compliance standards confidentially, using the methods specified in internal documents.
Disciplinary measures are applied without exception when employees violate compliance standards.
Employees of the organization treat customers attentively, are guided by the principle of equal treatment of customers when communicating with them, and resolve conflicts with dissatisfied customers by available means so as to prevent them from spreading negative information about the organization. MFOs and CCCs should strive to ensure that employees understand their responsibility for compliance and its importance.
Our experts have developed methodological manuals on risk management in a microfinance organization and a consumer credit cooperative, which include the necessary document templates.
Regulatory risk management is one of the main components of effective management of an organization. The tougher financial conditions of a crisis environment impose stricter requirements on risk. The most important factors of sustainability can be the policy toward such risks and taking them into account when important decisions are made, both at the operational and strategic levels.
What is it?
Regulatory risk is the direct or indirect possibility of a restrictive impact, provided for by law, on the part of a state body on a company's business processes. As practice shows, it can be detected before problems appear. Regulatory risk affects a bank moderately. Problems are created mainly by underdeveloped regulations protecting the rights of creditors, including those relating to the process of alienation of collateral.
In addition, the effective functioning of the banking sector is often hampered by differences in the interpretation of normative documents by various courts and bodies (STA, PFU, NBU). Banks also suffer from the imperfection of the executive and judicial systems. Social normative documents also exert considerable influence on the financial sector.
Although the legislature adopts many documents daily, there will be no changes in the near future. This is due not only to the lack of improvement of the system but also to the lack of control over it. It should also not be ruled out that foreign banks will demand liberalization from the regulator in order to keep their place in the country's banking market.
Significant steps in this direction are:
- Reform of the court system;
- Amendments to the Civil Code in order to synchronize with the current law on banking.
Conditions for interaction with government agencies:
- A clear division of powers by level of interaction, based on the type of activity;
- A body that resolves contentious issues arising in interaction with government agencies;
- Creation of a body for developing strategic approaches to interaction with state bodies;
- Availability of specialists in interaction with state bodies;
- Involvement of other scientific and specialized organizations to build up experience.
Creation of a risk management body
Reasons for creation:
- A sharp increase in the number of regulations;
- The emergence of new offenses (administrative and criminal);
- Lack of order in the interactions between the company and government agencies;
- The complex structure of interaction between the state. bodies with the company.
Management and downsizing
Despite the presence of a huge selection of methods and tools of influence that can be applied,
There are several main ways of regulation in banks:
- Control - risk retention with active influence on the part of the bank, aimed at reducing the likelihood of potential damage;
- Avoidance - avoidance of actions that may cause a high risk;
- Preservation - is used when the level of risk is at an acceptable level, and it is not effective or impossible to act on it;
- Risk transfer is carried out when it is impossible for the company to act on it. It is carried out in case of insurance.
Principles of regulatory risk management:
- Understanding the main differences between risks and problems;
- Creation of infrastructure for their prevention;
- Creation of a special body that should deal with corporate issues and affairs;
- Strengthening the analytical and predictive function;
- Focus on the analysis of legislative activities.
Management consists of several stages:
- Applying to special authorities with a request to obtain clarifications in order to resolve the issue that arises as a result of the company's activities;
- Participation in the work of groups and expert councils at various departments on state registration issues;
- Active position in the adoption of normative acts.
Control
The control system functions primarily in accordance with the requirements of the Central Bank, and only then in accordance with the general recommendations of management. Rulemaking by the Central Bank is a continuous and constantly accelerating process. Regulation No. 242-P uses many new terms without explaining their essence or the procedure for introducing them in the company; one of these terms is "regulatory risk".
Given the uncertainty of this term, it can be recommended to the internal control service:
- Prepare a risk map, identify the risks associated with regulation, and demonstrate a clear understanding of techniques for managing risk of this type from the standpoint of the bank's management;
- Submit all procedures of the credit institution for analysis in order to show that their provisions comply with the main requirements of the legislation.
When conducting such checks, it is important to focus on providing the full scope of documents: all reports related to regulatory risk control and the results of its testing. A third-party opinion, if provided, is evaluated positively.
Regulatory risk management is the work of officials aimed at reducing and preventing the occurrence of risks, as well as at creating a normal business environment.
A management strategy is a set of measures to influence legislative work based on prioritizing the company's security in order to conduct business.
Not so long ago, the Bank of Russia introduced the concept of regulatory risk. Almost immediately, it became one of the most discussed topics among professionals. This practical guide, the first and so far the only one in Russia, is dedicated to the complex topic of regulatory risk.
How to identify and minimize regulatory risk? How to build a management system? You will receive exhaustive answers to these and many other topical questions from the proposed manual.
These answers will help you to significantly reduce the risk of losses that may be incurred as a result of deviations from legal requirements, sanctions and other enforcement actions by regulatory authorities. This will be achieved thanks to the recommendations contained in the manual on building and implementing an anti-corruption policy, a conflict of interest prevention policy, a system for detecting violations of customer rights, etc.
The book is addressed to managers and employees of departments and services:
- risk management,
- internal audit and internal control,
- methodology and analytics.
Marina Burdonova is a GARP-certified risk manager with extensive practical experience and Director of the Department of Non-Financial Risks and Financial Monitoring of RosEvroBank JSCB. Previously, she headed the Department of Non-Financial Risks at this bank (2011-2015) and the Department for Analysis and Control of Client Operations (2010-2011). Education: Faculty of Law of the Academy of Public Service and Faculty of Economics of the Financial Academy under the Government of the Russian Federation.
CHAPTER 1. FORMING THE RISK MANAGEMENT SYSTEM
A bit of history
Overview of Regulatory Risk Management Approaches
Approaches and principles of the Basel Committee
COSO Approaches and Principles
Sarbanes-Oxley Act
Regulatory framework of the Bank of Russia
CHAPTER 2. ORGANIZATION OF THE REGULATORY RISK MANAGEMENT SYSTEM IN THE RUSSIAN FEDERATION
Basic legal aspects (external regulation)
Basic methodological aspects (internal regulation)
Goals and objectives of the regulatory risk management system
Ensuring influence on the regulatory environment (norms and requirements for banking activities)
Interaction of representatives of the compliance service with regulatory and supervisory authorities
Development, introduction and implementation of regulatory risk management mechanisms and tools
Identification of processes and procedures subject to regulatory risk. Assessment and monitoring of the level of regulatory risk
The place and role of regulatory risk in the bank's risk management system
Place and role of regulatory risk in the bank's internal control system
Variability in the construction of a regulatory risk management system
CHAPTER 3. PARTICIPANTS OF THE REGULATORY RISK MANAGEMENT SYSTEM: IMPLEMENTATION OF REGULATORY RISK MANAGEMENT FUNCTIONS
Roles, tasks and interaction of participants in the regulatory risk management system
Analysis of the structure of corporate governance. Bodies and relevant committees
Key macro function in regulatory risk management
AML/CFT Regulatory Risk Management
Principles of a risk-based approach
Analysis of indicators of the dynamics of customer complaints and analysis of compliance by the credit institution with the rights of customers
Prerequisites
The structure of the claim work
Organization of claims work: controversial issues
Implementation of anti-corruption policy
Ranking business processes by risk level
Areas and types of risk and control
Risks of in-house economic activities
Reporting Example
Managing the risk of conflict of interest
Control of a professional securities market participant. Control over the use of insider information and market manipulation
International sanctions compliance
US sanctions
EU sanctions
CHAPTER 4. MANAGING REGULATORY RISK AS PART OF A COMPLIANCE CULTURE
Compliance culture maturity level in the bank
Stages of development of a compliance culture
Organizational elements
Use of information systems and technology
Reporting for management and government organizations
Types of control used in business processes
Codes, policies and procedures
Distribution of functions and risks at the management level
Application areas of compliance procedures
Availability of compliance experts (compliance officers)
Monitoring compliance rules and regulations and responding to their changes
Implementation of a compliance culture through training and education of employees
Audit and self-assessment of the system
Map of compliance risks, assessment of these risks and analysis of possible impact
External auditors
Personnel management (reduction of the primary human factor)
Development and adaptation of training materials
Organization of staff training
PR campaigns
Motivational programs to involve personnel in regulatory risk management
Stimulation
CHAPTER 5. STAGES AND TOOLS FOR REGULATORY RISK MANAGEMENT
Identification and accounting of regulatory risk events
Regulatory risk assessment
Alternative approaches to regulatory risk assessment
The approach based on operational risk management tools as an alternative approach to assessing regulatory risk
An alternative approach to assessing the acceptability of the level of regulatory risk as a way to improve the effectiveness of risk self-assessment
Monitoring and control of regulatory risk
Register of Key Risk Indicators
Monitoring and control of regulatory risk associated with changes in the regulatory environment
Control methods
Minimization of regulatory risk
Action plans to minimize regulatory risk
CHAPTER 6. REGULATORY RISK MANAGEMENT REPORTING SYSTEM
Reporting levels
Operational level
Regular Level
Regulations and best practices
Reporting purposes
Reporting tasks
Basic reporting principles
The principle of completeness and accessibility
The principle of clarity
The principle of accuracy
Principles of Timeliness and Relevance
Composition and frequency of reporting
Data for consolidated management reporting
Information about the dynamics of key risk indicators (KRIs)
Risk self-assessment results
Scenario analysis results
Preparation of data on the status of action plans
Preparation of data on realized regulatory risk events
How Stakeholder Reporting Is Prepared
Intermediate and external reporting levels
CHAPTER 7. DISCLOSURE OF INFORMATION AND PREPARATION OF PUBLIC REPORTING
Information disclosure
Reasons, goals and objectives of disclosure of information on the activities of financial institutions
Disclosure principles
Open reporting structure for a mid-sized bank
CHAPTER 8. EVALUATION OF THE EFFICIENCY OF THE REGULATORY RISK MANAGEMENT SYSTEM
Internal audit of the regulatory risk management system
Technology for assessing the quality of the compliance control system
Methods for calculating a comprehensive assessment
Audit of the anti-corruption compliance program
External audit
Working with regulatory authorities
Evaluation of the compliance system and function by commercial organizations in order to assign a rating score
Simple about the complex: external audit of specific organizations (case studies)
Assessment of the compliance function by credit rating agencies
Evaluation of the compliance function by creditors
Evaluation of the compliance function by a potential buyer/M&A partner
Assessment of the compliance function by insurance companies
Evaluation of the compliance function by business partners and contractors
External audit at the bank's own request
LIST OF REGULATORY DOCUMENTS
APPENDICES
Annex 1. Classification of types of operational risk
Annex 2. Examples of indicators for assessing the state of the AML/CFT system
Annex 3. Overview of judicial practice on the application of protective tariffs
Annex 4. Fragment of the report on claims work
Annex 5. Assessment of the level of maturity of the processes of the compliance control system
Annex 6. Regulatory risk event declaration form (example)
Annex 7. Detailed version of control/risk management methods
Annex 8. Plan of measures to minimize regulatory risk
Annex 9. Fragment of the report on regulatory risk for the Board of Directors
Annex 10. Fragment of the report on regulatory risk for the compliance committee
Annex 11. Potential effectiveness of the compliance control system (compliance/regulatory risk management) in general
Special offer! All buyers of electronic kits (printed + electronic version of the publication) will receive a bonus: 11 supplements to the manual in an easy-to-copy and edit MS Word format.
Yuri Yudenkov, Chief Editor, Ph.D.
The internal control system in a credit institution functions first of all in accordance with the requirements of the Bank of Russia and only then in accordance with the recommendations of corporate governance. Rulemaking by the Bank of Russia methodologists is a continuous and accelerating process. The new version of Regulation No. 242-P uses many new terms but does not explain their essence or implementation procedures, in particular the term "regulatory risk". Let us deal with this object of control.
Regulatory risk is a new concept in supervisory practice. The Bank of Russia has not given its definition anywhere before.
Clause 4.1.1 of the new version of Bank of Russia Regulation No. 242-P dated December 16, 2003 "On the Organization of Internal Control in Credit Institutions and Banking Groups" (hereinafter Regulation No. 242-P) defines regulatory risk through the concept of compliance risk, that is, the risk of losses due to non-compliance with the legislation of the Russian Federation, the internal documents of the credit institution, the standards of self-regulatory organizations (SROs; if such standards or rules are mandatory for the credit institution), as well as a result of the application of sanctions and (or) other measures of influence by the supervisory authorities.
Regulatory risk control as a compliance risk?
For a more accurate understanding of the essence of regulatory risk, it is necessary to refer to the concept of compliance control. Traditionally, compliance risk has been viewed as a generalization of legal and reputational risks (although in the BCBS interpretation, legal risk is part of operational risk). For banks, the practical issues of organizing compliance control were regulated by Regulation No. 242-P, Bank of Russia Letter No. 92-T dated June 30, 2005 "On the Organization of Management of Legal Risk and the Risk of Losing Business Reputation in Credit Institutions and Banking Groups" (hereinafter Letter No. 92-T), and for some banks also by the Regulations on Internal Control of a Professional Securities Market Participant, approved by Order of the Federal Service for Financial Markets of March 21, 2006 No. 06-29/pz-n.
It is not yet clear what the responsibilities of compliance controllers will be in connection with the emergence of reputational risk controllers, but traditionally the main responsibility of the former was to provide effective support within the organization for business functions in complying with relevant laws and the requirements of external and internal regulatory documents.
The Banking Compliance Function recommendations issued in October 2003 (BCBS 103) define compliance as: “an independent function that identifies, assesses, advises, monitors and reports on compliance risk, defined as legal or regulatory sanctions, financial loss, reputational damage that may be incurred by the bank as a result of its non-compliance with laws, regulations, codes of conduct and good practice standards”.
In a more general definition, given by the International Compliance Association not only for banking organizations, the main task of the compliance controller is to ensure that the organization has an internal control system that adequately measures and manages the risks the organization faces.
1) control over legal risks associated with the regulation of banking activities. The emergence and growth of the level of these risks can cause significant financial losses due to the imposition of sanctions against banks, increased capital requirements;
2) prevention of the risk of loss of reputation associated with dishonest observance by employees of the rules and norms of business ethics;
3) optimization of relations with supervisory authorities and integration of existing rules and norms of banking regulation and supervision into the current activities of the bank;
4) development of cooperation and partnership with other banks, which can help increase the competitiveness of the bank.
Based on the above quotes and reasoning, it can be assumed that the introduction of the concept of regulatory risk was aimed at assessing the compliance of the bank's current activities and its regulations with the adopted laws and regulations. But at the same time, we must also consider the reverse situation, when the goal is not achieved. And what if there are as many goals and regulators as there are legislative initiatives and departments holding those initiatives? In large credit institutions, the adoption of laws affecting the activities of banks has always been monitored, since the consequences in the form of direct losses can be serious. In some banks, the position of GR manager (Government Relations, by analogy with PR) has recently been introduced to minimize losses from legislative (in the broad sense, legal) risks.
In fact, we can speak of a general paradigm of control (in light of the full cycle of managing an object): control is the transfer of a controlled object from the "as is" state to the "to be" state (as it should be) (Fig. 1). At the same time, it is assumed that legislators, the regulator and others like them understand and set out better than anyone else how it should be. The problem often arises not because the individual "regulators", as we shall call them, know their subject poorly, but because all these locally good "to be" states are poorly combined, or rather poorly "complexed", in a particular real object, a credit institution.
The regulatory risk of the regulator deserves a separate analysis as an assessment of the effectiveness of its innovations in the “as to be” sphere.
Regulatory risk control is built into the overall control system of the credit institution. Considering it, one can imagine the general range of processes for achieving goals in certain structural units where regulatory risk can be realized and which are responsible for the implementation of the control function (Fig. 2).
Organizational and functional tasks of internal control of regulatory risk
The organizational aspects of regulatory risk control described by the Bank of Russia, unfortunately, also do not make it possible to give it an unambiguous definition. In clause 4.1.1 of Regulation No. 242-P, one can find indirect signs of determining regulatory risk through the functions that the bank's internal control service should perform:
— accounting for events associated with regulatory risk, determining the likelihood of their occurrence and quantifying possible consequences;
— monitoring of regulatory risk, including analysis of new banking products and services being introduced by the credit institution and planned methods for their implementation for the presence of regulatory risk;
— coordination and participation in the development of a set of measures aimed at reducing the level of regulatory risk in a credit institution;
— monitoring the effectiveness of regulatory risk management;
— participation in the development of internal documents on regulatory risk management;
— informing the employees of the credit institution on issues related to regulatory risk management.
Moreover, paragraph 4.1.17 states that the annual reports of the internal control service on the work carried out to the executive bodies, and in cases established by the internal documents of the credit institution, to the board of directors (supervisory board) of the credit institution include:
— data on the implementation of the activity plans of the internal control service in the field of regulatory risk management;
— information on the results of monitoring the effectiveness of the implementation of the requirements for managing regulatory risk, the results of monitoring the areas of activity of a credit institution with a high level of regulatory risk;
Since Regulation No. 242-P draws no clear "watershed" between the internal control service and the internal audit service, and many functions are repeated, it is worth using a temporal orientation as the distinguishing feature: the ICS solves tactical and operational tasks of identifying and eliminating deviations in a mode close to real time, while the IAS is more focused on retrospective analysis of deviations. Figures 3 and 4 present the principles, tasks and functions of the ICS and the IAS.
Comparing the principles, tasks and functions of the ICS and the IAS with the functions of the compliance unit, it can be argued that the main functions of a fully functioning ICS include the following:
— regulatory risk management. ICS monitors, assesses and manages regulatory risk in accordance with internal regulatory risk assessment methods;
— countering the legalization (laundering) of proceeds from crime and the financing of terrorism. The AML/CFT unit ensures and controls the process of verification of new clients (Know Your Client, KYC) and subsequent monitoring of the profile and transactions of clients;
— intermediary functions in interaction with the regulator. The ICS supports the interaction of the credit institution's divisions with the regulator, including during the regulator's inspections, and controls the process of correspondence with it (possibly in specific areas);
— control over the compliance of the corporate governance structure with the requirements of the regulator, etc. — depending on the characteristics of the organization;
— monitoring of changes in legislation and compliance with internal regulatory framework. The ICS monitors changes in legislation, informs the relevant departments of the organization about the need to make changes to internal regulations, monitors the compliance of the internal regulatory framework with current legislation and standards.
It can be assumed that the Bank of Russia, defining regulatory risk as an object of control (Table 1), includes loss of profitability, a decrease in capital, and a threat to the bank’s reputation associated with the inability to comply with growing regulatory requirements and expectations in the totality of adverse outcomes for this risk. But how to identify and assess regulatory risk?
Table 1
Participants in the regulatory risk control function in Russian banks
| Subdivision | Functions | Disadvantages of regulations |
| --- | --- | --- |
| Internal Control Service (Internal Audit) | An analogue of the "internal audit" function according to the standards of the Institute of Internal Auditors, as well as: verification of compliance of internal documents with regulatory legal acts and SRO standards; evaluation of the work of the personnel management service; other issues | A number of areas of activity allow a conflict of interest, because the unit organizes and defines the methodology of the internal control system while also having the authority to check these aspects |
| Responsible officer (structural unit) for AML/CFT | Development and implementation of internal control rules for AML/CFT purposes, programs for their implementation and other internal organizational measures for these purposes. Organization of submission of information to the authorized AML/CFT body in accordance with Law No. 115-FZ and Bank of Russia regulations | Scope of competence limited to AML/CFT |
| Controller of a professional securities market participant | Verification of compliance of the activities of a professional securities market participant with the requirements of the legislation of the Russian Federation on securities and on the protection of the rights and legitimate interests of investors in the securities market, and with regulatory legal acts of the federal executive body for the securities market | Scope of competence limited to the areas of activity of a professional securities market participant |
| Responsible legal officer | Verification of compliance with regulatory legal acts, SRO standards, constituent and internal documents. The Recommendations on the organization of legal risk management (attachment to Letter No. 92-T) propose that the legal risk management unit (employee) be entrusted with organizing work to minimize legal risk | The status of this unit (employee) is not defined. The authors have encountered the notion that this is "just another name for the legal service". The powers necessary to perform the functions and the procedures for their performance are not defined |
Regulatory Risk Assessment and Early Warning System
Identification and control of regulatory risk in credit institutions is carried out at two levels:
- Level 1 - compliance with external rules that the organization as a whole is obliged to comply with;
- Level 2 - compliance with the requirements of the internal control system, which are established in order to ensure compliance with external requirements.
For a visual representation of the procedures and subjects for identifying regulatory risk, see Fig. 5.
In the fight against any violations, there are the following control methods:
1) preliminary control (prevention, preventive measures);
2) stimulation;
3) subsequent control.
The first method of control, so-called preliminary control, includes:
— identification of requirements;
— assessment and ranking of risks;
— identification of controls (example: the US Foreign Corrupt Practices Act (FCPA), "transfer of anything of value");
— identification of business processes, involved employees and internal regulation in the company;
— changing the practices of the credit institution, abandoning practices;
— making changes and additions to the company's internal documents and additional preliminary control (a "second pair of eyes" from the relevant functional units or senior management, where necessary and justified).
The second method is the implementation of subsequent control by the control units of the credit institution:
— conducting systematic training of employees;
— monitoring of legislation and judicial practice;
— regular assessment of legal risks;
— assessment of the effectiveness of the regulatory risk management system;
— reporting and corrective action.
In addition to the risk identification and control process itself, procedures are needed to “adjust” the control system to changes in risk characteristics. Figure 6 illustrates the presence of so-called “defense lines” in the internal control system and the change in the state of the internal control system when managing regulatory risk. The diagram also highlights the cycles of a priori — early detection and elimination of regulatory risk, and a posteriori — after risk realization.
If we assume that regulatory risk is the risk that practice does not meet certain theoretical requirements, then what decisions should a bank make to reduce regulatory risk? The Bank of Russia may issue Regulations ("P"), Ordinances ("U") and recommendations ("T"). If a credit institution fails to meet a "T", is the regulatory risk higher or lower than if a "P" is not met? And if bank staff do not comply with internal regulations, is that a high or a low regulatory risk?
It can be assumed that the assessment of the regulatory risk control system can be carried out by third parties, and not only by the Bank of Russia. Then the following table can be formed (Table 2).
Table 2
Third parties involved in the process of assessing the regulatory risk control system
| Subjects of control | Risk assessment |
| --- | --- |
| | Moderate |
| Potential buyers (investors) planning an M&A transaction or a sale and purchase transaction with the company. The regulatory risk control function and the effectiveness of compliance risk management are assessed during preliminary due diligence | Moderate |
| State organizations (depending on the industry and the country of operation of the credit institution), in the course of their main activity | |
| Lenders (banks and financial institutions): analysis of the regulatory risk control function as part of the company's credit risk assessment | Moderate |
| Insurance companies, brokerages and other companies: analysis of the regulatory risk control function as part of the overall risk assessment and determination of the insurance premium | |
| Auditors during the audit of financial statements and AUP projects: analysis of risk management in the processes of preparing financial statements, assessment of the regulatory and compliance risk management system | |
| Counterparties when deciding whether to work with a client and (or) carry out projects | |
When the subjects of regulatory risk control, in this case third parties, give a positive or neutral risk assessment, they respectively influence decision making positively or do not influence it. With a negative assessment by these subjects, the level of risk is (see the 2nd column of the table):
Moderate - in the event of a discrepancy, it may or may not affect the final decision.
High - if a discrepancy is identified, it will have a serious impact on the final decision.
Low - if a discrepancy is identified, it will have little impact on the final decision.
Conclusions
Under conditions of general uncertainty in determining regulatory risk, it is possible to recommend to the internal control/audit service:
1) prepare a risk map, identify the risks associated with regulation, and demonstrate a clear understanding of techniques for managing risk of this type from the position of the bank's management;
2) submit for analysis all the policies and procedures of the credit institution in order to prove the compliance of their main provisions with the requirements of the law.
When conducting external audits, it is necessary to focus on providing the full scope of the requested documents, providing self-assessment and internal audit reports related to the assessment of regulatory risk, and the results of its testing. It is especially appreciated if a positive opinion of a third party is given.
In the new version of Regulation No. 242-P, regulatory risk is defined through the concept of compliance risk, i.e. the risk of losses due to non-compliance with the laws of the Russian Federation, internal documents or SRO standards, or as a result of the application of sanctions by supervisory authorities.
Notes
1. In Russia, the term "compliance control" was first introduced by Bank of Russia Ordinance No. 603-U dated July 7, 1999 "On the procedure for exercising internal control over the compliance of activities in financial markets with legislation on financial markets in credit institutions". Compliance control was defined as internal control over the compliance of the activities of a credit institution in the financial markets with the legislation on financial markets, within the general system of internal control of a credit institution, and financial markets were understood as the securities and futures markets. A little later, a definition of compliance risk appeared: "the risk of legal sanctions or sanctions by the regulator, real financial losses or loss of reputation, which may arise as a result of a bank's non-compliance with laws, regulations, standards of self-regulatory organizations and codes of corporate conduct in relation to the bank's activities". This is very similar to the definition of regulatory risk.
2. In the original - "compliance officer".
3. Federal Law No. 395-1 of December 2, 1990 “On Banks and Banking Activities”.
4. The figure is a fragment of the scheme and does not include all the components of the functioning of the IAS.
5. The figure is a fragment of the scheme and does not include all components of the ICS operation.
6. Federal Law No. 115-FZ dated 07.08.2001 “On counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism”.
7. Employees must understand that they are being monitored; this reduces the likelihood of violating regulations by more than 80%.