Overall – and not surprisingly – most see the business environment as highly unpredictable and believe that this level of uncertainty will continue for the foreseeable future.
The key themes of the discussions centred on the following matters:
- Customer relationships are changing and firms look to use customer data in novel and innovative ways. Further, new technologies provide new types of interactions between customers, firms and third parties, but customers in May 2018 are also set to gain stronger rights over how businesses use their data (think GDPR).
- The regulatory ecosystem of financial services is, as ever, changing and evolving. MiFID II will intentionally overhaul the trading landscape, as will the fourth and fifth EU directives, also driving changes throughout the industry.
- There is much geopolitical uncertainty and events which were unthinkable a few years ago are now a reality. A new-world order appears to be emerging with populist politicians offering simple solutions to complex problems with a worryingly growing focus on protectionism and the sovereign rights of individual countries at the expense of global relationships.
- The outlook in the US under President Trump includes the repeal of numerous financial industry regulations, incorporating much of the Dodd-Frank financial reform legislation passed by the Obama administration in response to 2008’s financial crisis. Talk of protectionist tariffs on products such as steel may trigger more extensive trade restrictions as other countries take retaliatory actions.
- In the UK, Brexit negotiations have yet to begin in earnest but the prospect of the UK departing the EU is sending shockwaves through the financial sector and beyond amid the possibility of changing economic rules, relationships and tariffs.
- Challenges from Russia, North Korea, the Middle East and countries within the continent of Africa and elsewhere.
In talking to these Jersey executives about the aforementioned matters, there appeared to be recurring operating vulnerability themes that included – but are not limited to – the following:
- Supply Chain remains one of the weakest links in risk management
- Regulation continues to add to the complexity of management
- Unmet board expectations exposed by significant incidents
Alongside these, the themes included new-world information security threats:
- Crime-as-a-Service (CaaS) – Criminal groups behind ransomware attacks and data breaches are expanding their activities and commoditising their hacking tools and services, selling them on the Dark Web to other, less sophisticated criminals
- The Internet of Things (IoT) – IoT adds unmanaged risk possibilities and IoT devices offer a way in for cyber-attacks
Ten critical problems
As organisational risk advisers, we wished to distil from this the Governance, Risk and Compliance (GRC) risk challenges. In considering the causation of the risk matters discussed, the 10 critical GRC problems highlighted were:
- Cybersecurity and Data Privacy
- Data and Analytics
- Risk Management Governance and Controls
- Conduct and Culture
- Compliance Risk Management
- Financial Crimes Compliance
- Strategic Risk and Disruptions
- Fiduciary and Investor Protection
- Capital and Liquidity
- Geopolitical Uncertainty
The Jersey Financial Services Commission (JFSC)
In considering risk, we should also consider other bodies and their views. In particular, on the 5th September 2016 the JFSC published its Risk Overview survey, within which the JFSC suggests that the first two of the following risks pose the most severe of the different threats facing firms in Jersey:
- Terrorist financing
- Financial crime more generally (think bribery and corruption, tax evasion and facilitation, insider dealing and other predicate crimes)
- Financial failure
- Confidential data losses
- Reputationally damaging products
- Market abuse
- Loss through malpractice or incompetence
- Business disruption
The JFSC has said these findings would help determine its enhanced approach to its risk-based supervision of Jersey regulated entities.
In considering the aforementioned multiple risk factors, our discussions with the Jersey executives turned to capacity and the hard decisions on which direction their businesses should go.
Our conclusions on these discussions are as follows.
The Jersey finance industry will always face resource constraints with numerous competing priorities. With business models already under pressure, it can be difficult for regulated firms to achieve the minimum standard, let alone invest in becoming best in class, although with the rise of regtech and fintech products, firms can do old things better, introduce new products and services, and find new cost-effective ways of working. However, this also creates new risks for firms because their business models may not be up to the challenge, as well as for consumers where technology use is not well understood or controlled.
The result of the rise of the regtech and fintech revolution will be that both old and new players will forge different types of connection, mainly through technological innovation and third-party service providers. With this disruptive change, the shape of markets is changing and with this the nature of risk in the system.
The message is that the rapid pace of change and development in the global marketplace provides a challenging and unpredictable operating environment for entities of all types and sizes. Further, with the speed of change, constant advances in technology and rapid responses to new market opportunities, the emerging risks can be a significant source of competitive advantage.
The unique aspect regarding disruptive change is that it presents a choice – on which side of the change curve does a firm want to find itself? Organisations consequently need to make a conscious decision about which strategy they adopt: either to be the disruptor, leader and/or transformer, or to play a waiting game, monitor the competitive landscape and react only when necessary to defend market share.
In consideration of the aforementioned factors, those firms that do not stay ahead of the ‘change curve’ become captive to events rather than charting the direction of their choice. Further, for those firms choosing not to disrupt the current situation, the challenge is that, when change does happen (because it will), they are able to ensure they react quickly as an early mover.
On the last point, it seems to us that too few businesses are responding quickly enough. What we would also add to this statement is that some parts of the regulatory environment also suffer from the same state of affairs. For example, the EU’s General Data Protection Regulation (GDPR) is a game changer but can other areas of law and regulation claim to challenge current and future risks in the same manner?
In consideration of the outlooks examined here and in the interest of evaluating and improving the risk assessment process, there are many conventional diagnostic techniques and questions for the board and the directors along with the C-suite executives to consider when evaluating their organisation’s risk assessment and process.
For the purposes of this article, we will try to simplify these into the following:
- Know your risks
- Know what your appetite is to the risks identified
- Know what assets you have exposed to the risks identified
- Know the threats and vulnerabilities (TVs) to your assets
- Against the TVs, measure the impact and probability of risk crystallisation on your assets
- Evaluate the outcomes and assess them against your risk appetite
- Manage the above results using the four Ts – treat, transfer, tolerate and/or terminate; and
- Manage and monitor the residual risks
These and other questions can assist organisations in defining specific risks and assessing the adequacy of the processes informing risk management and board risk oversight.
We hope this synopsis provides essential insights about both the real and potential risks on the horizon for 2018 and beyond, as well as a catalyst for an updated assessment of the risks and the risk mitigation capabilities within all organisations.
Mathew Beale, Managing Director, Comsure.
Mathew is a Fellow of the Chartered Institute for Securities & Investment (FCSI). He started his career working within the asset management industry for 10 years and has since focused on financial services regulation. Between 1995 and 2002, he worked for the body now known as the Jersey Financial Services Commission, where he was responsible for the day-to-day conduct of business of regulated entities, reaching the position of Senior Compliance Manager. Since 2002, he has worked within private practice in all aspects of regulatory compliance.
From 2002 until May 2005, Mathew was a senior lecturer on the International Compliance Association’s (ICA) Introductory Certificate in Compliance, the International (and UK) Diploma in Compliance and the UK Diploma in Anti-Money Laundering. During this time he co-authored the materials used by the ICA in their UK and International Diplomas in Compliance.
In April 2005 Mathew founded Comsure, which now consists of three companies: Comsure Compliance Limited, Comsure Technology Limited and Comsure Group Limited (the Comsure Group of Companies).
Paul Declat, Chairman, Comsure.
Paul is a career banker who worked for Barclays Bank for 39 years, the last 25 of which were spent in the Channel Islands. Paul undertook a variety of senior roles and gained experience in most aspects of the Jersey Finance industry. His last role was as Channel Island Platform Director responsible for business risk, implementation of the strategic change agenda and business management.
Paul was an active member of the Jersey Bankers Association and was President in 2015/16. He is ACIB qualified and also holds the IOD Certificate in Company Direction.