White Paper
Adapting Compliance Projects and Operating Models for COVID-19
Matteo Coppola, Bernhard Gehra, Lorenzo Fantini, Michele Rigoni, Valeria Mij, Cecilia Lisi
20th March 2020
While the COVID-19 outbreak appears to be plateauing in Greater China, it has reached an inflection point elsewhere, characterized by the emergence of multiple epicenters. More than 150 countries in the world have been affected by COVID-19, and infection rates are increasing in countries like Italy, Korea and Iran, but also in central Europe and the US.
As COVID-19’s international spread has accelerated, markets have started to price in epidemic-related risks, and equity markets have posted some of the biggest daily declines since the 2007 financial crisis. Based on the experience of previous episodes (e.g. MERS in 2014, 2015, and 2016 or the Spanish flu in 1919 and 1920), the virus is likely to strike in several waves, suggesting that containment measures will be only partially effective until the release of a vaccine, which is currently not expected before Q1 2021.

The lessons of history suggest a V-shaped scenario – in which a GDP hit is followed by a rebound, with no long-term loss of output – is likely. However, more pessimistic scenarios with 2021 long-tail impacts remain possible – especially in today’s interconnected world.
In this context, chief compliance officers need to understand the implications for compliance and respond appropriately to safeguard the institution. Beyond participating in bank-wide crisis management and business continuity teams, as most CCOs are already doing these days, it is crucial for them to address compliance impacts in two key areas:

1. Project portfolio management, in order to prioritize projects considering i) risks and commitments (towards regulators, the BoD, Audit, etc.) and ii) effort to deliver.
2. Compliance operating model, leveraging a scenario-based approach to assess vulnerabilities in operations, quantify impacts and define mitigating actions.

Additionally, CCOs need to re-assess inherent risk exposure to capture COVID-19 changes. As an example, many of them have raised concerns that pressure to quickly onboard clients through remote KYC channels could increase the AML risk profile over the next months.

This paper provides a specific framework with practical examples to address the above challenges, drawing on BCG’s experience with financial institutions impacted by COVID-19 (e.g., in Italy, China), as well as ongoing discussions with regulators and previous experience during severe pandemic and systemic crises.
Project portfolio management
In a crisis situation, the regulatory and compliance project portfolio should be analyzed via a structured and fact-based risk assessment. The analysis should be conducted across two dimensions: risks and commitments, and effort to deliver.
Risks and commitments may include:
• The bank’s risk exposure to project postponement or cancellation (financial, personal, reputational)
  o E.g., a significant delay in AML V Directive implementation has different impacts than a delayed roll-out of a new internal controls module.
• Commitments towards i) authorities (e.g. ECB, NCAs) and ii) internal stakeholders (e.g. Board of Directors, Risk Committee or Internal Audit)
  o E.g., projects addressing Internal Audit findings carry different commitment levels than Compliance-driven-only efforts.

Effort to deliver may include:
• Maturity level, assessed by factors including supplier involvement, signed contracts, and milestones achieved.
• Flexibility and adaptability, i.e. the possibility of alternative working arrangements, such as remote working with interactive tools that retains most deliverables
  o E.g., a controls assessment across the Group’s legal entities could be managed remotely with interactive tools, keeping most deliverables.
Given the delicate nature of compliance projects, which usually entail mandatory regulation and close interaction with regulatory authorities, banks should adopt a highly structured approach. This means implementing a robust risk assessment with rigorous KPIs, rating scales, and objective information that can be used to justify any change of plans. Some banks have already started to implement this kind of approach to managing the project portfolio (Exhibit 1).
Exhibit 1. Compliance Officers should perform a rigorous projects portfolio Risk Assessment
We see 4 main actions as a result of such a risk assessment:
• Maintain, if risk/commitment and maturity/flexibility are high
  o E.g., an ECB remediation plan on Governance that can be delivered remotely.
• Extend, if maturity/flexibility is high and risk/commitment is low
  o E.g., a new set of GDPR controls that can be delivered over a longer time.
• Reshape and potentially postpone, proactively engaging other stakeholders, if risk/commitment is high but maturity/flexibility is low
  o E.g., a new IT tool deployment committed with US authorities.
• Stand-by, if risk/commitment and maturity/flexibility are both low
  o E.g., an efficiency project on Compliance activities within the function.
Several of these actions require a proactive dialogue with authorities, as well as with the board and the audit function. Some European banks are already reaching out to the ECB. From our experience, authorities (e.g., FED, ECB, NCAs) are usually ready to start a dialogue, even during significant remediation cases. Therefore, being proactive is key.
Two real-world examples of COVID-19 contingency plans for compliance projects:
• Following the travel ban in Europe, a large EU-based bank initiated a dialogue with non-EU authorities to review upcoming on-site visits, developing a range of contingency options in terms of timing, location, and working modalities.
• Another large EU bank discussed its remediation plan with the ECB after the Supervisory Review and Evaluation Process (SREP) and on-site inspections, with a view to adapting deadlines and action points to reflect the impact of remote working.
A scenario-based approach to the Compliance Operating Model
As they consider the impacts of COVID-19, compliance officers should assess the resilience of their operating models. Given our experience in previous crises and the uncertainty associated with COVID-19, we suggest a four-step approach that starts with a vulnerability analysis and moves on to defining scenarios, their operating model impacts and contingency actions, to be activated based on forward-looking triggers (Exhibit 2).
Exhibit 2: Compliance Officers should follow a scenario-based approach in four steps
Step 1. Vulnerability Analysis
Compliance Officers – with input from Operations and Business – should identify and map key vulnerabilities in their Operating Models, assessing two main areas:
1. Process relevance
Assessing the relevance of processes, clearly defining severity levels. This may be categorized on three levels:
  o Critical for both the compliance function and the business (e.g., financial sanctions screening on names and payments, which could freeze some operations if not completed).
  o Critical for compliance (e.g., risk assessment, compliance planning).
  o Useful but not critical (e.g., general advisory or training).
Process relevance should take into account any increase in risk exposure due to COVID-19. For example, shortcuts to quickly make up for lost client activity and volumes could increase exposure to i) Financial Crime violations (e.g. fast opening of accounts increases money laundering risk; relaxed trade finance manual controls can lead to financial sanctions violations) and ii) Market Conduct violations (e.g. reduced screening of market players’ communications).
2. Process resilience and adaptability
This means understanding to what extent the delivery of different processes is impacted by COVID-19, leveraging a structured scale that incorporates factors including:
  o Possibility of remote working for a critical mass of employees allocated to the process (e.g., possible for hits clearing or KYC backlogs).
  o Concentration of FTEs in one physical space (if remote working is not possible).
  o Concentration of activities across geographies (versus fragmentation).
  o Backup plans (e.g., alternative methods for screening payments).
  o Dependence on specific suppliers and suppliers’ ability to react to the COVID-19 crisis (e.g., one IT provider with limited back-up plans).
Banks should leverage a structured assessment, with scales and clear criteria, similar to that used for the project portfolio. They should clearly document results.
Step 2. Scenario Design
While several Compliance Officers are putting in place contingency actions based on vulnerability analysis only (step 1), the significant uncertainty of the COVID-19 outlook suggests leveraging a scenario analysis approach.
Scenario design starts with the identification of two or three macro scenarios relating to the spread of the contagion. As in any scenario-building exercise, there should be two macro types:
• A general health-related scenario, often used by researchers and medical experts to describe the spread of diseases based on aggregate statistics (e.g. number of infected people, contagion curve impacting treasury staff in key activities)
• An event-based scenario, which is idiosyncratic and relates to specific triggering events (e.g. quarantine of a specific area, expected drop in volumes)

We recommend starting with a limited number of external scenarios (2-3) and translating them into Compliance bank-specific scenarios, based on a narrative that comprehensively captures the main vulnerabilities identified in step 1. A few simplified examples:
• Information feeds from payment systems are delayed due to roadblocks at market infrastructure providers. Compliance screening (e.g. for financial sanctions) is processed at half the previous speed. Business functions receive a high number of complaints. Reputational risk increases exponentially.
• A large number of KYC hub employees get infected by COVID-19 and, despite others working overtime, KYC backlogs for high-risk clients reach a record high, requiring disclosure to authorities.
It is important to assign simple KRIs to each scenario (e.g. KYC backlog #, # of sanctions hits escalated to 2nd level) and to employ thresholds. Monitoring these, together with reporting to senior management and the board, will ensure early warning signals are caught and will guide remediation strategies.
Step 3. Impact Assessment
Impacts under specific scenarios should be evaluated along two main dimensions:
• Operating Model outcomes, for example:
  o FTEs available for a specific process, considering their specific skill set (e.g., impossibility of performing on-site Quality Assurance according to policy)
  o IT systems supporting a specific process fully operational vs. not/partially operational (e.g., unavailability of the IT testing environment to perform controls)
• Key Risk Indicator outcomes, for example:
  o KYC backlog (e.g., a 30% FTE drop results in a 20% higher KYC backlog)
  o # of SARs (e.g., significant drop due to unavailability of specialized staff)
  o # of rejected payments

Clearly, a pandemic scenario affecting several critical processes will be more severe (e.g., closure of head office locations eliminating any possibility to work onsite).
Step 4. Trigger-based Contingency Actions
In traditional Risk Appetite Frameworks and Recovery Plans, specific actions should be activated when there is a breach of early warning triggers. Similarly, contingency actions should be defined here consistently with the scenarios and KRIs. They should be more or less aggressive depending on the likelihood and severity of scenarios and cover:
• Short-term actions, including for vulnerabilities with low severity:
  o People management. This may include setting up alternate shifts of small groups of employees to work on premise for activities that can’t be performed remotely (e.g., access to some systems, testing, on-site reviews).
  o Vendor/supplier management, to re-focus on essential third parties that can support compliance during the pandemic, after an assessment of the supplier base.
• Structural actions, which may be implemented as impact severity increases, including for example:
  o Quality Assurance. Amend policy to allow for off-site thematic reviews instead of on-site inspections and visits (to be discussed with the board).
  o KYC signature and document collection. Adapt procedures to allow off-site client identification (to be discussed with regulators as necessary).
  o Risk Assessment workflow management tools. These can facilitate remote assessment and interaction with decision makers.
CCOs at many banks have already performed vulnerability analyses and are putting in place contingency measures for the most affected operations. Few are thinking about scenarios for specific cases (e.g. financial sanctions name and payment screening). Given the opportunity to bolster their resilience, CCOs should plan ahead, so that measures can be quickly implemented once a scenario (or a variant of it) materializes.

Finally, while it is paramount to manage downside risks first, there may also be opportunities to add value – for example through automating controls and increased use of digital technologies – with support from authorities.
Conclusion
In light of the spread of COVID-19, compliance officers should review their project portfolios and operating models, and clearly communicate their status. Internally, full transparency provides assurance and helps shape culture and behaviors. Externally, it reassures authorities that CCOs understand vulnerabilities and are focused on compliance in turbulent times. A lack of communication implies the opposite.

In the midst of a period of uncertainty, there is little value to be had from hesitating. Instead, compliance leaders should be proactive in ensuring compliance operating models continue to be fit for purpose.
Matteo Coppola
Bernhard Gehra
Lorenzo Fantini
Michele Rigoni
Valeria Mij
Cecilia Lisi
Matteo Coppola is a senior partner and managing director in the Milan office of The Boston Consulting Group. Bernhard Gehra is a partner and managing director in the firm’s Munich office. Lorenzo Fantini is a partner and managing director in the firm’s Milan office. Michele Rigoni, Valeria Mij and Cecilia Lisi are part of the firm’s compliance task force.
You may contact the authors by e-mail at:
coppola.matteo@bcg.com
fantini.lorenzo@bcg.com
gehra.bernhard@bcg.com
rigoni.michele@bcg.com
mij.valeria@bcg.com
lisi.cecilia@bcg.com
About BCG
Boston Consulting Group partners with leaders in business and society to tackle their most important
challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was
founded in 1963. Today, we help clients with total transformation—inspiring complex change, enabling
organizations to grow, building competitive advantage, and driving bottom-line impact.