Let’s continue the conversation about compliance as a function and what are the main pain points experienced by the compliance profession these days.

Based on my observations, they are:

• onboarding of corporate customers (e.g. legal entities or corporations)
• relying (or not relying) on technology (which results in a growing amount of work spend reviewing redundant or duplicate alerts and dismissing false-positive signals)
• not really understanding your risks

In fact, one could argue that not understanding the risks is the underlying root cause of the other two problems and many more. Let me explain. 🤓

When you talk to an average financial institution and ask them, “What are your risks?”, traditionally, risk and compliance function people would produce for you a long laundry list of 200-300 risk items with all possible risks that might happen and about half of those risks would be rated as high or extremely high. People feel that this is a responsible thing to do – they document all the risks, they describe them, they write down what may happen and they submit these long lists to their boards and auditors, and regulators. They feel they have done a thorough job. And my point is that they have done a total disservice to their companies because these long lists are not actionable.

Think about it: if your compliance or risk team identified 100 high and extremely high risks within your business that exist at any given time, you would not be able to focus or prioritize any of them, you would not know what to do. Plus, at the same time, the entity keeps functioning, customers are getting served, nobody dies or goes to jail, so you create the impression that, perhaps, you could live with all those risks and just do nothing. 🙄

Why this is happening? – It’s very simple: if people would be forced to pick just 3 risks out of 100, they would be afraid to make a mistake, to get it wrong, and to be blamed for the consequences. Strangely enough, listing all 100 risks and doing nothing about them feels safer – it creates a false sense of security “since everyone is aware”.

Furthermore, compliance teams often have a tendency to deliberately inflate the risks because they think it’s the responsible thing to do, they expect that their business stakeholders will become more accountable and dedicate more resources to the area if the risk is rated higher. But in my experience, this strategy never ever works. 🙅🏼

Another big issue and friction point within many entities that I see is related to internal decisions about “how much can we trust the technology” or how much can we rely on technology for automated decisions.

For example, within fraud detection or facial recognition space, most decisions are already automated, and everyone is happy about it. But where it comes to more complex analyses of industry risks or corporate structures or sources of funds, teams are still not comfortable relying on technology. For some reason, people believe that assembling compliance and risk committees and spending hours, there is a better and more reliable strategy.

Frankly speaking, I don’t believe that COVID times have really accelerated compliance progress or automation or brought up something fundamentally new to our profession. Yes, for more traditional companies, working from home, hiring and firing people remotely, sharing documents remotely, making decisions on Zoom was a new experience, but I don’t believe that this experience on its own is that significant because it does not address the root cause, which is not dealing with risks, having too many subjective human decisions that are taking too long, and not using technology enough.

If you resonate with the statements below and would like to learn more about the Just in Time versus Just in Case (old fashioned) approach to compliance, you can read more about it here.