Intelligent Risk Management & Compliance Cost Reduction
Creating a sustainable risk and compliance organization while reducing inefficiency and improving effectiveness
Informational Presentation for Our Clients
August 2008
PwC

Table of contents
Section 1 – Point of view
Section 2 – Current situation
Section 3 – Regulatory considerations
Section 4 – A framework for response
Section 5 – Competitive intelligence
Section 6 – Case studies

Section 1 – Point of view

It is possible to significantly improve risk management and compliance effectiveness and lower costs – This may seem counterintuitive, but rationalizing the organizational structures, eliminating duplication and applying common sense generally leads to operational process improvements which result in better risk and compliance information at a lower cost.

The last decade has seen an unprecedented increase in risk management spend – The functions that make up the risk management and compliance activities of firms have grown well beyond revenue and inflation rates, oftentimes without demonstrable increased value to the organization. These functions have evolved largely independently from each other, leading to multiple organizations, risk universes, assessment methodologies, compliance activities and testing regimes.

The costs of the risk management and compliance functions themselves are only a fraction of the true cost of risk and compliance activities – The true cost of implementation of the compliance and risk activities in the front, middle and back office processes is generally multiple times the cost of the risk management, audit and compliance departments themselves. We are seeing a consistent trend where simplification and reduction efforts in these functions lead to business efficiencies as well.

The credit crisis has caused deep reflection as to the effectiveness of risk management & compliance in its current form – The Financial Markets disruption has created inter-related challenges for companies, e.g. valuations and risk, dealing with investigations and disputes, developing proper liquidity management capability, capital adequacy, dealing with regulatory oversight. Many organizations are now re-considering everything from organization, governance, roles, level of review, reporting and the like. Our conversation with the regulators has only reinforced the view that they are expecting significant changes. The challenge is how to enact those “changes” without triggering a new cost spiral.

Moving quickly is imperative – There are two significant reasons to act quickly and intelligently in this area. First, there is a heightened regulatory focus on the horizon in the aftermath of the sub-prime crisis. If this sharpened focus occurs, it could translate into greater scrutiny of risk management functions and more difficulty in making meaningful efficiency gains in cost structures, organizations and approaches. Secondly, as financial institutions approach their next budget cycle, there is greater pressure for freezes or reductions in GRC costs while the responsibility and prominence of those functions has generally been increased over the last year. Both of these factors argue for moving quickly and decisively.

A fundamental re-think of the existing frameworks is needed – This is a difficult challenge. Risk and compliance are historically areas where cost cutting has not taken place. This is primarily due to increasing regulation (most recently largely SOX and AML rules) and fear of compliance and risk issues if cuts were made too deep. In other words, the risk/reward of reducing risk and compliance headcount and spending was heavily weighted to maintaining status quo. The increasing cost and demands on the business associated with these areas along with the recent risk management failures in the marketplace are causing financial institutions to fundamentally re-think their existing models and contemplate fundamental change.

Financial institutions are beginning to organize around a core of common principles as opposed to the existing silos – A number of our clients have begun to move in this direction. Several have created common testing utilities, consolidated risk assessment methodologies and are moving towards rationalizing risk control self assessment processes and tools. More recently, the credit crisis has caused several institutions to take more radical actions such as moving towards integration of the credit and market risk functions.

Progress is being made through agreement on these principles, alignment of the organization and the execution of pragmatic, incremental steps – Once the principles are agreed and the organizational roles clearly defined, the definition of specific simplification and cost reduction efforts around risk assessment, testing, planning, reporting and the like are the key to making consistent, sustainable progress.

Technology is emerging as a key enabler – We are seeing technology being leveraged to reduce cost, enhance risk information access and improve efficiency in such diverse areas as legal discovery, risk control self-assessment efficiency, compliance monitoring, risk reporting/dashboards, AML alert filtering and other core risk and compliance functions.

Modern sourcing practices for risk and compliance services are being applied to reduce costs – Leading firms are expanding their sourcing options for 3rd party specialized skills to assist audit, risk and compliance functions in efficiently executing their roles. Routine risk management activities such as compliance audits, external information risk assessments, surveillance monitoring lookbacks, security reviews and the like are increasingly being outsourced to third-party providers with proper supervision.

Where successful, senior management has committed to this new way of thinking and the accompanying cultural changes – The resistance to change in many institutions is strong. We have seen both successful and unsuccessful efforts in this area. The common thread in the successful clients has been the consistent commitment of senior management to make the tough decisions and articulate their program and the rationale behind it to employees, the board and regulators.

Section 2 – Current situation

Most C-level executives face a dilemma which can be characterized by increasing change, oversight, and transparency

Accelerating rate of change and complexity
- Sophisticated products, unfamiliar markets and unprecedented volatility
- Rapid technological advances
- Accelerated rate and volume of change demands increased flexibility and anticipation
- New risk and accounting standards (Basel 2, fair value accounting)

Increased regulatory oversight and uncertainty surrounding future regulatory landscape
- Regulatory implications stemming from the Senior Supervisors Group observations on the financial markets disruptions of , and the 2008 Treasury Blueprint
- Uncertainty on how to effectively relate to the 3 core regulatory objectives: market stability, safety and soundness, customer protection
- Big focus on managing liquidity risk more completely and effectively
- Fed regulation of investment banks, potential of additional regulation
- Focus on trading markets exposure and the possibility of internal fraud
- Increased number of relevant regulatory regimes for global institutions
- Likelihood of rise in enforcement activities and litigation

Increased visibility and demands for transparency
- Stakeholders learn about unmanaged risk almost immediately (credit crisis, trading breakdowns)
- Management has little time to remedy the impact of a risk management failure
- Greater disclosure to the market relative to practices
- Places a premium on the ability to proactively identify, evaluate and manage risks

There are several factors that are driving an increased focus on GRC. See detail on slide.

Companies have historically responded by instituting independent governance risk & compliance (GRC) oversight functions and committees

[Diagram: Increasing stakeholder demands + Expansion of Risk and Control Oversight Functions, Expanding Risks, Laws and Regulations = Business Fatigue]

Business Fatigue
- Lack of coordination
- Duplicate efforts
- Risks falling through the cracks
- Competition for attention

Diagram labels: FSG, Privacy, Info Sec., Anti-Fraud, BCP, SOX, Credit, AML, FCPA, Op Risk; Business Unit; Shareholder, The Board, Community, Rating Agencies, Others; Internal Audit, Compliance, Risk Mgmt, Finance, Legal, IT

Financial institutions are realizing that they cannot sustain this ineffective and costly approach to managing risks

- AMR Research estimates that in 2008 organizations will top $32 billion on compliance spend
- Many of our financial services clients are reporting greater than 20% increase in overall costs, with an average of 16% per year [1]
- Most clients are reporting that they cannot cost effectively sustain this approach
- Others are concerned about the impact that future growth will have on an already fractured system
- Siloed approach is impeding standardization, scalability and speed to market
- Sub-prime crisis and many “lessons learned” reviews that firms have undertaken have highlighted the inadequacy of the current approach at many firms in terms of organization, reporting lines, risk appetite, risk monitoring and overall infrastructure
- In the current environment, new regulation is inevitable and this will carry additional cost as well
- Integration and rationalization of GRC functions is necessary to avoid another cost spiral and to seize future business opportunities and cost effectively manage new risks and compliance obligations

As a result of this approach, companies are spending nearly $30 billion annually on GRC oversight functions with the majority of the cost being related to headcount.
- Companies recognize this level of spend is not sustainable from an expense perspective
- They also recognize that the fractured system in place will not cost effectively support the growth of the business
- There has to be a better way to effectively and efficiently address the GRC demands confronting the organization

We believe that the solution is to integrate GRC efforts and resources where it makes sense. This approach will result in a higher quality GRC result at a lower cost to the organization.

[1] Financial Services Finance Executives Forum survey (2007)

What some of our financial institution clients are experiencing

Stakeholders and their GRC challenges

Board & Audit Committee
- Difficulty in exercising their role of effective oversight into corporation’s risks
- Lack of visibility into potential landmines
- Difficulty in understanding breadth and implications of regulatory expectations

Senior Management
- Lack of a consistent or defined view on the level of risk the company is willing to accept
- Need better information and articulation of critical emerging risks and control issues
- Current risk information not sufficient to be a key factor in driving key corporate decisions

Risk and Compliance Leadership
- Multiple and/or uncoordinated risk/control assessments
- Independent GRC oversight functions and committees, each focused on a specific GRC challenge
- Difficulty in responding to the next regulation in a coordinated fashion

What some of our financial institution clients are experiencing

Stakeholders and their GRC challenges

Business Unit Management
- Business often views risk management as a bureaucracy that provides limited insight or tools
- Experiencing “assessment fatigue”, and is distracted from its core revenue generating activities
- Suffering losses or breakdowns in controls but feels like they spend a lot of money to identify and prevent breakdowns
- High volume/complexity of management reports that don’t distill what’s important
- Business has only informal or ad hoc approaches to managing risk
- Previous cost cutting actions have often been “slash and burn” headcount reductions that are reversed when the growth cycle returns

Internal Audit
- Businesses that feel over-audited or that audit focuses on the wrong areas
- Disjointed remediation and tracking of issues
- Lack of automated controls and/or too much time spent on evidence collection
- Risk and compliance information not suitable for driving intervention
- Challenges in proper internal valuation and validation of securities & portfolios

Section 3 – Regulatory considerations

In our interactions with regulators and our clients, it is clear that the regulatory backlash to the sub-prime crisis is building and that this will have negative implications in a number of areas, including the cost structures of risk and compliance functions. These negative consequences will likely show up in areas such as increased reporting, more focused supervisory exams, more critical reports, findings and mandates for remediation. There is also likely to be a rise in enforcement actions and litigation. There has been a stronger focus on sound and internally coordinated enterprise risk management practices (particularly those put forward by the Senior Supervisory Group and the BIS).

In this environment, real operational process improvements that result in better information on risk and compliance profiles should also result in cost reduction if carried out intelligently. Cost reduction should be a by-product, not the primary goal.

Some Key Implications

More regulation, greater regulatory scrutiny and costs are coming
Financial institutions will need to deal with these challenges in the backdrop of very difficult economic times and severe pressure for cost cutting, notwithstanding the substantial risk management challenges that must be managed on a day-to-day basis for the foreseeable future. Any attempts to cut costs will need to be made in a careful manner.

Much better enterprise risk oversight will be required
Regulators will expect a unified view of the major risks facing the enterprise. They are starting to ask for evidence that the Board, Senior Management, and risk and control functions have similar views of the core enterprise risks facing the organization, and a unified mechanism for determining internal capital adequacy.

Accountability for specific compliance mandates cannot be delegated
Regulators will encourage efforts to integrate, but will expect individual control functions to perform their expected role; for example, AML assessments need to produce specific information on AML risks.

Some Key Implications

Greatly expanded supervision of liquidity risk management
The June 2008 BIS guidance has expanded the supervisory powers over liquidity risk management. To limit the damage liquidity shortfall can have, on individual companies and systemically, a more integrated framework consisting of tolerance, risk identification, stress testing, reporting and disclosure will be necessary at each financial institution.

More compliance training will be expected
The regulatory expectation of across-the-board awareness of risk will require a great deal more spend on employee training, especially on compliance related issues.

Global organizations are expected to have similar approaches to risk management across their entire organization
Home regulators will expect head office to lead globally, and demonstrate an affinity for local rules interpretations.

The race is on
Firms will be held up to the best practices of their competitors; in other words, the bar is going up for demonstrating leading practice.

An integrated regulatory model will be supportive of an integrated GRC model
A move towards a more integrated objectives-based regulatory scheme in the US would be supportive of integrating risk and compliance activity with an approach that focuses on results and core principles.

Section 4 – A framework for response

We recommend using a Principles-Based Approach to analyze alternatives to integrating Governance, Risk and Compliance functions (iGRC)

Core GRC principles
- Objective setting
- Risk appetite and tolerance
- Roles and responsibilities
- Policies and standards
- Risk and control assessment
- Issues management and remediation
- Monitoring
- Testing
- Reporting and Analytics
- Communication and training

Advantages of using a principles-based approach:
- Establishes a common understanding of risk across the organization (e.g. business units, control functions, risk oversight functions, senior management, the board)
- Anchoring around principles allows the organization to focus on the core set of practices and utilities needed rather than organizational silos
- Focuses management attention on what needs to be done rather than on who reports on it or where it occurs
- Helps ensure business effectiveness, regardless of the function, risk or regulation being addressed
- Better aligns with regulatory focus on objectives-based approach

Take an incremental, pragmatic approach to identifying improvement (quick wins) within an integrated framework

Governance – Provides leadership, consistency and accountability over the entire process. Critical roles (e.g. Internal Audit) are preserved as centers of excellence leveraging shared processes to drive greater effectiveness and efficiency.

Technology – Supports the entire framework, creating process efficiency and more effective data management and reporting.

Foundational Components – Form the basic reference data and standards/methodologies used by all participants in the process.

Analysis & Reporting – Metrics-based information enabling effective management response.

[Diagram: Governance, Technology, Analysis & Reporting, Core GRC principles, Foundational Components]

Core GRC principles: Objective setting; Risk appetite and tolerance; Testing; Issues management and remediation; Communications and Training; Policies and standards; Roles and responsibilities; Risk and control assessment; Monitoring; Reporting and Analytics

Other diagram labels: Common Language; Common Organizational View; Methodologies; Data Aggregation; Data Analysis; Data Presentation

Look for improvements along three practical avenues…

Three approaches
- Integrate within an oversight function
- Integrate across oversight functions
- Integrate within and across business units

Questions to ask
- Have you identified the unique and distinct mandate for each oversight function?
- Have you aligned your risk assessments to specific business objectives?
- Do you have a standardized way of approaching the requirements of new regulation?
- Do you know the full costs of each oversight function? Or, of each core GRC principle (e.g. risk reporting)?
- Does the organization have a consistent language and taxonomy of risk descriptions/libraries?
- Are there multiple and distinct issues and control deficiency repositories?
- Has the organization conducted an inventory of its risk and control assessments?
- Does senior management have concise documentation of its top risks, and identified risk ownership among business leaders?
- Can the business align its risk profile against acceptable risk tolerances?
- Can business leadership justify its spend on controls, or show that the spend has reduced control failure?

Section 5 – Competitive intelligence

We are seeing some sophisticated financial institutions making advances in integrating their risk management and compliance activities.

Examples of recent responses (Financial Institution A, Financial Institution B, Financial Institution C), by core GRC principle

Risk appetite and tolerance
- Implementing a shared risk language anchored in policies
- Developing a risk tolerance model for multiple risk classes

Roles and Responsibilities
- Created a costing model to evaluate and limit multiple responsibilities for CSA
- Established a Risk Governance structure
- Developed a Risk & Compliance Council to tackle common issues

Policies and Standards
- Streamlined corporate policies and procedures framework

Risk and Control Assessment
- Rationalized separate risk assessments under a common platform and process
- Developed one risk assessment standard and methodology for consistent scoring across multiple assessments

Issues management and remediation
- Developed a shared issues repository for audit and risk issues
- Integrated deficiency databases and created a standard reporting mechanism
- Centralized issues tracking and exceptions management process

Monitoring
- Implemented global lower-cost monitoring hubs on a shared services basis
- Unified monitoring of compliance action plans
- Developed KRI across all businesses with Op Risk’s sponsorship

Testing
- Developing a central testing utility for financial and audit controls
- Integrated independent testing/validation processes, technologies and repositories
- A testing “czar” has been appointed for RCSA, Audit and AML

Reporting and Analytics
- Mining data through electronic discovery tools for Regulatory reporting, investigations into subprime, etc.
- Created a dashboard of multiple assessments across all BUs
- Risk dashboard with a common set of compliance and risk analytics

Communication and Training
- Shared compliance and risk-awareness training program

Benefits, value propositions and examples

Cost Control
Value proposition: Less spend on risk, compliance and control activities. After an initial phased investment, one institution is estimating a 10-20% reduction in spend in 2009.
Example: Establish a standard BU risk assessment methodology that integrates several assessments (SOX, business continuity, vendor mgmt, new product, model validation), creating risk reporting across enterprise, with a practice view to meet regulatory requirements.

Improved Business Leverage
Value proposition: Reduced process fatigue due to coordinated activities by control groups. Business freed up to focus on revenue-enhancement.
Example: Businesses will be assessed a minimal number of times by the internal risk, compliance and control groups. Results in higher quality input and more time to spend on revenue generating activities.

Better Coordination
Value proposition: Control functions and business risk management improve their coordination and sharing of information. Better able to focus their joint efforts on the areas of most critical risks.
Example: A metrics-driven control health check of individual businesses will be the product of a coordinated effort that provides an improved ability to focus resources where risk and control concerns exist.

Improved Regulatory Response
Value proposition: Positions a better response to regulatory expectations of a broader analytical underpinning for risk assessment, monitoring and capital adequacy activities.
Example: The risk impact of a new regulation (e.g. identity theft red flags rule) was better evaluated by reviewing output from existing BU assessments, and incorporating into subsequent risk reviews.

Better Visibility into Risk/Control Effectiveness
Value proposition: Senior management will have better information and articulation of critical emerging risks and control issues.
Example: Implementing risk reporting which integrates data across all key control groups linked to critical risks will provide a consolidated view of risk for management.

Section 6 – Case studies: Leading U.S. global financial institution

Consolidation of AML risk monitoring activities through the use of outsourcing and global hubs

Critical client issues
The client was undergoing persistent difficulty in maintaining consistent and adequate AML monitoring practices, and was facing regulatory concerns about its insufficient monitoring filters and compromised data integrity. Additionally, after conducting an internal study, the financial institution found that the cost of running its AML monitoring service in the United States was significantly higher than if it were placed in locations with lower labor costs in Europe and Asia.

PwC approach: The scope of our work included
- Worked with the financial institution to replace its current single-filter AML monitoring process with three scenario filters to improve the ability to identify suspicious transactions.
- Moved the AML monitoring process to interim hubs in London and Hong Kong where the team focused on the proactive reengineering of processes and procedures that would result in more sophisticated AML monitoring and reduce the effort and cost required to identify and analyze issues.
- Analyzed 12 months of historical data against the three scenario filters to address regulatory requirements and determine whether any transactions in this timeframe were suspect. Worked with the financial institution to develop a consistent monitoring approach, processes and procedures to deploy to the strategic hubs.
- Added additional countries and an additional five filters to the monitoring process, bringing the total scenarios to eight. The advanced AML monitoring process was migrated to the two strategic global hubs.

Client results/benefits
- The client realized approximately 60 percent labor savings in unit cost by relocating its AML monitoring processes to lower-cost labor jurisdictions. Additionally, the hub approach reduced the cycle times required to respond to issues.
- Helped the financial institution create two strategic AML monitoring hubs, including building processes and procedures, hiring and training more than 60 new resources and management, cleansing data feeds, and testing and debugging new monitoring protocols.
- Lower-cost hubs were created on a shared-services basis to provide AML monitoring services to all non-US countries where the financial institution conducts business.

Section 6 – Case studies: Leading investment bank

Lowering the cost of internal investigations through use of electronic discovery techniques

Critical client issues
- Our client was facing a government investigation in connection with the packaging and selling of subprime mortgages.
- Our client’s challenge is to gather and analyze historical information obtained from various sources relating to the attributes of the underlying mortgages, included in several securitizations, and to respond to the regulatory officials in a robust and objective manner.

PwC approach: The scope of our work includes
- Implementation of electronic discovery tools and interrogation techniques into client communication records, , and archived documents to respond to regulatory requests regarding:
  - The manner in which investment banks evaluated the credit quality of mortgages before they were purchased, securitized and subsequently sold to investors;
  - The relationships between mortgage originators, third-party due-diligence firms, credit rating agencies and brokerage firms; and
  - The disclosures made by investment banks to investors and rating agencies about the risks associated with the underlying mortgages.
- Focus on leveraging advanced electronic discovery tools for searching and archiving to reduce the cost and effort of responding to complex regulatory requests in an appropriate manner and time frame.

Client results/benefits
- Through the use of levered discovery tools and techniques, the client will be able to more efficiently and accurately respond to regulatory requests for data and information.
- Cost savings are realized by eliminating duplicate efforts, reducing data redundancies, and enhancing the regulatory discovery and response process in a more efficient manner, utilizing far fewer manual processes and improved use of advanced technologies.
- There is now a dramatic improvement in the consistency of data retrieval, and a far quicker response to sensitive regulatory requests.

Section 6 – Case studies: Top ten US bank

Cost reduction actions through targeted integration of Governance, Risk and Compliance Activities

Critical client issues
The client was seeking to review its corporate governance, risk and compliance related activities and assess cross-functional efficiency and effectiveness opportunities, which senior management believed could be derived through greater cross-functional leverage, clarity in roles and responsibilities and common understanding of risk tolerance.

PwC approach: The scope of our work included
- Facilitated completion of our iGRC principles based framework and proprietary diagnostics to assess the People, Process, Technology and Information used to execute around 10 common risk principles. Please refer to Section 4 for the core GRC principles.
- Captured the costs for each function relative to each of the 10 principles. We analyzed the activities of each function across the 10 principles and 4 efficiency levers and documented the current state of risk governance across all functions and business units.
- Identified opportunities for greater efficiency and leverage, role clarity and common understanding of risk tolerance. We then developed action plans, timelines and business cases for each initiative.

Client results/benefits
- By applying the iGRC framework and methodology, the client was able to identify action plans for achieving key project objectives of common language, efficiency and role clarity.
- The iGRC framework and methodology helped the client identify $15-30 million in potential annual cost reductions and agree high-level action plans and business cases for pursuing integration improvement opportunities with respect to RCSA, Issues Management, Risk Tolerance and Risk Governance.

Section 6 – Case studies: Top three global bank

Consolidation of multiple Risk and Control Self-Assessment Processes

Critical client issues
The client sought to enhance the risk and control self-assessment (RCSA) process throughout its various business sectors around the globe to reduce the touch-points to the business and improve oversight and control over the process. This required a realignment of the people, process, technology and information involved across the 17 independent RCSA processes currently in place, covering Global Operational Risk, Sarbanes-Oxley Section 302 and 404 (SOX), and all other regulatory reporting requirements required by business lines globally.

PwC approach: The scope of our work included
- Application of the iGRC methodology, approaching the project in three phases: assessment of current state, design of future state, and implementation planning and support.
- Leveraging our deep technical and functional expertise to help the client define the opportunities for integration, develop a desired end-state process for RCSA, define the functional specifications for a technology solution, and develop and roll out communications and training to facilitate transition to the new integrated solution.
- Supporting a process and cost optimization initiative through the realization of the benefits of a streamlined process and optimized use of resources.

Client results/benefits
This project is still underway today. As a result of this engagement, it is expected that the client will have achieved:
- Efficiency gains in the use of corporate and business unit resources in the RCSA process that will result in projected savings of $10 to $15 million annually resulting from elimination of systems and resources post implementation.
- Greater governance and control over the operational risk process
- Improved ability and speed to follow up and resolve risk and control issues
- Increased optimization of controls.

Section 6 – Case studies: Global financial institution

ERM Framework Establishment

Critical client issues
The client sought to establish an Enterprise Risk Management (ERM) capability for a large and growing part of their business in order to better drive efficiency, eliminate duplication, and improve visibility and management across their key risks and controls.

PwC approach
- We used a principles-based approach to help the client identify an improved and refined ERM framework and gain visibility into how the firm was addressing its key risk and control activities.
- We identified the current ERM activities being performed by the various risk and control functions, including risk identification, control testing and risk reporting.
- We made recommendations for improving their practices, eliminating duplication and addressing weak points, and in addition, helped management perform a high level assessment of risks and control effectiveness to get a first look at key issues.

Client results/benefits
- The development of the ERM framework helped the client’s key control functions and business risk management improve their coordination and sharing of information.
- This work helped management identify areas of control redundancy and identify gaps in key ERM activities that needed improvement.
- The client obtained a better ability to focus their joint efforts on the business’ top risks, and a more unified methodology for reporting on risks to the board and senior management.

22 Section 6 – Case studies: Major investment bank
Developing an integrated risk management and control process across multiple control functions

Critical client issues
The client wished to design a standard process to improve coordination and activities among control functions, e.g. Compliance, Audit, SOX and Operational Risk, and to standardize interaction with the businesses.

PwC approach
Leverage the PwC iGRC framework to:
- Gain an understanding of the current activities performed by several control functions and benchmark against industry practice;
- Design a common process for conducting the firm's risk management activities in a more streamlined and coordinated fashion; and
- Suggest alternatives for supporting technology and a single information repository.

Client results/benefits
- This work helped management work towards creating optimized risk and control assessments, a single, unified language for risks and controls, and fewer business touchpoints.
- The work led to better informed, and risk-based, audit plans with a heavier emphasis on a risk-based approach to enterprise risks. The firm anticipates the ability to reduce the time and effort required to conduct internal audits in subsequent cycles.
- Design of a uniform issues repository with a consistent approach to issues tracking and remediation, replacing multiple repositories that require redundant time and effort from the control teams.
- Development of the business requirements necessary to house risk and control information in one uniform technology for compliance, operational risk and audit data.

23 Section 6 – Case studies: Major investment bank
Developing an outsourced model to support the Control Room trade monitoring and surveillance function

Critical client issues
To remediate certain issues included in a regulatory settlement, the client agreed to conduct a retrospective review of hundreds of thousands of trades in certain employee and employee-related accounts. The review was designed to identify the potential misuse of material non-public information (MNPI). PwC designed a delivery model for the statistical selection, analysis, and reporting of the transactions subject to review. The overall costs of the project were efficiently managed through the use of a blended pool of off-shore and on-shore resources.

PwC approach
- Assembled an integrated team of off-shore and on-shore resources to perform the Control Room surveillance function on a retrospective basis.
- Developed a statistically sound and automated filtering process to remove transactions or positions that were highly unlikely to be indicative of the misuse of material non-public information (MNPI).
- Executed an automated process to identify and review transactions and trades, and used PwC's proprietary case management tool to efficiently analyze, document, track and report on the progress and findings from the case reviews.

Client results/benefits
- Provided management with a sound and reliable selection and review process that would withstand the scrutiny of the regulatory authorities.
- Assisted client by efficiently performing and reporting the results of the case reviews and, where necessary, escalating transactions for further consideration.
- Utilized PwC's proprietary case management tools to provide real time assessments of progress and findings.
- Managed the overall costs of the project through the use of an off-shore and on-shore service delivery model.

24 For further information, please contact
John Garvey
Paul Mokdessi
Miles Everson
Dennis Chesley