Business control functions — operational teams with a primary focus on risks, controls and compliance — are growing rapidly in the financial services industry, with the number of full-time-equivalent employees more than doubling at some large financial institutions every year since 2014.
It’s part of a trend toward a flatter, more agile risk management philosophy. Applying the taxonomy of the three lines of defense, business control functions have assumed the position of line “one-and-a-half,” identifying and remediating critical risk and compliance issues and bridging the gap between the operational responsibilities of customer engagement and second-line risk and compliance oversight responsibilities.
A recent Protiviti survey of business risk and control functions sheds light on how financial institutions are establishing these teams and how the functions are evolving.
Business control functions are established in a variety of ways, but generally share three common objectives:
- Alignment — To effectively manage risk, the operations, risk management and control groups need to be speaking the same language. Business control groups align business needs with enterprise objectives (including risk appetite, compliance, standards and expectations) to control risk “where the tire meets the road.”
- Automation — While this is, technically, process improvement and not a philosophical realignment, the rapid development of robotics and advanced analytic tools provide new ways to design and embed efficient controls and risk reporting while maintaining business agility. A lot of the growth we’ve seen in business control function resources comes from the need for people to conduct control testing. Once a control has been automated it becomes possible to automate the testing of that control, allowing organizations to accomplish more with fewer resources.
- Customer focus — Business control functions play a crucial role in providing both risk and compliance insights to first-line partners, working with second and third lines of defense (risk management and internal audit) and ensuring that risk management enables customer-centric processes and well-designed and managed products and services. This is an important differentiator of the function.
What Does a Business Control Function Look Like?
The concept of line “one-and-a-half” is relatively new — developing over the past three to five years. The function is evolving, with business control function teams at some large institutions increasing from a couple of hundred full-time employees to several thousand.
According to Protiviti’s survey, most business control functions are decentralized, with central oversight. This fosters close relationships with business leaders, while utilizing a common set of enterprise standards and tools.
To date, most business control functions have served primarily in traditional risk management roles — designing and embedding controls into business units, and supporting business units in adhering to operational risk and compliance standards. A little more than half (57 percent) document and track risks, controls and issues in GRC or similar tools and produce risk and control reports. A significant portion (43 percent) actually test controls performed by business units.
As the role becomes more agile, we expect the business control functions to take on more strategic responsibilities, including consulting on key business decisions — such as identifying the “right” controls and ways to rationalize the control process to increase efficiency — and taking the lead on remediation efforts when issues are identified.
Given the hybrid nature of this role, finding people with the right skillset can be a challenge. Operations people often tend to see their jobs as primarily bringing in customers and selling products and services. And risk and audit specialists may not be attuned to the needs of customers.
An ideal candidate either possesses, or can be trained to have, a working knowledge of complex rules and regulations, an understanding of the principles of risk and control, and a passion for customer satisfaction. Business control function leaders must find ways to embed flexible controls, tests, compliance and reporting mechanisms into an increasingly agile operating environment driven by the increasing customer demand for new tech-enabled products and services.
Experience so far suggests that given the heavy risk and controls emphasis, it might be most expedient to acclimate second- and third-line personnel to being more customer-centric, rather than training operational personnel in all of the nuances of risk and control regimens. That said, the risk acumen of many front-line resources and those who are designing processes, products and services and communicating with customers needs to improve.
Business control functions serve an increasingly important role in the financial services industry by aligning risk management with the customer-centric goals of operations. By bringing risk and control functions closer to operations and designing controls into agile business processes and digital solutions, financial institutions can accomplish more with fewer resources. Financial institutions can then deliver a better customer experience and manage risk more effectively at the speed of change.