Who owns the surveillance risk assessment?

More than 30 of the most senior surveillance professionals in London came together at a 1LoD Surveillance Leaders' Network to talk about challenges around the risk assessment process. In a fascinating discussion, it became clear that there is an almost complete lack of standardisation of the SRA process; that banks struggle with determining the level of granularity required for effective SRAs, and that there is no common approach to linking SRAs, CRAs and RCSAs.

Most interesting of all, SRA ownership and inputs are still a matter for strong internal debate. Just as methodologies have not coalesced around a standard, neither have questions of ownership and process. At one institution (at which surveillance sits in the first line) the enterprise compliance function ‘administers’ the SRA template: they provide a template for individual business compliance officers to complete with the help of the first line. Those BCOs then provide completed templates back to compliance for aggregation. The enterprise second line also has to make up for the variable quality of those returns and the global inconsistency.

Other banks involve the surveillance teams at a very granular level in building the initial risk assessment, which is then passed to compliance to be checked and embedded in the risk assessment process. “We find it very beneficial to include the people who operate the controls and triage the alerts to be deeply involved in the SRA,” explains one Head of Surveillance. “For a start it helps them understand why they're running the control rather than just being passive recipients of the assessment. This does come with a huge cost in terms of time for those SMEs, when they should also be focusing on alerts. I don't think we've quite got the balance right yet.”

Other institutions reported friction between first and second line around even fundamental questions about the role of a second line surveillance compliance function in creating SRAs and being able to challenge the first line. “There were people who perhaps weren't necessarily SMEs from a market abuse risk perspective taking responsibility for a market abuse risk assessment process and then not necessarily wanting to listen to the feedback that we had for them about the process,” said one Global Head of Monitoring, Surveillance & Controls.

Ideally, banks say, risk assessments should be done in partnership with the business, surveillance wherever it sits, and compliance. And regulators have made it clear that they want compliance involved not simply to provide input on regulatory reviews or changes, but also to robustly challenge the business from a position of sufficient business and product knowledge.

Most banks agree that before adding complexity, the basic issues around structure and ownership need to be agreed. Beyond that, assuming coverage is not an issue, surveillance leaders want to focus on making the SRA less unwieldy, integrating it better into enterprise risk frameworks and including a wider set of risks than simply mappings of explicit regulation. “Ideally we can move towards a more holistic risk assessment that takes into account areas that perhaps haven't been reviewed adequately but which have a direct bearing on your effectiveness or coverage – such as data system architecture,” said one Group Head of Surveillance Strategy. “Things like this need to come into the risk assessment itself more and more because they equally have as much or a greater risk than whether or not you've got, say, a low-risk item covered from a trade surveillance perspective.”

Using data better was a more general aspiration across all of the banks attending. “We need to increase the granularity of the data and the logic that we're feeding into the SRA and our reports to be able to back up what historically was a relatively subjective opinion with better data,” said one Global Head of Regulatory Surveillance.

Given that regulators conducting examinations generally start by looking at what they call the market (abuse) risk assessment, which is essentially the SRA, banks need to solve these problems fast.