European Union: Smart Implementation: Reining In Risk And Cost Of Regulatory Change In Banking

Introduction

The unprecedented wave of regulatory demands is continuing to gather force. Looking ahead, conditions are set to remain challenging over a long period. The execution risks are being intensified by the complexity of delivering the set of programmes needed to address the regulatory environment against a backdrop of schedule, resource and cost constraints. These challenges and risks will need to be managed in a systematic and integrated way to minimise the chances of failing to meet mandatory deadlines.

As banks strive to keep pace with a complex array of interlinked and overlapping changes, a number of specific challenges manifest themselves:

• Draft regulations are open to interpretation and they evolve in parallel to programme execution
• Change activity is often duplicated as similar requirements necessitate changes to the same processes and systems. This results in 'digging up the road' more than once and increases avoidable cost wastage
• Demand for subject-matter expert (SME) knowledge in specific areas (e.g. risk control and financial modelling) can often far exceed supply and result in schedule delays
• Technology constraints, impacting the project portfolio, are not well understood or actively managed (e.g. test environment availability, release schedules, system capacity and fixed maintenance timetables)

Additionally, similarities and overlaps between key regulations create intricate relationships between the projects in the portfolio. If these aren't carefully managed, within acceptable tolerances and with appropriate mitigation plans, a minor incident, in one project, can result in an amplified – and often uncontrollable – domino effect across the regulatory portfolio.

Addressing these challenges requires effective delivery of complex change across a business. This must also take into account the business strategy, which provides the backdrop to all change. Given the generally strategic nature of regulatory change, we see a direct and heightened interplay, with business strategy shaping the internal applicability and relevance of regulations and the regulatory landscape shaping the business appetite for markets and products. This interplay has a profound impact as it influences the strategic direction a bank will take. As a result, it is vital to monitor the strategic change portfolio to ensure it is aligned with any planned shifts in business direction.

Meeting the significant regulatory demands over the last few years has not been easy. Consideration of the continuous stream of regulatory announcements, consultation papers and reviews, highlights the fact that this is set to get even more complex over the next few years. A new approach is needed to manage this 'new normal' environment. In 'Smart implementation: reining in the risk and cost of regulatory change in banking', we look at how a more agile, proactive and coordinated approach to implementation can ensure that waste is reduced, resources are used more efficiently and regulatory schedules are met.

The key is intelligent project portfolio management, capable of defining a clear order of priorities and operating highly disciplined change management processes (with deep understanding of the impact of regulation). Also critical is identification – and informed interpretation – of: the overall regulatory change landscape, overlaps in scope and requirements, potential spikes in resource demand and the level of uncertainty regarding heavily assumption-weighted plans. The telling advantage of effective project portfolio management is that it provides a concrete, data-driven foundation for decision-making rather than the recurrent, subjective, opinion-based approach. The first critical step is to design and empower an appropriate governance structure – with clear and active board-level sponsorship – to take responsibility for integrated project portfolio execution, and its constituent risks, and have clear and effective channels for escalation.

Drawing on PwC experience and studies in this area, we believe that the intelligent project portfolio approach to strategic regulatory change, with its characteristics of higher quality management information and standardised delivery processes, could deliver savings of up to 24% on the cost of implementing federated regulatory change. Although less quantifiable, the benefits of reducing management distraction, ensuring a consistent focus on frontline strategy and improved assurance of delivery against the supervisory requirements provides the basis for more efficient working, a more agile delivery environment and an improved external reputation.

While most banks have set up federated projects and programmes to deliver the current key regulations, management needs to recognise that regulatory pressure continues to intensify. With mandatory regulatory projects set to be such a large part of change expenditure for at least the next five years, the need for a more effective organisation-wide approach for managing these initiatives is vital. In part one of this paper, we look in more detail at the current regulatory environment and the implementation challenges it presents. In part two, we assess the current industry approach and describe why this both needlessly increases costs and heightens delivery risk. In part three, we look at a more effective approach and the potential financial, operational and strategic benefits that could be delivered as a result. We conclude by setting out the key considerations for making sure that the risks and costs of implementation are properly controlled.

Part 1:

Unprecedented change

Banks have always faced regulatory-driven change. What sets the current environment apart is the sheer volume of significant new regulation being introduced. Factors complicating the volume of work to be done include tight timelines, the degree of uncertainty around interpretation and inconsistency between regulators – all of which aggravate the delivery risk. Finally, the regulations require banks to fundamentally address the way they do business and so command a significant part of their annual change budgets.

Policymakers are wielding more influence, transforming both banks themselves and the markets in which they operate. The differences between Basel II and Basel III provide a clear instance of this fundamental change. Basel II aimed to bring risk and capital more closely into line, but it did not lead banks to fundamentally change their strategy. The impact of Basel III goes further as the capital requirements it introduces is forcing banks to examine both the business

that they do and the manner in which they do it. This is already causing banks to examine the capital implications for the products that they trade. Some are coming to the conclusion that certain products are no longer economically viable. The cumulative effect of the regulations will also be seen in the clearing of over-the-counter (OTC) products, which has been driven by the Dodd-Frank Act and European Market Infrastructure Regulations (EMIR), as banks seek to move to a central counterparty clearing model to benefit from the improved capital treatment that they will receive under the Basel III approach.

No let-up

The year 2013 is set to be a decisive year, combining key milestones for regulatory implementation and the strategic reorientation that many banks have set in train. However, there is unlikely to be any easing off after that. As Figure 1 highlights, further waves of regulatory development are predicted to demand further changes from banks over the next five to seven years. No-one should expect that it's going to end there.

Complications

Implementation of these key regulatory initiatives has specific complications. The first is uncertainty. Ideally, projects start with clear scope and objectives. Specifications can be clearly defined and budgets can be established from the outset. In many of the new regulations being introduced, the draft rules, or guidelines, are often open to interpretation, become clarified through dialogue with the regulator and are subject to short-notice changes. An example of this would be the UK Financial Services Authority's (FSA) decision to change the timetable for Basel III delivery, due to the timing of the Capital Requirements Directive IV (CRD IV). For many international banks this introduces a significant issue, if they were expecting that achieving FSA model approval would provide a basis for applications in other regions.

This situation is exacerbated by the marked variations in approach, interpretation and timing in different jurisdictions. From an approach and interpretation perspective, the example of resolution planning highlights the extent to which the same requirement is handled differently. The US regulators through Dodd Frank have approached resolution from a strategic perspective, asking banks to deliver their resolution strategy. In the UK, the FSA and Bank of England will take responsibility for developing the resolution strategy themselves and have instead asked for a vast amount of highly structured information about every aspect of how a bank operates. This can leave international banking groups struggling to identify synergies and exploit work done in one region for another, even though the fundamental requirement is the same. In other cases, direct contradictions have arisen at both the strategic and operational levels. For example, from a strategic perspective, fundamental differences exist in the approaches proposed for the separation and prohibition of specific services. In the UK, the Independent Commission on Banking suggests ring-fencing retail businesses and allowing proprietary trading. In the EU as a whole, 'The High-level Expert Group on reforming the structure of the EU banking sector' ('Liikanen Report') puts forward proposals for the ringfencing of trading and wholesale banking business including proprietary trading. In the US, the Volker rules have directly prohibited proprietary trading. That said, it is clear that the direction of travel is for simplification and transparency of business and legal entity structures so that separation, in whichever form, can be achieved at a later date. At an operational level, banks have to work through detailed design and implementation contradictions, for example the Dodd-Frank Title VII reporting requirements, which have run up against data confidentiality legislation in Switzerland.

In normal circumstances, the appropriate project approach may be to wait until the scope is sufficiently finalised and/or ask for clarification from the regulators and other key stakeholders. However, the highly charged political atmosphere surrounding the industry is not conducive to flexibility or compromise. As a result, deadlines rarely move despite the challenges, and dialogue both ways is cautious and indirect. Banks therefore have to base their plans on a set of significant assumptions, so they can move forward with a supporting set of notes on how the regulations have been interpreted. Management of those assumptions then becomes a critical task within the delivery of the portfolio. This requires active management and communication with regulators and a sharp focus on the impact of any changes to assumptions as soon as they happen.

The second key complication is duplication. This may result from overlap of intent such as the impact of Dodd-Frank and EMIR on OTC clearing or reflect timing issues such as the EU being some years ahead of the US and Asia, in applying Basel III. When rules are introduced in the US and Asia, it will take foresight and disciplined planning to ensure that work done in Europe can be exploited and synergies realised, and unnecessary rework is avoided in the core front-to-back trading and risk management systems.

The third key complication comes from the fact that the same people are critical to the implementation of many of the current regulations. This demand for time from SMEs in risk, legal, finance, capital modelling and IT must be prioritised. This can lead to 'resource pinch' as competition for the time of these key SMEs places the deadlines of the different projects at risk.

A further complication is the demands placed on other types of resource. Given the front-to-back nature of much of the change, it is important to understand, and manage, the technology constraints within which you're operating. In practical terms, this requires careful oversight and early resolution of contention risks in areas such as multiple demands on limited test environments, restricted release schedules/windows, system capacity constraints and/or fixed maintenance timetables.

The final issue results, to a degree, from all of the other complications. This is the domino effect that could result when a slip in the timeline of one project has a knock-on impact on others. An example would be availability of test platforms. Schedules for test environments are planned, based on the expectation that problems will be encountered. However, if there are more problems than expected for one programme this will have a knock-on impact on the test schedule for those programmes further back in the queue.

Part 2:

Surviving the 'new normal'

With so much to do and so little time to do it in, banks employing the traditional federated approach to delivering the overall regulatory change agenda will both significantly raise their delivery risk and leave potential synergies unexploited, leading to increased costs. This approach is unsustainable.

At the heart of the problem is the standard approach of tackling each regulation in isolation. This fragmented approach leads to scarcity of information on the overlaps, interdependencies and resource issues. Without looking at the impact on the organisation as a whole, understanding it by division, functional process and system, the overall picture is opaque. Given the risk of noncompliance, and the costs of these initiatives, this approach is like playing the metaphorical role of an air traffic controller, at a busy airport, in a storm, without radar.

Working across the portfolio of regulatory change in a consistent manner is critical to managing the uncertainty and frequent changes in the regulations. As mentioned previously, waiting for regulatory rules to be finalised is not a realistic option, so this necessitates robust management of assumptions and a commonly understood approach to scenario and contingency planning. Bringing the regulatory programmes under common 'air-traffic control' has the added benefit of allowing a more consistent approach to regulatory communications. More proactivity around managing the regulatory dialogue helps to both clarify requirements and manage supervisory expectations by demonstrating control over the critical programmes.

Another key benefit is effective governance. In some banks, the amount of executive and senior management time spent in the different steering committees of multiple key regulatory meetings has become excessively demanding and highly inefficient. One senior executive complained that the relentless meeting schedule left him with no time to run the business. If programmes are aligned in the right way, and a common approach is found to track and report information, then tighter, more informed decision-making will result and business leadership time will be released. One bank, which has introduced this approach, states that the release of senior executive time is one of the biggest benefits. If the programmes continue to be managed in isolation then time is wasted, decision making can be impaired and key demands may fall between the cracks. This will frequently result in implementation decisions that are out of step with long-term business strategy including spending money on complying with regulations in business areas that are subsequently dropped.

Part 3:

An integrated solution

As has been described, the challenges facing the banking industry are clear: The volume of regulatory reform filling the change pipeline; an evolving regulatory scope; the complexity of mapping of regulations to the strategic business model; multiple interdependencies exacerbating delivery risk and many moving parts (projects), amalgamating against a backdrop of constrained budgets, resources and schedule.

To address the multifaceted nature of the problem, and integrated solution is needed. The elements of this solution fall into three categories which interrelate as shown in Figure 2:

• Portfolio controlling – Managing delivery (at programme and project level) in an integrated and controlled manner, with governance to provide visibility at appropriate levels of the organisation
• Regulatory coordination – Understanding the moving regulatory landscape and responding, both from a communications and scope management perspective, in an agile manner
• Strategic design – Identifying and resolving interdependencies and synergies, and understanding impact of changes to the regulatory landscape

The remainder of this section summarises the key considerations under each of the three elements.

Portfolio controlling

To maintain control over all projects within the portfolio it is essential to embed structured governance and communication processes; implement standardised controls and supporting tools and templates; and, identify and leverage opportunities to increase delivery efficiencies. The three subelements of portfolio controlling are:

Governance and Communication

• Design governance and supporting communication processes to provide appropriate insight and ensure alignment between organisational strategy and portfolio delivery
• Ensure fit-for-purpose reporting, information flows and decision support systems are in place to provide visibility of portfolio performance and provide the right information to drive informed decision-making

Programme controlling

• Implement standardised and appropriately mature controlling processes to provide assurance of project/programme delivery
• Articulate the portfolio baseline including impact cases, scope statements, risks, issues, assumption and dependency (RAID) logs, integrated portfolio critical paths and financial summary

Enabling delivery

• Identify opportunities to optimise the resource delivery model (e.g. " Build an efficient management information system (MIS) to capture, analyse and report on key delivery risks (see the 'Smoothing the way' section for specific examples)
• Embed standard delivery life-cycle methods

Regulatory coordination

To gain a better understanding of the changing regulatory landscape it is essential to interpret existing rules and monitor their development; translate regulatory requirements into business impact; and, identify upcoming regulations that will affect the bank and support regulatory interactions. The three sub-elements of regulatory coordination are:

Regulatory impact analysis

• Conduct ongoing regulatory impact analysis (for new or updated rules). Assess both the commercial and operational impact of regulations. Our paper 'Banking industry reform: A new equilibrium' provides our perspectives on how the banking landscape is changing and how this impacts the strategic business choices banks are making ( http://www.pwc.com/gx/en/bankingcapital-markets/publications/banking-industry-reform.html)
• Closely work with the regulatory initiatives to translate rules into business scope
• Provide a consistent rules-mapping methodology and a tailored tracking approach across the bank

Regulatory watch and compliance

• Track future regulations expected to impact the bank to inform timely strategic decisions about their implementation
• Monitor and confirm the organisation's compliance with rules as the regulatory initiatives deliver the required changes
• Define criteria to assess if a regulation should be included in the regulatory portfolio and review candidate regulations suppliers, internal resources)

  Regulatory interactions and lobbying

  • Ensure level of interaction with the regulators and key industry bodies is appropriate (e.g. frequency, participants)
  • Where rule clarifications are required, engage regulators at the right level (i.e. SME) to confirm rule interpretations. Do this with real understanding on the consequences for projects
  • Facilitate and participate in lobbying efforts where appropriate (e.g. through industry bodies and associations). Do this with real understanding of the impact on bank strategy

  Strategic design

  To execute change efficiently it is essential to manage implementation dependencies and synergies across the regulatory initiatives and other programmes; coordinate scope and planning changes; and conduct ongoing business impact analysis. The three sub-elements of strategic design are:

  Dependencies and synergies

  • Analyse dependencies and synergies (between regulatory initiatives and with other relevant non-regulatory programmes)
  • Provide insight where prioritisation decisions need to be made, with particular focus on understanding strategic over tactical solutions
  • Drive the realisation of synergies where they have been identified
  • Focus on resourcing, data, IT and model development issues

  Scope and planning changes

  • Monitor impact of regulatory changes (e.g. finalisation of rules) on the scope and plans of the regulatory initiatives
  • Analyse areas where delivery prioritisation conflicts appear and coordinate scenario planning activities to assess impact and inform regulatory interactions
  • Assess scope changes related to 'mandatory' versus 'discretionary' tasks

  Business model impact

  • Work closely with the regulatory oversight function to translate regulatory rules into business requirements
  • Provide input to the bank's business strategy team
  • Complete a 'component' business level assessment of regulatory impact to create a bank-wide view of main change areas
  • Identify practical dependencies and synergies between 'components'

  Part 4:

  Smoothing the way

  Once the 'air-traffic control' function is established, a number of standard tools can be deployed to help manage the complexity of the portfolio. Examples include:

  • Executive scorecard
  • Automated RAID tracking
  • Functional heat maps
  • Dependency deep-dives

  Executive scorecard

  While executive scorecards are not a new concept, they are still an area that continues to be executed poorly to drive management information and decision-making. High-value scorecards typically balance snapshot and trended quantitative analysis across a high-quality data set, with supporting qualitative commentary. Analysis should highlight key areas for attention and key decisions requiring focus.

  Automated RAID tracking

  To produce the high-quality data set outlined above, it is important to deploy standardised project control processes across the various initiatives. This ensures consistent treatment of risks, issues, milestones, dependencies, etc. and, importantly, consistent reporting of the same. Tools to facilitate this should, ideally, be centralised such as enterprise portfolio management (EPM) software packages, but can start by using consistent end-user tools such as templates and automating the aggregation and analysis processes.

  Functional heat maps

  These allow assessment of the aggregate impact on the business as a whole through a common language that maps how different regulations affect the bank and its operations. This view breaks the business down into functional components (e.g. valuation, risk modelling and collateral management) and evaluates the impact on each of these areas and what will need to change as a result. As an illustrative example, Figure 3 sets out a typical heat map for the impacts on different functional components within finance.

  

  When deployed more widely, the mapping process allows banks to develop an organisation-wide blueprint to understand what needs to be done in which areas. This allows better assessment of what resources are required and where conflicts may arise. A key consideration in the development of such a view is the classification of regulation in terms of where it is in its life-cycle (i.e. inception, consultation, compliance implementation and business optimisation). In this way, banks can not only understand the impact of the immediate priority projects, they can also establish the forward-looking view that will allow some level of synergy and efficiency to be achieved. For example, the forward-looking radar may allow considerations for a future requirement to be considered now. This can result in developments being done in a way that lays the foundation for the future regulation to be delivered more easily.

  Dependency deep dives

  A further benefit of mapping the impact is ability to identify the common threads between the various regulations. This allows the early identification of dependencies within the business, and between programmes, which are critical to delivery. As an illustrative example, Figure 4 sets out a dashboard of possible dependencies in data and systems.

  De-risking delivery

  Using summary views that support a common understanding, the bank can better understand the big picture, drill down into detail and set priorities and create a clear timetable for each step. This both allows potential hot spots to be identified and drives the ability to make decisions that ensure that milestones are met.

  A key benefit of this proactive approach is that it not only reduces delivery risk, but also helps to drive resourcing decisions so that effective use is made of scarce resources. Even with good insight into execution risks, there may be instances where an unexpected outcome occurs. The proactive approach would help to accelerate mitigation, but there may still be a missed deadline. In such cases, this approach would allow the bank to reassign priorities to get implementation back on track. It would also allow the bank to engage with its supervisor in good time and engage in active dialogue around the issues and the steps being taken.

  Taking advantage of synergies

  From a cost perspective, a key advantage of this approach would be allowing the bank to identify and take advantage of the synergies that are possible across such a closely aligned portfolio of change.

  Looking at data architecture as an example, the regulatory reform agenda is accelerating the need to rationalise data flows and improve the quality, consistency and timeliness of data. The need for changes to the architecture is driven by a variety of new regulations including Dodd-Frank, Basel III, EMIR and the Foreign Accountant Tax Compliance Act (FATCA), as well as accounting and disclosure requirements such as IFRS 9. Understanding the impact of the changes collectively on key fundamental processes in the bank allows coordinated planning and synchronised implementation. Without this, the issues associated with fragmentation and complexity will be exacerbated.

  Furthermore, anticipating demands across the portfolio will help the bank to avoid the expense and disruption of 'digging up the road' more than once. In the example given of fundamental data change, a little extra work will allow systems' changes the bank is currently carrying out to be adapted to meet future demands. For example, the bank may need to add a new data field, a task that could take ten days to carry out as they open up the transaction systems, conduct the necessary impact assessment and engage with the design authority, code and test. But once this process has been initiated it would be possible to add multiple other fields, projected to be a future necessity (using assumption-based planning), in as little as half a day, potentially saving nine and a half days of work and expense.

  The dividends

  PwC has analysed the resource demands, functional dependencies and synergy potential across the current and upcoming regulations. From this analysis, we estimate that banks could save up to 24%4 of the cost of implementation by following this more proactive and systematic approach to portfolio programme management.

  At a time when budgets are stretched and returns are under pressure, these savings could provide an important competitive edge in themselves. Even more telling would be the competitive advantages of faster and less disruptive implementation and minimising the chances of missing key supervisory deadlines.

  Our approach also makes it easier to demonstrate progress towards compliance, align implementation with wider business changes and allow senior management to focus more of their attention on the changes in the commercial landscape.

  

  What's next?

  With no let-up in the scale and pace of regulatory change in sight, the ability to manage the transformation in an efficient, assured and cost-effective way can give banks a clear competitive advantage.

  The following five questions, and an organisation's ability to answer them, provide a rough yardstick against which they can test their readiness:

  • What do you expect to spend on regulatory change in 2013 and beyond?
  • Is the matrix of compliance responsibilities, for each regulation, in each function or division, at each governance level clear and understood?
  • What is your level of confidence in meeting all regulatory deadlines on the horizon and do you understand the consequences of not meeting these deadlines?
  • Do you have the right information to inform planning and decision making which allows you to avoid duplication, deliver effectively and avoid 'regret' spend?
  • How effectively do you manage your regulatory interaction from early strategic lobbying through to detailed interactions around final delivery?

  The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.