Stuart Savill

Controls Testing Hell & Scaling Through Compliance As Code

Updated: Feb 9

So – first – an apology: this article is a bit ‘back and forth’ with terms, discussing how we collide the risk and development landscapes together… but here goes….


The financial landscape is being swept by a wave of ever-increasing regulations, with a particular focus on operational resilience. This regulatory tsunami is forcing financial institutions to re-evaluate their approach to risk management and internal controls. In this turbulent sea, automated controls testing emerges as a life raft, ensuring that the financial services industry can report and “keep its nose clean!”


Why the Regulatory Surge – and why am I banging on about this in an operational resilience blog?


Recent years have witnessed a spate of high-profile financial meltdowns and cyberattacks, exposing vulnerabilities in FIs' operational resilience (and controls testing). Regulators are taking action to prevent future disasters by mandating stricter controls, robust testing procedures, and evidence / reporting.


In addition to the operational resilience lens, there are also the ever-increasing demands of regulatory controls testing and risk management – and an ever-increasing list of sample points. Again, scaling manually just doesn’t work as this evidencing grows exponentially…


Enter Compliance / Controls Testing as Code – starting to scale the response through tech, and getting some smart humans automating and coding their way through this regulatory spaghetti, reporting and response!



Stating the obvious.... Manual testing through humans does not scale well. As testing grows exponentially, organisations simply cannot afford to scale by putting more people in front of computers to complete testing, report, munge data, write dashboards etc….


Automated controls testing is going to be an invaluable weapon – you will notice I use the phrase “going to be”… Why?


Whilst we have pockets of useful tooling, data and reporting – have we, as an industry, really embraced the skills and embedded the right ways of working? Probably not!


To really embrace this properly, and across an enterprise landscape, you need to focus on transforming your approach to risk management, bring in skills / operating models / unification and identification of data sources – and do some heavy lifting.


Skills, Ways of Working / Enablement Teams…

So, before I move on to the benefits (and put the cart before the horse), I want to provoke some food for thought: how do we really make this utopian world of full automation happen? The answer: bringing the development and risk mindsets together. If we can do this, we can massively move the dial!


Policy as code, compliance as code, configuration as code, standards as code, API integrations etc. – how many risk / compliance / regulatory teams are thinking about these skill sets, embedding them in a consistent way, driving standards of engineering – and agreeing them cross-enterprise? Probably not many – but this is where we need to drive this way of thinking!


Bringing the skill sets of risk and development together to drive an awesome outcome is the only way we are going to truly get after this. Just look at where development practices / pipelines / Infrastructure as Code have taken us in a relatively short amount of time – imagine embedding these paradigms into the risk and compliance world in a uniform manner! How powerful is that!


Whilst you may start small and grow out, the enterprise wishing to transform needs to agree the primitives of how to operate – and build in a uniform way, with consistent and standard engineering approaches, terminology, data model etc. Get this right and you can start to scale this automation dream!


Danger Will Robinson….. (a Lost In Space phrase!)

However – if you try to automate in pockets and in different ways, there will just be complexity and inconsistent ways of working. This is the place you don’t want to be!!! You want to be able to articulate your enterprise’s risk in a consistent, programmatic way.


Agree all of your standards across all of your risk and compliance functions – so everyone can contribute to the party….


So – get this approach right – and what are the benefits of Automated Controls Testing?


  • Increased Efficiency and Accuracy: Automation dramatically reduces testing time and eliminates human error, leading to more consistent and reliable results.

  • Enhanced Coverage: Automated tools can test a wider range of controls and scenarios, providing a more comprehensive picture of an FI's risk landscape.

  • Real-time Insights: Continuous monitoring and scenario testing capabilities offered by automated tools allow FIs to identify and address control weaknesses in real time, preventing potential breaches.


Conclusion:

Bring development, engineering and enablement team skills into your risk and compliance organisation. Codify the hell out of your controls and embed this into technology and business teams, so that when they deploy services, technology and business processes into a digitised landscape, the measures and control objectives are considered auto-magically, with close to real-time exception reporting.
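As an added illustration of the agreed primitives and shared data model argued for above, and of the exception reporting this conclusion asks for, here is a minimal controls-as-code runner in Python. It is not the author's code or any real product: the control ids, evidence feeds and fixed clock are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Hypothetical shared data model: one record shape for every control test, so
# each risk or compliance function contributes controls the same way.
@dataclass(frozen=True)
class Control:
    control_id: str                 # constructed ids, not a real framework's
    objective: str
    evidence_key: str               # which evidence feed the check reads
    check: Callable[[dict], bool]   # True when one evidence record passes

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
def backup_is_fresh(rec: dict, max_age: timedelta = timedelta(days=1)) -> bool:
    taken = datetime.fromisoformat(rec["last_backup"].replace("Z", "+00:00"))
    return NOW - taken <= max_age

CONTROLS = [
    Control("CTL-001", "Privileged accounts enforce MFA", "accounts",
            lambda r: (not r["privileged"]) or r["mfa_enabled"]),
    Control("CTL-002", "Production databases backed up within 24h", "databases",
            backup_is_fresh),
]

# Constructed evidence, shaped like exports from an IAM system and a backup system.
EVIDENCE = {
    "accounts": [
        {"asset": "user:alice", "privileged": True, "mfa_enabled": True},
        {"asset": "user:bob", "privileged": True, "mfa_enabled": False},
        {"asset": "user:carol", "privileged": False, "mfa_enabled": False},
    ],
    "databases": [
        {"asset": "db-prod-1", "last_backup": "2024-02-29T22:00:00Z"},
        {"asset": "db-prod-2", "last_backup": "2024-02-29T10:00:00Z"},
    ],
}

def run_controls(controls, evidence) -> list:
    """Evaluate every control over its evidence feed; return only the exceptions
    as (control_id, asset, objective) tuples, ready for an exception report."""
    return [(c.control_id, rec["asset"], c.objective)
            for c in controls for rec in evidence.get(c.evidence_key, [])
            if not c.check(rec)]

def summarise(controls, evidence) -> dict:
    """Per-control dashboard status: PASS, or FAIL(n) with the exception count."""
    counts = Counter(cid for cid, _, _ in run_controls(controls, evidence))
    return {c.control_id: f"FAIL({counts[c.control_id]})" if counts[c.control_id]
            else "PASS" for c in controls}
```

Adding a new control is one more `Control` entry in the same shape, and a new evidence feed is one more key, which is the uniformity the post is asking teams to agree before they scale.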


Get this nailed – and we might just survive this onslaught of controls testing!
