Risk-based compliance programmes require engagement with stakeholders every so often to make sure that they are not completely off target.
In today's world we are peppered with information on the geopolitical landscape on a daily basis and it is easy to overlook the need to take stock of events and their impact on your strategy. It is always a good idea to periodically step out of the 24-hour investment/news cycle in order to reflect on the direction of travel of the business against the prevailing environmental winds. This is probably best done by creating uninterrupted time in your diary to take a good look at what you are trying to achieve.
One of the best times to do this for any business is following the meeting of global decision makers at Davos (i.e. at the World Economic Forum). This event occurs in January and has become a meeting which sets the major agenda for the risk management focus of governments and regulators for the coming year. My experience has been that if there are going to be any major surprise initiatives implemented by a regulator, they will typically have been socialised at this event in some form or another. Climate, Social Impact and Governance is clearly something that will be discussed further in 2021 having had a reasonably good airing last year, but what follows here is a tasting of the other areas that may be worth your consideration as a regulated firm and as part of your risk management planning for 2021/22. We provide a light snack of the key issues that may be more relevant for regulated firms, an implied invite for you to delve into the further detail as you may wish and some suggestions on what you may consider worthwhile addressing as part of enhancing your controls (relevant for any jurisdiction).
COVID Action Platform
Not surprisingly, the global pandemic and its impact has been at the core of the Davos event. There are a lot of discussion resources around recovery and prevention. The COVID Action Platform focuses on bringing government and industries together to deal with the global impact of the pandemic. Carolina Klint, Managing Director of Marsh & McLennan Insurance does a fantastic job discussing the key issues on their dedicated page. A key understanding explained here is how the pandemic has impacted on the management of pre-existing risks and what that means for the economic recovery during the aftermath. I would highly recommend listening to the discussion on the top 10 risks and how firms can use the Forum’s Global Risk Report to improve resilience.
Licensed Firms (of whatever size) should maintain awareness of the local, regional and international direction with regards to the key environmental risks impacting employees, business sustainability and operational continuity as part of their governance responsibilities and this series should help provide a contextual summary of the key issues that are being addressed by global action.
Other Key Themes
Outside the core focus of getting the world to the other side of the current pandemic, one of the key factors is helping the world get back to operating at business as usual (whatever that has mutated into). This year the Forum has provided an opportunity to refocus on issues that may have been overlooked due to the pandemic response.
Cyberrisk and Data Protection
As predicted, the risks of data attack/loss have continued to increase, and while it may feel like we are in a continuous business continuity loop, system integrity and recoverability still demand everyone's ongoing attention. The threats accelerate faster than the controls can be implemented, so the issue has raised itself to the centre of the risk radar, in particular for financial services. See the cybersecurity platform for multiple projects around finding solutions to this persistent issue. In addition to ensuring an annual risk assessment is completed and standard reviews and processes are followed, firms should at least:
· Re-assess the effectiveness of the cybersecurity training against the risks.
· Book some more practical training with security industry specialists and discuss approaches to training with security professionals.
· Plan to run a simulation of what you would do if investor/client data is stolen/leaked/lost.
· Make sure you are up to date with risk intelligence using the various data sources that are available [e.g. HKCert in HK].
Evaluate your threat readiness with our US service partner's Cyber Security Checklists which can be accessed here for a more in-depth consideration of key issues around this topic.
While a more politicised sanctions regime has appeared, I expect that on balance we are all hoping for a calming of tensions between the US and China. Geopolitical stability is up there on the key risk list for everyone as it impacts the pandemic recovery and the path to economic recovery. If you are not already fully plugged into the issues, and would like to know more, we can recommend a great source of reflection on the impact of the US-China trade war that was presented in a podcast format by the political and economics team of the SCMP. If you have a 45-minute slot over the holiday, there is a balanced analysis of some of the statements made by key leaders at Davos with some balanced commentary on the economic issues at play.
The relationship between the US and China is clearly going to have an impact on all firms’ strategy (whether local, regional or global) and therefore should be under ongoing review. Some key ideas to consider might be:
· Checking that the risk team are recalibrating risk scenario tests for 2021 (in particular asset management teams consider probable scenarios).
· Confirming that your sanctions intelligence resources are up to date and current.
· Internally reviewing your risk of sanction impact and speaking with counsel about relevant matters.
· You might also consider sounding out your staff about their personal concerns around regional stability (even if you as a firm do not have a concern).
Please also see the superb technical resource produced by Gibson Dunn on the current Sanctions Regime if you would like to get into the legal detail and of course please do speak to your own sanctions counsel about specific issues if they arise.
Social Mobility and the Gap between Rich and Poor/Market Misconduct
The gap between rich and poor and social mobility does have an impact on the markets and regulations. Perhaps a tenuous link to the market event which coincidentally happened during Davos week, but as the short squeeze that occurred in the market that week demonstrated, the perceived imbalance between the Street and the retail trader has the ability to drive political reaction to market events and both licensed firms and regulators need to be cautious around how they react. Market manipulation generally evolved from the need to present fairness in market participation, but perhaps western markets are getting a taste of the retail investor forces that have emerged (or perhaps always existed) here in Asia and the micro market structural issues that such a structure presents.
Whatever your moral or political views are on market structure, any dissemination of information which has an intention to increase, reduce or maintain the price of a listed security will bring a concern that market misconduct may be taking place. Motivation may be a factor in the determination of whether an action is a breach of market expectation, but motivation (in someone's mind) can be difficult to prove in the absence of retained evidence. It is not relevant whether you are regulated or not when it comes to acting in bad faith other than perhaps being in a position of knowing better.
Of course, professional market participants need to be aware of market sentiment and direction of trades to make proper decisions regarding risk, but it can be hard to collect data or verify a rumour without being able to research it or find its source. Message Boards and Social Media platforms have created a new issue that did not exist when the rules were written. There are key differences in selling a stock because it is overvalued and selling a stock because you are actually aware that the stock is being manipulated. It is likely that we will see even further additional attention being given to market behaviour by regulators given the events of last month but we also see some regulators have taken action on market behaviours already.
While there may be a few highly publicised winners in this latest market dislocation, all participants need to handle it with extreme caution.
· Consider your exposure to receipt of Material Non Public Information/Rumour Management Policy (Market Abuse Risk Assessment).
· Re-consider implementation of surveillance of trading (we are seeing more cost effective solutions in the market).
· Consider your use of alternate data which may be sourced from discussion boards (see our Service Partner’s review on suggested controls over alternative data here).
· Consider short exposure risk controls and soft exposure limits and whether they are sufficient to avoid being overexposed in such types of adverse market conditions.
I have tried to extract some of the core issues that are worthy of additional ongoing awareness for Licensed Firms with dealings in Asia.
There is a tremendous amount of goodies regarding wider risk issues and the impact on longer term sustainability contained within the reports, platforms, projects and other content curated by the Forum. The executive summary of the report can be found here.
For whatever reason, it is a good idea to understand the threats and solutions that are being presented to society or at least in this case, it is always useful to know what those in charge believe to be the greatest threats and therefore their likely reaction. The full report can be found here. If you already have a good knowledge of the impact of global risks on your business, this will hopefully offer a chance to peer review what you think.
How we can help
Cognitive GRC typically delivers standard GRC monitoring reviews that cover the key Governance, Risk and Compliance issues that need to be analysed within an industry grouping. Just like conflicts, a firm’s analysis of relevant risks needs to be owned by senior management to be effective. We hope for the best and try to help firms be prepared for the worst. Our typical work focuses on the parts between our client’s strategic risk management and their micro-operational risks, but it is always good to take a step back and look at the bigger picture to ensure the work is effective in achieving the overall goal of helping clients manage the risks that can be mitigated while monitoring those that cannot.
The mere exercise of considering some possible or probable black swan events that may occur will help firms react appropriately if and when they or a similar type of event does materialise.
If 2020 has reminded us of anything it is that the longer-term threats can strike, and firms do well when they are nimble enough to manage them. This can be achieved by having the right approach to risk management and an understanding that the risk and control monitoring programmes are part of an overall strategy to protect investors, businesses and the people that work for you and importantly, not just something that you have to do to satisfy regulatory/investor requests.
If you have any questions about your Governance, Risk or Compliance Programmes please do reach out for a consultation. We cannot take any credit for the resources that we have referenced in this discussion and we need to thank the collective sponsors and members of the Forum for such efforts in bringing such a diverse community of contributors to provide resources that give the world a better understanding on the global risks that are being faced.
The content of this discussion comes from the opinions and views of the author and should not be considered legal or compliance advice. Cognitive GRC provides advice to senior management of regulated firms in design and delivery of risk-based control infrastructure around regulatory obligations in Hong Kong and should be read in that context.
Derek McGibney is the Managing Director of Cognitive GRC Limited and has been involved in providing Risk and Compliance services to regulated firms in multiple jurisdictions for over 20 years. Cognitive GRC’s team works with several service partners in helping deliver multijurisdictional services to regulated firms in Asia.