XLoD 2022 Agenda

• How well are banks managing the evolution and expansion of non-financial risks?
• What are the challenges with building new or expanded risks into existing risk management frameworks?
• Does the expanding mandate of risk and control functions require better collaboration between the 3 lines of defence?
• How can risk and control practitioners leverage technology to streamline the operating model?

• How can 1st Line Risk & Control functions effectively determine how many people they need to manage the key risks in the businesses they support?
• Is there a natural tension between the evolving mandate of the 1st Line control function and the desire to right-size the function? How can this be justified to regulators?
• How can banks balance the amount of regulatory remediation work in the 1st line in order to become an effective challenge function?

•  Do you expect the evolution of market abuse surveillance to be driven by regulation, internal cost drivers or demand for better risk management?
• In which areas of surveillance do you see the greatest opportunity to increase the scope of coverage?
• How can surveillance functions find the capacity to innovate whilst maintaining the BAU processes required to manage regulatory risks?
• What are the greatest opportunities for surveillance functions to collaborate more effectively with other control functions?

• How can outcomes from investment into conduct and culture be measured accurately?
• What are the tangible conduct and culture improvements that can be observed and measured?
• How are financial institutions identifying cause, making use of lessons learned, and measuring trends?
• Is there still work to do in the industry on culture and conduct?

• How should  financial institutions be thinking about risks associated with ESG?
• What should the roles and responsibilities be within financial institution in relation to those risks, and particular, what is the role of Compliance?
• What are the immediate priorities and how should financial institution go about mitigating the risks associated with ESG? What steps are required, and what needs to be implemented?  
• What is the future state and key considerations for financial institutions going forward in relation to risk associated with ESG?

• With finite resources, how can banks develop to meet regulatory expectations including maintaining a high-quality, forward looking, evolving and BAU risk and control function – whilst delivering impactful initiatives to the business?
• Is there a natural tension between increasing technological innovation and fulfilling BAU requirements?
• How can risk & control functions better collaborate with technology teams to ensure successful delivery of controls change management?
• When 1st line are being asked to do more, with less, why wouldn’t external transformation consultants or vendors be an effective resource for delivering impactful change management?

• What does risk based surveillance mean in practical terms?
• Is it feasible for banks to cease their surveillance on low risk individuals?
• What is the regulatory support for taking a risk-based approach?

• How should banks mitigate the risks of misconduct through voice channels when employees and clients are working from disparate locations?
• What are the key metrics required to provide surveillance teams with effective risk based indicators?
• What are the challenges of storing and using vast amounts of voice surveillance data with vast amounts of surveillance data still siloed?
• How can automation be utilised to monitor and analyse larger percentages of populations’ communications to reduce the necessary levels of random sampling?

• How should control functions be collaborating better when thinking about their resilience planning?
• To what extent should financial institutions be building resilience into systems and products from the outset and building resilience into the architecture of the institution?
• Where should ownership and management of resilience lie in the organisation?
• To what extent can resilience functions advise regulators about efficient and effective oversight programmes?

• How might regulation develop over the next five years? And how can regulators become more forward focussed and horizon scan for future risks?
• Will Culture & Conduct remain the major focus for regulators?

• What are the different approaches to thinking about culture and behavioural science in the US vs Netherlands and Europe? 

• How do we expect regulations in important areas such as ESG, resilience, and digital assets continue to grow?
• How can regulators enable regulatory certainty, enabling banks to make multiyear risk management frameworks, whilst remaining dynamic to emerging risks?

• How are banks able to identify upcoming new risks? Is a constant review of operational risk frameworks and RCSAs essential to identifying new risks?
• How frequently should banks be conducting horizon scanning? How can banks ensure the results are actionable?
• From a regulatory development perspective, who should own horizon scanning, 1st line or 2nd line? Or how should the two lines work closer to understand the potential development in regulations and how these affect risk & controls?

• Do banks need to do additional testing in the 1st Line?
• How can banks avoid marking their own work? How can the 1st Line Risk & Control functions ensure they are independent assuring the business that controls work?
• How should 1st line be building out testing and assurance work to make it complementary to 2nd and 3rd Line assurance? Wargaming, Scenario Analysis, Live testing
• To what extent is the current 2nd line testing and assurance regime not evolved enough and just a QA process around the 1st line testing?

• How are banks developing industry best practice for the roles and responsibilities of the 1st & 2nd lines?
• What is the regulatory and industry view regarding the 1st line taking more responsibility from the 2nd line?
• Should banks be taking a top-down approach when defining the principles and expectations of the lines of defence?
• To what extent is there currently an unrealistic accountability and expectation placed on the 1st line?
• Should costs be cut in the 2nd and 3rd lines to compensate for 1st line’s increasing accountability?

• How can firms harmonise controls and redesign the processes to increase coverage, efficiency and effectiveness?
• Does there need to be a regulatory imperative to drive control digitisation? And do ‘run the bank, change the bank’ conflicts lessen the desire to adopt further digitisation?
• How are firms implementing advanced technology solutions that allow for ongoing risk monitoring in a BAU state?
• To what extent has the adaption of legacy taxonomies to reflect today’s operational risk environment affected multiple downstream processes and control procedures?

• How should banks be reducing false positives by tuning/re-tuning parameters to balance risks?
• Should surveillance recalibration follow more formal model risk governance processes?
• To what extent is calibration, and re-calibration, more important than strategic initiatives such as implementation of a contextual model?
• How often should calibration be conducted? And what tools can be used to ensure these are based on an ongoing monitoring of the scenarios’ effectiveness?

• How should banks be building capabilities to ensure that they are capturing, storing and indexing required communications data?
• How can teams justify sufficient coverage to regulators and audit teams when adopting a risk-based approach?
• How can financial institutions keep up with the expansion of new communication channels?
• How do banks ensure all communications take place within official channels and are appropriately recorded?

• What’s on the near term horizon/what can be expected from advancements in voice tech in the coming years?
• What is the evolving skillset for effective voice surveillance?
• How does your organisation mitigate the risks associated with unmonitored communications on personal mobile devices?
• Is there a minimum sample size expectation for voice coverage?

• How are regulators globally moving towards establishing best practice for surveillance regulation?
• Is it possible for banks to deploy a global, ‘golden standard’ across all regions?
• How can you have confidence that the regional branches are doing everything they should?
• What is the divergent regulatory expectation on the management, review, and escalation of false positives?
• What does the future of surveillance regulation look like?

• To what extent are data issues the single biggest challenge to surveillance effectiveness?
• Are banks capturing all the trade data and data from communications channels?
• How can arrangements be made to ensure data quality, curation and access are adequately coordinated?
• Are Buy v. Build decisions unduly affected by data quality issues?

• How can banks create consistent metrics while allowing for nuances across different trading businesses?
• Can the industry create standardised Conduct Risk measurement in the same way as Market and Credit Risk metrics?
• Should Conduct Risk be defined at a group or individual desk level?
• How can key conduct management information and behaviour metrics enable a risk-based approach to conduct risk?

• Does what we measure directly correlate to overall cultural strength and weakness? Or are measurement metrics selected because they are more readily available?
• How well do conduct dashboards highlight issues at sub-culture level? How can firms sufficiently map their cultures and sub-cultures?
• What is good practice in identifying unacceptable sub-cultures and bringing them into acceptable norms?

• Who should be leading the banks conduct risk framework and agenda?
• How have control functions across all 3 lines worked together to manage conduct risk during the unprecedented disruptions in recent years?
• How can you measure the total cost of controls for the conduct risk programme, group wide?
• What lessons have been learnt from the conduct programmes deployed to date and how should banks be looking at conduct risk over the next 3 years?

• What steps can internal audit functions take to effectively assess risk based controls?
• To what extent will there always remain a requirement for sample based testing?
• How can internal audit functions partner with 1st and 2nd line functions in order to effectively place assurance on risk based controls?

• How can firms ensure compliance with new global ESG-related standards, ensuring more credible corporate disclosures?
• To what extent can banks turn net zero pledges into near-term action to reduce reputational risk?
• What are the most important skills for practitioners working in ESG Risk? Is there a lack of controls expertise in ESG?
• How can banks ensure ESG Risks are taken into account when establishing, implementing and maintaining effective reporting within the firm and with third parties?

• How can business heads retain oversight of critical services when so many data and infrastructure functions are outsourced?
• Do banks really understand the risks created through their myriad of 3rd and 4th party relationships?
• Can you effectively manage resilience and privacy risk exposure when information travels to 3rd parties and beyond?

How we're using AI/ML to predict and help prevent operational losses,  and understand when processes are likely to fail so we can target investment to drive the greatest financial and operational return.

VoxSmart: Are the recent SEC fines transforming Wall Street’s WhatsApp policy?

• A brief overview of the SEC fine, events leading up to and after
• Examples of how our clients are handling WhatsApp use – perhaps a quick show of hands to see who in the room is monitoring WhatsApp
• A quick look at how the market and regulation might evolve in the coming years

Presenter: Oliver Blower, Group CEO, VoxSmart

• The importance for risk functions to develop and retain trust with business stakeholders
• How should financial institutions create risk and control functions that act as business enablers?
• What are the opportunities to create confident front office decision making through effective governance?
• Aligning risk and control functions to support business decisions
• The role of effective governance in building trust with disparate stakeholders

• Given the growing volume of trading venues, how can banks ensure they have complete governance over communications that occur on disparate venues?
• How are banks ensuring coverage of communication channels which are routinely releasing updates with new functionality?
• Can you ensure compliance whilst managing the evergrowing temptation to use social media and mobile devices?
• How can banks ensure that their surveillance functions have a completeness of data across all venues? Who should have appropriate ownership and responsibility for completeness of data?

• What insights does behavioural science provide that can help financial institutions improve conduct?
• How can behavioural science-based approaches help to effect behavioural change in organisations?
• What are the key behavioural indicators which can be used to assess whether conduct programmes have had a lasting impact on an organisation?

• What are the opportunities for Internal Audit functions to leverage AI and data analytics technology for identifying trends?
• How can Internal Audit functions move towards more Intelligent Risk Identification?
• Should Internal Audit be championing the capture and visualisation of risk and control Data across the entire bank?

• With the return to the office and recent regulatory action, are there heightened regulatory expectations around supervising teams?
• How should banks be re-calibrating their controls in order to manage the return to traditional operating models?
• How should banks be leveraging technology in order to ease the return to traditional operating models?

• What kind of hidden threats can banks identify through the integration of trading activity with client data?
• Do these integration initiatives present technology budget savings or simply the better identification or risk?
• Is integration possible in a meaningful way without leveraging machine learning or are the data sets too large?

• To what extent should banks extend their surveillance programs to non-Sales & Traders for potential misconduct? Particularly those with potential access to MNPI such as Legal and Compliance?
• What are the regulatory expectations regarding surveillance of non-regulated individuals?
• Where should banks be prioritising their surveillance coverage?

• What are the practical issues and challenges of auditing culture? And how do firms focus on what’s beneath the iceberg?
• How do culture audits enable financial institutions to understand their conduct risks and why re-engineer them?
• What are Internal Audit teams doing to encourage 1st Line ownership in strengthening culture and conduct?
• What does Internal Audit see as key indicators of cultural strength/weakness?

• Does there need to be a regulatory imperative to drive control digitisation? And do ‘run the bank, change the bank’ conflicts lessened the desire to adopt further digitisation?
• Are risk managers prepared to give up head count once control digitisation is delivered? • Is control digitisation a false efficiency, as regulators will require further independent assurance that controls are being effectively managed?
• Should RPA be better utilised to automate highly manual jobs to create more interesting jobs for risk & control practitioners?