Compliance professionals in the financial sector might feel a bit uneasy and gloomy these days. Your career prospects, conventional wisdom says, are not as secure as they used to be.
People might be tempted to cite the election of Donald Trump, and his distaste for just about every regulation he can find, as the cause of this angst. Trump’s anti-regulation histrionics certainly add to compliance professionals’ anxiety, but let’s not kid ourselves: reports of a decline in compliance jobs have been circulating all year. Earlier this month the Financial Times had an article essentially saying the boom in compliance hiring is over.
I don’t know whether the boom is over, but the need is changing, that’s for sure.
What catches my eye these days is the steady stream of job openings I see for heads of enterprise or operational risk management. Are they growing in number? I don’t know. But I do see and hear anecdotal evidence that the nature of these jobs is changing—so anyone looking to keep his or her career prospects bright may want to focus on that, and skate to where the puck is going to be.
Take these three job posts, all selected randomly, as examples:
- A credit union in suburban Chicago, looking to hire a chief risk officer to help the firm implement Dodd-Frank Act stress tests, to oversee policy management, and generally build an ERM program.
- An asset management firm in New York, seeking a head of enterprise and operational risk management, to help with risk assessments and “event management” including root cause analysis.
- A financial technology company in New York, seeking a vice president of compliance to help develop a compliance program for the blockchain software product it wants to sell to financial firms.
All these jobs exist at the intersection of compliance and operational risk. I’ve written about this trend before: that in the Dodd-Frank era, regulatory burdens have grown so large that regulatory risk is the biggest risk banks face, even larger than credit or liquidity risk. In that world, compliance becomes an operational risk that can’t exist as a separate function unto itself.
Now, this is the part where you say, “Sure, but regulatory risk is passé. Donald Trump is about to take office. Dodd-Frank will get amended. The headcount party is over. How do I stay employable now?”
You’re correct. Everything is going to change in 2017. But that’s not the same as everything reversing.
Internalize and Operationalize
To a certain extent, what we’ve seen in financial services recently is similar to what Corporate America experienced in the mid-2000s in that early, chaotic rush to comply with the Sarbanes-Oxley Act. First we spent gobs of money hiring people and advisers. Then we integrated all those manual, people-intensive processes into routine operations.
The financial sector is at that same point with regulatory risk now. That’s not going to change just because an anti-regulation president is taking office. (If anything, the arrival of the Trump Era will accelerate that push for streamlining and embedding compliance into operations.) Compliance and risk professionals need to understand that evolution of operational risk if they want to keep their careers on a sustainable, lucrative path.
The critical point to remember is that just because policy-makers in Washington decide to reduce regulatory requirements, it doesn’t automatically follow that operational risks—including regulatory risks—decline in equal measure.
For example, Republicans will probably succeed in amending some parts of Dodd-Frank. My bets are on allowing banks to exit required stress tests if they hold higher capital reserves, and simplifying the living wills required of large firms. If these changes do come to pass, does anyone believe the jobs mentioned above will vanish? That operational risk managers will run out of compliance concerns to worry about, and things to do?
Financial firms aren’t just highly regulated. They are highly interdependent and highly interconnected, with lots of money flowing through those connections. We can cherry-pick some regulations likely to disappear under the Trump Administration, and enforcement of non-compliance might fall—but the operational risks of interdependency don’t go away because of those things. Other jurisdictions will still impose their own burdens. And if a firm can’t find a way to navigate all of that efficiently, it will still find its operations wheezing mightily.
So someone who can address that pain point—someone who can help a firm build reliable, flexible operations that manage all risks well, regulatory or otherwise—is going to be in demand.
Let’s Get Practical
Now this is the point where people start to say, “Exactly what career certifications should I get? What conferences do I attend? Where’s the website that lists all the operational risk and compliance jobs?”
I don’t know. Or more accurately, even if I could answer those questions with certainty, the answers today won’t necessarily be true tomorrow. This evolution for compliance and risk management in financial services is more about how firms refine what they already do, rather than firms creating some new professional discipline from scratch to replace something else.
I look to examples like the Institute of Internal Auditors’ guidance earlier this year for how the audit function can take over some compliance duties. It gets to the idea of embedding compliance, risk assessment, and improving business operations. That concept won’t go away.
I look to the federal government’s forthcoming experiment to tie together internal control and enterprise risk management more closely. That concept won’t go away either.
I look at COSO’s framework for internal controls, and how firms might leverage its approach for cybersecurity or liquidity risk. I await COSO’s forthcoming framework for enterprise risk management, to see how operational and compliance risks might be tamed by that. I look at PwC’s State of Compliance Report for 2016, and the vast number of risks still managed by Second Line of Defense functions rather than “the business,” which everyone says should manage risk.
Those things are all about embedding, streamlining, internalizing, operationalizing. How can compliance professionals achieve all that at their own specific firms?
I’m not sure. But people who do know those answers can be a whole lot less worried about career advancement than others.