Competitive Compliance: Manage & Automate, Or Die

By Professor Michael Mainelli
Published by Journal of Risk Finance, The Michael Mainelli Column, Volume 6, Number 3, Emerald Group Publishing Limited, pages 280-284.

You’ve Paid The Compliance Costs, Now Read The Textbook

It had to happen; now we have the definitive UK corporate governance textbook: Corporate Governance by Dr Kathryn Vagneur. And it’s good. Dr Vagneur not only lays out the essentials of governance, she also includes challenging true/false, multiple choice, in-depth and case study questions. Hers is a significant work and a good starting point for people interested in the history and current state of corporate governance. She points out that societal demands for corporate governance, and we all know exactly (sic) what that means, have led to numerous different forms in the USA, UK, France and Germany all exactly (sic) meeting each society’s needs perfectly.

Naturally, we find different forms for governance within these countries for listed firms, large private firms and smaller firms, let alone government entities or non-governmental organisations (NGOs). We really don’t know what we want in each country, before considering imposing standardised international structures. Further, she highlights one of the great contradictions of most organisations – why is the finance director (or CFO) both responsible for the reporting of performance and the delivery of a large element of performance, i.e. financial efficiency? This contradiction vexes one of the key elements of good governance, compliance – proving that you’re doing what you say you’re doing.

One could almost caricature two contradictory finance directors – one, the MBA-trained aggressive financial engineer full of off-balance sheet vehicles, sale & leaseback schemes and highly-geared derivative strategies; the other, a stereotypically dull numbers person insistent on chasing down the final penny and presenting an accurate report of the exact state of today’s affairs regardless of any political discomfort. In today’s typical board, most finance directors are expected to mix parts of both, with attendant conflict and tension about how far they have swung to one extreme or the other. This tension was touched upon in an earlier paper [Mainelli, 1999] that postulated the need to separate the ‘compliance’ functions of the finance director from the ‘operational’ functions. Perhaps compliance has grown so large that finance directors need to be replaced by a “Compliance Director” and a “Financial Engineering Director”.

We Compete Under The Consequences of Compliance

Governance is not compliance, and compliance is not just about regulation, but the Centre for the Study of Financial Innovation’s annual “Banana Skins” [CSFI, 2005] survey shows that the top risk for banks is “too much regulation”, up from sixth out of 30 in 2003. From a City of London perspective the burden of regulation and quasi-regulation is increasing:

  • Corporate Governance: 1992 Cadbury Report, 1995 Greenbury Report, 1998 Hampel Report, 1999 Turnbull Report and 2003 Higgs report; German KonTraG corporate governance reforms; Sarbanes-Oxley Act 2002; and the OECD Principles of Corporate Governance;
  • General Compliance: Basel 2, Sarbanes-Oxley (Section 404), the Patriot Act, Anti-Money Laundering rules, the Financial Services Modernisation Act, the Insurance Mediation Directive, the Privacy and Electronic Communications (EC Directive) Regulations, the Freedom of Information Act 2000, substantially different International Accounting Standards (e.g. IAS 39), the Data Protection Act 1998 and the Financial Groups Directive;
  • Regulators’ Rules: from the FSA, SEC, OCC, BAFIN, etc., let alone SAS 70 or ISO 9000 as voluntarily-incurred compliance, or industry trade association voluntary compliance codes;
  • General Business Regulation: Health & Safety, COSHH, taxation, equal rights, etc.;
  • Future Planned Regulation: Markets in Financial Instruments Directive (MiFID), Equal Treatment Directive, Market Abuse Directive, Occupational Pension Fund Directive, Pension Directive, Capital Requirements Directive, Credit for Consumers Directive, Sales Promotion Regulation and the Unfair Commercial Practices Directive.

What’s A Poor Financial Institution To Do? Fight Back!

Historically, compliance has been seen as an overhead or ‘cost of doing business’. But today the costs are significant. The top 1,000 US corporations spend an average of $5.1 million on just Sarbanes-Oxley compliance according to Korn/Ferry. Financial institutions with exemplary compliance functions improve capital efficiency and reduce compliance costs resulting in competitive advantage; poor compliance functions consume staff, investment and capital. What should we make of these quotes?

“Up to 15% of support staff at Dresdner Kleinwort Wasserstein are working on compliance projects or financial regulations, Stephen Ashton, director of global IT business management at the investment bank, revealed last week.” [Computer Weekly, 1 February 2005]

“Regulatory controls take up a sizeable proportion of spend. Basel 2 and Sarbanes-Oxley compliance is chewing up 40% of investment spend.” Kevin Lloyd, Barclays CTO [Computer Weekly, 15 June 2004]

Both quotations resonate with people in the financial services industry. The numbers, 15% of support staff and 40% of IT investment, are not questioned. While the numbers are probably unscientific, their casual acceptance in conversations indicates the depth of accord with the sentiment implied – compliance is inflating out of control. One internal approach for large organisations is to institute enterprise risk/reward management systems [Mainelli, 2003]. However, this is no longer enough; large financial organisations have to change their external environment. Financial institutions have two obvious avenues to fight back at over-regulation – manage compliance and automate compliance. Too little has been done on both fronts.

Manage Compliance

You can’t manage what you don’t measure. Few financial institutions have any idea of the actual costs of compliance. Sure, measuring compliance is not straightforward. Large banks have a variety of different compliance units and compliance structures. Compliance can report to a global head, be combined with other functions or be allocated to product lines. Much compliance is intertwined with normal procedures, e.g. Know-Your-Client requirements are wrapped up in account opening processes. An organisation that seems to spend little on ostensible compliance may be superb at compliance due to smoothly functioning systems. An organisation that spends an enormous amount on compliance may be ineffectual. Historic investments in compliance systems may lead to lower compliance costs today. Under-investment can lead to large apparent expenditure that is simply inefficiency. But just because measurement isn’t straightforward is no reason to evade it.

Global benchmarking of Comparative Compliance Costs could work towards measures such as:

  • cost and headcount per book;
  • cost and headcount per P&L;
  • cost and headcount per trading function;
  • cost and headcount per unit revenue and per transaction;
  • cost and headcount per legal entity;
  • cost and headcount per regulatory jurisdiction;
  • cost and headcount per customer;
  • cost and headcount allocated to regulatory initiative, e.g. Sarbanes-Oxley, Basel 2, AML,…;
  • cost per employee;
  • incidents per …;
  • losses per ….

If financial institutions had benchmarks and solid data for compliance costs, such benchmarks would help them to:

  • assess current compliance costs and identify areas for improvement internally;
  • establish a baseline for future work on balancing the costs of compliance with ‘doing the business’;
  • provide frameworks for proving that voluntary certifications and ratings, e.g. quality systems or fiduciary ratings, justified a reduction in direct regulatory oversight;
  • negotiate with regulators on obligations based on the comparative costs they impose.

Automate Compliance

Most industries faced with spiralling costs in an area that is essentially paperwork would ‘try and automate the problem away’. Financial services institutions have long resisted approaches that imply they could learn a lot from ‘sausage factories’ [Mainelli, 2002; Mainelli, 2004, ref. 6]. However, new approaches may permit large amounts of compliance to be automated. At heart, compliance is investigating anomalies in order to understand them or to flag them upwards in the governance structure.

Where these anomalies are contained within automated transaction systems, they can be investigated using statistical techniques embedded in Dynamic Anomaly and Pattern Response (DAPR) systems [Mainelli, 2004, ref. 7]. Automated systems can flag anomalies or exceptions upwards to humans in the governance structure. Financial institutions of the future cannot afford to have large numbers of staff ineptly and inconsistently looking for inconsistencies in thousands of transactions. Automated systems can help to flag regulatory submissions that are ‘out of line’, trades that are likely to require manual intervention, or transactions with unusual amounts or fees. Some institutions will succeed in automating the bulk of compliance tasks and this automation will give them a competitive edge.
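The flagging the paragraph describes, as an added example in Python that is not the column's own code and not Z/Yen's DAPR products: each transaction is scored against its peer group with a robust statistic, only the exceptions are escalated to a human, and a group too small to score is escalated rather than passed. The Txn fields, the ‘desk’ peer-group key, the 3.5 cut-off and the sample trades are all assumptions constructed for illustration.

```python
"""Statistical exception flagging over a transaction feed.

Added example, not code from the column, from Z/Yen or from its DAPR products.
The Txn fields, the 'desk' peer-group key, the sample trades and the
thresholds are constructed for illustration.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    txn_id: str
    desk: str      # assumed peer-group key; book, product or client would do as well
    amount: float  # notional, assumed positive and already in one reporting currency
    fee: float


@dataclass(frozen=True)
class Flag:
    txn_id: str
    desk: str
    reason: str


def robust_z(value, peers):
    """Modified z-score: (value - median) / (1.4826 * MAD).

    Median and median absolute deviation replace mean and standard deviation
    because the outliers being hunted would otherwise inflate the spread and
    mask themselves. 1.4826 scales MAD to a normal distribution's standard
    deviation, so the usual 3 to 3.5 cut-off keeps its meaning.
    """
    centre = median(peers)
    spread = median(abs(p - centre) for p in peers)
    if spread == 0.0:
        # All peers identical: anything that differs is infinitely unusual.
        return 0.0 if value == centre else math.copysign(math.inf, value - centre)
    return (value - centre) / (1.4826 * spread)


def fee_bps(t):
    """Fee as basis points of notional, rounded to suppress float noise."""
    if t.amount <= 0:
        raise ValueError(f"{t.txn_id}: non-positive notional cannot be scored")
    return round(t.fee / t.amount * 1e4, 2)


def flag_exceptions(txns, threshold=3.5, min_peers=5):
    """Return the transactions a human should look at, each with its reason."""
    groups = defaultdict(list)
    for t in txns:
        groups[t.desk].append(t)

    flags = []
    for desk, members in groups.items():
        if len(members) < min_peers:
            # No meaningful baseline. Escalate rather than pass silently:
            # an unscorable group is not a clean group.
            flags.extend(
                Flag(t.txn_id, desk, f"peer group too small to score ({len(members)} < {min_peers})")
                for t in members
            )
            continue
        amounts = [t.amount for t in members]
        bps = [fee_bps(t) for t in members]
        for t in members:
            za = robust_z(t.amount, amounts)
            zf = robust_z(fee_bps(t), bps)
            if abs(za) > threshold:
                flags.append(Flag(t.txn_id, desk, f"amount {t.amount:,.0f} is {za:.1f} robust sigmas from desk median"))
            if abs(zf) > threshold:
                flags.append(Flag(t.txn_id, desk, f"fee {fee_bps(t)} bps is {zf:.1f} robust sigmas from desk median"))
    return flags


# Constructed sample feed: an FX desk with eight routine tickets plus two
# planted anomalies, a rates desk with nothing unusual, and a two-trade desk
# that cannot be scored at all.
SAMPLE_FEED = [
    Txn("FX-001", "FX", 1_000_000, 480.0),
    Txn("FX-002", "FX", 1_050_000, 546.0),
    Txn("FX-003", "FX", 980_000, 490.0),
    Txn("FX-004", "FX", 1_020_000, 520.2),
    Txn("FX-005", "FX", 1_100_000, 539.0),
    Txn("FX-006", "FX", 950_000, 475.0),
    Txn("FX-007", "FX", 1_030_000, 545.9),
    Txn("FX-008", "FX", 990_000, 465.3),
    Txn("FX-009", "FX", 25_000_000, 12_500.0),  # planted: 25x the usual ticket, normal fee
    Txn("FX-010", "FX", 1_010_000, 20_200.0),   # planted: normal ticket, 200 bps fee vs ~5 bps
    Txn("RT-001", "RATES", 10_000_000, 2_000.0),
    Txn("RT-002", "RATES", 10_500_000, 2_100.0),
    Txn("RT-003", "RATES", 9_800_000, 1_960.0),
    Txn("RT-004", "RATES", 10_200_000, 2_040.0),
    Txn("RT-005", "RATES", 9_900_000, 1_980.0),
    Txn("EQD-001", "EQD", 2_000_000, 3_000.0),
    Txn("EQD-002", "EQD", 2_100_000, 3_150.0),
]

if __name__ == "__main__":
    for f in flag_exceptions(SAMPLE_FEED):
        print(f"{f.desk:6} {f.txn_id:8} {f.reason}")
```

Run against the constructed feed, FX-009 is escalated on amount and FX-010 on fee, the rates desk is silent, and both equity-derivatives trades are escalated because two tickets cannot form a baseline. Two caveats a practitioner would add: per-field thresholds of this kind catch gross anomalies, not patterns that stay inside normal ranges across several fields, and the flags are only worth anything if they land in an audited queue that records who cleared each one and why.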

Future Proof

According to Dr Vagneur, governance is:

“the act, manner or functioning of the rules, guidance and controls which determine a course of actions through an intended or emergent system of processes.”

For too long financial institutions, supposedly exemplars of probity, have relied on emergent systems of processes, i.e. reacting to past events rather than designing forward control systems. Due to a groundswell of disappointment flowing from bad financial surprises, society has applied the blunt tools of law and regulation to financial institutions in order to impose norms from outside. The last column [Mainelli, 2005] showed that one front in this battle might be promoting voluntary or market-based operational risk standards, such as ISO 9000 or fiduciary ratings, that provide greater flexibility than regulation. If financial institutions want to take control of their destiny, they must begin to recognise that competing on the efficiency and effectiveness of compliance will be, whether they like it or not, as exciting a battleground as the forex markets or the retail mortgage markets.

The financial institution of the future, for a host of reasons, will be one that can demonstrate corporate governance, detect anomalies in transactions in real-time and prove to regulators that it is well run. Further, the automation of compliance reinforces the confidence of regulators in the compliance function. While customer service, product innovation and clever ways of using capital will always be important, the boring part of the finance director’s role, compliance, may be the new battleground. On balance, it is more likely that the field will be lost by ‘compliance’ rather than won. However, for financial institutions, perhaps a main-board director needs to be dedicated to the compliance battleground full-time. In the future, success-proofing may be proving that you comply.


  1. Dr Kathryn Vagneur, Corporate Governance, Pearson Education: Edinburgh Business School Heriot-Watt University (2005), ISBN: 0273 675923, 568 pages.
  2. Michael Mainelli, “Wither the FD? Hello Risk/Reward Director!”, Handbook of Risk Management, Issue 30, pages 5-7, Kluwer Publishing (12 July 1999).
  3. Centre for the Study of Financial Innovation, Banana Skins 2005: The CSFI’s Annual Survey of the Risks Facing Banks, Centre for the Study of Financial Innovation (2005), ISBN: 0-9545208-6-6, 37 pages.
  4. Michael Mainelli, “The Consequences of Choice”, European Business Forum, Issue 13, pages 23-26, Community of European Management Schools and PricewaterhouseCoopers (Spring 2003).
  5. Michael Mainelli, “Industrial Strengths: Operational Risk and Banks”, Balance Sheet, Volume 10, Number 3, MCB University Press (August 2002) [Highly Commended Award 2003, Emerald Literati Club].
  6. Michael Mainelli, “Toward a Prime Metric: Operational Risk Measurement and Activity-Based Costing”, Operational Risk (A Special Edition of The RMA Journal), pages 34-40, The Risk Management Association (May 2004).
  7. Michael Mainelli, “Finance Looking Fine, Looking DAPR: The Importance of Dynamic Anomaly and Pattern Response”, Balance Sheet, The Michael Mainelli Column, Volume 12, Number 5, pages 56-59, Emerald Group Publishing Limited (October 2004).
  8. Michael Mainelli, “Standard Differences: Differentiation through Standardisation?” (ISO9001, SAS70 and management systems), Journal of Risk Finance, The Michael Mainelli Column, Volume 6, Number 1, pages 71-78, Emerald Group Publishing Limited (January 2005).


I would like to thank Dr Kathryn Vagneur for the advance manuscript that inspired this column and Freddie McMahon for being the ‘grit’ that forced this paper forth.

Michael Mainelli, PhD FCCA FCMC MBCS CITP MSI, originally did aerospace and computing research followed by seven years as a partner in a large international accountancy practice before a spell as Corporate Development Director of Europe’s largest R&D organisation, the UK’s Defence Evaluation and Research Agency, and becoming a director of Z/Yen. Michael was awarded IT Director of the Year 2004/2005 by the British Computer Society for his achievements in DAPR systems. Z/Yen won a DTI Smart award for its DAPR products PropheZy and VizZy.

Michael’s humorous risk/reward management novel, “Clean Business Cuisine: Now and Z/Yen”, written with Ian Harris, was published in 2000; it was a Sunday Times Book of the Week; Accountancy Age described it as “surprisingly funny considering it is written by a couple of accountants”.

Z/Yen Limited is a risk/reward management firm helping organisations make better choices. Z/Yen undertakes strategy, finance, systems, marketing and intelligence projects in a wide variety of fields, such as developing an award-winning risk/reward prediction engine, helping a global charity win a good governance award or benchmarking transaction costs across global investment banks.

Z/Yen Limited, 5-7 St Helen’s Place, London EC3A 6AU, United Kingdom; tel: +44 (0) 20-7562-9562.

[An edited version of this article first appeared as "Competitive Compliance: Manage and Automate, or Die", The Journal of Risk Finance, The Michael Mainelli Column, Volume 6, Number 3, Emerald Group Publishing Limited (June 2005) pages 280-284.]
