Meet Our Bloggers: Chris Thompson
Chris Thompson

Meet Chris Thompson

Managing Director, Accenture Risk Management
Chris Thompson is a managing director in Management Consulting and leads Accenture's Risk Management practice for North America, focused on financial services and capital markets. Since joining Accenture in 1992, Chris has worked with some of the world’s leading retail, commercial and investment banks. With more than 20 years of experience in large-scale change programs, he has experience in financial architectures, performance management, risk management, trading, middle-office operations and back-office systems. Chris holds a master’s degree in engineering from Southampton University, United Kingdom. He lives in Brooklyn, New York.

Learn how financial algorithms fall under MiFID II compliance requirements

New trends are shaping and re-shaping financial markets—but regulations are quick to catch up.

Consider, for example, the trend toward using algorithms (“algos” for short) to help make trading decisions. Post market crash, European regulators were wary. They understood algos had the potential to adversely affect financial markets—particularly around transient liquidity that can result when order canceling volume is high, as well as impacting markets’ infrastructure when high volumes of cancellations occur.

Algos are well within the scope of Markets in Financial Instruments Directive (MiFID) II. Regulations stopped short of banning algorithmic activity altogether, but they do clearly require firms to implement critical controls and disclosers—to avoid adversely affecting the functioning of financial markets’.

From a MiFID II standpoint, algos are considered to be systems, and the decision to transact at a particular price or quantity should be made without human intervention.

Much of the thrust of MiFID II, as noted in our recent paper, From Impact to Implementation: Addressing the Key Technology Impacts from Markets in Financial Instruments Directive II, is around technology fixes and solutions to help financial firms comply with MiFID II requirements. As you might expect, there are technology implications around MiFID II requirements and algo trading—both things to look out for in existing technology and new technology solutions that can address concerns. Here’s a look at some of them:

Read the report.

Read the report.

  • Before algos can be released into production, MiFID II requires that test packs, trade populations and environments be reviewed for compliance. Organizations should apply their best testing methods, but they also now need to document the testing and review process and be able to provide evidence as needed.
  • Trading venues will need to provide an appropriate environment for testing algos, Per MiFID II, they’ll additionally need to identify orders generated by algos, and know what algo strategy is employed by the counterparty.
  • Market making falls within the domain of algos and MiFID II too. Financial institutions engaged in certain algo activities are obliged to continually make markets, depending on certain conditions.
  • Business continuity plans are required by MiFID II, and for some businesses this includes an algo specific “kill switch,” which may require sufficient human monitoring of the market and of executed transactions.

Technical solutions and processes can support financial firms as they work to comply with MiFID II requirements. Our paper offers much more on algos, as well as a deeper discussion on a variety of other business processes and strategies that fall under new scrutiny with MiFID II. I invite you to take a look.

Risk Leaders Can Take the Reins in Addressing Cyber Security

We’ve talked here about cyber security and its many tentacles: Whenever a business closes one security gap, a cyber criminal will continue “testing the walls” in search of another gap to exploit.

The problem spreads from the IT department to nearly every part of an organization, including, for example, a financial provider’s call center team, its fraud protection organization, its procurement and vendor management teams, the HR and recruiting department, the training department and even the corporate culture itself.

Seen this way, financial businesses seem almost porous when it comes to the potential for security breaches. Nearly every department is vulnerable, and thus each department must have its own security protocols and metrics.

When each department has its own processes, budget and strategy for cyber security, who owns the problem? Who is providing centralized coordination, and closing the gaps that might spring up between departments and operations?

In large part this is a corporate governance challenge that mandates individual departments put aside politics and jockeying for position so they can work together for the common good. Because the problem is all about risk, the CRO is the right person to lead this charge.

The risk department can push the conversation forward: Instead of a Chief Information Security Officer talking about secure technologies and budget needs, the Chief Risk Officer can elevate the discussion so security risk appetite and limits can be discussed alongside traditional risk types, such as credit risk, driving the conversation to a deeper, more sophisticated level.

Risk leaders know something must be done, but some are proceeding cautiously, waiting to see how things shake out. They can’t afford to wait very long. Banks need a comprehensive, holistic approach that can close the gaps in their business.

Banks that don’t solve this problem remain exposed to the opportunistic whims of terrorists and cyber criminals.

Cyber Criminals Opportunistically Exploit Gaps

If my client conversations are any indication, risk leaders everywhere are grappling with cyber security. Previously we observed how cyber risk has moved beyond monetary theft into data theft—opening an organization to potentially dramatic reputational risk.

Historically, risk leaders were often content to leave the cyber security problem to the IT department. A new role evolved, called Chief Information Security Officer (CISO). Securing the business rested in the CISO’s hands, and hinged on how much the business could spend to devise better cyber security.

That approach won’t suffice anymore. Why not? Because cyber criminals have moved on. They now pose threats that go beyond the IT infrastructure. Cyber criminals exploit whatever security gaps they can find.

Contrary to popular belief, cyber criminals are rarely devising brilliant code to break through the latest cyber security measures. These criminals—like any other thieves—are too opportunistic for that. Instead, when one gap closes they just poke around for a new gap.

Maybe a half-dozen years ago, cyber thieves could (and did) steal credit card data from big box stores by pointing an antenna at the store’s unsecured Wi-Fi. Once Wi-Fi security and encrypted data became the norm, criminals shifted to a new strategy—perhaps stealing an unsecured laptop from a call center professional. Or distributing spyware a bank’s associate might unwittingly install onto his networked PC. Or paying an hourly worker to take cell phone pictures of a computer screen containing social security data.

The problem isn’t always “cyber,” but it’s almost always tied to data and information theft. And, as we’ve seen, the problem is no longer confined to the IT department.

For risk managers, this is less an opportunity and more a mandate. In my next post we’ll look at how the CRO can lead the business toward comprehensive cyber security.

Cyber Security Shifts Risk from Financial to Reputational

Many of us have seen cyber security grabbing headlines lately. This past March at GARP, cyber security was a hot topic. Often it’s one of the first things my clients mention to me.

But despite the buzz, cyber security isn’t actually a new thing. Historically, banks and financial providers have long dealt with threats to their IT infrastructure involving cyber criminals breaking in and stealing money. Often it’s been viewed as a cost of doing business.

What’s new today is that cyber theft is no longer only about money. As data theft comes on the scene, the whole equation changes. When social security numbers, credit card numbers, embarrassing e-mails, health records or strategy documents are among the many data items that can be stolen, the challenge no longer is about working to minimize possible monetary damage.

Instead, the risk becomes reputational. The potential for damage to be catastrophic—and instantaneous—is real.

When hackers breech a bank’s security to steal money, it rarely makes headlines. But the theft of information is somehow more damaging and more embarrassing, and the entire world discovers in an instant—as we’ve seen more than once in global headlines.  Money is fungible, and stolen funds are replaced by the banks. Our information is not.

Seemingly overnight, businesses have gone from managing fairly known concerns such as credit risk—which can be measured and, to some degree, predictable—to managing little known and maybe more damaging risks posed by cyber security gaps.

Is this an IT challenge, or is it a risk management challenge, or both? What can—and should—risk managers do? In my next post we’ll explore what cyber risk looks like these days, and why “cyber security” itself may be a misnomer.

Data Helps the Risk Function Manage New Operational Risks

In last week’s post, I talked about the need for risk teams to use analytics and modeling so they can leverage data to make decisions. Why is mastering this so critical for capital markets risk leaders? Because getting operational risk management right changes the nature of risk management.

Traditional operational risk management is about measuring the damage and ensuring sufficient capital exists if something really bad happens. Now the emphasis shifts to prevention—the risk of reputational damage, to give one example, is so potentially sudden and far-reaching that averting disaster is far better than mitigating it.

Good use of analytics and data can go far toward developing a preventive approach. It’s called “predictive analytics” for a reason—gathering the right data and applying the right analysis provides trend information that can help predict events. Thus, when a bank sees a trader making an unusual transaction, say, at odd times, or with unusual products or volumes, it can insert an additional approval point into the process to help prevent fraud or abuse. That’s one small example of how capital markets risk leaders can leverage data to become proactive protectors of the business.

Capital markets leaders are stepping in the right direction. Our report shows 42 percent of respondents have data analysis skills within their risk function, 38 percent have data management skills and 37 percent have modeling skills.

View the image.

View the image.

I would expect those numbers to rise as capital markets risk executives retool their teams, pushing them toward being a proactive, strategic partner to the business.

For more on how the capital markets risk function is evolving, see this year’s report.

Data and Analytics Equip Risk Managers for Proactivity

In my previous post about the results from the 2015 Global Risk Management Study I talked about making risk a part of the capital markets growth engine. Today I wanted to share a finding that I find particularly interesting for capital markets: The need for risk teams to use analytics and modeling so they can leverage data to make decisions, be strategic and act proactively.

Today only eight percent of risk executives say their decision making is aided by risk-based analytics tools. Clearly, there is room to grow.

View the image.

View the image.

Digital technologies generate reams of data, both internally and externally. We’re talking about big data here. Leveraging this vast, unstructured data is still a new discipline. It’s about tapping into traditionally gathered data sources, but also monitoring non-traditional sources like e-mails and other transactions, and keeping tabs on social media chatter.

This is where, for the risk function, the nature of the game changes. Yes, risk leaders still must manage traditional risk, ensure compliance and monitor progress on regulations. But now the function is taking on a whole additional role.

The new challenges facing risk managers, including exposure from social media channels, internal personnel miscues, gaps exposed via online transactions and more, are encompassed within operational risk.

Capital markets risk leaders have only started to tap into the many facets of operational risk. Yet our report shows 58 percent of them anticipating an increase in cyber risk, one key element of operational risk. Fifty-six percent expect disruption from new digital technologies. The same percentage foresees a rise in operational risk overall.

Resource constraints are an immediate concern: The Risk Management Study found only nine percent of capital markets leaders saying they have sufficient resources necessary in specialist areas such as modeling and emerging risk. There’s a glimmer of hope, in that 27 percent expect to have the necessary resources within another two years.

Why is mastering this so critical for capital markets risk leaders? Stay tuned for next week’s post. In the meantime, read more about how the capital markets risk function is evolving in this year’s report.

Making Risk a Part of the Capital Markets Growth Engine

If I could summarize the results of this year’s Global Risk Management Study for capital markets, I would say: Seize the moment. For risk leaders in capital markets, now is the time to move the function beyond control and approve. Given the increasing complexity of today’s risk environment, Chief Risk Officers (CROs) and other risk leaders can’t be content to act in a “middle management” capacity.

Our study found nine of 10 capital markets risk leaders agreeing that the risk function has an important role to play in supporting the business’s long term growth. These leaders know the risk function must change—and, ready or not, is changing—in response to the new threats and opportunities available in today’s digital, social, data-driven market place. But nearly as many leaders (78 percent) say their existing controls and compliance responsibilities are a barrier to change.

Capital markets risk leaders still need to handle their traditional activities, but they must unveil their ability to drive profitable, long-term growth for the enterprise. CROs now have a role to play when it comes to outpacing competitors and helping the business rise above today’s challenges.

How can capital markets CROs start moving the risk function forward? I believe a few key steps can help risk leaders elevate their function:

  • Crafting partnerships throughout the organization, supporting the journey toward building a comprehensive risk culture. Surprisingly, only 10 percent of capital markets risk leaders say their organizations have a strong risk culture—plenty of room for improvement here.
  • Recognizing—and stepping into—the new role demanded of the risk function. Businesses generally have good mastery of financial risk and so risk management has settled into a control role. It’s the new risks that are less understood but no less troubling for capital markets: cyber, conduct, social media and operational risk. Four of every five risk survey respondents say emerging risks, such as cyber attacks, are consuming more of their resources. Guiding the business through these concerns will increasingly be a priority for the risk function.
  • Tightening connections between risk and finance to drive efficient use of capital, balancing between profitability and regulatory requirements. Today, only one in five (22 percent) of risk leaders say their function coordinates closely with finance to drive decision making. The same percentage uses integrated data resources for risk and finance.
Read the report.

Read the report.

Taking these steps won’t be easy. CROs will need to build deeper relationships throughout the business, but that alone won’t move the risk function to where it needs to be. Investing in talent, particularly in specialized areas such as modeling non-financial risk and assessing emerging risk, will be a critical step in building a stronger, more influential risk function. Much progress is to be made on this front. Only nine percent of risk leaders say they have the right talent in place when it comes to specialized areas such as emerging risk.

Accenture’s 2015 Global Risk Management Study explores these issues across financial services and particularly for capital markets. My next post will take a look at big data, and what capital markets risk leaders can do to make the most of it.

Meanwhile, remember: Seize the moment. The market conditions and regulatory climate make this the right time for capital market risk leaders to expand their role beyond the second line of defense.

To learn more, read the Global Risk Management Capital Markets Report

MiFID II: Opportunities await those firms that overcome major hurdles

While the full regulatory impact from MiFID II for trading and investment firms is not expected to begin until 2017, the burden on them is significant as the regulation has wide implications for operating and business conduct models. As I introduced last week, yes, the challenges are considerable, but the opportunities are significant—that is if firms are ready to overcome a number of key hurdles. This week I’ll conclude my series by exploring the two remaining challenges firms will need to confront if they want to seize the opportunities.

Challenge: Provisions for pre- and post-trade transparency

Provisions for pre- and post-trade transparency strengthen and extend the trading and disclosure requirements to all forms of trading and all asset classes.  Previously MiFID’s transparency rules only applied to share trading in regulated markets. Because of this, companies need to take appropriate steps to master the greater transparency requirements demanded by MiFID II.

Among other things, the new processes for bonds, structured products and derivatives must be taken into account, which will require significant adjustments of systems and processes across several trading systems of financial services providers.

Challenge: Provisions for internal organizational set-up and risk control

These provisions give more weight to risk control and a firm’s supporting internal control function. The extended requirement for investment firms to continuously evaluate regulatory compliance with MiFID II creates a need for extended risk control procedures and measures, but also calls for a consistent risk framework to support the effectiveness and efficiency of these risk control procedures and measures.

Opportunities arising from MiFID II

Read the report.

Read the report.

There are numerous opportunities available to investment firms throughout the analysis and implementation phases of MiFID II, which fall into five main categories:

  • Improved client service tailored to the required client classification.
  • Additional market share through client tailored products.
  • Reduction of operational costs if digitization and automation are used to implement the changes.
  • Stronger control environment and a reduction in reputational risk through greater surveillance and monitoring.
  • Reduction of costs for reporting infrastructure if a centralized repository is leveraged across MiFID and other regulations such as EMIR, FCA Transaction Reporting.

Bottom line: the time remaining for meeting MiFID II requirements is not as generous as it seems. Investment firms should now be considering the ramifications for business strategy and operations, and act accordingly.

To learn more, visit:

MiFID II: A considerable challenge and a significant opportunity

For trading and investment firms, changes brought about by Markets in Financial Instruments Directive II (MiFID II) will have multiple operational effects and a direct impact on sources of revenue such as fees, inducements and distribution of products. Compound these changes with the ones brought on by other regulations, and investments firms will have no choice but to consider a comprehensive, holistic approach to regulatory transformation.

MiFID II represents both a considerable challenge and a significant opportunity for firms to improve their organization and their way of doing business. The regulations are extensive and very complex, and over the next two weeks I’ll look at the three major hurdles firms will need to get over to seize the opportunities. I’ll start off by explaining the first.

Challenge: Provisions for investor protection

Read the report.

Read the report.

Firms will need to reshape their business models and cope with major new demands as provisions for investor protection covering the entire lifecycle of investment products and services are introduced.

The main MiFID II provisions affecting investor protection are:

  • Stricter rules for product design and distribution.
  • Provisions for transparent client segmentation.
  • Limitations on investment benefits such as kickbacks and inducements from third parties.
  • Recording of telephone conversations and electronic communications.

These rules for investor protection will affect many dimensions of operations. New processes and policies need to be created, such as product design and distribution, people such as client advisors will require specific training and qualifications, and innovative technologies will need to be in place to monitor compliance while keeping costs reasonable.

Next week I’ll dive deeper into the two other major challenges firms will be confronted with as MiFID II rolls out. Until then, to learn more, visit:

Changing consumer and digital trends may force modernization of compliance functions (2 of 2)

The impact of advanced technologies and changing customer behaviors has major impacts to compliance. To succeed in this changing ecosystem, however, compliance functions will need to develop new ways to monitor the new business models—and technology can help make that happen. Last week, I shared with you two key findings from our latest Accenture Compliance Risk Study. Today, I’ll conclude my series by looking at how compliance officers can stay relevant and continue to add value to their businesses. This will allow them to be the disruptor—not the disrupted—the two remaining themes uncovered in our study.

Creating and maintaining relevance and value are critical to the compliance function

To remain forward thinking, compliance must ensure its relevance. Our study finds that prioritizing predictive capabilities, developing partnerships with industry peers, cultivating a talented workforce and maintaining discipline will help drive the function forward.

More than half of survey respondents agree, indicating that skills to deliver effective management reporting will be a priority within the next year, and a similar proportion say external competitive hiring can be the best way to add those skills. Compliance officers who are comfortable working with the latest technologies will be sought after to deliver a “rational” compliance response to emerging challenges.

Along with technical skills, compliance functions seek to understand, reward and deliver a culture of ethical behavior. In fact, four out of five survey respondents agree that compliance will be the pre-eminent group in the bank for ethnical and cultural change within financial services.

Be the disruptor, not the disrupted

Read the report.

Read the report.

The expectations of compliance have never been higher, and the role of the compliance officer has never been more central to the ongoing health of the financial services industry. Some 80 percent of respondents agree that the compliance function’s ability to predict and avoid reputation and financial crime events can be a driver of competitive advantage for banks. Bold actions are needed to ensure compliance secures its place as a strategic and a positive disruptive force.

Compliance can’t solve for every emerging risk, so officers should acquire skills that help influence cultural and ethical change, thus encouraging self-correcting and self-policing behaviors. This will enable compliance to begin to use its “seat at the table” for positive disruption.

At a time when regulatory and consumer trust in financial services remains low, the compliance function can play a powerful role in influencing and transforming the industry. Now is the time for firms to take a deep look at how they can enhance the value, relevance and role of compliance.

To learn more, read: