"Financial Service Technology America, today's latest financial news now..."

Risk and reward

Jack McNamara explains to FST how a risk-based approach to compliance process has allowed Merrill Lynch to get on top of its SOX requirements.

As we all know, the regulatory environment in recent years has been ‘challenging’. While many of us might be forgiven for substituting a more Anglo-Saxon adjective, the technologists and compliance professionals tasked with ensuring compliance with SOX et al need a more measured approach. This is especially true for someone like Jack McNamara, the MD of Risk and Compliance at Merrill Lynch, who is responsible for heading up all the financial giant’s regulatory and control activities in its Global Infrastructure Solutions group – the umbrella organization responsible for its technology.

With 61,900 staff, operations in 38 countries, and total client assets in the region of $1.7 trillion, ensuring that systems and processes are compliant is obviously not a trivial task. Talking exclusively to FST at our summit earlier in the year, McNamara exuded the calm demeanor that you suspect makes him well suited to heading up the compliance function at the 22nd biggest corporation in the world. Having worked at Merrill for the past decade, in a variety of positions, it is clear McNamara has seen most things in his role, and this perhaps explains his sense of calm when discussing the impact of regulations like SOX on Merrill’s global business.

Three year process
McNamara is certainly confident that Merrill’s work towards SOX compliance has been largely completed, and this is in no small part due to the risk-based approach it adopted from the start. “We just finished the third year of SOX compliance along with the rest of Corporate America. Within our technology SOX approach we were, I like to say, early adopters of reform before reform was actually authorized,” McNamara argues. Unlike some of its peers, who may have struggled in the first year to get to grips with the scope of SOX, Merrill took a “very much risk-based approach” from the start.

McNamara describes what this meant in practice: “We sat down with our public accountants and really sharpened our pencils, and decided what really was relevant to financial reporting risk, which is what SOX is all about.” At heart the approach was a process of differentiating financial risk from operational and reputational risk, and it’s a process that McNamara feels Merrill has “got right this year”.

Given the headaches SOX has caused the entire industry, this is a bold claim – does he really think Merrill has got to grips with SOX? McNamara is clear: “We do. It was no small effort over three years.” Indeed it sounds a phenomenal effort – what did it look like on the ground? “Basically, there’s a lot of education and awareness that had to take place within what I would call the ‘middle-management level’ of the technology organization to train them in what it’s like to think as an auditor.” He describes this process as the “essence” of what Sarbanes-Oxley is all about. “It’s controlled self-assessment. We’re asking them to document what their controls are, to come up with test plans, and then to actually execute the tests. It’s a professional audit approach that we’re instilling into people who are technology professionals.”

And is thinking like an auditor a winning formula when it comes to aligning the company with the needs of SOX, we ask? McNamara thinks it is just that. And as he explains, implicit in this approach is the need to change the mindset in the technology group and stop treating SOX compliance as a project, and view it as a process – making it part of the “everyday, every week, every month, every quarter” workflow as he puts it. “Where management currently does and reviews a lot of controls, these are all integral to SOX compliance,” McNamara argues. “We have to take credit because it happens naturally, rather than trying to put your pencils down and do the SOX work in October.”

Business case
It will come as no surprise that teaching technologists to think like auditors is at the heart of McNamara’s approach – he spent his first seven years at Merrill Lynch heading up technology audit in the corporate audit function. Having moved over into compliance three years ago to set a technology strategy for that function, McNamara found himself getting very involved in electronic communications as he explored the regulatory issues around things like e-mail archiving and surveillance.

As this developed he started to push up against the challenge of pushing the compliance agenda from the outside. As he worked more and more closely with the technology infrastructure group it made sense for him to move over and embed the regulatory focus within that team’s management ranks. As McNamara puts it, working from the audit side there is always a challenge of “validating the value proposition”. He compares this to the dilemma of assessing the value of a lighthouse: “How many ships were saved by the lighthouse? No. You can’t really count them. You can count how many crashed, but not how many didn’t.”

When it comes to assessing issues like current risks and controls, or technology security, you can run into similar problems of quantifying that benefit. “The business challenges are really around making the business case for these types of control functions, whether they be audit compliance or anything else that are currently run, in order to do the right thing and to grow,” McNamara argues. The added benefit is that the firm that avoids just “leaning back” on the regulators to tell it what to do and establishes best practice should insulate itself to some degree against future regulatory changes. It also offers a more attractive proposition to customers and shareholders.

New technology risk
Away from SOX-specific issues, we pick up on McNamara’s experience of getting more involved in technologies such as e-mail from a regulatory standpoint. What impact have these kinds of new technologies had on compliance processes in the industry? The first point is that the new technologies have led to involvement from the regulators: “The regulations have obviously gotten much more stringent and they’re costly to the firm.” If anything McNamara muses that the stringency of the regulations may be “over the top”, though he puts the explanation for this firmly on the shoulders of the industry: “the response of the regulators in hindsight was because the firms were not properly, in large part, self-policing themselves.”

Pointing to specific regulations, McNamara suggests that, for example, rules on e-mail archiving are costing firms “a lot” of money and perhaps have more “downside than upside.” However, it’s not a point he particularly dwells on, preferring to focus on another impact that the growth of technology channels has brought: increased transparency in the enterprise.

“To me, changes in technology have put an added emphasis on proper controls, compliance, and security from the standpoint that we’re now open with our clients. So every firm has direct contact with retail clients and with capital markets compliance. If our systems have problems, that’s very transparent to our customer base,” he explains.

He compares this environment to the days before the internet really developed as a mass-market tool in the mid-90s. “Going back ten years, pre-internet, you could hide your mistakes,” he admits. “You could hide your flaws, your control breakdowns, your security problems. They were internalized. Now, everything’s externalized. My clients know it.”

Rather than relying on technology for solutions to this pressure, McNamara returns to the themes he discussed with regard to SOX compliance – getting people and process right. “From the people side, you need the education, the training. You need the tone at the top from management that this is very serious.” This serious tone is needed, McNamara suggests, for the wellbeing of shareholders and customers, let alone the enterprise’s own intellectual property.

Once the right tone is in place, with the right people to execute that tone, compliance processes flow from that, and getting the right processes in place is crucial. Once these foundations are in place, McNamara suggests, then is the time to think about technology. “You worry about technology third. How does it make the processes more efficient and more effective? If you jump right at a technology tool or solution, you often times miss the mark. That’s what I’ve learned over the years.”

Going forward
Looking to the overall state of the regulatory environment, we ask McNamara to gaze forward. How does he think, for example, that regulatory authorities can work to make the enforcement of regulations smoother? “Is the government doing enough? Yes. Are they doing more than enough? Probably.” McNamara points to the recent reforms of SOX as a “welcome relief”; he thinks this will benefit companies smaller than his own. He is also even-handed when drilling down further on the role of the regulators.

“The regulators are in large part, I think, practical, pragmatic, and risk-based. We go out of our way to develop good relationships with them. We are very much in a self-recording mode when we do have incidents that come up that we feel we should get the regulators’ attention. We’re much more forthcoming than we used to be and that’s because of good dialogue with the regulators and that’s a two-way dialogue.”

This, McNamara feels, is part of a trend in the “right direction”. He points to how global regulators are increasingly aligning themselves, which is of obvious benefit as it creates a level playing field. However, he does raise the issue of privacy within the US as something that needs attention. “Each state in the US is coming up with slightly different twists and wrinkles and tweaks to things like privacy, notifications, and what to do in the case of data, customer data being lost. We would benefit and all firms will benefit from a consistent playing field.”

For McNamara this level playing field is important not for competitive reasons, but simply for industry efficiency reasons. As he puts it: “Regulatory compliance is not a competitive advantage. Behind closed doors, the industry is pretty open with one another in the challenges that we face and our thoughts about the regulations. One firm suffers and all the other firms tend to take a stock hit as well.”

And what challenges does McNamara think will become major trends within the industry? He mentions the emphasis on privacy as an issue still trending upwards, and this will continue, but he also thinks the surveillance space is going to become increasingly important from a firm’s point of view. “I see the convergence of regulatory compliance issues in technology are coming together in this space,” he says.

As he points out, almost all firms are implementing surveillance-type systems – whether it’s to stay on top of employee activity, financial advisor type activity, capital markets transactions, or e-mail surveillance and supervision – and he suspects a lot of companies will be active in launching products. “Everyone’s trying to come out with toolsets and surveillance type products that provide alerts and bells and whistles when something goes wrong based upon a certain set of rules. I think we’ll see more and more use of – and a rationalization of those products and how they fit into the mainstream of doing business.”

Jack McNamara is currently a managing director responsible for Risk and Compliance within the Global Infrastructure Solutions group of Merrill Lynch, responsible for championing a number of regulatory and compliance topics throughout Merrill’s technology division.

He has been with Merrill Lynch for ten years. For the first seven he was the Head of Technology Audit – part of the corporate audit function – before switching to the Compliance Division where he headed up the technology strategy of that Division. He moved into his current position last year.

 

