
Journal of Financial Regulation and Compliance

Firm size and compliance costs asymmetries in the investment services


Giampaolo Gabbi Paola Musile Tanzi Loris Nadotti

Article information:

Downloaded by University of Sussex Library At 00:07 02 June 2016 (PT)

To cite this document:


Giampaolo Gabbi, Paola Musile Tanzi, Loris Nadotti (2011), "Firm size and compliance costs asymmetries in
the investment services", Journal of Financial Regulation and Compliance, Vol. 19 Iss 1 pp. 58-74
Permanent link to this document:
http://dx.doi.org/10.1108/13581981111106176
Downloaded on: 02 June 2016, At: 00:07 (PT)
References: this document contains references to 21 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 767 times since 2011*

*Related content and download information correct at time of download.

The current issue and full text archive of this journal is available at
www.emeraldinsight.com/1358-1988.htm

JFRC 19,1

Firm size and compliance costs asymmetries in the investment services

Giampaolo Gabbi and Paola Musile Tanzi
SDA Bocconi, Milan, Italy, and
Loris Nadotti
University of Perugia, Perugia, Italy


Abstract
Purpose - The purpose of this paper is to find out how effectively measuring
approaches to compliance are implemented and whether there is a correlation between the
implementation of measures, financial specialisation and international activity. The authors
evaluate whether the regulatory framework implies a measure cost asymmetry, depending both
on the proportionality principle and on the existence of different supervisors with a
heterogeneous set of enforcement rules.
Design/methodology/approach - The analysis is based on a survey involving 84 financial firms
(banks, investment companies and insurance companies). Two criteria have been used to interpret the
results: the prevailing workability within international and domestic intermediaries; and the
intermediary typology, creating a distinction between banks, other financial intermediaries (FIs)
and insurance companies.
Findings - Italian financial firms are sensitive to minimising sanctions, but the reputational impact is
becoming more important. International firms are more sophisticated than domestic ones in their
ability to measure both the probability of non-compliance events and their severity. Banks show
the highest attitude to adopt insurance or financial contracts to minimise the negative impact of
non-compliant behaviours. Small FIs are late in measuring the exposure and losses due to
non-compliance actions.
Originality/value - Four years after the Basel Document on compliance, a large percentage of firms
is still managing the process within a function with different purposes; nevertheless, reputational
impact has become more important. Small intermediaries show a lower attitude to implement a risk
management approach, with a capital management sensitivity. This finding addresses the question
about the existence of a size effect which could reduce the compliance attitude.
Keywords - Financial services, Compliance costs, Regulation, Italy
Paper type - Research paper

Journal of Financial Regulation and Compliance, Vol. 19 No. 1, 2011, pp. 58-74. © Emerald Group Publishing Limited, 1358-1988. DOI 10.1108/13581981111106176

The authors thank all the companies taking part in the survey for their availability. The
Research Group, coordinated by Paola Musile Tanzi, is made up of researchers from SDA
Bocconi School of Management. The research was carried out by Adalberto Alberici, Manuela
Gallo, Raoul Pisani, Maurizio Poli, Daniele Previati, Paola Schwizer, Valeria Stefanelli. Sincere
gratitude for the time and commitment goes to AICOM (Italian Compliance Association) and SIA
SSB. We appreciated all the comments and feedback received from Claudio Cola, Paola Sassi,
Deborah Traversa and Sara Tovazzi. All remaining errors are the authors' own.

1. Introduction
The establishment of a specific compliance function in financial firms can be attributed to
a regulatory decision by the Basel Committee which, in 2005, stated that the intermediary
had to organise its compliance function and set priorities for the management of its
compliance risk in a way that is consistent with its own risk management strategy and
structures.
Ten principles were defined by the Committee in order to regulate the responsibilities
of the board of directors (no. 1), senior managers (2-4), the compliance function itself (5),
and the resources involved (6-8). Two final principles were addressed to manage cross
border issues and outsourced processes, respectively.
Our paper focuses on principle no. 7 aimed at describing compliance function
responsibilities which should be "to assist senior management in managing effectively
the compliance risks faced by the bank [...] If some of these responsibilities are
carried out by staff in different departments, the allocation of responsibilities to each
department should be clear". Particularly, sub points 37, 38 and 39 are devoted to the
identification, measurement and assessment of compliance risk. This raises both a
technical and an organisational concern for compliance officers. Technically, there is no
universally accepted set of metrics to measure the compliance risk, apart from taking into
consideration, on the one hand, legal and regulatory sanctions, and on the other, material
financial losses as operational events. Organisationally, investment firms are expected to
re-engineer their processes in order to map and control all the procedures that could lead
to non-compliance behaviours, in some cases running the risk of overlapping the
responsibilities assigned to other offices, such as risk management, auditing and legal.
Through the analysis of the Italian financial services industry, our objectives can be
listed coherently with the identification, measurement and assessment of compliance
risk assessed by the Committee.
First, according to principle 7.37 (Basel Committee on Banking Supervision, 2005),
"the compliance function should, on a pro-active basis, identify, document and assess
the compliance risks associated with the bank's business activities, including the
development of new products and business practices, the proposed establishment of new
types of business or customer relationships, or material changes in the nature of such
relationships". As a result, our survey finds out if and how the definition and identification
of compliance factors has been established in financial firms operating in the Italian market.
Second, principle 7.38 (Basel Committee on Banking Supervision, 2005) suggests
that "the compliance function should also consider ways to measure compliance risk
and use such measurements to enhance compliance risk assessment". We find out how
effectively measuring approaches to compliance are implemented and whether there is
a significant correlation between the implementation of measuring models, financial
specialisation and international activity of the intermediaries.
Third, principle 7.39 (Basel Committee on Banking Supervision, 2005) recommends
that "the compliance function should assess the appropriateness of the bank's
compliance procedures and guidelines, promptly follow up any identified deficiencies,
and, where necessary, formulate proposals for amendments". Our objective is to analyse
how financial institutions carry out the compliance risk management, by assessing
controls and tools to transfer economic losses generated by non-compliant behaviours.
Besides the goals previously described to verify whether financial intermediaries
(FIs) operating in Italian markets have developed an effective compliance function
within their organisations, we also evaluate whether the regulatory framework implies
a cost asymmetry due to compliance risk measurement approaches, depending both
on the proportionality principle and on the existence of different supervisors with
a heterogeneous set of enforcement rules (Coffee, 1981; Braithwaite, 2002; Parker, 2006;
Financial Services Authority, 2009). In particular, our last objective is to verify whether
the actual regulation on compliance induces financial firms clustered by size, business
and area orientation to invest in measuring and managing solutions to face the
compliance risk, generating asymmetric costs.
In Italy, the goals and characteristics of the Compliance Function in banks, financial
and insurance companies are addressed by different regulators. These range from the
supervisory instructions of the Bank of Italy for banks (July 2007), to the adoption of the
MiFID Directive in the Italian financial markets and related banks
and investment companies regulations set out by the Bank of Italy (2007) and Consob
(2008), to the Regulatory Agency for Private and Public Insurance Companies (ISVAP)
rules for insurance companies (2008). External and internal regulations that potentially
fall within the compliance perimeter cover a wide range of items: from market abuse to
conflicts of interest, from transparency and correct behaviour towards its customers to
money laundering, from privacy to safety at work, up to covering issues of integrity and
business ethics that are endorsed by the company's ethical code. There is no doubt that
this suggests continuing, where company size allows, to set up the function according to
a specialisation criterion for each business area, or to create specialised compliance units
for certain sectors, such as data protection, money laundering and prevention of crimes
of terrorism (Basel Committee, 2005). As already stated, there is also the objective of
integrating compliance risk management by establishing a second level control
structure. This is, however, a weak hypothesis because the specificity of the models and
the measuring and management mechanisms of each type of risk would require a
specialist approach and hence a large differentiation of the roles and responsibilities
within such a function.
Adherence to the external and internal rules of the game is particularly critical
when there is a change in regulation, as is actually occurring in European investment
services because of the MiFID implementation process. This could be considered a
critical point of the current Italian regulation: while the Bank of Italy (2007) for banks
and the ISVAP (2008) for insurance companies are clearly dedicated to defining a list of
measurement guidelines for the compliance function (such as identification of events,
metrics and mitigation), Consob (2008) appears to be more focused on the MiFID
regulation. In particular, the Bank of Italy and ISVAP precisely define the importance of
mapping and measuring the compliance risk, for banks and insurance companies,
respectively. Consob regulation appears to be less measurement oriented for the
compliance risk process.
The impact of these asymmetries can be estimated for intermediaries operating not
only in the domestic areas and with a scale of higher concern for supervisors, especially
after the recent debate on the too-big-to-fail doctrine.
The survey takes an in-depth look at the degree of development of the compliance
risk management process, namely those phases that enable the measurement and,
consequently, active management of the positions at risk. In particular, what emerged
was the priority assigned to the compliance risk management.
Section 2 shows the survey methodology and the characteristics of the interviewed
sample of financial firms. We present our findings: in Section 3, we illustrate the priorities
assigned to the compliance function; Section 4 describes how financial companies
measure the risk; Section 5 explains whether and how financial firms manage and
mitigate losses due to non-compliant behaviours; in Section 6, we discuss our outcomes
in order to find out whether multiple regulation could generate cost asymmetries for FIs.
The paper ends with some concluding remarks.
2. Data and methods
Data were collected between January and February 2009 using a questionnaire.
The structure of the questionnaire was analogous to a previous one (hereafter, 2007
Survey)[1] although the survey was integrated and improved with various in depth
sections (Birindelli and Ferretti, 2008). The questionnaire contains the company
descriptive data section and the investigative section with 11 questions (Appendix).
Some questions are of the closed type with a predefined grid of alternatives, with an
ordinal evaluation (a scale from 0 min; 10 max is used) and a few open questions
(free/spontaneous reply). For an in-depth study, the sample was subdivided and
analysed according to two different drivers:
(1) the context where intermediaries work, analysed according to international and
domestic orientation (Table I, panel A); and
(2) the financial category, which identifies four groups: banks, from which, given
the large size of the sample, we were able to highlight the group of cooperative
banks (CBs), other FIs (asset management firms and investment companies)[2]
and insurance companies (Table I, panel B).


Table II gives how domestic (panel A) and international (panel B) intermediaries can be
classified by core activity.
Business lines where FIs mainly work are as follows:
• retail banking;
• asset management;
• wealth management;
• investment banking;
• trading; and
• insurance.
Table I. 2009 survey sample: classification of FIs by geographic operability and type of intermediaries

Panel A: market

| | Domestic | International |
|---|---|---|
| Number | 55 | 29 |
| Percentage | 65.5 | 34.5 |

Panel B: financial firms

| | Banks | CBs | FIs | Insurance |
|---|---|---|---|---|
| Number | 43 | 19 | 11 | 11 |
| Percentage | 51.2 | 22.6 | 13.1 | 13.1 |

Table II. 2009 survey sample: classification by area and typology of intermediary

| | Panel A: domestic, Number | Panel A: domestic, Percentage | Panel B: international, Number | Panel B: international, Percentage |
|---|---|---|---|---|
| Banks | 28 | 50.9 | 15 | 51.8 |
| Cooperative banks (CBs) | 19 | 34.5 | 0 | 0.0 |
| Other FIs | 4 | 7.3 | 7 | 24.1 |
| Insurances | 4 | 7.3 | 7 | 24.1 |
| Total | 55 | 100.0 | 29 | 100.0 |

The concentration, as expected because of the focus on investment services, is in the
trading business area (52), in retail banking (51) and insurance (47). The latter, in this
survey, is used in the broad sense, and is limited to the distribution stage of insurance
services. Asset management (35), wealth management (26) and investment banking
(22) followed.
Company departments involved in our survey show that 71.4 per cent appeared to be
organised in a specific compliance function; in 13.1 per cent the compliance was added as
an objective to other offices, such as legal, risk management and internal controls;
the remaining 15.5 per cent was assumed by other functions, which in some cases are
planning to split into a separate compliance function.


3. The priorities assigned to the compliance function


The first factor characterising the risk management process of the compliance risk is the
mission. This is even more significant in the function of abiding by the laws which, due
to their vastness and heterogeneity, require a precise definition of the legal perimeter to
monitor. Italian bank regulators defined the compliance risk as the risk leading to legal
or administrative sanctions, financial losses or reputational damage, as a result of
violating rules of conduct.
Within this survey, intermediaries were asked to state if their mission was dominated
either by a legal vision or by an economics and law approach, in order to evaluate the
impact of the rulings of market opportunities.
Compared to the results of the 2007 survey, the number of intermediaries not
answering the question dropped from 36.9 to 10.7 per cent. What remains unchanged
is the proportion of intermediaries minimising administrative and penal sanctions
resulting from non-compliance behaviours.
Intermediaries addressing their efforts to optimise the company's reputation
increased from 20.3 to 33.3 per cent. A quarter of the sample follows the regulatory
definition, stating that their aim is not to incur sanctions and, at the same time, minimise
reputational damage.
The analysis based on the geographic perimeter of the business (Table III, panel A)
shows how only 3.4 per cent of financial firms working on an international basis do not
answer the question regarding the objective associated with the compliance function.
Another distinctive element is the acknowledged importance that international
intermediaries give the function to defend the company's reputation. About 65.5 per cent
out of them regarded it as a priority compared to 52.7 per cent of the domestic
intermediaries.

Table III. Distribution of the objectives assigned to the compliance function based on main area of activity of intermediary (%)

Panel A: market (Domestic, International); Panel B: financial firms (Bank, CBs, Insurance, FIs)

| Objective | Domestic | International | Bank | CBs | Insurance | FIs |
|---|---|---|---|---|---|---|
| Not to incur civil, administrative or penal sanctions | 30.9 | 38.0 | 41.9 | 31.6 | 27.3 | 9.1 |
| Minimise operating losses | 1.9 | 3.4 | 2.3 | 0.0 | 0.0 | 9.1 |
| Minimise reputational damages linked to violation of external or internal laws | 30.9 | 27.6 | 20.9 | 31.6 | 54.5 | 36.3 |
| Not to incur sanctions and minimise reputational damages | 21.8 | 27.6 | 25.6 | 15.7 | 9.1 | 45.5 |
| No answer | 14.5 | 3.4 | 9.3 | 21.1 | 9.1 | 0.0 |
| Total | 100.0 | 100.0 | 100.0 | 100.0 | 100.0 | 100.0 |

This feature makes a distinction based on the typology of the intermediaries
(Table III, panel B): 67.4 per cent of banks associate compliance with safeguarding their
reputation; this compares to 47.4 per cent of CBs (which are mainly small banks),
54.5 per cent of FIs and 36.4 per cent of insurance companies. The latter seem
particularly oriented to minimising the sanctioned implications, with a more traditional
vision of the compliance function. The figures show how the size seems to be more
correlated to a mission that is not merely limited to minimising sanctions.
The exposure to compliance risks was compared in three different situations: failure
to adjust to laws and regulations, to adjust internal codes of conduct and inadequacy of
customer management.
The incapacity to behave coherently with the changing laws and regulations is
widely alleged to be the main source of compliance risk. It is equally correct to believe
that the negligence or non-fulfilment of banks and other intermediaries in protecting
the interests of clients can generate the same risk.
The comparison between national and international operators demonstrates that
the latter show a higher degree of sensitivity to the perception of compliance risk and a
lower variance in behaviour.
4. Measuring the compliance risk
According to the regulatory statements, compliance losses are associated with:
• legal or regulatory sanctions;
• financial losses; and
• reputational impact resulting from the failure to comply with laws, regulations,
rules, related self-regulatory standards and codes of conduct.
Expected and unexpected compliance losses depend on two main factors: the probability
of the event (PE) and its severity. Probability can be estimated both via qualitative and
quantitative approaches. The most commonly used dichotomous approach for
determining compliance with disclosure requirements by a company is the un-weighted
disclosure index, where the behaviour can be either compliant or non-compliant (Yeoh,
2005; Ali et al., 2004; Patton and Zelenka, 1997; Cooke, 1996; Ahmed and Nicholls, 1994;
Wallace et al., 1994). In order to avoid this problem, an alternative method is the partial
compliance un-weighted approach (Street and Gray, 2002; Al-Shiab, 2008) in which
the degree of compliance is measured by adding the degree of compliance for each
standard and then dividing this sum by the number of standards applicable to each
financial firm (Al-Shiab, 2008; Tsalavoutas et al., 2009). Demirguc-Kunt et al. (2006)
measure compliance using a four-point scale, in order to find out whether behaviours
are, respectively, compliant, largely compliant, materially non-compliant, and
non-compliant.
Severity depends on the impact once the event has been experienced. Expected
sanctions could be the first way to measure the risk. A more effective measurement
process should attempt to estimate the unexpected loss, which needs a time series and,
if necessary, the capability to model a distribution for it. If compliance estimates the
reputational impact for the financial firm, more sophisticated solutions should be
implemented (Gabbi and Patarnello, 2010).


The investigation into the use of a model to measure compliance risk showed a slight
increase compared to the 2007 survey. While in 2007, only 42 per cent of the sample
stated that they had at least completed the qualitative/quantitative phase of the
measuring process, in 2009 the percentage rose to 46.8 per cent.
What has changed is the spread found when comparing intermediaries, in particular,
those who mainly cover the domestic sector with those more oriented to international
activities or direct foreign governance. In the 2007 survey, only 26.3 per cent of
intermediaries working domestically had an estimation model; in 2009, the percentage
rose to 44.9 per cent. The widening of the sample results in a rebalance for the
intermediaries covering foreign areas: for the international sub-sample, the weight of
those implementing risk measures went from 66.7 to 50.0 per cent (Figure 1).
In 2007, financial firms who measured the compliance risk consisted of 42.1 per cent
of banks and 41.7 per cent of FIs, specialised in asset investing (Securities Investment
Companies (SIMs)) and portfolio managing (Asset Management Companies (SGRs)).
The 2009 survey shows how the variance fell even among the other categories that were
taken into consideration (Table IV).
The main difference lies between insurance companies and CBs: the latter show a
lower value, although not prominent, compared to the average. This could depend on the
different degree of complexity of the CBs that on various occasions do not directly use
risk measurement models, preferring to outsource the process to a network organisation,
and to show how the size affected the investment made in compliance measures.
Nevertheless, we found a significant improvement for measurement approaches.
[Figure 1. Domestic and international financial firms who adopt compliance measuring methodologies (2007 and 2009 surveys, %). Series: 2007 and 2009; categories: "Does measure" and "Does not", for domestic activity and international activity.]

Table IV. Use of a qualitative or quantitative measuring model based on the typology of the intermediary (%)

| | Banks | CBs | FIs | Insurances |
|---|---|---|---|---|
| 2007 survey | 53.8 | 0.0 | 31.6 | |
| 2009 survey | 47.5 | 43.8 | 45.5 | 50.0 |

To evaluate the effectiveness and the degree of progress of the measuring process,
compliance officers were asked to state which phases of risk management were
actually included in the model. The phases were split up into seven estimating steps:
(1) identification of the risk factors;
(2) exposure;
(3) occurrence probability;
(4) severity;
(5) expected loss (EL);
(6) unexpected loss; and
(7) capital allocation.

The 2009 survey confirms that the values more frequently observed are concentrated
in the first phases of the measuring process: 57.5 per cent of the sample stated that
they had carried out the identification steps of the risk factors and/or the exposure
estimate. This figure is greater than the 2007 survey (48 per cent) due to the inclusion
in the sample of intermediaries that were smaller in size and in organisational
complexity.
The importance of intermediaries capable of estimating the probability with which
an event occurs, and the effect in terms of loss of given events, increases by 2.5 per cent.
Few firms completed the risk management process to determine the expected and
unexpected losses to allocate the capital.
Table V gives the significant increase of the intermediaries that achieved the first
four stages of compliance risk management. In general terms, the question was
asked following a sequential step process, where the identification of risk factors
is expected to be the first phase of the measurement and the capital allocation the
last one. Therefore, the values of implementation of the steps would normally decrease.
Only one exception is recorded, in which the estimation of the exposure indicator
(step 2) shows a lower percentage of implementation than subsequent steps. This can
be explained by looking at the possibility of estimating the EL with two methods:
(1) multiplying the exposure indicator (EI), the PE and the loss given event rate; and
(2) multiplying the PE and the loss given event (LGE) estimated as a money variable.
Since the second approach requires less effort, it is likely that financial firms prefer to
skip step 2, which would explain our findings. We found that measuring orientation is
substantially higher among intermediaries who mainly work on an international basis
with greater aptitude in determining losses and the capital at risk than that of domestic
banks. Despite the two samples being composed of different participants, it is possible
to compare the dynamics for banks and other intermediaries (Table V) confirming their
ability to map the risk factors and estimate the probability and impact of the events.
The percentage of those estimating the loss generated by missing compliance is still
very low if one excludes a number of exceptions within the large banks.
FIs show the highest capacity to identify the risks. This primacy in our 2009
investigation would however seem to have been substantially filled by other firms,
including smaller sized banks (62.3 per cent), that have equipped themselves to map risk
factors.
Insurance companies and CBs also appear to have invested in the mapping phase of
risk factors; we found only a few cases in which solutions to estimate probability and
severity of events were introduced. What clearly emerges from the survey is that the
compliance functions within the various FIs have generally not developed solutions
capable of estimating a priori expected and unexpected losses.
Beyond the development of the risk measurement process, the mission of the
compliance function is to prevent the occurrence of the events identified by all the
intermediaries, in order to watch over the company's reputation that, to a large extent,
could depend on non-adherent behaviours (Section 3).

Table V. Adoption of measurement phases of compliance risk (total sample, domestic and international intermediaries, typology of intermediaries, 2007 and 2009 comparison; percentage of the total number of intermediaries in the survey)

| Phase | Year | Total sample | Domestic | International | Banks | CBs | FIs | Insurance companies |
|---|---|---|---|---|---|---|---|---|
| Identification of risk factors | 2007 | 50.0 | 66.7 | 40.0 | 36.8 | n/a | 69.2 | n/a |
| Identification of risk factors | 2009 | 69.0 | 67.3 | 72.4 | 72.1 | 63.2 | 72.7 | 63.6 |
| Exposure estimate | 2007 | 25.0 | 41.7 | 15.0 | 21.1 | n/a | 25.0 | n/a |
| Exposure estimate | 2009 | 31.0 | 32.7 | 27.6 | 34.9 | 26.3 | 27.3 | 27.3 |
| Probability of events | 2007 | 28.1 | 41.7 | 20.0 | 15.8 | n/a | 28.1 | n/a |
| Probability of events | 2009 | 35.7 | 30.9 | 44.8 | 39.5 | 26.3 | 45.5 | 27.3 |
| LGE | 2007 | 15.6 | 25.0 | 10.0 | 10.5 | n/a | 15.6 | n/a |
| LGE | 2009 | 28.6 | 23.6 | 37.9 | 37.2 | 15.8 | 27.3 | 18.2 |
| EL | 2007 | 21.9 | 25.0 | 20.0 | 10.5 | n/a | 21.9 | n/a |
| EL | 2009 | 7.1 | 5.5 | 10.3 | 9.3 | 5.3 | 9.1 | 0.0 |
| Unexpected loss | 2007 | 9.4 | 8.3 | 10.0 | 10.5 | n/a | 9.4 | n/a |
| Unexpected loss | 2009 | 1.2 | 0.0 | 3.4 | 2.3 | 0.0 | 0.0 | 0.0 |
| Capital allocation | 2007 | 6.3 | 0.0 | 10.0 | 5.3 | n/a | 6.3 | n/a |
| Capital allocation | 2009 | 1.2 | 0.0 | 3.4 | 2.3 | 0.0 | 0.0 | 0.0 |

5. Mitigating and managing the compliance risk
The compliance risk exposure allows financial firms to reduce the impact of losses,
through the optimisation of control systems and the use of insurance contracts and
alternative risk transfer solutions, particularly devoted to relocating the economic
impact of sanctions and/or operational losses (i.e. legal expenses, rogue trading).
Among mitigating solutions, we found the use of codes of conduct and of tableaux de
bord to control how risk factors change during time and within different processes.
As far as the use of a compliance code of conduct is concerned, there is only one
negative piece of evidence among domestic operators. Since 2007, the use of codes of
conduct has been increasing for domestic firms, from 93 to 99 per cent.
Only banks showed a few cases where the code of conduct was not implemented.
The presence of a code of conduct based on the different business lines allows for the
analysis of different degrees of susceptibility among operators when it comes to
compliance in the different activity areas they cover. There are no significant differences
between the international and domestic fields, except for retail banking depending on
the few international firms working in this business line (Figure 2).

[Figure 2. Presence of a specific code of conduct in international and domestic intermediaries by business line (%). Business lines shown: retail banking, private banking, asset management, investment banking, trading and sales, life insurance, non-life insurance.]

On the other hand, Table VI shows that CBs are mostly oriented to the implementation of
codes of conduct, particularly in retail banking. Asset management appears to be
the activity where codes are applied by all the different kinds of intermediaries.
Both commercial banks and CBs show the orientation to cover, in their codes, all the
operational areas, while insurance and financial firms are specialised in their core
business lines.
According to the recommendations of the Basel Committee (2005):
[. . .] a bank should hold itself to high standards when carrying on business and at all times
strive to observe the spirit as well as the letter of the law. Failure to consider the impact of its
actions on its shareholders, customers, employees and the markets may result in significant
adverse publicity and reputational damage, even if no law has been broken.


Therefore, we wished to find out whether financial firms were applying a tableau de bord
to control and manage the compliance risk. The outcome is that this tool is still scarcely
used by those interviewed that work mainly in the domestic field (28 per cent) compared
to slightly more than half (52 per cent) of those that work internationally who declared
using it.
The same instrument shows that there is a circumstance in which banks transfer
information to sales managers, clients and shareholders. However, there is a clear
statement by all firms that a summary report of the configuration and an exposure to
compliance risk are mostly intended as a report for top managers and supervisors
(Figure 3).
Once the mitigation tools have been implemented, compliance managers must define
their transferring approach. The survey shows the practice of compliance management,
particularly relating to the methods and tools used to pursue such an objective.
There is a difference in the domestic and international areas of activity.
By interpreting the absence of answers as a lack of specific tools used to manage risk,
it emerged that only 9.0 per cent of the domestic candidates apply instruments aimed at
limiting risk. The same percentage rose to 28.0 per cent for international firms. Overall,
only 15.5 per cent of the sample implemented tools to manage the compliance risk.
A minority of banks (23.3 per cent among large and 5.3 per cent among CBs) stated that
they used compliance risk mitigation tools, while insurance companies claimed that they
did not use any kind of tool to transfer the risk.

Table VI. Presence of a specific code of conduct by business areas and by category (%)

            Retail    Private   Asset        Investment   Trading     Life        Non-life
            banking   banking   management   banking      and sales   insurance   insurance
Banks       20.0      71.4      50.0         44.4         54.5        50.0        50.0
CBs         80.0      28.6      10.0         22.2         18.2        0.0         0.0
FIs         0.0       0.0       30.0         33.3         27.3        0.0         0.0
Insurance   0.0       0.0       10.0         0.0          0.0         50.0        50.0
Total       100.0     100.0     100.0        100.0        100.0       100.0       100.0

6. Compliance, regulatory conflicts and asymmetries opportunities for FIs
The analysis of the process followed by FIs to introduce the compliance function within
their organisations addresses the fundamental question about the drivers of their
behaviour. In particular, we wanted to find out whether there were any cost asymmetries
among banks, insurance companies, and FIs (SIMs and SGRs), due to the different
approaches of authorities described in Section 1. The asymmetry could be priced
approximately as the cost of a measurement solution and its organisational impact,
potentially creating an unlevelled playing field for specialised financial agents.
We analyse whether this concern emerges within the three risk management steps
we found in Sections 3-5, respectively, mapping the compliance risk event types,
measuring losses and managing the risk.
First, FIs, who are expected to follow the Consob regulation[3] more closely, cite the
main purpose of the compliance function as that of minimising the impact of sanctions in
9.1 per cent of cases, while banks (both commercial and CBs) only in 40 per cent and
insurance companies in 27 per cent of the sample (Table III). On the other hand, the behaviour
of domestic and international firms appears analogous. This means that the size factor
does not affect the compliance mission, while the specialisation either in banking or in
financial markets appears to be more significant. Since these financial firms report to
different regulators, the question about the impact of multiple control for financial
firms arises.
Second, the adoption of measurement solutions is below average for CBs and FIs
(Table IV). The case for CBs can be explained both by the possibilities granted by the
regulatory authority to small banks to reduce the risk management cost, and by the
outsourcing process which generally characterises small and medium banks.

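Figure 3. Use of a tableau de bord to manage compliance risk based on the different subjects the information concerns (%)
[Bar chart, vertical axis 0-100 per cent; series: banks, cooperative banks, financial intermediaries, insurance; categories: for stakeholders, for shareholders, for top managers, for sales managers, for clients, for regulators.]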

Nevertheless, our findings, particularly the low variance among outcomes by type of
financial firm, do not prove the existence of a cause-effect relationship between rules and
behaviour.
Third, banks are more quantitatively oriented, as shown in Table V. In fact,
approximately 37 per cent of banks estimate the impact of compliance losses (LGE)
against 27 per cent of FIs. This evidence could also depend on the timing of Consob and
Bank of Italy regulations, lagged by about one year, just like that of the ISVAP. Table V
also shows that internationally oriented financial companies are more oriented to
measuring the risk, in order to estimate probability, severity and losses. The rationale
for this evidence is probably due to the stronger European attitude to compliance
controls within FIs. This result suggests that in the financial industry the cost
asymmetry could be generated both by the different country approaches to MiFID
introduction and by the size of the financial firm.
Finally, the compliance risk management demonstrates that FIs are very similar to
banks in using tools to transfer losses (18 vs 23 per cent), while none of the insurance
companies answered the question positively. This last finding would seem to go against
previous results regarding measurement approaches over compliance risk among
intermediaries. Nonetheless, large banks show a more active transfer policy, since they
use not only insurance contracts but also financial ones (in 9 per cent of our sample). This
could be interpreted as a sign of a more active risk management approach, due to more
efficient methods of quantifying the exposure to non-compliance behaviours. Small
financial firms confirm a delay in completing the compliance risk management process.

7. Conclusions
The research helps to address four issues:
(1) The main purpose associated with the compliance function after the regulators
imposed the creation of an independent office within the FIs. We found that
specialised agents in the Italian financial markets are sensitive to minimising
civil, administrative or penal sanctions, even though the reputational impact
due to non-adherent behaviours is becoming more important, especially when
compared to the 2007 survey. Few intermediaries associate the compliance
function mission with the minimisation of operational losses. Only small banks
record a high frequency (21 per cent) of failure to answer.
(2) The approach to compliance risk measures. Our sample is almost perfectly
balanced between firms who implemented some methodologies to measure the
risk (47 per cent) and those who did not (53 per cent). During the last two years a
significant improvement was recorded particularly among domestic FIs.
International firms appear to be more sophisticated than domestic ones in their
ability to measure both the probability of non-compliance events and their
severity. There is no substantial difference between the two groups when asked
about the implementation of methods to estimate the unexpected losses and the
capital absorption. Looking at the state of the art by type of firms, large banks
appear to be more measuring oriented, especially in terms of event probability
and LGE. Insurance companies and small banks exhibit lower sensitivity for
the most sophisticated steps of the risk management process.


(3) The compliance risk management attitude. We recorded a fairly small
orientation to the application of a tableau de bord to control and manage the
compliance risk, while the use of a code of conduct is almost generally pervasive
among the financial companies we interviewed. Banks, particularly those
internationally oriented, show the highest tendency, among intermediaries
operating in financial markets, to adopt insurance or financial contracts to
transfer the economic impact of non-compliant behaviours.
(4) The last objective of the study was to ascertain whether the actual regulation on
compliance induces financial firms to invest in measuring and managing the
compliance risk, creating a different compliance management cost for
intermediaries. Our findings show that small financial firms are relatively
slow in measuring the exposure and the expected and unexpected losses.
Our conclusions may depend on three factors:
(1) different domestic regulatory approaches to measuring the compliance risk,
which follows a proportionality doctrine, making the largest firms more
suitable for introducing risk measuring solutions;
(2) different timing to introduce rules for intermediaries (in the case of the Italian
financial market, regulations on compliance function were not simultaneously
approved); and
(3) the cross border regulatory asymmetry which differentiates between the
approaches for banks and intermediaries working on an international basis.
Our research showed that large and international financial firms were oriented to
introduce compliance measures in Italy that had already been tested abroad.
Some of our findings may appear surprising enough to be underlined:
• Four years after the Basel Document on compliance, 15 per cent of firms we
interviewed are still managing the process within a function aimed at different
purposes.
• Protection from reputational impact appears to be as important as the goal of
minimising sanctions applied to non-compliant behaviours. This could be explained
either in a proactive or in a residual way: on the one hand, the defence of company
reputation could be considered the most important (and sophisticated) purpose
associated with the compliance function. This would reveal a strong awareness of
the meaning of the compliance within FIs operating in the Italian market. On the
other hand, since regulators in their instructions cited reputation among the
objectives to be assigned to the compliance function, the answers we collected could
depend on the attitude to a formal respect of the regulators' expectations.
• Comparing the 2007 survey with the 2009 survey, FIs (such as SIMs and SGRs)
show a lower tendency to implement a risk management approach, with capital
management sensitivity.
• We expected insurance firms to be more skilled than any other intermediary in
transferring the compliance risk using their own contracts and the re-insurance
system, but none of the companies we interviewed is actually managing the risk
to minimise the impact of losses on return.
• Almost all the financial firms of our sample stated that they adopted a
code of conduct, particularly within trading and sales, asset management and
investment banking, without any significant gap between the international and
domestic firms, while size particularly affects the business line of retail banking.
All these outcomes need to be monitored, in order to find out whether the compliance
functions that had to be organised by the regulatory framework have become more
effective in mapping, measuring and managing the factors generating losses for
financial firms.


Notes
1. In the 2007 survey the poll consisted of 35 financial firms.
2. In our paper, financial intermediaries means players not actually operating as banks or
insurance companies, such as asset managers (SGR) and distributors of financial services
(SIM). Financial firms means all the various intermediaries working in the financial
services industry.
3. This is particularly true for our sample, since other intermediaries essentially developed the
business lines of asset management and trading.

References
Ahmed, K. and Nicholls, D. (1994), The impact of non-financial company characteristics on
mandatory disclosure compliance in developing countries: the case of Bangladesh,
The International Journal of Accounting, Vol. 29 No. 1, pp. 62-77.
Ali, J.M., Ahmed, K. and Henry, D. (2004), Disclosure compliance with national accounting
standards by listed companies in South Asia, Accounting and Business Research, Vol. 34
No. 3, pp. 183-99.
Al-Shiab, M. (2008), The effectiveness of international financial reporting standards adoption on
cost of equity capital: a vector error correction model, International Journal of Business,
Vol. 13 No. 3, pp. 271-98.
Bank of Italy (2007), Disposizioni di Vigilanza, No. 688006, Bank of Italy, Rome, 10 luglio.
Basel Committee on Banking Supervision (2005), Compliance and the Compliance Function in
Banks, Basel Committee on Banking Supervision, Basel, April.
Birindelli, G. and Ferretti, P. (2008), Compliance risk in Italian banks: the results of a survey,
Journal of Financial Regulation and Compliance, Vol. 16, pp. 335-51.
Braithwaite, J. (2002), Restorative Justice and Responsive Regulation, Oxford University Press,
Oxford.
Coffee, J. (1981), No soul to damn: no body to kick: an unscandalised inquiry into the problem
of corporate punishment, Michigan Law Review, Vol. 79, pp. 386-459.
Consob (2008), Avvio del Livello 3 sul nuovo Regolamento Intermediari Confronto con il
mercato, Esito delle consultazioni, 2 maggio.
Cooke, T. (1996), The influence of the keiretsu on Japanese corporate disclosure, Journal of
International Financial Management and Accounting, Summer, pp. 191-214.
Demirguc-Kunt, A., Detragiache, E. and Tressel, T. (2006), Banking on the principles:
compliance with Basel core principles and bank soundness, WP/06/242, IMF,
Washington, DC.


Financial Services Authority (2009), The Turner review, A Regulatory Response to the Global
Banking Crisis, Financial Services Authority, London, March.
Gabbi, G. and Patarnello, A. (2010), Il valore della reputazione bancaria tra risk management
e scelte strategiche, Banca Impresa e Società, Vol. 29 No. 2, pp. 305-28.
ISVAP (2008), Regolamento recante disposizioni in materia di controlli interni, gestione dei
rischi, compliance ed esternalizzazione delle attività delle imprese di assicurazione, No. 20,
26 marzo, Regulatory Agency for Private and Public Insurance Companies, Rome.
Parker, C. (2006), The Compliance trap: the moral message in responsive regulatory
enforcement, Law & Society Review, Vol. 40, pp. 591-622.
Patton, J. and Zelenka, I. (1997), An empirical analysis of the determinants of the extent of
disclosure in annual reports of joint stock companies in the Czech Republic, European
Accounting Review, Vol. 6 No. 2, pp. 605-26.
Street, D. and Gray, S. (2002), Factors influencing the extent of corporate compliance with
international accounting standards: summary of a research monograph, Journal of
International Accounting, Auditing and Taxation, Vol. 11 No. 1, pp. 51-76.
Tsalavoutas, I., Evans, L. and Smith, M. (2009), Comparison of two methods for measuring
compliance with IFRS mandatory disclosure requirements, mimeo.
Wallace, R.S.O., Naser, K. and Mora, A. (1994), The relationship between the comprehensiveness
of corporate annual reports and firm characteristics in Spain, Accounting and Business
Research, Vol. 25 No. 97, pp. 41-53.
Yeoh, J. (2005), Compliance with mandatory disclosure requirements by New Zealand listed
companies, Advances in International Accounting, Vol. 18, pp. 245-62.
Further reading
Al-Shiab, M. (2003), Financial consequences of IAS adoption: the case of Jordan, PhD thesis,
University of Newcastle Upon Tyne, Newcastle Upon Tyne.
Corresponding author
Giampaolo Gabbi can be contacted at: gabbi@sdabocconi.it


Appendix. Methodology of measurement, transfer and mitigation of compliance
risk in the field of investment services. Questionnaire (extract)

1. Compliance risk within your Function is associated with the objective of:
a) not incurring civil, administrative or penal sanctions
b) minimising operating losses
c) minimising reputational damage related to the violation of external or internal regulations
d) other (specify) _______________________________________


2. Does the Compliance function use risk evaluation models to estimate Compliance risk?
a) Yes
b) No
3. Of these models, which are used to measure compliance risk (multiple answers are allowed)
a) Identify and map risk factors;
b) Estimate exposure;
c) Estimate the occurrence probability;
d) Estimate severity;
e) Estimate expected loss;
f) Estimate unexpected loss;
g) Estimate the capital at risk
h) Other (specify) _______________________________________
4. Specify which tools are used to mitigate compliance risk
5. Which tools are used to transfer compliance risk:
a) Insurance tools (specify) _______________________________________
b) Financial tools (specify) _______________________________________
c) both
6. Is there a company code of conduct?
a) Yes
b) No
7. Is there a different code of conduct according to the business lines (multiple answers are allowed)?
a) retail banking
b) private banking
c) asset management
d) investment banking
e) trading and sales
f) life insurance
g) non-life
h) other (specify) _______________________________________
8. With reference to investment services, which are the most frequent causes of compliance risk? Assign a
score to each risk source (0 = min-10 = max)
a) no adequate compliance with legislative/regulatory norms
b) no adequate internal codes of conduct
c) no protection of clients' interests
d) other (specify) _______________________________________
9. Has the Compliance function developed and does it use a Tableau de Bord?
a) Yes
b) No
10. If so, describe how: _______________________________________
11. If so, indicate for which group it has been prepared (multiple answers are allowed):
a) for the stakeholders
b) for the shareholders
c) for top management
d) for the commercial structure
e) for the clients
f) for the control authorities
g) other (specify) _______________________________________
