Approach to regulation and risk - Does the way you talk about compliance pass the 'granny test'?

28 June 2018

Written by Wayne Atkinson

In the latest in a series of regulatory columns for Compliance Matters by experts in Guernsey’s legal sector, Collas Crill Group Partner Wayne Atkinson moves away from technical issues and takes a look at the approach to regulation and risk, issuing a special plea for the avoidance of self-defeating jargon at financial firms that are trying to tackle it. 

Last week, a colleague and I were discussing SARs - or to be more precise we were both talking about SARs but not making much progress with our discussion. You see, we were talking about confidential information and more specifically my colleague was asking about Suspicious Activity Reports while I was replying about Subject Access Requests. Needless to say, it took a couple of moments of confused stares before we got on the same page.

It’s a silly example, however, of an increasingly problematic issue in the regulatory space: a preponderance of jargon. Jargon is great – it lets one technically skilled person speak to another quickly and efficiently. It can however be isolating to those who are only tangentially linked to a field but who need to communicate with people deeply embedded in a technical culture. In the regulatory world many of my financial services clients operate in, the acronyms are currently flowing thick and fast: MIFID, MIFID II, MIFIR, SARs (both kinds), GDPR, MLROs, AML, KYC, CFT, FATCA, OFAC... I could go on... for quite a long time.

But the problem goes beyond the increasing use of jargon and acronyms. It's about the actual understanding of the terminology and the potential effect it has on your business. In the last week, GDPR will likely be one of the most talked about topics and, while the majority of people have a basic understanding of what it means (because they'll have received 1,000 emails from every company they've had any kind of involvement with), that doesn't mean they truly understand the minutiae or even the overall intent of the regulation.

A clear trend in the regulatory space at the minute is the need for board level buy-in on projects and concepts. Regulatory compliance can no longer be assigned to a silo with periodic reporting back at board level. Instead, all members of the board need to understand and engage with difficult regulatory concepts. But buy-in at board level requires a degree of both trust and understanding – the language we use can increasingly be an obstacle to that trust and understanding and that buy-in. An inability to give clear advice is a fatal flaw many lawyers are accused of; one of the things I find myself telling the trainees and young lawyers at Collas Crill is that you can't really be sure you understand something until you can explain it to someone else. At a panel discussion on data security last year, one of my fellow panelists confessed to applying the ‘Granny Test’, i.e. could he explain the issue to his grandmother? Coherent explanations are not rooted in acronyms and technical jargon but in a firm grasp of the concepts those terms represent.

Writing this article got me thinking about one of the most impressive bits of public speaking I've ever seen. It was given by a man called Jarrod Jablonski. Wikipedia describes Jablonski as a ‘record-setting cave diver’ who once undertook a dive traversing 11km of continuous cave, which required his team to spend 21 hours underwater. You see, cave diving is by its nature very dangerous. If something goes wrong in a submerged cave, a diver can't surface without making their way out of the cave. Normal diving issues become more complicated with the added risk of getting lost or stuck and drowning. Lots of cave divers drown and amongst their community there are, as a result, strong opinions about the best (i.e. safest) way to cave dive. As this is fairly technical in nature, it is also a jargon-rich environment. Jablonski had some strong opinions that disagreed with others. In his speech, he answered the questions of a crowd with varying degrees of understanding of cave diving and varying degrees of scepticism and understanding of his methods (with no notes), explaining how he had formed those opinions and why. He did so with remarkably simple explanations of remarkably complicated issues and very little jargon.

Essentially, every answer to every question followed a pattern. When asked why he did something a certain way, Jablonski responded by pointing to the risks in the environment and the activity, and explained how his team had approached comparing and mitigating the specific risks involved. Despite the complex subject, every one of his answers passed the ‘Granny Test’. What was impressive about the talk wasn't that Jablonski's approach was risk-free – it could never be risk-free, he was spending hours at a time kilometres inside underwater caves. What was impressive was Jablonski's depth of understanding of the risks and how best to mitigate them. Everything he did or didn't do, wear or take with him had a rationale attached and had been considered. He also explained that he wouldn't work with anyone who didn't operate to the same standards as him.

I often reflect on that talk when I speak to financial services businesses about their approach to compliance. In addition to being perhaps the ultimate in taking a risk-based approach, it was an approach full of lessons that could be applied to business. No-one is going to drown in our industry, but financial services businesses still deal with risk every day and manage that risk. We embrace innovative technologies such as blockchain or crypto-currencies, we share our expertise with emerging economies and markets and we deal with new clients regularly. Meanwhile, even the most vanilla of structures is open to abuse. In compliance terms, we embrace (or should be embracing) risk.

As in cave diving, success is not having compliance policies which cut risk to zero – that is impossible if you want to conduct business. Rather, the key to success is truly understanding the risks in your business environment and, like Jablonski, working out how to mitigate them as far as possible. Mitigating risk requires directors and compliance teams to understand risk – they can't work in silos. It is essential that the directors can understand what risk compliance concerns are aimed at controlling and, equally essential, that compliance teams understand how the business operates in the real world so they can identify the inherent risks in the business environment. An off-the-peg, one-size-fits-all set of policies is unlikely to be a perfect fit. Whereas an accurate assessment allows a business to tailor its processes and policies to address specific concerns, a generic precedent document may not even identify the concerns in question.

A second lesson is that having fabulous processes may not get you anywhere if a teammate goes rogue and ignores them. That is why Jablonski required buy-in on his methods from everyone on his team. Regulatory compliance requires a similar level of buy-in at all levels of a business with everyone embracing a compliance culture. Having someone who takes a go-it-alone approach to risk management is not an option, it exposes the whole team to the risk of a critical failure.

Thirdly, and coming back to my starting point, the use of jargon is a barrier to entry for those unfamiliar with it. Jablonski's presentation was not powerful because he fired out jargon to demonstrate his understanding, rather it was powerful because he was able to demonstrate that understanding by explaining the issues in plain English. Will all the members of a business really jump on board with a new project when they have to google half the words in the roll-out email? Even worse, will well-meaning team members unwittingly breach policies because they don't understand what they're being asked to do?

Speaking to a panel discussion last year on the new data protection legislation, a question was asked of us as to how less technologically-able board members might add value when speaking with IT consultants or IT team members. I made the point that if the board members in question asked me a question as a lawyer they wouldn't accept an answer from me in what is frequently derided as ‘legalese’ but instead would demand a plain English explanation. Why would they not make the same demands of other consultants and service providers?

So if I may finish with a plea, let's try and re-address risk and regulatory issues in a transparent, inclusive and considered way. Let's embrace our wider teams and understand what they do and the risks it poses so we can make easy-to-follow processes that get results rather than forcing standard procedures upon them. Let's ensure our businesses work as one and no-one feels the need to buck the system with catastrophic results, and let's do so with the bare minimum of unnecessary jargon.

An original version of this article first appeared in Compliance Matters, May 2018.
