What Is Supposed to be in my Risk Assessment
2017 is here! Now is the time for new resolutions, renewed plans for success and… if you’re in compliance, now is the time for new compliance risk assessments. As we have discussed in previous blogs, the risk assessment is often discussed and sometimes reviled as a meaningless regulatory requirement. When attempting to prepare a risk assessment, a frequent question is presented: what are the essential items in my risk assessment? Per regulatory guidance produced by the Federal Reserve:
"Principles of sound management should apply to the entire spectrum of risks facing an institution including, but not limited to, credit, market, liquidity, operational, compliance, and legal risk."
This guidance applies to general principles of risk assessment preparation. The compliance risk assessment is something of a different animal because questions of market risk, credit risk and liquidity risk are relatively minor concerns when considering risks in compliance. The focus instead should be on the compliance, transactional, strategic, financial and reputational risks associated with compliance activity.
Think of the risk assessment as a matrix – not the type where you get to choose a red pill or a blue pill, just a square with several blocks. There is a formula that you can use to complete an effective risk assessment. The basic formula is INHERENT RISK (minus) INTERNAL CONTROLS (equals) MITIGATED RISK.
Inherent Risk
Inherent risk is the risk associated with the products, customers and overall compliance structure at your bank.
An inherent risk is a risk category that really relates broadly to the activities and operations of a company without considering necessarily the company. For example, unsecured lending is inherently more risky than secured lending. If I were auditing an institution that was primarily involved in unsecured lending, then I would have a higher assessment of inherent risk in that organization than, let’s say, secured lending. And that’s a fairly simple example, but that type of a risk assessment is done for each critical business component.[1]
When considering the level of inherent risk at your institution, consider all the products that you offer and the worst-case scenarios lurking in the background. For example, suppose you are considering the inherent risk associated with consumer lending. The inherent risk might look something like this:
Consumer Loans - Inherent Risk

Type of Risk | Comment
Compliance Risk | The risk associated with the regulatory requirements for making consumer loans, e.g. disclosures, accurate calculations, etc.
Transactional Risks | The risks associated with the systems in place that are being used to support offering the product. Can your core support the loan types being offered?
Reputation Risks | The risk that the products will result in consumer complaints, UDAAP violations or potential fair lending concerns.
Strategic Risk | Are your products really meeting the credit needs of the community you serve?
The point of this part of the exercise should be to determine the level of risk that comes with offering the products at all. This level of risk doesn’t consider anything of your compliance program.
Internal Controls
Once you have identified the risks inherent in the products you offer, the customers you serve and the overall current compliance program, the next step is to review the steps your institution has taken to address them. This is where your policies, procedures, training and independent audits come in. There is a real opportunity to self-reflect and simultaneously project your aspirations during this part of the risk assessment. It is one thing to note you have policies and procedures in place. It is a far different consideration to determine how effective they are. Are the policies and procedures written and updated on an annual basis? How much of the policies and procedures are internally developed and how much have been “borrowed” from other institutions? (Note: This is not to imply that borrowing is a bad thing, if the information truly reflects the situation at your institution.) The risk assessment should contain an analysis of the current state of the internal controls. What would excellent controls look like, and what would it take for the compliance department to get there? These considerations should be included.
Mitigated Risk
Your overall assessment of how well the internal controls at your institution address the possibility of problems is the mitigated risk. For the risk assessment to be the most effective tool, it is necessary for this process to truly consider potential problems with internal controls. Written policies and procedures, for example, can be comprehensive and up-to-the-minute accurate, but totally ineffective if staff don’t use them. Training is an area often taken for granted. The online training that most institutions offer is a great start for training. However, for a full, in-depth understanding, additional training that includes case studies is a best practice.
A word about Strategic Risk
For the banking industry in general, regulators have put strategic risk at the forefront. For example, in its Semiannual Risk Perspective for spring 2016, the OCC noted that strategic risk is a concern:
“Banks are several years into the risk accumulation phase of the economic cycle. The banking environment continues to evolve, with growing competition among banks, nonbanks, and financial technology firms. Banks are increasingly offering innovative products and services, enabling them to better meet the needs of their customers. While doing so may heighten strategic risk if banks do not use sound risk management practices that align with their overall business strategies, failure to innovate to meet evolving needs or financial services may place a bank at a competitive disadvantage.”[2]
As the risk assessment process is completed this year, it is important to consider whether your institution is keeping up with trends in technology and innovation. The financial industry is being disrupted in a way that will significantly impact the relationship between customers and institutions. Without the right technology and business plan, it will be easy to be left behind. Make sure that your risk assessment considers strategic risk.
James DeFrantz is the Principal of Virtual Compliance Management Services LLC. He can be reached directly at JDeFrantz@VCM4you.com