Monday, February 18, 2019


Outsourcing and Collaboration - The Time Has Come




A Three-Part Series.  Part Two - Outsourcing Requires Vigilance

In Part One of this series we talked about some of the reasons why a financial institution may want to outsource and/or collaborate.  In summary, we detailed:   
  • Leveraging the experience and resources of outside firms - this allows an institution to augment the resources that it has onsite.  
  • Allowing the additional resources to be used to offer new and different products.  New products and services have a learning curve associated with them and by using outsourced resources, the learning curve can be shortened. 
  • Increasing the overall effectiveness of the BSA program.  Outsourcing helps get a different perspective to the internal operations of the Bank.  In this manner, outsourcing can make the BSA program more effective.      
While the reasons for looking to collaborate are generally positive, it is also important to remember that there are certain steps that must be taken to make collaboration successful.  




Know Your Product or Service  

Engaging an outside resource shouldn’t be done at the expense of the knowledge base of the financial institution.  While you may not have specific expertise, there should be at least a clear understanding of the basics of the product or service being offered.  Knowing the inherent risks and rewards of the product should be the basis for the decision to offer it to the public.  A general understanding of how the product works, the issues and concerns that have resulted from offering the product in the past, and the experiences of other financial institutions are all important considerations.  At the end of the day, there must be enough knowledge to understand whether or not the product or service is performing well.

Risk Assessments Are Key

Think of the risk assessment as a matrix – not the type where you get to choose a red pill or a blue pill, just a square with several blocks.   There is a formula that you can use to complete an effective risk assessment.  The basic formula is INHERENT RISK (minus) INTERNAL CONTROLS (equals) MITIGATED RISK.  

Inherent Risk

Inherent risk is the risk associated with the products, customers and overall compliance structure at your Bank.  

An inherent risk is a risk category that really relates broadly to the activities and operations of a company without considering necessarily the company. For example, unsecured lending is inherently riskier than secured lending. If I were auditing an institution that was primarily involved in unsecured lending, then I would have a higher assessment of inherent risk in that organization than, let’s say, secured lending. And that’s a fairly simple example, but that type of a risk assessment is done for each critical business component[1].

When considering the level of inherent risk of a new product or service, consider all the worst-case scenarios lurking in the background. For example, suppose you are considering the inherent risk associated with consumer lending.  The inherent risk might look something like this:


Consumer Loans - Inherent Risk

  • Compliance Risk - The risk associated with the regulatory requirements for making consumer loans, e.g. disclosures, accurate calculations, etc.
  • Reputation Risk - The risk that the products will result in consumer complaints, UDAAP violations or potential fair lending concerns.
  • Transactional Risk - The risks associated with the systems in place that are being used to support offering the product.  Can your core support the loan types being offered?
  • Strategic Risk - Are your products really meeting the credit needs of the community you serve?

The point of this part of the exercise should be to determine the level of risk that comes with offering the products at all.  This level of risk doesn’t take your compliance program into account.

Internal Controls
Once you have identified the risks inherent in the products you offer, the customers you serve and the overall current compliance program, the next step is to review the steps your institution has taken to address them.  This is where your policies, procedures, training and independent audits come in.  There is really an opportunity to self-reflect and simultaneously project your aspirations during this part of the risk assessment.   It is one thing to note you have policies and procedures in place.  It is a far different consideration to determine how effective they are.  Are the policies and procedures written and updated on an annual basis?  How much of the policies and procedures are internally developed and how much have been “borrowed” from other institutions?  (Note:  This is not to imply that borrowing is a bad thing, if the information truly reflects the situation at your institution).   The risk assessment should contain an analysis of the current state of the internal controls.    What would excellent controls look like and what would it take for the compliance department to get there?  These considerations should be included.  

Mitigated Risk
Your overall assessment of how well the internal controls at your institution address the possibility of problems is the mitigated risk.  For the risk assessment to be a most effective tool, it is necessary for this process to truly consider potential problems with internal controls.  Written policies and procedures, for example, can be comprehensive and up-to-the-minute accurate, but totally ineffective if staff don’t use them.   Training is an area often taken for granted.  The online training that most institutions offer is a great start for training.  However, for a full in-depth understanding, additional training that includes case studies is a best practice.  

A word about Strategic Risk

For the banking industry in general, regulators have put strategic risk at the forefront.  For example, in its semiannual risk perspective for spring 2016, the OCC noted that strategic risk is a concern:

“Banks are several years into the risk accumulation phase of the economic cycle. The banking environment continues to evolve, with growing competition among banks, nonbanks, and financial technology firms. Banks are increasingly offering innovative products and services, enabling them to better meet the needs of their customers. While doing so may heighten strategic risk if banks do not use sound risk management practices that align with their overall business strategies, failure to innovate to meet evolving needs or financial services may place a bank at a competitive disadvantage.”[2]

As part of the risk process it is important to consider whether your institution is keeping up with trends in technology and innovation.  The financial industry is being disrupted in a way that will significantly impact the relationship between customers and institutions. Without the right technology and business plan, it will be easy to be left behind.   


In Part Three we will discuss the process for picking outsourcing partners.




James DeFrantz is the Principal of Virtual Compliance Management Services LLC.  He can be reached directly at JDeFrantz@VCM4you.com








[1] William Lewis, Price Waterhouse Coopers, Comptroller of Currency Administrator of National Banks Audit Roundtable, Part 1 Risk Assessment and Internal Controls.
[2] OCC Semiannual Risk Perspective from the National Risk Committee, Spring 2016.
