Outsourcing and Collaboration - The Time Has Come
A Three-Part Series. Part Two -Outsourcing Requires
Vigilance
In Part One of this series we talked about some of the
reasons why a financial institution may want to outsource and/or
collaborate. In summary, we detailed:
- Leveraging the experience
and resources of outside firms - this allows an institution to augment the
resources that is has onsite.
- Allowing the additional
resources to be used to offer new and different products. New
products and services have a learning curve associated with them and by
using outsourced resources, the learning curve can be shortened.
- Increasing the overall
effectiveness of the BSA program. Outsourcing helps get a different
perspective to the internal operations of the Bank. In this manner,
outsourcing can make the BSA program more effective.
While the reasons for looking to collaborate are generally positive,
it is also important to remember that there are certain steps that must be
taken to make collaboration successful.
Know Your Product
or Service
Engaging an outside resource shouldn’t be done at the
expense of the knowledge base of the financial institution. While you may
not have specific expertise, there should be at least a clear understanding of
the basics of product or service being offered.
Knowing the inherent risks and rewards of the product should be the
basis for the decision to offer it to the public. Having a general
understanding of how the products works,
issues and concerns that have resulted from offering the product in the
past, the experiences of other financial institutions are important
considerations. At the end of the day,
there must be enough knowledge to understand whether or not the product or service
is performing well.
Risk Assessments
Are a Key
Think of the risk assessment as a matrix – not the type
where you get to choose a red pill or a blue pill, just a square with several
blocks. There is a formula that you can use to complete an
effective risk assessment. The basic formula is INHERENT RISK
(minus) INTERNAL CONTROLS (equals) MITIGATED RISK.
Inherent Risk
Inherent risk is the risk associated with the products,
customers and overall compliance structure at your Bank.
An inherent risk is a risk category that really relates
broadly to the activities and operations of a company without considering
necessarily the company. For example, unsecured lending is inherently riskier
than secured lending. If I were auditing an institution that was primarily
involved in unsecured lending, then I would have a higher assessment of
inherent risk in that organization than, let’s say, secured lending. And that’s
a fairly simple example, but that type of a risk assessment is done for each critical
business component[1].
When considering the level of inherent risk of a new product
or service, consider all the worst-case scenarios lurking in the background.
For example, supposed you are considering the inherent risk associated with
consumer lending. The inherent risk might look something like
this:
Consumer Loans- Inherent Risk
Compliance Risk
- The risk associated with the regulatory requirements for making consumer
loans, e.g. disclosures, accurate calculations, etc.
Reputation Risk-
The risk that the products will result in consumer complaints, UDAAP violations
or potential fair lending concerns.
Transactional Risk-
The risks associated with the systems in place that are being used to
support offering the product. Can your core support the loan types
being offered?
Strategic Risk-
Are your products really meeting the credit needs of the community you
serve?
The point of this part of the exercise should be to
determine the level of risks that are part of offering the products at
all. This level of risk doesn’t consider anything of your compliance
program.
Internal Controls
Once you have identified the risks inherent in the products
you offer, the customers you serve and the overall current compliance program,
the next step is to review the steps your institution has taken to address
them. This is where your policies, procedures, training and
independent audits come in. There is really an opportunity to
self-reflect and simultaneously project your aspirations during this part of
the risk assessment. It is one thing to note you have policies
and procedures in place. It is a far different consideration to
determine how effective they are. Are the policies and procedures
written and updated on an annual basis? How much of the policies and
procedures are internally developed and how much have been “borrowed” from
other institutions? (Note: This is not to imply that
borrowing is a bad thing, if the information truly reflects the situation at
your institution). The risk assessment should contain an
analysis of the current state of the internal
controls. What would excellent controls look like and
what would it take for the compliance department to get there? These
considerations should be included.
Mitigated Risk
Your overall assessment of how well the internal controls at
your institution address the possibility of problems is the mitigated
risk. For the risk assessment to be a most effective tool, it is
necessary for this process to truly consider potential problems with internal
controls. Written policies and procedures, for example, can be
comprehensive and up to the minute accurate, but totally ineffective if staff
don’t use them. Training is an area often taken for granted. The
online training that most institutions offer is a great start for
training. However, for a full in-depth understanding, additional
training that includes case-studies is a best practice.
A word about Strategic Risk
For the banking industry in general regulators have put
strategic risk at the forefront. For example, its semiannual risk
perspective for spring 2016, the OCC noted that strategic risk is a
concern:
“Banks are several years into the risk accumulation phase of
the economic cycle. The banking environment continues to evolve, with growing
competition among banks, nonbanks, and financial technology firms. Banks are
increasingly offering innovative products and services, enabling them to better
meet the needs of their customers. While doing so may heighten strategic risk
if banks do not use sound risk management practices that align with their
overall business strategies, failure to innovate to meet evolving needs or
financial services may place a bank at a competitive disadvantage.”[2]
As part of the risk process it is important to consider
whether your institution is keeping up with trends in technology and
innovation. The financial industry is being disrupted in a way that
will significantly impact the relationship between customers and institutions.
Without the right technology and business plan, it will be easy to be left
behind.
In Part Three will we will discuss the process for picking
outsourcing partners.
James DeFrantz is the
Principal of Virtual Compliance Management Services LLC. He can be
reached directly at JDeFrantz@VCM4you.com
[1]William
Lewis, Price Waterhouse Coopers Comptroller of Currency
Administrator of National Banks Audit Roundtable, Part 1 Risk Assessment and
Internal Controls .
No comments:
Post a Comment