Risk Management - Washington Bankers Association

Washington Bankers Association
Executive Development Program
Audit and Compliance
Risk Management:
The Continuous Program Cycle
Presenter: David McCrea, U.S. Program Manager, Global Regulatory Compliance Team, Infosys Limited
Risk Management Process (diagram; labels recovered from the figure)
Influences: Government; Competition; Community; Environment
Ownership: Senior Management; Board/Audit; Business; Compliance
Process cycle: Refine/Establish Strategy, Goals & Objectives; Refine/Establish Control Environment; Measure Performance Through Testing/Monitoring of Control Environment; Report Results; Take Corrective Action
The Continuous Program Cycle (diagram)
Designing; Implementing & Checking; Correcting & Reporting
Setting Strategy and Structure
• Strategic Planning = the art and science of
determining where an organization is
going and how it’s going to get there.
Setting Strategy and Structure
• What is management’s risk appetite?
– Risk tolerant?
– Risk averse?
– Somewhere in between?
Setting Strategy & Structure
• Vision Statement – aka – Mission
Statement
– A brief “big picture” description of your
compliance program purpose and method.
Setting Strategy and Structure
• Setting goals and objectives:
– Goals are observable and measurable overall
end results, and
– Objectives are the steps to achieve specific
results within a fixed time frame.
• Compliance Department goals
• Business Unit compliance goals
• Company Goals
Setting Strategy and Structure
• Defining a structure – roles and
responsibilities
– Compliance and Audit responsibility
ultimately lies with the board of directors
– Executive management needs to set the tone
– Compliance/Risk Management provides the
expertise and advice
– The business units have responsibility to “do”
risk management
Setting Strategy and Structure
• Defining a structure
– Compliance/Audit/Risk Management
department configurations:
Solo;
Committee;
Numerous specialists;
Outsourcing;
Others?
(What about the centralized – decentralized
continuum?)
Setting Strategy and Structure
• Defining a structure - continued
– Bank’s asset size;
– Number of employees;
– Number of branches and locations;
– Product mix;
– Services;
– Other?
• Risk Profile (coming soon…)
Setting Strategy and Structure
• Defining Scope
– What do you cover?
– What do you NOT cover?
• BSA?
• Fair Lending?
• CRA?
• SOX / BASEL?
• Info Sec?
• Loan Review?
• Other?
Ensure coverage for all out-of-scope functions.
Assessing Risks
• Risk identification
• Risk types
• Risk ranking
• Controls Effectiveness
Risk Identification
The detection and analysis of potential risks that
may prevent the achievement of the bank’s
objectives
– What type of products and services does the bank offer?
– What types of systems does the bank have in place and
to what extent are processes automated?
– What is your charter structure(s), who is/are your
regulator(s)?
– What regulations apply to the above?
Forms of Assessment
Risk assessments can take many different forms and have
different purposes:
• Product/Service specific (e.g., HELOCs, or ebanking)
– Initial assessment of a new product or ongoing performance
• Segmented by regulation (e.g., Reg. CC or Dodd-Frank).
– May be required, such as AML/BSA or Identity Theft Prevention
• Segmented by Business Line
• Compliance Program (how is the program functioning)
• Consumer Risk Assessment
• Overall Compliance Performance (how is the company performing)
Risk Types
• Inherent risk – the measure of risk before
controls
• Residual risk – the measure of risk after
controls
Or
Inherent Risk + Controls = Residual Risk
Assigning an Inherent Risk Rating
– Inherent compliance risk is risk that is a basic, natural and inseparable component or characteristic of a regulation. (Note: Inherent risk is risk before the consideration of controls.) These components could include the following risk sub-categories:
• Financial
• Litigation
• Transaction
• Reputation risks
• Regulatory Environment
Inherent Risk Ranking
– Exposure – the extent of potential
damage
– Likelihood – the probability that an actual
event will occur, and/or that the resulting
exposure from that event will take place
Inherent Risk Ranking
Making Sense of Multiple Views
• Regulation
• Consumer Risk
• UDAAP Risk
Risk Ranking Exposure (High)
Exposure HIGH:
– Significant or systemic violations
– Severe regulatory criticism
– Cease and desist orders
– Memorandums of Understanding
– Corrective actions with large economic impact and/or reputation damage
– Repeat Violations
Risk Ranking Exposure (Moderate)
Exposure MODERATE:
– Violations lead to some regulatory criticism
– Some corrective actions with less significant economic impact and/or less significant reputation damage
Risk Ranking Exposure (Low)
Exposure LOW:
– Violations, if any, are not considered significant or systemic.
– Minimal, if any, economic impact and/or reputation risk.
Risk Ranking Likelihood
HIGH – Almost certain risk will occur.
MOD – 50-50 chance risk will occur.
LOW – Most likely risk will not occur.
Inherent Risk Heat Map (rows: Likelihood; columns: Exposure; each cell gives the inherent rating and its numeric score)
Likelihood \ Exposure | LOW     | MODERATE | HIGH
HIGH                  | MOD - 2 | HIGH - 4 | HIGH - 5
MODERATE              | LOW - 1 | MOD - 3  | HIGH - 4
LOW                   | LOW - 0 | MOD - 2  | MOD - 3
Inherent Risk Rating
Using a Heat Map is not the only way to
visualize Risk. Other possibilities:
-- Use numeric rating
-- Color Code
-- Other?
The Key is to know your audience.
Inherent Risk Rating (sample 1)
Regulation | Likelihood | Exposure | Regulatory Compliance Inherent Risk / Comments
B          | High       | High     | HIGH: High scrutiny; impacts all customers; high fines and rep risk
C          | Moderate   | High     | HIGH: High scrutiny; high reputation risk
E          | Moderate   | Moderate | MODERATE: Could be new focus with CFPB
FDCPA      | Moderate   | Moderate | MODERATE: Trending up due to economic environment
Assessing Risks
• Risk Controls Definition
– Preventive Controls
– Detective Controls
• Assessing Control Effectiveness
– Primary Controls
– Secondary and other controls
Control Activities
Help ensure that directives are carried out.
They can either be preventive or detective:
– Preventive controls are generally applied at
points where errors or irregularities could
occur in the process
– Detective controls discover errors during or
after occurrence
Preventive Controls
• Automated controls (e.g., system edit features for data entry control)
• System processing controls (e.g., editing, balancing and internal control checks)
• Written procedures and Training can be controls
• Independent checks to determine if assigned responsibilities are completed and recorded amounts are accurate (e.g., account reconciliation, computer-programmed controls, management review of reports)
• Approval and authorizations for transactions and activities
Detective Controls
• Review of exception reports, reconciliations, SAR reports, and other ad hoc reports to detect erroneous or improper processing of transactions
• Asset control activities, including periodic asset counts, comparison of physical counts to accounting records, investigation of discrepancies, establishment of physical safeguards, and maintenance of proper purchase authorizations
Inventory the Preventive &
Detective Controls
Primary controls:
These represent the most effective of the controls
deployed to this risk. Your control effectiveness
rating is essentially the rating of this particular
control.
Inventory the Preventive &
Detective Controls
Secondary or additional controls:
Where they exist, these can include compensating controls that indirectly assist in achieving control objectives (such as third party review of transactions). They may also include policies and procedures referenced by the business in their risk self-assessment.
Rating the Control Environment
• Evaluate overall risks (stratify your
inherent vs. residual risks)
• Establish level of confidence in control
effectiveness ratings
• Evaluate the “tone from the top”
• Anticipate regulatory scrutiny
Risk Ranking Control Strength
Strong – Controls prevent risk from occurring.
Adequate – Control typically prevents risk from occurring.
Weak – Control is non-existent or ineffective in controlling risk.
Control Strength Example 1
Reg B / Section               | Owner            | Control                                                                                                                  | Rating
202.4(b) No discouragement    | Loan Consultants | Agents are scripted to ensure application process is consistent and nondiscriminatory; Annual Training is also required | Adequate
202.4(c) Written Applications | Marketing, Legal | Marketing produces all applications, which have been approved by Legal                                                   | Adequate
Comments: Rating is based on primarily manual nature of controls.
Control Strength Example 2
Requirement & Citation: Suspicious Activity Reporting, 31 CFR 103.21
Business units Impacted: All
Inherent Risk Rating: High
Controls and mitigations: Automated forensic system review of transactions; Compliance Operations agent reviews; Annual training
Control Effectiveness Rating: Strong
Residual Risk Rating: Moderate
Residual Risk Ratings
Residual risk ratings should be based upon the inherent risk rating and the controls effectiveness rating for each regulation.
A residual risk rating of high, moderate or low can be assigned. The basic formula is: inherent risk + control effectiveness = residual risk.
Residual Risk Ratings
Residual risk ratings can then be plotted on a matrix, or “heat map” as shown below:
Residual Risk Rating (rows: Inherent Risk Rating; columns: Control Effectiveness Rating)
Inherent \ Control | Strong   | Adequate | Weak
High               | Moderate | Moderate | High
Moderate           | Low      | Moderate | Moderate
Low                | Low      | Low      | Low
Risk Trend
The direction of risk and probable change
over the next 12 months.
Increasing – suggests additional controls or
increased review.
Stable – may require no action.
Decreasing – may suggest controls can be
decreased.
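The scoring method the deck walks through (inherent risk from the likelihood/exposure heat map, then inherent risk + control effectiveness = residual risk, then a trend-based follow-up) is small enough to write down as a risk-register scorer. The following is an added example, not code from the presentation or from Infosys: the two matrices encode exactly the deck's heat map and residual matrix, while the register entries, the control effectiveness and trend values, and the rule for what counts as a control gap needing a mitigation plan are constructed assumptions for illustration.

```python
"""Risk register scorer built from the deck's two matrices (added example).

Inherent rating/score come from the likelihood x exposure heat map; residual
rating comes from the inherent x control-effectiveness matrix; the trend maps
to the follow-up the deck suggests. Sample register data is constructed.
"""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")
CONTROL_LEVELS = ("strong", "adequate", "weak")
TRENDS = ("increasing", "stable", "decreasing")

# Inherent Risk Heat Map from the deck: rows = likelihood, columns = exposure.
# Each cell is (rating, numeric score).
INHERENT_HEAT_MAP = {
    "high":     {"low": ("moderate", 2), "moderate": ("high", 4),     "high": ("high", 5)},
    "moderate": {"low": ("low", 1),      "moderate": ("moderate", 3), "high": ("high", 4)},
    "low":      {"low": ("low", 0),      "moderate": ("moderate", 2), "high": ("moderate", 3)},
}

# Residual Risk matrix from the deck: rows = inherent rating, columns = control effectiveness.
RESIDUAL_MATRIX = {
    "high":     {"strong": "moderate", "adequate": "moderate", "weak": "high"},
    "moderate": {"strong": "low",      "adequate": "moderate", "weak": "moderate"},
    "low":      {"strong": "low",      "adequate": "low",      "weak": "low"},
}

# Follow-up wording taken from the deck's Risk Trend slide.
TREND_ACTIONS = {
    "increasing": "consider additional controls or increased review",
    "stable": "may require no action",
    "decreasing": "controls may be able to be decreased",
}


@dataclass
class RiskEntry:
    regulation: str
    likelihood: str
    exposure: str
    control_effectiveness: str
    trend: str


def _norm(value, allowed, field):
    """Normalise a rating label; reject anything outside the deck's scales."""
    v = value.strip().lower()
    if v not in allowed:
        raise ValueError(f"{field} must be one of {allowed}, got {value!r}")
    return v


def inherent_rating(likelihood, exposure):
    """Return (rating, score) from the inherent risk heat map."""
    row = INHERENT_HEAT_MAP[_norm(likelihood, LEVELS, "likelihood")]
    return row[_norm(exposure, LEVELS, "exposure")]


def residual_rating(inherent, control_effectiveness):
    """Apply inherent risk + control effectiveness = residual risk."""
    row = RESIDUAL_MATRIX[_norm(inherent, LEVELS, "inherent")]
    return row[_norm(control_effectiveness, CONTROL_LEVELS, "control_effectiveness")]


def score_entry(entry):
    rating, score = inherent_rating(entry.likelihood, entry.exposure)
    control = _norm(entry.control_effectiveness, CONTROL_LEVELS, "control_effectiveness")
    residual = residual_rating(rating, control)
    trend = _norm(entry.trend, TRENDS, "trend")
    # Assumption (not from the deck): a gap worth a mitigation plan is a high
    # residual rating, or a weak primary control on a non-low inherent risk.
    gap = residual == "high" or (control == "weak" and rating != "low")
    return {
        "regulation": entry.regulation, "inherent": rating, "score": score,
        "control": control, "residual": residual, "trend": trend,
        "action": TREND_ACTIONS[trend], "mitigation_plan_needed": gap,
    }


def score_register(entries):
    """Score every entry; highest inherent score first (stable for ties)."""
    return sorted((score_entry(e) for e in entries), key=lambda r: r["score"], reverse=True)


def mitigation_gaps(entries):
    """Regulations for which the (assumed) gap rule says a mitigation plan is needed."""
    return [r["regulation"] for r in score_register(entries) if r["mitigation_plan_needed"]]


# Constructed sample register: likelihood/exposure follow the deck's sample 1 and
# the SAR example; control effectiveness and trend values are assumed.
SAMPLE_REGISTER = [
    RiskEntry("Reg B", "High", "High", "Adequate", "stable"),
    RiskEntry("Reg C", "Moderate", "High", "Strong", "stable"),
    RiskEntry("Reg E", "Moderate", "Moderate", "Weak", "increasing"),
    RiskEntry("FDCPA", "Moderate", "Moderate", "Adequate", "increasing"),
    RiskEntry("SAR (31 CFR 103.21)", "High", "High", "Strong", "stable"),
]

if __name__ == "__main__":
    for r in score_register(SAMPLE_REGISTER):
        print(f"{r['regulation']:<22} inherent={r['inherent']}({r['score']}) "
              f"control={r['control']} residual={r['residual']} trend={r['trend']}: {r['action']}")
    print("Mitigation plans needed:", mitigation_gaps(SAMPLE_REGISTER))
```

Note that the SAR row reproduces the deck's Control Strength Example 2 (High inherent + Strong control = Moderate residual), and that the scorer rejects any label outside the deck's scales rather than silently defaulting, which keeps the documented methodology and the implemented one identical.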
Implementing Your Risk Assessment
Develop a methodology document:
• State risk tolerance
• Develop heat map scales
• Discuss and socialize
• Consider collaborating with other Risk
Teams in your bank
Implementing Your Risk Assessment
Risk Assessment can be developed /
segmented by:
• Regulation
• Business Unit / Department / Manager
• Product / Services
If you discovered any gaps in controls,
develop a mitigation plan
Updating Your Risk Assessment
Inherent Risk Ratings
• Update at least annually
• Document ratings
Controls / Residual Risk Ratings
• Review outstanding issues regularly
• Update quarterly
Updating Your Risk Assessment
To ensure your Risk Assessment stays
current, you will also want to update it for:
• New or Revised Products / Services
• New / Amended Regulations