CFPB Readiness Series:
Making Risk Assessment Work For You
Who is KirkpatrickPrice?
KirkpatrickPrice is a licensed CPA firm, providing
assurance services to over 250 clients in more
than 40 states, Canada, Asia and Europe. The
firm has over 10 years of experience in
information assurance, performing
assessments, audits, and tests that strengthen
information security and compliance controls.
Welcome
Todd Stephenson is an Information Security
Specialist helping collection agencies and law firms
prepare for a CFPB examination.
– Certified Information Systems Auditor (CISA)
– Information Security Specialist
– Over four years working with the ARM industry
What is Risk Assessment?
• A systematic process of evaluating the
potential risks that may be involved in a
projected activity or undertaking.
• It involves evaluating:
– Operational risks
– Compliance risks
– Reputational risks
Why Care About Risk Assessment?
• It is mandated by the CFPB
• Why should you care?
– To maintain revenue and business operations –
Operational Risk
– Ensure future growth and opportunities –
Reputational Risk
– Avoid costly lawsuits and fines –
Compliance Risk
Risk Assessment is Interconnected
A Look at Vendor Risk
• “The Office of the Comptroller of the Currency (OCC)
expects a bank to practice effective risk management
…A bank’s use of third parties does not diminish the
responsibility of its board of directors and senior
management to ensure that the activity is performed
in a safe and sound manner and in compliance with
applicable laws.”
OCC: Third-Party Relationships: Risk Management
Guidance (OCC 2013-29)
A Look at Vendor Risk
• “The institution’s officials are expected to have a
clearly defined system of risk management controls
built into the management system that governs the
institution’s compliance operations, including
controls over activities conducted by affiliates and
third-party vendors.”
FDIC Compliance Manual — January 2014
Making it Work for You
• Confidence
– I know where my risks are and I’ve addressed
them. I sleep better at night.
• Clear Direction
– I know what we need to be doing and what we
don’t need to be doing.
• Ex: Internal Audit
• Cost savings
– Ex: My vendor has a SOC 2 or PCI RoC and CFPB
Welcome
Jessie Skibbe is a former Chief Compliance Officer
with 10 years of ARM industry experience. As
Director of Compliance Services for KirkpatrickPrice,
she is focused on assisting clients in meeting
regulatory compliance & information security
objectives.
– ACA Certified Credit & Collections Compliance Officer (CCCO)
– ISC2 Certified Information Systems Security Professional (CISSP)
– DBA Certified Receivables Compliance Professional (CRCP)
– PCI SSC Qualified Security Assessor (QSA)
Common Uses for Risk Assessment
• Business Continuity Planning
– Disaster Preparation
– Identifying Critical Business Components
• Information Security Compliance
– PCI DSS
– ISO 27001
– SSAE 16
– HIPAA
Compliance Risk Assessment
• Where do I begin?
– Begin by having a clear understanding of what
federal, state and local laws are applicable to you.
• State Law Resources:
– http://www.acainternational.org/state-collection-laws-andpractices.aspx
– http://www.nationallist.com/white_papers
– Stay up to date
• Review consent order and recent litigation.
Compliance Risk Assessment
• What’s Next?
– Determine the most likely way a violation of these
laws will occur.
• Consumer telephone calls
• Letters
• Non-compliant vendors
Compliance Risk Assessment
• Begin the process
– Policies and Procedures
• Risk Assessment Policy
• Risk Assessment Procedure
• Risk Assessment Template
– Document, document, document
• Remediation action needed
• Changes as a result of the risk assessment
Compliance Risk Assessment
• Next Steps
– Perform Third-Party Risk Assessments
– Internal Audit Procedures
– Internal Monitoring Procedures
– Third-Party Audit Procedures
– Third-Party Monitoring Procedures
• Risk Levels should determine what to monitor
and how often
Third-Party Risk Assessment
Thank you for attending
Q&A
For further information contact:
Todd Stephenson
[email protected]
800.977.3154 Ext. 202
Jessie Skibbe
[email protected]
800.977.3154 Ext. 103
Coming up Next
CFPB Readiness Series: Developing Your Vendor
Audit Framework and Questionnaire
When: May 29, 2014 at 2:30pm EST