Risk Management.pptx
1. Washington Bankers Association
Executive Development Program
Audit and Compliance
Risk Management:
The Continuous Program Cycle
Presenter:
David McCrea
U.S. Program Manager
Global Regulatory Compliance Team
Infosys Limited
4. Setting Strategy and Structure
• Strategic Planning = the art and science of
determining where an organization is
going and how it’s going to get there.
5. Setting Strategy and Structure
• What is management’s risk appetite?
– Risk tolerant?
– Risk averse?
– Somewhere in between?
6. Setting Strategy & Structure
• Vision Statement – aka – Mission
Statement
– A brief “big picture” description of your
compliance program purpose and method.
7. Setting Strategy and Structure
• Setting goals and objectives:
– Goals are observable and measurable overall
end results, and
– Objectives are the steps to achieve specific
results within a fixed time frame.
• Compliance Department goals
• Business Unit compliance goals
• Company Goals
8. Setting Strategy and Structure
• Defining a structure – roles and
responsibilities
– Compliance and Audit responsibility
ultimately lies with the board of directors
– Executive management needs to set the tone
– Compliance/Risk Management provides the
expertise and advice
– The business units have responsibility to “do”
risk management
9. Setting Strategy and Structure
• Defining a structure
– Compliance/Audit/Risk Management
department configurations:
Solo;
Committee;
Numerous specialists;
Outsourcing;
Others?
(What about the centralized – decentralized
continuum?)
10. Setting Strategy and Structure
• Defining a structure - continued
– Bank’s asset size;
– Number of employees;
– Number of branches and locations;
– Product mix;
– Services;
– Other?
• Risk Profile (coming soon…)
11. Setting Strategy and Structure
• Defining Scope
– What do you cover?
– What do you NOT cover?
• BSA?
• Fair Lending?
• CRA?
• SOX / BASEL?
• Info Sec?
• Loan Review?
• Other?
Ensure coverage for all out-of-scope functions.
13. Risk Identification
The detection and analysis of potential risks that
may prevent the achievement of the bank’s
objectives
– What type of products and services does the bank offer?
– What types of systems does the bank have in place and
to what extent are processes automated?
– What is your charter structure(s), who is/are your
regulator(s)?
– What regulations apply to the above?
14. Forms of Assessment
Risk assessments can take many different forms and have
different purposes:
• Product/Service specific (e.g., HELOCs, or e-banking)
– Initial assessment of a new product or ongoing
performance
• Segmented by regulation (e.g., Reg. CC or
Dodd-Frank).
– May be required, such as AML/BSA or Identity
Theft Prevention
• Segmented by Business Line
• Compliance Program (how is the program
functioning)
• Consumer Risk Assessment
• Overall Compliance Performance (how is the
company performing)
15. Risk Types
• Inherent risk – the measure of risk before
controls
• Residual risk – the measure of risk after
controls
Or
Inherent Risk + Controls = Residual Risk
16. Assigning an Inherent Risk Rating
– Inherent compliance risk is the risk that is a basic,
natural and inseparable component or characteristic
of a regulation. (Note: inherent risk is risk before the
consideration of controls.)
These components could include the following
risk sub-categories:
• Financial
• Litigation
• Transaction
• Reputation risks
• Regulatory Environment
17. Inherent Risk Ranking
–Exposure – the extent of potential
damage
–Likelihood – the probability that an actual
event will occur, and/or that the resulting
exposure from that event will take place
19. Risk Ranking Exposure (High)
Exposure HIGH
– Significant or systemic violations
– Repeat violations
– Severe regulatory criticism
– Cease and desist orders
– Memorandums of Understanding
– Corrective actions with large economic impact
and/or reputation damage
20. Risk Ranking Exposure (Moderate)
Exposure MODERATE
– Violations lead to some regulatory criticism
– Some corrective actions with less significant
economic impact and/or less significant
reputation damage
21. Risk Ranking Exposure (Low)
Exposure LOW
– Violations, if any, are not considered
significant or systemic
– Minimal, if any, economic impact
and/or reputation risk
22. Risk Ranking Likelihood
HIGH      Almost certain the risk will occur.
MODERATE  50-50 chance the risk will occur.
LOW       Most likely the risk will not occur.
23. Inherent Risk Heat Map
                      Exposure LOW   Exposure MODERATE   Exposure HIGH
Likelihood HIGH       MOD - 2        HIGH - 4            HIGH - 5
Likelihood MODERATE   LOW - 1        MOD - 3             HIGH - 4
Likelihood LOW        LOW - 0        MOD - 2             MOD - 3
(Cells give the inherent risk rating and its 0-5 score: 0-1 LOW, 2-3 MOD, 4-5 HIGH.)
24. Inherent Risk Rating
Using a Heat Map is not the only way to
visualize Risk. Other possibilities:
-- Use numeric rating
-- Color Code
-- Other?
The Key is to know your audience.
25. Inherent Risk Rating (sample 1)
Regulation   Likelihood   Exposure   Inherent Risk / Comments
B            High         High       HIGH: High scrutiny; impacts all customers; high fines and rep risk
C            Moderate     High       HIGH: High scrutiny; high reputation risk
E            Moderate     Moderate   MODERATE: Could be new focus with CFPB
FDCPA        Moderate     Moderate   MODERATE: Trending up due to economic environment
(Likelihood and Exposure are the regulatory compliance ratings from slides 19-22.)
26. Assessing Risks
• Risk Controls Definition
– Preventive Controls
– Detective Controls
• Assessing Control Effectiveness
– Primary Controls
– Secondary and other controls
27. Control Activities
Help ensure that directives are carried out.
They can either be preventive or detective:
– Preventive controls are generally applied at
points where errors or irregularities could
occur in the process
– Detective controls discover errors during or
after occurrence
28. Preventive Controls
Automated controls (e.g., system edit features for
data entry control)
System processing controls (e.g., editing,
balancing and internal control checks)
Written procedures and Training can be controls
Independent checks to determine if assigned
responsibilities are completed and recorded
amounts are accurate (e.g., account reconciliation,
computer-programmed controls, management
review of reports)
Approval and authorizations for transactions and
activities
29. Detective Controls
Review of exception reports, reconciliations, SAR
reports, and other ad hoc reports to detect
erroneous or improper processing of
transactions
Asset control activities, including periodic asset
counts, comparison of physical counts to
accounting records, investigation of
discrepancies, establishment of physical
safeguards, and maintenance of proper
purchase authorizations
30. Inventory the Preventive &
Detective Controls
Primary controls:
These represent the most effective of the controls
deployed to this risk. Your control effectiveness
rating is essentially the rating of this particular
control.
31. Inventory the Preventive &
Detective Controls
Secondary or additional controls:
Where they exist can include compensating
controls that indirectly assist in achieving control
objectives (such as third party review of
transactions). They may also include policies and
procedures referenced by the business in their risk
self-assessment.
32. Rating the Control Environment
• Evaluate overall risks (stratify your
inherent vs. residual risks)
• Establish level of confidence in control
effectiveness ratings
• Evaluate the “tone from the top”
• Anticipate regulatory scrutiny
33. Risk Ranking Control Strength
Strong    Controls prevent the risk from occurring.
Adequate  Controls typically prevent the risk from occurring.
Weak      Controls are non-existent or ineffective in controlling the risk.
34. Control Strength Example 1
Reg B / Section: 202.4(b) No discouragement
  Owner: Loan Consultants
  Control: Agents are scripted to ensure the application process is
  consistent and non-discriminatory; annual training is also required
  Comments: Rating is based on the primarily manual nature of the controls
  Rating: Adequate
Reg B / Section: 202.4(c) Written Applications
  Owner: Marketing; Legal
  Control: Marketing produces all applications, which have been approved by Legal
  Rating: Adequate
35. Control Strength Example 2
Requirement & Citation: Suspicious Activity Reporting, 31 CFR 103.21
  Business units impacted: All
  Inherent Risk Rating: High
  Controls and mitigations: Automated forensic system review of transactions;
  Compliance Operations agent reviews; annual training
  Control Effectiveness Rating: Strong
  Residual Risk Rating: Moderate
36. Residual Risk Ratings
Residual risk ratings should be based upon the
inherent risk rating and the controls
effectiveness rating for each regulation
A residual risk rating of high, moderate or low
can be assigned. The basic formula is inherent
risk + control effectiveness = residual risk
37. Residual Risk Ratings
Residual risk ratings can then be plotted on a
matrix, or “heat map,” as shown below:
                        Control Effectiveness Rating
Inherent Risk Rating    Strong      Adequate    Weak
High                    Moderate    Moderate    High
Moderate                Low         Moderate    Moderate
Low                     Low         Low         Low
(Cells give the Residual Risk Rating.)
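The inherent heat map on slide 23, the control-strength scale on slide 33 and the residual matrix on slide 37 form one pipeline, and slide 38's trend rule decides what to do with the result. The Python below is an added worked example, not code from the deck or from Infosys, that runs that pipeline over a small register and checks the methodology for internal consistency. The additive point scale that reproduces slide 23's 0-5 scores, the control ratings and trends for the register rows that the deck does not state, and the risk-tolerance threshold are all assumptions made for the illustration.

```python
"""Compliance risk register: inherent heat map -> control strength -> residual.

Added example, not from the deck. Scales follow slides 22, 23, 33 and 37:
likelihood and exposure are each High / Moderate / Low, the inherent heat map
scores 0-5, control strength is Strong / Adequate / Weak, and residual risk is
read from the slide 37 matrix. The register rows, the control ratings not
given on the slides, the trends and the tolerance threshold are assumptions.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}

# Slide 23 heat map expressed as an additive score (an assumption that happens
# to reproduce every cell). Exposure carries slightly more weight than
# likelihood, which is why Low/High scores 3 but High/Low scores only 2.
LIKELIHOOD_POINTS = {"Low": 0, "Moderate": 1, "High": 2}
EXPOSURE_POINTS = {"Low": 0, "Moderate": 2, "High": 3}


def inherent_score(likelihood: str, exposure: str) -> int:
    return LIKELIHOOD_POINTS[likelihood] + EXPOSURE_POINTS[exposure]


def inherent_rating(score: int) -> str:
    """Slide 23 bands: 0-1 Low, 2-3 Moderate, 4-5 High."""
    if score >= 4:
        return "High"
    if score >= 2:
        return "Moderate"
    return "Low"


# Slide 37 matrix: (inherent rating, control strength) -> residual rating.
RESIDUAL = {
    ("High", "Strong"): "Moderate", ("High", "Adequate"): "Moderate", ("High", "Weak"): "High",
    ("Moderate", "Strong"): "Low", ("Moderate", "Adequate"): "Moderate", ("Moderate", "Weak"): "Moderate",
    ("Low", "Strong"): "Low", ("Low", "Adequate"): "Low", ("Low", "Weak"): "Low",
}
CONTROL_ORDER = ("Weak", "Adequate", "Strong")   # weakest to strongest


def residual_rating(inherent: str, control_strength: str) -> str:
    return RESIDUAL[(inherent, control_strength)]


def matrix_is_monotone() -> bool:
    """Methodology self-check: stronger controls must never raise residual risk,
    and higher inherent risk must never lower it. A transposed cell fails this."""
    for i, inh in enumerate(LEVELS):
        for j, ctl in enumerate(CONTROL_ORDER):
            here = RANK[residual_rating(inh, ctl)]
            if j > 0 and here > RANK[residual_rating(inh, CONTROL_ORDER[j - 1])]:
                return False
            if i > 0 and here < RANK[residual_rating(LEVELS[i - 1], ctl)]:
                return False
    return True


@dataclass
class RiskItem:
    regulation: str
    likelihood: str
    exposure: str
    control_strength: str
    trend: str = "Stable"      # Increasing / Stable / Decreasing (slide 38)


def assess(item: RiskItem) -> dict:
    score = inherent_score(item.likelihood, item.exposure)
    inherent = inherent_rating(score)
    return {"regulation": item.regulation, "inherent_score": score,
            "inherent": inherent, "trend": item.trend,
            "residual": residual_rating(inherent, item.control_strength)}


def needs_attention(assessment: dict, tolerance: str = "Moderate") -> bool:
    """Outside tolerance, or sitting on the tolerance line and trending up."""
    r, t = RANK[assessment["residual"]], RANK[tolerance]
    return r > t or (r == t and assessment["trend"] == "Increasing")


# Constructed register. Likelihood/exposure for B, C, E and FDCPA are from
# slide 25 and Reg B's Adequate control from slide 34; the SAR row's High
# inherent and Strong control are from slide 35 (its High/High split is
# assumed). Control ratings for C, E, FDCPA and every trend are assumptions.
REGISTER = [
    RiskItem("Reg B", "High", "High", "Adequate"),
    RiskItem("Reg C", "Moderate", "High", "Adequate"),
    RiskItem("Reg E", "Moderate", "Moderate", "Strong"),
    RiskItem("FDCPA", "Moderate", "Moderate", "Adequate", trend="Increasing"),
    RiskItem("SAR 31 CFR 103.21", "High", "High", "Strong"),
]


def attention_list(register=REGISTER, tolerance: str = "Moderate") -> list:
    """Regulations needing a mitigation plan or increased review (slides 38, 40)."""
    return [a["regulation"] for a in map(assess, register) if needs_attention(a, tolerance)]


if __name__ == "__main__":
    assert matrix_is_monotone(), "residual matrix has a cell out of order"
    for a in map(assess, REGISTER):
        flag = "ACTION" if needs_attention(a) else "ok"
        print(f"{a['regulation']:<20} inherent {a['inherent_score']} ({a['inherent']:<8}) "
              f"residual {a['residual']:<8} trend {a['trend']:<10} {flag}")
```

With a Moderate tolerance only FDCPA is flagged, because its residual sits on the tolerance line while its trend is Increasing; drop the tolerance to Low and every Moderate residual, including the SAR row despite its Strong controls, lands on the list. The monotone check is worth keeping beside the methodology document: it catches a swapped cell in the residual matrix, which otherwise shows up only when a business unit asks why stronger controls gave it a worse rating.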
38. Risk Trend
The direction of risk and probable change
over the next 12 months.
Increasing – suggests additional controls or
increased review.
Stable – may require no action.
Decreasing – may suggest controls can be
decreased.
39. Implementing Your Risk Assessment
Develop a methodology document:
• State risk tolerance
• Develop heat map scales
• Discuss and socialize
• Consider collaborating with other Risk
Teams in your bank
40. Implementing Your Risk Assessment
Risk Assessment can be developed /
segmented by:
• Regulation
• Business Unit / Department / Manager
• Product / Services
If you discovered any gaps in controls,
develop a mitigation plan
41. Updating Your Risk Assessment
Inherent Risk Ratings
• Update at least annually
• Document ratings
Controls / Residual Risk Ratings
• Review outstanding issues regularly
• Update quarterly
42. Updating Your Risk Assessment
To ensure your Risk Assessment stays
current, you will also want to update it for:
• New or Revised Products / Services
• New / Amended Regulations
Editor's Notes
9:00
Meg
20 minutes / 14 slides
9:03
3 minutes
Yesterday: The Tools
Today: The Blue Ring – Compliance Risk Management
Tomorrow: Deeper Dive on Blue -- Vendor Management, Managing Change, Managing Training (control or corrective)
Next Day: Red Ring -- CEO Panel, Exam Management, Root Cause
Last Day: Green Ring -- Regulator Panel, Reputation Risk, Complaints
9:04
1 minute
This Morning:
Designing Your Program – Strategy and Goals
Risk Assessment Basics and Implementation
After Lunch:
Developing a Monitoring Program to Check your work
Corrective Action
Reporting your findings
Case Study Exercises throughout the day. By the end of today, you will have your virtual bank thought out.
---
How often does your bank go through this exercise?
Annually?
3 year plan?
5 year plan?
More?
9:05
1 minute
The Board should set your risk appetite
Where is it for your institution?
Do you want to be best in class? Just good enough? Reactive?
1 minute
9:06
First Step
The terms can be used interchangeably
2 minutes
9:10
Second Step
Company Goals
Compliance Goals
Personal Goals
BU Compliance Goals
-- watch out for something you can control (e.g. # of audit findings for BU)
2 minutes
9:14
THIRD
Also part of strategy is defining how you will structure the team.
The first aspect is assigning responsibilities.
Board – ultimately responsible for compliance
Exec Team – set the tone
Compliance – provides advice
All employees – responsible for compliance
** Board approved Program document to make sure everyone is aware of their duty.
2 minutes
9:16
Also part of structure is determining how you will structure the team
No right or wrong way.
How are you set up?
May not have as much leeway here. Don’t need to re-evaluate this as frequently.
1 minute
9:17
Take the following into consideration when setting structure.
Program should be commensurate with the size, location and product mix of your institution.
1 minute
9:18
Last, but not Least:
State what you cover AND what you don’t
Make sure the Board can get a full view of compliance, regardless of how it is covered.
We should contrast the general risk assessment with the required say BSA Program or Fair Lending assessment. First determine your regulatory controls and gaps, then use that as a stepping stone for developing the program assessment.
Note the addition of Consumer Risk Assessment as it is woven throughout the class
See Inherent Risk handout
We will want to have some conversation around this one.
Give reference?
Step 1
11:00
Greggles
30 minutes / 22 slides
State as a control rather than just the procedure.
Litigation risk to deem a control non-existent
Another way to do it versus Slide 47
Holistic view of regulation here
Shows process all the way through
Q: Is this calculated strictly or can you modify based on additional factors?
CFPB also notes the date the direction last changed.
Methodology document – state risk tolerance
Scales can be 1-3 or 1-5
Work with Audit / Info Sec / Etc to develop a common language
Determine which regs apply
Document this step so there are no questions about why something does not apply
Depending on your situation, may want to classify regulations
Document likelihood, exposure and rationale and trend (reg or category thereof)
BSA is High; FCRA rate affiliate transactions, credit reporting and red flags separately
Calculate inherent from this according to your methodology
Develop the RA
ASK: how have you all done it?
BU -- complicated or varied businesses (e.g. CAM)
Regulation --one set of controls through the bank or smaller unit (e.g. BML or Reg O)
Product (Mortgage)
Other? Business process
One week per reg
Good first step when start; meet people and learn business
Discuss the completed RA with the BU
You determine inherent risk
Ensure docs are accurate / All stakeholders agree
You get final say on control strength (rest is set)
5. Mitigation (covering this afternoon)
If you find gaps in controls, mitigate them
Assign an owner
Stay on top of plans
6. This is first step to AML RA
Once you have completed the RA, you will want to keep it current
Inherent Risk Ratings
Gather the experts
Legal / Others?
Review and Update at least annually
Best practice is 6 months
Document the ratings for posterity
Vote by Committee
Controls / Residual Risk Ratings
Review outstanding issues regularly for updates, esp mitigation
Includes anything outside of risk tolerance
Sit down with the BU at least quarterly
Discuss anything that has changed (process, product, personnel)
You will discover something new every time and they learn the reg.
11:30
As you implement new products, complete a risk assessment. Don’t wait for quarterly updates
If there is a new rule to be implemented, also complete an assessment to make sure you are covered.
Don’t let your hard work lapse!
Maintenance is much easier than starting over
It provides the basis for your program direction (resources, systems, headcount, etc) so you want it to be current
QUESTIONS about implementing your RA?
Take a minute to write down something you want to do with your risk assessment when you get home.