Washington Bankers Association
Executive Development Program
Audit and Compliance
Risk Management: The Continuous Program Cycle
Presenter: David McCrea, U.S. Program Manager, Global Regulatory Compliance Team, Infosys Limited
[Diagram: the continuous program cycle]
Influences: Government; Environment; Community; Competition
Cycle elements: Refine/Establish Strategy, Goals & Objectives; Refine/Establish Control Environment; Report Results; Measure Performance Through Testing/Monitoring of Control Environment; Take Corrective Action
Risk Management Process Ownership: Senior Management; Business; Compliance; Board/Audit
The Continuous Program Cycle
• Designing
• Implementing & Checking
• Correcting & Reporting
Setting Strategy and Structure
• Strategic Planning = the art and science of determining where an organization is going and how it’s going to get there.
Setting Strategy and Structure
• What is management’s risk appetite?
– Risk tolerant?
– Risk averse?
– Somewhere in between?
Setting Strategy & Structure
• Vision Statement – aka – Mission Statement
– A brief “big picture” description of your compliance program purpose and method.
Setting Strategy and Structure
• Setting goals and objectives:
– Goals are observable and measurable overall end results, and
– Objectives are the steps to achieve specific results within a fixed time frame.
• Compliance Department goals
• Business Unit compliance goals
• Company Goals
Setting Strategy and Structure
• Defining a structure – roles and responsibilities
– Compliance and Audit responsibility ultimately lies with the board of directors
– Executive management needs to set the tone
– Compliance/Risk Management provides the expertise and advice
– The business units have responsibility to “do” risk management
Setting Strategy and Structure
• Defining a structure
– Compliance/Audit/Risk Management department configurations: Solo; Committee; Numerous specialists; Outsourcing; Others?
(What about the centralized – decentralized continuum?)
Setting Strategy and Structure
• Defining a structure - continued
– Bank’s asset size;
– Number of employees;
– Number of branches and locations;
– Product mix;
– Services;
– Other?
• Risk Profile (coming soon…)
Setting Strategy and Structure
• Defining Scope
– What do you cover?
– What do you NOT cover?
• BSA?
• Fair Lending?
• CRA?
• SOX / BASEL?
• Info Sec?
• Loan Review?
• Other?
Ensure coverage for all out-of-scope functions.
Assessing Risks
• Risk identification
• Risk types
• Risk ranking
• Controls Effectiveness
Risk Identification
The detection and analysis of potential risks that may prevent the achievement of the bank’s objectives
– What type of products and services does the bank offer?
– What types of systems does the bank have in place, and to what extent are processes automated?
– What is your charter structure(s), and who is/are your regulator(s)?
– What regulations apply to the above?
Forms of Assessment
Risk assessments can take many different forms and have different purposes:
• Product/Service specific (e.g., HELOCs or e-banking)
– Initial assessment of a new product or ongoing performance
• Segmented by regulation (e.g., Reg. CC or Dodd-Frank)
– May be required, such as AML/BSA or Identity Theft Prevention
• Segmented by Business Line
• Compliance Program (how is the program functioning)
• Consumer Risk Assessment
• Overall Compliance Performance (how is the company performing)
Risk Types
• Inherent risk – the measure of risk before controls
• Residual risk – the measure of risk after controls
Or: Inherent Risk + Controls = Residual Risk
Assigning an Inherent Risk Rating
– Inherent compliance risk is risk that is a basic, natural and inseparable component or characteristic of a regulation. (Note: inherent risk is risk before the consideration of controls.) These components could include the following risk sub-categories:
• Financial
• Litigation
• Transaction
• Reputation risks
• Regulatory Environment
Inherent Risk Ranking
– Exposure – the extent of potential damage
– Likelihood – the probability that an actual event will occur, and/or that the resulting exposure from that event will take place
Inherent Risk Ranking
Making Sense of Multiple Views
• Regulation
• Consumer Risk
• UDAAP Risk
Risk Ranking Exposure (High)
Exposure HIGH:
• Significant or systemic violations
• Repeat violations
• Severe regulatory criticism
• Cease and desist orders
• Memorandums of Understanding
• Corrective actions with large economic impact and/or reputation damage
Risk Ranking Exposure (Moderate)
Exposure MODERATE:
• Violations lead to some regulatory criticism
• Some corrective actions with less significant economic impact and/or less significant reputation damage
Risk Ranking Exposure (Low)
Exposure LOW:
• Violations, if any, are not considered significant or systemic
• Minimal, if any, economic impact and/or reputation risk
Risk Ranking Likelihood
HIGH – Almost certain risk will occur.
MOD – 50-50 chance risk will occur.
LOW – Most likely risk will not occur.
Inherent Risk Heat Map
[Heat map figure: rows Likelihood HIGH / MODERATE / LOW; columns Exposure LOW / MODERATE / HIGH; cell ratings LOW - 0, LOW - 1, MOD - 2, MOD - 2, MOD - 3, MOD - 3, HIGH - 4, HIGH - 4, HIGH - 5 (grid placement of each cell is not preserved in this rendering)]
Inherent Risk Rating
Using a Heat Map is not the only way to visualize Risk. Other possibilities:
-- Use numeric rating
-- Color Code
-- Other?
The Key is to know your audience.
Inherent Risk Rating (sample 1)
Regulation | Likelihood | Exposure | Regulatory Compliance Inherent Risk / Comments
B | High | High | HIGH: High scrutiny; impacts all customers; high fines and rep risk
C | Moderate | High | HIGH: High scrutiny; high reputation risk
E | Moderate | Moderate | MODERATE: Could be new focus with CFPB
FDCPA | Moderate | Moderate | MODERATE: Trending up due to economic environment
Assessing Risks
• Risk Controls Definition
– Preventive Controls
– Detective Controls
• Assessing Control Effectiveness
– Primary Controls
– Secondary and other controls
Control Activities
Help ensure that directives are carried out. They can either be preventive or detective:
– Preventive controls are generally applied at points where errors or irregularities could occur in the process
– Detective controls discover errors during or after occurrence
Preventive Controls
• Automated controls (e.g., system edit features for data entry control)
• System processing controls (e.g., editing, balancing and internal control checks)
• Written procedures and Training can be controls
• Independent checks to determine if assigned responsibilities are completed and recorded amounts are accurate (e.g., account reconciliation, computer-programmed controls, management review of reports)
• Approval and authorizations for transactions and activities
Detective Controls
• Review of exception reports, reconciliations, SAR reports, and other ad hoc reports to detect erroneous or improper processing of transactions
• Asset control activities, including periodic asset counts, comparison of physical counts to accounting records, investigation of discrepancies, establishment of physical safeguards, and maintenance of proper purchase authorizations
Inventory the Preventive & Detective Controls
Primary controls: These represent the most effective of the controls deployed to this risk. Your control effectiveness rating is essentially the rating of this particular control.
Inventory the Preventive & Detective Controls
Secondary or additional controls: Where they exist, these can include compensating controls that indirectly assist in achieving control objectives (such as third party review of transactions). They may also include policies and procedures referenced by the business in their risk self-assessment.
Rating the Control Environment
• Evaluate overall risks (stratify your inherent vs. residual risks)
• Establish level of confidence in control effectiveness ratings
• Evaluate the “tone from the top”
• Anticipate regulatory scrutiny
Risk Ranking Control Strength
Strong – Controls prevent risk from occurring.
Adequate – Control typically prevents risk from occurring.
Weak – Control is non-existent or ineffective in controlling risk.
Control Strength Example 1
Reg B / Section | Owner | Control | Comments | Rating
202.4(b) No discouragement | Loan Consultants | Agents are scripted to ensure application process is consistent and non-discriminatory; Annual Training is also required | Rating is based on primarily manual nature of controls | Adequate
202.4(c) Written Applications | Marketing; Legal | Marketing produces all applications, which have been approved by Legal | | Adequate
Control Strength Example 2
Requirement & Citation | Business units Impacted | Inherent Risk Rating | Controls and mitigations | Control Effectiveness Rating | Residual Risk Rating
Suspicious Activity Reporting, 31 CFR 103.21 | All | High | Automated forensic system review of transactions; Compliance Operations agent reviews; Annual training | Strong | Moderate
Residual Risk Ratings
Residual risk ratings should be based upon the inherent risk rating and the controls effectiveness rating for each regulation. A residual risk rating of high, moderate or low can be assigned. The basic formula is: inherent risk + control effectiveness = residual risk.
Residual Risk Ratings
Residual risk ratings can then be plotted on a matrix, or “heat map”, as shown below (rows: Inherent Risk Rating; columns: Control Effectiveness Rating; cells: Residual Risk Rating):
Inherent Risk Rating | Strong | Adequate | Weak
High | Moderate | Moderate | High
Moderate | Low | Moderate | Moderate
Low | Low | Low | Low
Risk Trend
The direction of risk and probable change over the next 12 months.
Increasing – suggests additional controls or increased review.
Stable – may require no action.
Decreasing – may suggest controls can be decreased.
Implementing Your Risk Assessment
Develop a methodology document:
• State risk tolerance
• Develop heat map scales
• Discuss and socialize
• Consider collaborating with other Risk Teams in your bank
Implementing Your Risk Assessment
Risk Assessment can be developed / segmented by:
• Regulation
• Business Unit / Department / Manager
• Product / Services
If you discovered any gaps in controls, develop a mitigation plan.
Updating Your Risk Assessment
Inherent Risk Ratings
• Update at least annually
• Document ratings
Controls / Residual Risk Ratings
• Review outstanding issues regularly
• Update quarterly
Updating Your Risk Assessment
To ensure your Risk Assessment stays current, you will also want to update it for:
• New or Revised Products / Services
• New / Amended Regulations
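The rating method the deck walks through (likelihood and exposure combined on a heat map for the inherent rating, inherent rating and control effectiveness combined on the residual matrix, inherent ratings refreshed at least annually and controls/residual ratings quarterly, a mitigation plan wherever a control gap leaves residual risk High) as one small risk register. This is an added example, not part of the deck or of any Infosys material. The residual matrix is copied from the slide and the likelihood/exposure pairs for Reg B, C, E, FDCPA and the SAR row come from the deck's sample tables; the placement of the heat map cell values, the control strengths for B/C/E/FDCPA, and every date are assumptions constructed for the example and marked as such in the code.

```python
"""Compliance risk register implementing the deck's rating method (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("Low", "Moderate", "High")               # likelihood, exposure and risk ratings
CONTROL_STRENGTH = ("Strong", "Adequate", "Weak")  # control effectiveness ratings

# ASSUMPTION: the deck's heat map carries the cell values LOW-0, LOW-1, MOD-2,
# MOD-2, MOD-3, MOD-3, HIGH-4, HIGH-4, HIGH-5, but the extracted slide does not
# show which cell holds which value. The placement below is ours; it agrees with
# the three pairs the deck's sample table does state (High/High -> HIGH,
# Moderate/High -> HIGH, Moderate/Moderate -> MODERATE).
INHERENT_HEAT_MAP = {  # (likelihood, exposure) -> (rating, score)
    ("Low", "Low"): ("Low", 0),
    ("Low", "Moderate"): ("Low", 1),
    ("Low", "High"): ("Moderate", 2),
    ("Moderate", "Low"): ("Moderate", 2),
    ("Moderate", "Moderate"): ("Moderate", 3),
    ("Moderate", "High"): ("High", 4),
    ("High", "Low"): ("Moderate", 3),
    ("High", "Moderate"): ("High", 4),
    ("High", "High"): ("High", 5),
}

# Residual risk matrix exactly as the deck shows it:
# row = inherent rating, column = control effectiveness rating.
RESIDUAL_MATRIX = {
    "High":     {"Strong": "Moderate", "Adequate": "Moderate", "Weak": "High"},
    "Moderate": {"Strong": "Low",      "Adequate": "Moderate", "Weak": "Moderate"},
    "Low":      {"Strong": "Low",      "Adequate": "Low",      "Weak": "Low"},
}

INHERENT_REVIEW_INTERVAL = timedelta(days=365)  # deck: update at least annually
CONTROLS_REVIEW_INTERVAL = timedelta(days=92)   # deck: update quarterly


def inherent_rating(likelihood, exposure):
    """Heat-map lookup; rejects values off the deck's three-point scales."""
    if likelihood not in LEVELS or exposure not in LEVELS:
        raise ValueError(f"likelihood and exposure must be one of {LEVELS}")
    return INHERENT_HEAT_MAP[(likelihood, exposure)]


def residual_rating(inherent, control_effectiveness):
    """Deck's formula: inherent risk + control effectiveness = residual risk."""
    if inherent not in LEVELS or control_effectiveness not in CONTROL_STRENGTH:
        raise ValueError("inherent must be in LEVELS, control strength in CONTROL_STRENGTH")
    return RESIDUAL_MATRIX[inherent][control_effectiveness]


@dataclass
class RiskEntry:
    regulation: str
    likelihood: str
    exposure: str
    control_effectiveness: str
    inherent_reviewed: date   # when the inherent rating was last documented
    controls_reviewed: date   # when controls / residual risk were last reviewed
    trend: str = "Stable"     # Increasing / Stable / Decreasing

    def inherent(self):
        return inherent_rating(self.likelihood, self.exposure)[0]

    def residual(self):
        return residual_rating(self.inherent(), self.control_effectiveness)


def assess(entries, today):
    """Rate each entry and flag overdue reviews, rising trends and High residuals."""
    report = []
    for e in entries:
        flags = []
        if today - e.inherent_reviewed > INHERENT_REVIEW_INTERVAL:
            flags.append("inherent rating overdue (annual update)")
        if today - e.controls_reviewed > CONTROLS_REVIEW_INTERVAL:
            flags.append("controls/residual rating overdue (quarterly update)")
        if e.trend == "Increasing":
            flags.append("trend increasing: consider additional controls or review")
        if e.residual() == "High":
            flags.append("residual High: control gap, develop a mitigation plan")
        report.append({"regulation": e.regulation, "inherent": e.inherent(),
                       "residual": e.residual(), "flags": flags})
    return report


# Constructed register: likelihood/exposure for Reg B, C, E and FDCPA, and the High
# inherent rating with Strong controls for SAR, follow the deck's sample tables;
# the control strengths for B/C/E/FDCPA and every date are made up for this example.
ASSESSMENT_DATE = date(2024, 6, 30)
SAMPLE_REGISTER = [
    RiskEntry("Reg B", "High", "High", "Adequate", date(2024, 1, 15), date(2024, 5, 15)),
    RiskEntry("Reg C", "Moderate", "High", "Weak", date(2023, 3, 1), date(2024, 2, 1)),
    RiskEntry("Reg E", "Moderate", "Moderate", "Adequate", date(2024, 1, 15), date(2024, 5, 15)),
    RiskEntry("FDCPA", "Moderate", "Moderate", "Strong", date(2024, 1, 15), date(2024, 5, 15), "Increasing"),
    RiskEntry("SAR 31 CFR 103.21", "High", "High", "Strong", date(2024, 1, 15), date(2024, 5, 15)),
]


def sample_report():
    """Assessment of the constructed register, keyed by regulation."""
    return {r["regulation"]: r for r in assess(SAMPLE_REGISTER, ASSESSMENT_DATE)}


if __name__ == "__main__":
    for name, r in sample_report().items():
        print(f"{name:<20} inherent={r['inherent']:<9} residual={r['residual']:<9} {'; '.join(r['flags'])}")
```

Running the block prints one line per regulation; the SAR row reproduces the deck's own result (High inherent, Strong controls, Moderate residual), and Reg C shows why the two update cadences are separate checks: an inherent rating can be a year stale while the controls review is merely a quarter late, and both need flagging before the residual High is trusted.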

2. Risk Management.pptx
Editor's Notes

  1. 9:00 Meg 20 minutes / 14 slides
  2. 9:03 3 minutes
    Yesterday: The Tools
    Today: The Blue Ring – Compliance Risk Management
    Tomorrow: Deeper Dive on Blue – Vendor Management, Managing Change, Managing Training (control or corrective)
    Next Day: Red Ring – CEO Panel, Exam Management, Root Cause
    Last Day: Green Ring – Regulator Panel, Reputation Risk, Complaints
  3. 9:04 1 minute
    This Morning: Designing Your Program – Strategy and Goals; Risk Assessment Basics and Implementation
    After Lunch: Developing a Monitoring Program to check your work; Corrective Action; Reporting your findings
    Case Study Exercises throughout the day. By the end of today, you will have your virtual bank thought out.
  4. --- How often does your bank go through this exercise? Annually? 3 year plan? 5 year plan? More?
  5. 9:05 1 minute The Board should set your risk appetite Where is it for your institution? Do you want to be best in class? Just good enough? Reactive?
  6. 1 minute 9:06 First Step The terms can be used interchangeably
  7. 2 minutes 9:10 Second Step
    Company Goals; Compliance Goals; Personal Goals; BU Compliance Goals – watch out for something you can control (e.g. # of audit findings for BU)
  8. 2 minutes 9:14 Third
    Also part of strategy is defining how you will structure the team. The first aspect is assigning responsibilities.
    Board – ultimately responsible for compliance
    Exec Team – set the tone
    Compliance – provides advice
    All employees – responsible for compliance
    ** Board-approved Program document to make sure everyone is aware of their duty.
  9. 2 minutes 9:16 Also part of structure is determining how you will structure the team No right or wrong way. How are you set up? May not have as much leeway here. Don’t need to re-evaluate this as frequently.
  10. 1 minute 9:17 Take the following into consideration when setting structure. Program should be commensurate with the size, location and product mix of your institution.
  11. 1 minute 9:18 Last, but not Least: State what you cover AND what you don’t Make sure the Board can get a full view of compliance, regardless of how it is covered.
  12. We should contrast the general risk assessment with the required say BSA Program or Fair Lending assessment. First determine your regulatory controls and gaps, then use that as a stepping stone for developing the program assessment.
  13. Note the addition of Consumer Risk Assessment as it is woven throughout the class
  14. See Inherent Risk handout
  15. We will want to have some conversation around this one.
  16. Give reference?
  17. Step 1
  18. 11:00 Greggles 30 minutes / 22 slides
  19. State as a control rather than just the procedure.
  20. Litigation risk to deem a control non-existent
  21. Another way to do it versus Slide 47 Holistic view of regulation here Shows process all the way through
  22. Q: Is this calculated strictly or can you modify based on additional factors?
  23. CFPB also notes the date the direction last changed.
  24. Methodology document – state risk tolerance
    Scales can be 1-3 or 1-5
    Work with Audit / Info Sec / etc. to develop a common language
  25. Determine which regs apply
    Document this step so there are no questions about why something does not apply
    Depending on your situation, may want to classify regulations
    Document likelihood, exposure and rationale and trend (reg or category thereof)
    BSA is High; FCRA: rate affiliate transactions, credit reporting and red flags separately
    Calculate inherent from this according to your methodology
    Develop the RA
    ASK: how have you all done it?
    BU – complicated or varied businesses (e.g. CAM)
    Regulation – one set of controls through the bank or smaller unit (e.g. BML or Reg O)
    Product (Mortgage)
    Other? Business process
    One week per reg
    Good first step when you start; meet people and learn the business
    Discuss the completed RA with the BU
    You determine inherent risk
    Ensure docs are accurate / all stakeholders agree
    You get final say on control strength (rest is set)
    5. Mitigation (covering this afternoon)
    If you find gaps in controls, mitigate them
    Assign an owner
    Stay on top of plans
    6. This is the first step to the AML RA
  26. Once you have completed the RA, you will want to keep it current
    Inherent Risk Ratings
    Gather the experts – Legal / others?
    Review and update at least annually; best practice is 6 months
    Document the ratings for posterity
    Vote by Committee
    Controls / Residual Risk Ratings
    Review outstanding issues regularly for updates, esp. mitigation
    Includes anything outside of risk tolerance
    Sit down with the BU at least quarterly
    Discuss anything that has changed (process, product, personnel)
    You will discover something new every time, and they learn the reg.
  27. 11:30
    As you implement new products, complete a risk assessment. Don’t wait for quarterly updates.
    If there is a new rule to be implemented, also complete an assessment to make sure you are covered.
    Don’t let your hard work lapse! Maintenance is much easier than starting over.
    It provides the basis for your program direction (resources, systems, headcount, etc.), so you want it to be current.
    QUESTIONS about implementing your RA?
    Take a minute to write down something you want to do with your risk assessment when you get home.