The hallmark of an effective compliance management system is a meaningful risk assessment that provides actionable data to the compliance team and executive management. In this age of regulatory uncertainty, it is as important as ever to maintain and enhance the risk assessment process to ensure it provides valuable data that allows a bank’s compliance department to effectively prioritize risk and efficiently address areas needing enhanced or updated controls.
A detailed risk assessment, covering all regulations, products, processes, business units, and their accompanying risks, provides additional risk-based justification to both your executives and regulators to support the focus of your limited compliance resources. These risks and other details can be scored and used to compare one control to another. This data can then help answer questions about how much risk is present and justify why executives should fund various business initiatives that impact the compliance risk of a company.
To further that objective, this article will discuss best practices in scoring risks during the risk assessment process, the appropriateness of manual score overrides by the compliance team, and how results should influence compliance monitoring and testing schedules.
Scoring inherent risk is the backbone of the entire risk assessment. The risk inherent in the business of banking is the underlying reason to have a control environment. If the inherent risk in day-to-day activities is not accurately defined and assessed, the entire risk assessment will be skewed, and something will be missed.
Often, however, the compliance department is more focused on the accuracy of control data provided by lines of business and not the inherent risk ratings. Control scoring is important to determine the validity of risk mitigation efforts. But it does not yield valuable results if the risk you are attempting to mitigate remains essentially undefined.
Inherent risk needs to be given ample attention, and inherent risk questions need to be evaluated each year for changing internal and external factors, such as innovations in product suites and the shifting regulatory landscape.
A “check the box” approach is not the best way to capture inherent risk. Rather, you should be as qualitative and descriptive as possible. Indeed, regulators have been suggesting that banks report more inherent and residual risk scores at greater levels of detail. To increase granularity at the inherent risk level (and consequentially in the residual risk score), inherent risk questions need to capture a more detailed picture of the risk environment that exists at the institution and in the industry.
Typically, a “check the box” question surrounding legal risk would be worded to say, “Has the institution had litigation surrounding this regulatory area in the past 12 months?” However, this question only serves to quantify something that is already known by the compliance team, where a “yes” would provide a higher inherent risk score, and a “no” would provide a lower inherent risk score. Another downside of this question is that the respondent is stuck choosing between two extremes—there is no leeway to explain or quantify industry trends or other factors that could impact the risk. It is critical that inherent risk questions move away from binary extremes, and toward qualitative descriptions, as shown in the below example.
This question not only accounts for legal issues at the institution, but also benchmarks the wider industry to capture risk that is inherent in failure to comply with the regulation. It also allows the compliance department to factor the bank’s overall risk appetite into the structure of scoring each response. In the example, the highest risk was assigned to ongoing litigation at the institution.
When inherent risk responses require the compliance department to determine what constitutes low- and high-risk activities, those responses should align with the amount of risk the institution is comfortable maintaining. By adding more granularity to the scoring for inherent risk, the risk assessment gains the ability to further differentiate between risks and provide additional focus where needed. This level of granularity allows for more pinpoint accuracy that will further test a control’s ability to properly mitigate the risk.
Control strength scoring is another area of the risk assessment that needs to move away from the two standard choices—automated or manual. Most controls will be a mix of automated features and manual processes. While some may be fully automated or fully manual, there must be room in the scoring methodology to allow for an accurate depiction of what the control is doing. It is also possible that the same control can be used to mitigate several different risks, and the task for which the control is used dictates the level of automation. When the level of automation is captured, the control’s score becomes far more valuable because it reflects what the control actually does.
The combination of descriptive, qualitative-based inherent risk questions with more accurate control scoring yields a true gold mine for the compliance team—an accurate assessment of the risks inherent in the bank, with a control environment designed to mitigate those risks.
Manual Overrides of Scores
When the risk assessment is answered and data begins to pour in, this is the time that the compliance department must assess each resulting score and put it in the context of the team’s knowledge of the bank. While it is critical to maintain a uniform methodology for scoring the risk assessment, it is equally important to call out scores that do not align with reasonable expectations based upon a working knowledge of the bank.
If the entire risk assessment yields unexpected results, a change in the overall methodology is most likely the correct solution. Where the majority of the risk assessment is scored within reasonable expectation, but only a small number of areas show unexpected scores, this is where manually overriding scores is advisable. A risk assessment is only as good as the questions asked and the respondent’s knowledge of the answers to those questions.
While enhancements like the ones described in this article can lead to more accurate scores, a sanity check by those who know the bank best is critical. High-risk areas that yield low or moderate residual risk scores may satisfy some risk owners (no one wants to have the highest risks), but their satisfaction is off base if the area is truly high-risk. Using sound judgment, the compliance department must weigh the respondent’s inputs on the control environment with the department’s intimate knowledge of the risks associated with the area in question, and raise a challenge if appropriate. In the event that scores are manually overridden, the methodology for this action should be documented and applied uniformly across the risk assessment.
Using the Results
With the more precise, robust risk assessment scores finalized, now is the time to determine exactly what should be done with these scores. Simply put, the risk assessment is a check on the bank’s risk management health. The scores demonstrate how well the bank is mitigating inherent risks while providing key data points on which areas may have seen significant increases or decreases in their inherent risk.
Taking action on the results can take many forms, such as implementing new controls or updating product suites. However, a more important use of scores is in compliance monitoring and testing schedules. The risk assessment data provides a roadmap for adjusting the frequency of control testing. If a product saw its residual risk fall from moderate to low, its control environment may not need monthly testing; conversely, if an area that was previously low-risk shows indications of control weakness moving its risk higher, the compliance team can adjust control testing frequency accordingly.
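The scoring approach described above (graded rather than yes/no inherent-risk responses, a control-strength score that reflects a mix of automation and manual work, documented manual overrides, and residual risk driving the testing cadence) can be made concrete in a small model. The following is an added example, not code from the article or from Treliant; every scale, weight, band threshold and sample response is an assumption chosen for illustration.

```python
from dataclasses import dataclass, field

# Graded legal-risk responses instead of a yes/no question; the highest score
# goes to ongoing litigation at the institution. Point values are assumptions.
LEGAL_RISK_RESPONSES = {
    "no litigation; industry enforcement quiet": 1,
    "no litigation; industry enforcement rising": 2,
    "litigation settled within past 12 months": 3,
    "ongoing litigation at the institution": 4,
}
# Residual-risk bands (0-4 scale) and the testing cadence each band implies
RISK_BANDS = [(1.0, "low"), (2.0, "moderate"), (4.01, "high")]
TEST_FREQUENCY = {"low": "annual", "moderate": "quarterly", "high": "monthly"}

@dataclass
class AreaAssessment:
    area: str
    inherent_responses: list       # scores from graded questions, each 1..4
    automation_pct: float          # 0.0 fully manual .. 1.0 fully automated
    control_effectiveness: float   # 0.0..1.0, taken from prior control testing
    overrides: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        return sum(self.inherent_responses) / len(self.inherent_responses)

    def control_strength(self) -> float:
        # A mixed control earns partial credit for automation; a fully manual
        # control still counts, scaled by how well it performed in testing.
        return self.control_effectiveness * (0.6 + 0.4 * self.automation_pct)

    def residual_risk(self) -> float:
        if self.overrides:                 # latest documented override wins
            return self.overrides[-1]["to"]
        return round(self.inherent_risk() * (1 - self.control_strength()), 3)

    def rating(self) -> str:
        score = self.residual_risk()
        return next(label for ceiling, label in RISK_BANDS if score < ceiling)

    def testing_frequency(self) -> str:
        return TEST_FREQUENCY[self.rating()]

    def override(self, new_score: float, reason: str, approver: str) -> None:
        # Overrides are logged with the prior score so the change stays auditable
        self.overrides.append({"from": self.residual_risk(), "to": new_score,
                               "reason": reason, "approver": approver})

def sample_area() -> AreaAssessment:
    # Constructed sample: ongoing litigation plus two other graded responses
    litigation = LEGAL_RISK_RESPONSES["ongoing litigation at the institution"]
    return AreaAssessment("mortgage disclosures", [litigation, 3, 3],
                          automation_pct=0.5, control_effectiveness=0.8)
```

With the sample inputs the area scores moderate residual risk (quarterly testing); a documented override by the compliance team raising it to high moves it onto the monthly schedule.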
Risk assessment results are like the market—they dictate where resources need to be focused based upon who (or what) needs it most. In markets, products with high demand receive the most resources; similarly, in a risk assessment, the higher risk-rated areas should receive the most attention in the forthcoming year. The risk assessment, when executed properly, can serve as a key instrument for success. By enhancing inherent risk and control responses, the value of that instrument skyrockets. It becomes a guide to maintaining compliance and staying agile in an uncertain landscape that is bound to continue changing at a moment’s notice.
Treliant, LLC, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry and Consumer-Oriented Businesses, brings to you New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the Fall 2018 issue. To subscribe to our quarterly newsletter, please Contact Us.