Regulatory pressures continue to push banks to manage and mitigate consumer compliance risks more effectively. Regulators expect financial institutions to establish and execute risk management programs that competently address both existing and emerging risks. This article delves into the essential role that a risk inventory plays in compliance risk management.
Compliance Risk Management Elements
The Office of the Comptroller of the Currency’s (OCC’s) Compliance Management Systems Handbook provides guidance on the fundamental elements of sound compliance risk management:
- Identify and understand risks: The risk inventory lays the foundation for the entire compliance management system. Inventorying encompasses the continual identification of existing and emerging risks at the transactional, portfolio, and enterprise levels. Risk inventories also need to incorporate risks that arise within subsidiaries, in third-party relationships, and from regulatory changes. Additionally, they entail understanding the risks and associated root causes, to assist in mitigating future occurrences. Absent the ability to adequately identify, understand, and inventory risk exposures, the risks cannot be appropriately addressed and may be heightened.
- Measure risk: Accurate and timely measurement of inventoried risks is another important element in order to ensure effective risk management. The lack of strong performance measures can impact a bank’s ability to manage and self-regulate its regulatory control environment.
- Control risk: The board and senior management need to set risk limits and require the escalated reporting of exceptions, as a means to control compliance risk exposures.
- Monitor risk: Management also needs to continuously monitor adherence to these established risk levels. A well-designed monitoring system assists senior management and the board in holding management ranks accountable for operating within a bank’s risk appetite.
Risk Inventory: How-To
While all four compliance risk management elements mentioned above are important, the identification/inventorying process is foundational to the success of each of the other three. And key to the success of the inventory is its thoroughness.
An incomplete inventory, or an inventory that is not sufficiently detailed, will not produce the full value that a comprehensive regulatory inventory can generate for a bank, and may actually result in increased risk to the institution. For example, if risks are missed or not properly identified, controls will not be developed or documented. Further, metrics that monitor control effectiveness may produce positive results though they do not fully assess all risks applicable to the bank, thus understating the actual risk present. If risks are not captured at a granular enough level, the specifics and intricacies of each regulatory requirement applicable to the organization will not be appropriately measured, and the corresponding controls will be written at a level that fails to protect against the actual compliance risk exposures.
An effective risk identification process is initiated by first identifying the statutory and regulatory requirements applicable to the bank. Then, for each section of each applicable law, regulation, or guidance, identify the distinct regulatory requirements that need to be followed. This requires capturing and recording the following data: the specific regulatory citation, the regulatory requirement language, and a risk statement documenting the impact of noncompliance.
Risk Inventory Benefits
Once a consumer compliance risk inventory is completed and the full universe of the regulatory risks applicable to the organization are identified and documented, an array of opportunities is available to banks to utilize the data and strengthen their regulatory control environment. These include:
- Assigning ownership: Accountability needs to be identified for each risk inventory item. The accountable owner is responsible for developing and maintaining detailed controls, control monitoring activities, and a comprehensive suite of metrics and measures that evidence regulatory compliance. This risk documentation effort not only enables institutions to better understand the regulations that are applicable to the bank, but defines the individual lines of business responsible for them. Resulting benefits include improvements in training, line-of-business awareness, departmental procedures, and control environments. Institutions will also be better prepared for regulatory examinations, internal audits, and compliance testing. Ultimately, the number of issues surfaced should reduce over time.
- Enabling self-assessment: Institutions should also consider utilizing the risk inventory’s output to conduct regular risk control self-assessments, tying the inventory of existing controls to the risks and then assessing the controls’ design effectiveness, operational effectiveness, and related performance metrics. Weaknesses, gaps, and missing controls will be surfaced and remedied as part of this exercise, as will instances of customer impact or regulatory violations. Effective self-regulation is reflective of a strong compliance management system. Alternatively, a control library could capture the potential gaps and weaknesses along with control behaviors (e.g., preventive/detective control, manual/automated control, in-house/third-party control, etc.). This approach is often initiated by the development of a process map, or use of an existing one. The regulatory requirements applicable to each step in the process are reviewed against the controls documented within the process map. For any weakness or missing control observed, a control description is developed, and the accountable owner is required to implement, document, and strengthen controls and the associated measurement activities.
- Supporting other compliance strategies: Upon the completion of the consumer compliance risk and control assessments, the data can be utilized by institutions as an input into the overall governance, risk management, and compliance (GRC) strategies deployed by the bank. Additionally, the data can be used as an input into numerous compliance-related assessments conducted by banks, in areas such as anti-money laundering or safety and soundness.
- Tying into complaint management: Another benefit is related to issues and complaint management. When a complaint is surfaced, for instance, the concern can be immediately tied back to a specific regulatory requirement and the owner of the control. Failures identified would result in the need to review and reevaluate the related control’s design effectiveness, operational effectiveness, and associated performance measures. As appropriate, root cause analysis could also be included—all supporting the objective of proactively addressing the risk and executing appropriate and end-to-end corrective action. Future instances of repeat issues should also be mitigated as control weaknesses are effectively identified and addressed.
These examples are only a sampling of the benefits that can be derived from the development of a strong consumer regulatory risk inventory. However, the inventory’s benefits will only be as strong as the value of the effort expended in creating it.
Regulatory scrutiny related to the adequacy of an institution’s consumer compliance risk management will continue to intensify. Examiners continue to expect that institutions will implement effective compliance risk management programs consistent with the size and complexity of the institution. The deployment of a strong risk inventory will assist with in the execution of an effective compliance management system. The frequency and the intensity of the risk inventory approach will determine the effectiveness of the effort, as well as the benefits a bank can realize.