Utah Bankers Association Executive Development Program Audit and Compliance Risk Management: The Continuous Program Cycle

Transcription

1 Utah Bankers Association Executive Development Program Audit and Compliance Risk Management: The Continuous Program Cycle Presenter: David McCrea Manager U.S. Compliance Program Finacle/EdgeVerve

2 Competition Influences Government Risk Management Process Refine/Establish Strategy, Goals & Objectives Report Results Board/ Audit Ownership Senior Management Compliance Business Refine/Establish Control Environment Environment Take Corrective Action Measure Performance Through Testing/ Monitoring of Control Environment Community

3 The Continuous Program Cycle Correcting & Reporting Designing Implementing & Checking

4 Setting Strategy and Structure Strategic Planning = the art and science of determining where an organization is going and how it s going to get there.

5 Setting Strategy and Structure What is management s risk appetite? Risk tolerant? Risk averse? Somewhere in between?

6 Setting Strategy & Structure Vision Statement aka Mission Statement A brief big picture description of your compliance program purpose and method.

7 Setting Strategy and Structure Setting goals and objectives: Goals are observable and measurable overall end results, and Objectives are the steps to achieve specific results within a fixed time frame. Compliance Department goals Business Unit compliance goals Company Goals

8 Setting Strategy and Structure Defining a structure roles and responsibilities Compliance and Audit responsibility ultimately lies with the board of directors Executive management needs to set the tone Compliance/Risk Management provides the expertise and advice The business units have responsibility to do risk management

9 Setting Strategy and Structure Defining a structure Compliance/Audit/Risk Management department configurations: Solo; Committee; Numerous specialists; Outsourcing; Others? (What about the centralized decentralized continuum?)

10 Setting Strategy and Structure Defining a structure - continued Bank s asset size; Number of employees; Number of branches and locations; Product mix; Services; Other? Risk Profile (coming soon )

11 Setting Strategy and Structure Defining Scope What do you cover? What do you NOT cover? BSA? Fair Lending? CRA? SOX / BASEL? Info Sec? Loan Review? Other? Ensure coverage for all out-of-scope functions.

12 Assessing Risks Risk identification Risk types Risk ranking Controls Effectiveness

13 Risk Identification The detection and analysis of potential risks that may prevent the achievement of the bank s objectives What type of products and services does the bank offer? What types of systems does the bank have in place and to what extent are processes automated? What is your charter structure(s), who is/are your regulator(s)? What regulations apply to the above?

14 Forms of Assessment Risk assessments can take many different forms and have different purposes: Product/Service specific (e.g., HELOCs, or e- banking) Initial assessment of a new product or ongoing performance Segmented by regulation (e.g., Reg. CC or UDAAP). May be required, such as AML/BSA or Identity Theft Prevention Segmented by Business Line Compliance Program (how is the program functioning) Consumer Risk Assessment Overall Compliance Performance (how is the company performing)

15 Risk Types Inherent risk the measure of risk before controls Residual risk the measure of risk after controls Or Inherent Risk + Controls = Residual Risk

16 Assigning an Inherent Risk Rating Inherent compliance risk is risk that is basic natural and inseparable component or characteristic of a regulation. (Note: Inherent risk is risk before the consideration of controls.) These components could include the following risk sub-categories: Financial Litigation Transaction Reputation risks Regulatory Environment

17 Inherent Risk Ranking Exposure the extent of potential damage Likelihood the probability that an actual event will occur, and/or that the resulting exposure from that event will take place

18 Inherent Risk Ranking Making Sense of Multiple Views Regulation Consumer Risk UDAAP Risk Reputation Risk

19 Risk Ranking Exposure (High) Exposure HIGH Significant or systemic violations Severe regulatory criticism Cease and desist orders Memorandums of Understanding Corrective actions with large economic impact and/or reputation damage Repeat Violations

20 Risk Ranking Exposure (Moderate) Exposure MODERATE Violations lead to some regulatory criticism Some corrective actions with less significant economic impact and/or less significant reputation damage

21 Risk Ranking Exposure (Low) Exposure LOW Violations, if any, are not considered significant or systemic. Minimal, if any, economic impact and/or reputation risk.

22 Risk Ranking Likelihood HIGH Almost certain risk will occur. MOD chance risk will occur. LOW Most likely risk will not occur.

23 Inherent Risk Heat Map Likelihood HIGH Likelihood MODERATE Likelihood LOW MOD - 2 LOW - 0 Exposure LOW HIGH - 4 LOW - 1 MOD - 3 MOD - 2 MOD - 3 Exposure MODERATE HIGH - 5 HIGH - 4 Exposure HIGH

24 Inherent Risk Rating Using a Heat Map is not the only way to visualize Risk. Other possibilities: -- Use numeric rating -- Color Code -- Other?

25 Inherent Risk Rating Sample Regulation Regulatory Compliance Inherent Risk / Likelihood Exposure Comments B High High HIGH: High scrutiny; impacts all customers; high fines and rep risk C Moderate High HIGH: High scrutiny; high reputation risk E Moderate Moderate MODERATE: Could be new focus with CFPB FDCPA Moderate Moderate MODERATE: Trending up due to economic environment

26 Assessing Risks Risk Controls Definition Preventive Controls Detective Controls Assessing Control Effectiveness Primary Controls Secondary and other controls

27 Control Activities Help ensure that directives are carried out. They can either be preventive or detective: Preventive controls are generally applied at points where errors or irregularities could occur in the process Detective controls discover errors during or after occurrence

28 Preventive Controls Automated controls (e.g., system edit features for data entry control) System processing controls (e.g., editing, balancing and internal control checks) Written procedures and Training can be controls Independent checks to determine if assigned responsibilities are completed and recorded amounts are accurate (e.g., account reconciliation, computer-programmed controls, management review of reports) Approval and authorizations for transactions and activities

29 Detective Controls Review of exception reports, reconciliations, SAR reports, and other ad hoc reports to detect erroneous or improper processing of transactions Asset control activities, including periodic asset counts, comparison of physical counts to accounting records, investigation of discrepancies, establishment of physical safeguards, and maintenance of proper purchase authorizations

30 Inventory the Preventive & Detective Controls Primary controls: These represent the most effective of the controls deployed to this risk. Your control effectiveness rating is essentially the rating of this particular control.

31 Inventory the Preventive & Detective Controls Secondary or additional controls: Where they exist can include compensating controls that indirectly assist in achieving control objectives (such as third party review of transactions). They may also include policies and procedures referenced by the business in their risk self-assessment.

32 Rating the Control Environment Evaluate overall risks (stratify your inherent vs. residual risks) Establish level of confidence in control effectiveness ratings Evaluate the tone from the top Anticipate regulatory scrutiny

33 Risk Ranking Control Strength Strong Adequate Controls prevent risk from occurring. Control typically prevents risk from occurring. Weak Control is non-existent or ineffective in controlling risk.

34 Residual Risk Ratings Residual risk ratings should be based upon the inherent risk rating and the controls effectiveness rating for each regulation A residual risk rating of high, moderate or low can be assigned. The basic formula is inherent risk + control effectiveness = residual risk

35 Residual Risk Ratings Residual risk ratings can then be plotted on a matrix, or heat map as shown below: Inherent Risk Rating Control Effectiveness Rating Strong Adequate Weak High Moderate Moderate High Moderate Low Moderate Moderate Low Low Low Low Residual Risk Rating

36 Risk Trend The direction of risk and probable change over the next 12 months. Increasing suggests additional controls or increased review. Stable may require no action. Decreasing may suggest controls can be decreased.

37 Updating Your Risk Assessment Inherent Risk Ratings Update at least annually Document ratings Controls / Residual Risk Ratings Review outstanding issues regularly Update quarterly

38 Updating Your Risk Assessment To ensure your Risk Assessment stays current, you will also want to update it for: New or Revised Products / Services New / Amended Regulations

39 Questions? 39