Risk Management: The Continuous Program Cycle

This document summarizes the key aspects of establishing a risk management program, including setting the strategy, structure, and scope. It discusses assessing inherent risks by identifying risks, assigning risk types, and ranking risks based on exposure and likelihood. Specific examples are provided to demonstrate how to evaluate inherent risks, such as using a heat map or numeric rating system to visualize different risk levels.
Washington Bankers Association

Executive Development Program


Audit and Compliance

Risk Management:
The Continuous Program Cycle

Presenter:
David McCrea
U.S. Program Manager
Global Regulatory Compliance Team
Infosys Limited
Influences
(Diagram: the Risk Management Process cycle, surrounded by the influences that act on it.)

Influences: Government; Investors; Media; Environment; Competition; Senior Management; Board; Audit; Compliance; Legal Issues; Business Changes; Community

Risk Management Process (cycle):
– Refine/Establish Strategy, Goals & Objectives
– Refine/Establish Risk Ownership
– Assess Risk Environment
– Assess Control Environment
– Assess Business Risk
– Measure Performance Through Testing/Monitoring of Control
– Take Corrective Action
– Report Results
The Continuous Program Cycle
(Diagram: a three-phase loop)
– Designing
– Implementing & Checking
– Correcting & Reporting
Setting Strategy and Structure
Strategic Planning = the art and science of determining where an organization is going and how it’s going to get there.
Setting Strategy and Structure
What is management’s risk appetite?

– Risk tolerant?
– Risk averse?
– Somewhere in between?
Setting Strategy & Structure
Vision Statement – aka – Mission Statement

– A brief “big picture” description of your compliance program purpose and method.
Setting Strategy and Structure
Setting goals and objectives:

– Goals are observable and measurable overall end results, and
– Objectives are the steps to achieve specific results within a fixed time frame.
Compliance Department goals
Business Unit compliance goals
Company Goals
Setting Strategy and Structure
Defining a structure – roles and responsibilities

– Compliance and Audit responsibility ultimately lies with the board of directors
– Executive management needs to set the tone
– Compliance/Risk Management provides the expertise and advice
– The business units have responsibility to “do” risk management
Setting Strategy and Structure
Defining a structure

– Compliance/Audit/Risk Management department configurations:
  • Solo;
  • Committee;
  • Numerous specialists;
  • Outsourcing;
  • Others?
(What about the centralized – decentralized continuum?)
Setting Strategy and Structure
Defining a structure – continued

– Bank’s asset size;
– Number of employees;
– Number of branches and locations;
– Product mix;
– Services;
– Other?
Risk Profile (coming soon…)
Setting Strategy and Structure
Defining Scope

– What do you cover?
– What do you NOT cover?
  • BSA?
  • Fair Lending?
  • CRA?
  • SOX / BASEL?
  • Info Sec?
  • Loan Review?
  • Other?

Ensure coverage for all out-of-scope functions.

Assessing Risks
Risk identification
Risk types
Risk ranking
Controls Effectiveness
Risk Identification
The detection and analysis of potential risks that may prevent the achievement of the bank’s objectives:
– What type of products and services does the bank offer?
– What types of systems does the bank have in place and to what extent are processes automated?
– What is your charter structure(s), who is/are your regulator(s)?
– What regulations apply to the above?
Forms of Assessment
Risk assessments can take many different forms and have different purposes:

• Product/Service specific (e.g., HELOCs, or e-banking)
  – Initial assessment of a new product or ongoing performance
• Segmented by regulation (e.g., Reg. CC or Dodd-Frank)
  – May be required, such as AML/BSA or Identity Theft Prevention
• Segmented by Business Line
• Compliance Program (how is the program functioning)
• Consumer Risk Assessment
• Overall Compliance Performance (how is the company performing)
Risk Types
Inherent risk – the measure of risk before controls
Residual risk – the measure of risk after controls

Or: Inherent Risk + Controls = Residual Risk
Assigning an Inherent Risk Rating
– Inherent compliance risk is the basic, natural and inseparable component or characteristic of a regulation. (Note: Inherent risk is risk before the consideration of controls.)
These components could include the following risk sub-categories:
• Financial
• Litigation
• Transaction
• Reputation risks
• Regulatory Environment
Inherent Risk Ranking
– Exposure – the extent of potential damage
– Likelihood – the probability that an actual event will occur, and/or that the resulting exposure from that event will take place
Inherent Risk Ranking
Making Sense of Multiple Views

• Regulation
• Consumer Risk
• UDAAP Risk
Risk Ranking Exposure (High)
Exposure HIGH
• Significant or systemic violations
• Severe regulatory criticism
• Memorandums of Understanding
• Cease and desist orders
• Corrective actions with large economic impact and/or reputation damage
• Repeat violations
Risk Ranking Exposure (Moderate)
Exposure MODERATE
• Violations lead to some regulatory criticism
• Some corrective actions with less significant economic impact and/or less significant reputation damage
Risk Ranking Exposure (Low)
Exposure LOW
• Violations, if any, are not considered significant or systemic.
• Minimal, if any, economic impact and/or reputation risk.
Risk Ranking Likelihood
HIGH – Almost certain risk will occur.
MOD – 50-50 chance risk will occur.
LOW – Most likely risk will not occur.


Inherent Risk Heat Map

                      Exposure LOW   Exposure MODERATE   Exposure HIGH
Likelihood HIGH       MOD - 2        HIGH - 4            HIGH - 5
Likelihood MODERATE   LOW - 1        MOD - 3             HIGH - 4
Likelihood LOW        LOW - 0        MOD - 2             MOD - 3
Inherent Risk Rating

Using a Heat Map is not the only way to visualize Risk. Other possibilities:
-- Use numeric rating
-- Color Code
-- Other?

The Key is to know your audience.

Inherent Risk Rating (sample 1)

Regulation   Regulatory Compliance Likelihood   Exposure   Inherent Risk / Comments
B            High                               High       HIGH: High scrutiny; impacts all customers; high fines and rep risk
C            Moderate                           High       HIGH: High scrutiny; high reputation risk
E            Moderate                           Moderate   MODERATE: Could be new focus with CFPB
FDCPA        Moderate                           Moderate   MODERATE: Trending up due to economic environment
Assessing Risks
Risk Controls Definition

– Preventive Controls
– Detective Controls
Assessing Control Effectiveness

– Primary Controls
– Secondary and other controls
Control Activities
Help ensure that directives are carried out. They can either be preventive or detective:

– Preventive controls are generally applied at points where errors or irregularities could occur in the process
– Detective controls discover errors during or after occurrence
Preventive Controls
• Automated controls (e.g., system edit features for data entry control)
• System processing controls (e.g., editing, balancing and internal control checks)
• Written procedures and Training can be controls
• Independent checks to determine if assigned responsibilities are completed and recorded amounts are accurate (e.g., account reconciliation, computer-programmed controls, management review of reports)
• Approval and authorizations for transactions and activities
Detective Controls
• Review of exception reports, reconciliations, SAR reports, and other ad hoc reports to detect erroneous or improper processing of transactions
• Asset control activities, including periodic asset counts, comparison of physical counts to accounting records, investigation of discrepancies, establishment of physical safeguards, and maintenance of proper purchase authorizations
Inventory the Preventive & Detective Controls

Primary controls:
These represent the most effective of the controls deployed to this risk. Your control effectiveness rating is essentially the rating of this particular control.
Inventory the Preventive & Detective Controls
Secondary or additional controls:
Where they exist, these can include compensating controls that indirectly assist in achieving control objectives (such as third party review of transactions). They may also include policies and procedures referenced by the business in their risk self-assessment.
Rating the Control Environment
Evaluate overall risks (stratify your inherent vs. residual risks)
Establish level of confidence in control effectiveness ratings
Evaluate the “tone from the top”
Anticipate regulatory scrutiny
Risk Ranking Control Strength
Strong – Controls prevent risk from occurring.
Adequate – Control typically prevents risk from occurring.
Weak – Control is non-existent or ineffective in controlling risk.
Control Strength Example 1 (Reg B)

Section: 202.4(b) No discouragement
  Owner: Loan Consultants
  Control: Agents are scripted to ensure application process is consistent and non-discriminatory; Annual Training is also required
  Comments: Rating is Adequate based on primarily manual nature of controls
  Rating: Adequate

Section: 202.4(c) Written Applications
  Owner: Marketing / Legal
  Control: Marketing produces all applications, which have been approved by Legal
  Rating: Adequate
Control Strength Example 2

Requirement & Citation: Suspicious Activity Reporting, 31 CFR 103.21
  Business units Impacted: All
  Inherent Risk Rating: High
  Controls and mitigations: Automated forensic system review of transactions; Compliance Operations agent reviews; Annual training
  Control Effectiveness Rating: Strong
  Residual Risk Rating: Moderate
Residual Risk Ratings

Residual risk ratings should be based upon the inherent risk rating and the controls effectiveness rating for each regulation.

A residual risk rating of high, moderate or low can be assigned. The basic formula is inherent risk + control effectiveness = residual risk.
Residual Risk Ratings
Residual risk ratings can then be plotted on a matrix, or “heat map” as shown below (cells give the Residual Risk Rating):

                       Control Effectiveness Rating
Inherent Risk Rating   Strong     Adequate   Weak
High                   Moderate   Moderate   High
Moderate               Low        Moderate   Moderate
Low                    Low        Low        Low
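The inherent heat map (with its 0-5 scores) and the residual matrix combined into one small rating routine, as an added example that is not part of the deck: the cell values are the ones the slides show, while the Regulation record, the trend handling and the action labels are assumptions, and the rows used to exercise it are constructed to mirror the deck's sample tables.

```python
from typing import NamedTuple

# Inherent heat map from the deck: (likelihood, exposure) -> (rating, 0-5 score).
INHERENT = {
    ("HIGH", "LOW"): ("MODERATE", 2), ("HIGH", "MODERATE"): ("HIGH", 4), ("HIGH", "HIGH"): ("HIGH", 5),
    ("MODERATE", "LOW"): ("LOW", 1), ("MODERATE", "MODERATE"): ("MODERATE", 3), ("MODERATE", "HIGH"): ("HIGH", 4),
    ("LOW", "LOW"): ("LOW", 0), ("LOW", "MODERATE"): ("MODERATE", 2), ("LOW", "HIGH"): ("MODERATE", 3),
}
# Residual heat map from the deck: (inherent rating, control effectiveness) -> residual rating.
RESIDUAL = {
    ("HIGH", "STRONG"): "MODERATE", ("HIGH", "ADEQUATE"): "MODERATE", ("HIGH", "WEAK"): "HIGH",
    ("MODERATE", "STRONG"): "LOW", ("MODERATE", "ADEQUATE"): "MODERATE", ("MODERATE", "WEAK"): "MODERATE",
    ("LOW", "STRONG"): "LOW", ("LOW", "ADEQUATE"): "LOW", ("LOW", "WEAK"): "LOW",
}

class Regulation(NamedTuple):   # one row of the assessment (field names are assumptions)
    name: str
    likelihood: str        # LOW / MODERATE / HIGH
    exposure: str          # LOW / MODERATE / HIGH
    control: str           # effectiveness of the primary control: STRONG / ADEQUATE / WEAK
    trend: str = "STABLE"  # INCREASING / STABLE / DECREASING over the next 12 months

def rate_inherent(likelihood: str, exposure: str) -> tuple:
    """Inherent rating and numeric score; a level that is not on the scale raises."""
    key = (likelihood.upper(), exposure.upper())
    if key not in INHERENT:
        raise ValueError(f"likelihood/exposure not on the LOW/MODERATE/HIGH scale: {key}")
    return INHERENT[key]

def rate_residual(inherent: str, control: str) -> str:
    """Inherent risk + control effectiveness = residual risk (the deck's formula)."""
    key = (inherent.upper(), control.upper())
    if key not in RESIDUAL:
        raise ValueError(f"inherent/control pair not on the matrix: {key}")
    return RESIDUAL[key]

def assess(regs: list) -> list:
    """(name, inherent, score, residual, action) per regulation, highest inherent score first."""
    out = []
    for r in regs:
        inherent, score = rate_inherent(r.likelihood, r.exposure)
        residual = rate_residual(inherent, r.control)
        if residual == "HIGH" or r.control.upper() == "WEAK":
            action = "mitigation plan"        # control gap: the deck calls for a plan
        elif r.trend.upper() == "INCREASING":
            action = "add controls / review"  # increasing trend suggests more review
        else:
            action = "monitor"
        out.append((r.name, inherent, score, residual, action))
    return sorted(out, key=lambda x: (-x[2], x[0]))
```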
Risk Trend
The direction of risk and probable change over the next 12 months.

Increasing – suggests additional controls or increased review.
Stable – may require no action.
Decreasing – may suggest controls can be decreased.
Implementing Your Risk Assessment

Develop a methodology document:
• State risk tolerance
• Develop heat map scales
• Discuss and socialize
• Consider collaborating with other Risk Teams in your bank
Implementing Your Risk Assessment
Risk Assessment can be developed / segmented by:
• Regulation
• Business Unit / Department / Manager
• Product / Services
If you discovered any gaps in controls, develop a mitigation plan.
Updating Your Risk Assessment
Inherent Risk Ratings
– Update at least annually
– Document ratings

Controls / Residual Risk Ratings
– Review outstanding issues regularly
– Update quarterly
Updating Your Risk Assessment
To ensure your Risk Assessment stays current, you will also want to update it for:
New or Revised Products / Services
New / Amended Regulations
