In 2012, the Office of the Comptroller of the Currency (OCC) issued its “heightened expectations” for the risk management and governance practices at large national banks and federal savings associations. Since then, each regulatory agency has issued its own version of the expectations’ six core principals to the segments it regulates — CFPB, SEC, FINNRA, etc.
The guidance provided by the regulators requires all financial services institutions (FSIs), regardless of segment, to adopt and provide traceability around these six principals to exhibit a “strong culture of compliance” across the enterprise:
- Risk and Strategy Alignment across the enterprise at all levels
- Board Responsibility to set the culture from the top down
- Three Lines of Defense with clearly defined roles and responsibilities for each line of defense
- Robust Internal Audit Program consisting of internal self-assessments of controls, triggers and compliance initiatives
- Risk Data and Infrastructure with a strong data governance model to facilitate monitoring, analysis and measurement of risk and exposure
- Staff Training and Culture that sets expectations, roles and responsibilities to manage risk
The new core principals were enacted by regulators in response to their assessment that FSIs were not adopting a culture of compliance and risk management that would improve their ability to identify, manage and mitigate risks. Regulators also intended these principals to help integrate all the functions of a heightened risk management framework. In their view, successful implementation depends on a holistic approach to managing risk in which tone and culture are emphasized from the top down and strategy, roles and responsibilities are clearly defined.
But the stepped-up aggression from regulatory agencies toward the compliance activities of FSIs is only adding to the challenges they face by:
- Further confusing guidance for FSIs regarding the “operationalization” of risk and regulatory requirements across the enterprise
- Further complicating the ability of FSIs to calculate ROI and interpret how these changing requirements will impact business
- Further burdening budgets and resources — and sidetracking critical strategic initiatives — by requiring investment to meet the minimum new regulatory requirements
New regulatory response model required
Unfortunately, the existence and more vigilant enforcement of these core principals by no means ensures they will be effectively implemented or that a true culture of compliance will be established at all FSIs. To be successful in meeting regulators’ expectations, FSIs must migrate from the current reactionary response approach (based on internal and/or external events such as audit issues and consent orders), to a more advanced one that puts FSIs on a detective and preventive path (monitoring and testing, data analytics, remediation/document review) that uncovers trends, gaps and exposures for corrective action.
An organization’s regulatory response model is vital to its transition from reactionary mode to detective/preventive mode. To be truly effective, the model must address the five key areas of a proactive risk management enterprise: controls, governance, process, technology and data and analytics.
Risk and compliance executives should understand how their institutions rate in regard to the status of their current regulatory response model against the following categories:
- Running Behind — You have a purely reactionary program in place that uses a variety of approaches and produces unpredictable levels of effectiveness and accuracy.
- Running in Place — You’re incurring extremely high costs with this model due to the inconsistent setup and performance of the primary levers that drive a robust response program. This misalignment produces varied results across the enterprise.
- Running Ahead — You’re using a detective, predictive and proactive approach that facilitates accurate and timely risk identification, measurement and effective treatment activity. This model combines the insights as generated from core capabilities for 1) monitoring and testing, 2) data and analytics and 3) document review/remediation to identify and correct operational risks and gaps in the process.
Taking it to the next level: risk and control self-assessment (RCSA)
A risk and control self-assessment (RCSA) is used to assess the effectiveness of risk management and control processes. In contrast to a traditional audit, tests and checks are made by staff whose day-to-day responsibilities are within the business unit being assessed.
In today’s environment of heightened regulatory scrutiny, this model is where the industry is headed: a commercial or formal RCSA process that includes tools, approaches and the ability to effectively rank order enterprise risk. Post-2008 foundational models were put in place to address crises, but it’s time to ask: “Has our model evolved to become more detective/preventive to satisfy regulatory expectations, or is it still in reactionary mode?” If the answer is the latter, then you are exposing your institution to a higher level of external regulator and/or internal board scrutiny, and changing your course is imperative.
Building out the model to drive change
Moving away from a purely reactionary response mode is essential in today’s market. The goal of a mature model is to improve the organization’s ability to proactively identify issues and operationalize required change. Solutions must to be practical to implement, economical to run and unwavering in terms of quality assurance and customer experience. Monitoring and control mechanisms are critical elements of all regulatory-response review processes to ensure the organization adheres to the action plan’s timeline and can show fulfillment of all commitments. Such evidence is a prerequisite to an FSI’s release from any regulatory write-up, as the FSI must be able to clearly demonstrate it has accomplished the necessary compliance tasks while reducing the risk of its ongoing business practices. Embracing the new normal and reaching this mature state is by no means easy — it requires equal amounts of thoughtful planning and determined execution — but it is more than worth it for the future of your business.
Post Date: 18/09/2016