Developing an Effective Compliance Risk Assessment
We come across many a risk assessment in our practice. The ugly truth about most of the assessments that we see is that they are prepared specifically to meet a regulatory requirement and not much more. Perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year. Let’s face it, this is really the rule and not the exception when it comes to preparing assessments.
Despite the negative emotions that the thought of a risk assessment may produce, we believe that a comprehensive risk assessment is a critical component of planning your compliance year and implementing your compliance program. We believe that the compliance risk assessment should be the living-breathing basis for the way the compliance year unfolds
The Component Parts of a strong Compliance Risk Assessment
Past examination and audit results: It goes without saying that the past can be prelude to the future, especially in the area of compliance. Prior findings are an immediate indication of problems in the compliance program. It is important that the root cause of the finding or recommendations from regulators for enhancements is determined and addressed. The compliance risk assessment has to include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat. We recommend that the action has to be more than additional training. Training tends to be the number one answer and of course it is important. However, without testing to determine whether or not the training is effective, the risk of repeat findings remains high.
Changes in staff and management: change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, supposed the head of note operations is brand new. This new manager will want to process loans using her/his own system. Loan staff that may be used to doing compliance checks at certain times during the loan origination process might become confused. This increases the possibility of findings or mistakes. Your compliance risk assessment should take into account the risks associated with changes and how best to address them.
Changes in products, customers or branches: continuing on with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year. This will include any new products or services, new vendors, marketing campaigns that are designed to entice new types of customers. The risk assessment should consider what resources will be required and how they should best be deployed. Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the processes are in place. New advertising means both technical and fair lending compliance considerations.
Changes in Regulations: Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact community banks directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process has to consider changes that affect your bank or will affect you bank. For your review, we have upload a list of regulatory changes to the website. We do not warrant that the list is comprehensive. It is a good place to start however, to ensure that you have “covered the bases” for compliance.
Monitoring systems in place: the systems that you use to monitor compliance should be considered. For many community banks, this system is comprised of word of mouth and the results of audits and examinations. Part of your assessment should include a plan to do some basic testing of compliance on a regular basis. After all an ounce of prevention……
Once you have gathered all of the information necessary for completing the analysis, we suggest using analyses that doesn’t necessary assign numbers to risk, but prioritizes the potential for findings. Remember the effectiveness of your compliance program is ultimately judged by the level and frequency of findings. The effective risk assessment reviews those areas that are most likely to result and findings and develops a plan for reduction.
To complete the analysis it is necessary to be self-reflective honest and brutal! If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness. If more training is necessary or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management. We have found that the cost of compliance goes up geometrically when a bank is faced with enforcement action. It is much more efficient to seek the assistance when there are only potential problems as opposed to when actual problems have been found.
Creating the Compliance Environment
Probably the greatest untapped asset for any compliance officer is the staff at your bank. The fact is that without the support and input of the people who are actually contacting customers and performing day-to-day operations, the effectiveness of your compliance program will be greatly limited. Of course one of the greatest impediments to getting the “buy-in” of staff is the perception that many in the banking industry have of compliance. There is generally dislike and disdain for anything compliance related. However the fact of the matter is that the compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks. Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address. Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement.
Making sure that senior management accepts the importance of compliance and the costs of non- compliance can help increase support.
Using the document
Once the compliance assessment is complete, make sure to make use of it! The assessment can and should be used to help with planning and scoping audits that are to be performed during the year. The areas pf the highest risk should be addressed early and should have the most extensive scope.
Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the potential for findings and violations occur.
As part of developing the assessment, the policies and procedures that require updating and approval should be evident.
The assessment can also be the basis for requesting additional compliance resources including software. Professional assistant or additional certifications.
A comprehensive compliance risk assessment should be the key to a strong compliance program.
James DeFrantz is a Partner in Atlanta-based financial services industry consulting firm Bank Solutions Group. firstname.lastname@example.org