Author: Jill Emerson, Integrity One Consulting
When was the last time a compliance risk assessment was completed at your organization? Have there been recent organizational changes, product changes, or other changes that have a significant impact to your compliance program?
The thing about risk assessments and risk is that they aren’t static. A one-time approach to measuring and mitigating compliance risk is like burying your head in the sand, on purpose. A financial institution can avoid compliance violations and penalties for noncompliance by staying on top of its compliance risk. But that involves a constant and consistent approach. One that takes time, but is well worth it. Understanding fundamental basics is the beginning of knowing how to manage compliance risk and how to ride the wave of an everchanging environment.
What is compliance risk?
We often read or hear about legal and/or monetary penalties assessed where noncompliance has occurred or a pattern or practice of violations has been identified over a period of time with a financial institution. The trend for quite some time now is that the bottom line is directly impacted. Compliance risk involves the risk of potential loss and legal penalties as a result of the failure to comply with laws and regulations. Even when there is commitment to comply with applicable laws and regulations, compliance risk can still be an issue if there are breakdowns in processes, monitoring, or oversight.
Do you understand what your compliance risks are? Do you realize that closely tied to your financial institution’s compliance risks are the structure of your financial institution and its products, services, and business lines?
Managing compliance risk is a big deal. It requires commitment from the top and cooperation with business lines. It’s one of the spokes in the wheel of enterprise-wide risk management process, now an integrated approach. And, as a compliance professional, it requires your fine-tuned focus on internal and external forces that impact your organization’s compliance risks. Obviously, you have more control in managing internal forces, and how you respond to external forces requires intention, knowledge, and a sharp eye of what’s happening within the industry.
What entails a compliance risk assessment?
Before undergoing a compliance risk assessment, it’s important to be familiar with key terms: inherent risk and residual risk. A key factor to accept is that risk cannot be completely eliminated; and, once this concept is grasped, inherent and residual risks make sense.
Prior to implementing internal controls or mitigating factors to manage risk, inherent risk is the probability and impact of noncompliance with laws and regulations applicable to your financial institution. There are factors of inherent risk that need to be measured:
- Internal forces: Consider your financial institution’s structure, business model, business strategies, compliance organization, and history of regulation examinations as examples. To dive a bit deeper, take into account the complexity of products, how centralized or decentralized the organization is, product delivery channels, or the complexity of third-party relationships across business lines.
- External forces: Factors outside of your financial institution impact your compliance risk, such as competition, demographics, regulatory changes, and the regulatory environment.
Residual risk involves the effectiveness of implementing mitigating factors or internal controls to minimize inherent risk. Mitigating factors include:
- Board of directors/senior management oversight;
- The three Ps: policies, procedures, processes; and
- Monitoring, which involves management information systems (MIS).
There is no cookie cutter approach regarding the format and scoring of a compliance risk assessment. The key is to make it work for you and that it accurately reflects the level of compliance risk within your financial institution. Do make sure that you measure or rate inherent risks and residual risks, individually.
How do I manage compliance risk?
Once you’ve rated your organization’s compliance risk, the work now begins to execute the internal controls identified in the risk assessment process to reduce risk. The results should impact decisions across business lines. And, this requires collaboration. Or, as readily recognized, teamwork makes the dream work! To be effective at managing compliance risk, key factors need to be in place:
- Tone from the top! Your board of directors and senior management need to be actively providing oversight. It starts with you! Make sure compliance has a seat at the table, so to speak. Reporting to the board and attending board meetings regularly where the compliance voice can be expressed and heard is critical. Educating, informing, reporting are core skills needed by the compliance professional. Build strong relationships!
- Compliance needs to be involved in the front-end of:
- New product development;
- Changes to existing products and services;
- New or updated MIS;
- New or updated third-party relationships across business lines; and
- Strategic changes and/or business strategies of the financial institution.
- Utilize the risk-based approach so that the greatest areas of compliance risk receive the highest attention and resources to manage those risks. This approach requires a commitment and consistent tactic in regularly updating the compliance risk assessment and subsequent internal controls.
- The three Ps are so important! Your policies, procedures, and processes need to be documented and clearly reflect how your financial institution mitigates compliance risks. The three Ps are closely tied to the compliance risk assessment. Whenever you update your risk assessment, it’s natural and required to adjust the three Ps accordingly.
- Monitoring and testing are regular activities for compliance for managing compliance risks. Whether a combination of manual work and automated systems is used, monitoring activities need to be closely tied to internal controls and the risk assessment process. Testing, whether by internal audit or external audits, confirms or validates the effectiveness of your compliance program, which is based on managing compliance risks.
As you can see, your compliance risks can change more frequently than you may think when you see the internal and external forces. Today, we are in a rapid and changing environment in many ways. A siloed approach with compliance may have worked in the past; however, taking a risk-based approach and building relationships across business lines and with your board will allow you to manage your compliance risks more successfully!
Jill Emerson, owner of Integrity One Consulting, maintains over 30 years’ experience in the financial services industry, both as a practitioner and as a federal regulator. She enjoys sharing her experiences and expertise through writing.
Jill can be reached at firstname.lastname@example.org.