
Enhancing Compliance and Risk Management Strategies for Washington Bankers
Dive into the world of audit and compliance risk management with the Washington Bankers Association Executive Development Program. Gain insights on refining strategies, setting goals, and establishing control environments to ensure regulatory compliance. Explore the continuous program cycle, correct reporting practices, and the art of strategic planning. Understand the importance of risk appetite, vision statements, and structural alignment within organizations. Discover how roles and responsibilities shape the landscape of compliance and audit functions for effective risk management.
Presentation Transcript
Washington Bankers Association Executive Development Program
Audit and Compliance Risk Management: The Continuous Program Cycle
Presenter: David McCrea, U.S. Program Manager, Global Regulatory Compliance Team, Infosys Limited

[Diagram: The Continuous Program Cycle]
Influences: Government, Environment, Competition, Community
Ownership: Board/Audit, Senior Management, Business, Compliance
Risk Management Process (the cycle):
  Refine/Establish Strategy, Goals & Objectives ->
  Refine/Establish Control Environment ->
  Measure Performance Through Testing/Monitoring of Control Environment ->
  Take Corrective Action ->
  Report Results (and back to Refine/Establish Strategy)

The Continuous Program Cycle: three phases
  Designing
  Implementing & Checking
  Correcting & Reporting
Setting Strategy and Structure
Strategic Planning = the art and science of determining where an organization is going and how it's going to get there.

Setting Strategy and Structure
What is management's risk appetite? Risk tolerant? Risk averse? Somewhere in between?

Setting Strategy & Structure
Vision Statement (aka Mission Statement): a brief, big-picture description of your compliance program's purpose and method.

Setting Strategy and Structure
Setting goals and objectives: Goals are observable and measurable overall end results; Objectives are the steps to achieve specific results within a fixed time frame.
  Compliance Department goals
  Business Unit compliance goals
  Company goals

Setting Strategy and Structure
Defining a structure: roles and responsibilities
  Compliance and Audit responsibility ultimately lies with the board of directors
  Executive management needs to set the tone
  Compliance/Risk Management provides the expertise and advice
  The business units have responsibility to do risk management

Setting Strategy and Structure
Defining a structure: Compliance/Audit/Risk Management department configurations
  Solo
  Committee
  Numerous specialists
  Outsourcing
  Others? (What about the centralized/decentralized continuum?)

Setting Strategy and Structure
Defining a structure (continued)
  Bank's asset size
  Number of employees
  Number of branches and locations
  Product mix
  Services
  Other?
  Risk Profile (coming soon)

Setting Strategy and Structure
Defining Scope: What do you cover? What do you NOT cover?
  BSA? Fair Lending? CRA? SOX / Basel? Info Sec? Loan Review? Other?
  Ensure coverage for all out-of-scope functions.
Assessing Risks
  Risk identification
  Risk types
  Risk ranking
  Controls
  Effectiveness

Risk Identification
The detection and analysis of potential risks that may prevent the achievement of the bank's objectives.
  What types of products and services does the bank offer?
  What types of systems does the bank have in place, and to what extent are processes automated?
  What is your charter structure(s), and who is/are your regulator(s)?
  What regulations apply to the above?

Forms of Assessment
Risk assessments can take many different forms and have different purposes:
  Product/Service specific (e.g., HELOCs or e-banking): initial assessment of a new product, or ongoing performance
  Segmented by regulation (e.g., Reg. CC or Dodd-Frank); may be required, such as AML/BSA or Identity Theft Prevention
  Segmented by Business Line
  Compliance Program (how is the program functioning)
  Consumer Risk Assessment
  Overall Compliance Performance (how is the company performing)

Risk Types
  Inherent risk: the measure of risk before controls
  Residual risk: the measure of risk after controls
Or: Inherent Risk + Controls = Residual Risk

Assigning an Inherent Risk Rating
Inherent compliance risk is risk that is a basic, natural and inseparable component or characteristic of a regulation. (Note: inherent risk is risk before the consideration of controls.) These components could include the following risk sub-categories:
  Financial
  Litigation
  Transaction
  Reputation
  Regulatory
  Environment

Inherent Risk Ranking
  Exposure: the extent of potential damage
  Likelihood: the probability that an actual event will occur, and/or that the resulting exposure from that event will take place

Inherent Risk Ranking: Making Sense of Multiple Views
  Regulation
  Consumer Risk
  UDAAP Risk
Risk Ranking: Exposure HIGH
  Significant or systemic violations
  Severe regulatory criticism
  Memorandums of Understanding
  Cease and desist orders
  Corrective actions with large economic impact and/or reputation damage
  Repeat violations

Risk Ranking: Exposure MODERATE
  Violations lead to some regulatory criticism
  Some corrective actions with less significant economic impact and/or less significant reputation damage

Risk Ranking: Exposure LOW
  Violations, if any, are not considered significant or systemic
  Minimal, if any, economic impact and/or reputation risk

Risk Ranking: Likelihood
  HIGH: almost certain the risk will occur
  MODERATE: 50-50 chance the risk will occur
  LOW: most likely the risk will not occur

Inherent Risk Heat Map (rows: Likelihood; columns: Exposure; cell = rating band and score)
                     Exposure LOW   Exposure MODERATE   Exposure HIGH
Likelihood HIGH      MOD - 2        HIGH - 4            HIGH - 5
Likelihood MODERATE  LOW - 1        MOD - 3             HIGH - 4
Likelihood LOW       LOW - 0        MOD - 2             MOD - 3

Inherent Risk Rating
Using a heat map is not the only way to visualize risk. Other possibilities:
  Use a numeric rating
  Color code
  Other?
The key is to know your audience.

Inherent Risk Rating (sample 1)
Regulation | Likelihood | Exposure | Regulatory Compliance Inherent Risk / Comments
B          | High       | High     | HIGH: High scrutiny; impacts all customers; high fines and reputation risk
C          | Moderate   | High     | HIGH: High scrutiny; high reputation risk
E          | Moderate   | Moderate | MODERATE: Could be new focus with CFPB
FDCPA      | Moderate   | Moderate | MODERATE: Trending up due to economic environment
Assessing Risks: Risk Controls
  Definition
  Preventive controls
  Detective controls
  Assessing control effectiveness
  Primary controls
  Secondary and other controls

Control Activities
Help ensure that directives are carried out. They can be either preventive or detective:
  Preventive controls are generally applied at points where errors or irregularities could occur in the process
  Detective controls discover errors during or after occurrence

Preventive Controls
  Automated controls (e.g., system edit features for data entry control)
  System processing controls (e.g., editing, balancing and internal control checks)
  Written procedures and training can be controls
  Independent checks to determine if assigned responsibilities are completed and recorded amounts are accurate (e.g., account reconciliation, computer-programmed controls, management review of reports)
  Approvals and authorizations for transactions and activities

Detective Controls
  Review of exception reports, reconciliations, SAR reports, and other ad hoc reports to detect erroneous or improper processing of transactions
  Asset control activities, including periodic asset counts, comparison of physical counts to accounting records, investigation of discrepancies, establishment of physical safeguards, and maintenance of proper purchase authorizations

Inventory the Preventive & Detective Controls
Primary controls: these represent the most effective of the controls deployed against this risk. Your control effectiveness rating is essentially the rating of this particular control.

Inventory the Preventive & Detective Controls
Secondary or additional controls: where they exist, these can include compensating controls that indirectly assist in achieving control objectives (such as third-party review of transactions). They may also include policies and procedures referenced by the business in their risk self-assessment.
Rating the Control Environment
  Evaluate overall risks (stratify your inherent vs. residual risks)
  Establish level of confidence in control effectiveness ratings
  Evaluate the tone from the top
  Anticipate regulatory scrutiny

Risk Ranking: Control Strength
  Strong: controls prevent the risk from occurring
  Adequate: control typically prevents the risk from occurring
  Weak: control is non-existent or ineffective in controlling the risk

Control Strength Example 1 (Reg B)
Section | Owner | Control | Comments | Rating
202.4(b) No discouragement | Loan Consultants | Agents are scripted to ensure the application process is consistent and non-discriminatory; annual training is also required | Rating is based on the primarily manual nature of the controls | Adequate
202.4(c) Written Applications | Marketing, Legal | Marketing produces all applications, which have been approved by Legal | (none) | Adequate

Control Strength Example 2
Requirement & Citation | Business Units Impacted | Inherent Risk Rating | Controls and Mitigations | Control Effectiveness Rating | Residual Risk Rating
Suspicious Activity Reporting, 31 CFR 103.21 | All | High | Automated forensic system review of transactions; Compliance Operations agent reviews; annual training | Strong | Moderate

Residual Risk Ratings
Residual risk ratings should be based upon the inherent risk rating and the control effectiveness rating for each regulation. A residual risk rating of high, moderate or low can be assigned. The basic formula is: inherent risk + control effectiveness = residual risk.

Residual Risk Ratings
Residual risk ratings can then be plotted on a matrix, or heat map, as shown below (rows: Control Effectiveness Rating; columns: Inherent Risk Rating; cell = Residual Risk Rating):
                   Inherent HIGH   Inherent MODERATE   Inherent LOW
Control STRONG     Moderate        Low                 Low
Control ADEQUATE   Moderate        Moderate            Low
Control WEAK       High            Moderate            Low

Risk Trend
The direction of risk and probable change over the next 12 months:
  Increasing suggests additional controls or increased review
  Stable may require no action
  Decreasing may suggest controls can be decreased
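As an added illustration (not part of the presentation), the following Python sketch encodes the inherent heat map and the residual matrix from the slides above as lookup tables, scores a constructed register of regulations, applies the risk-trend rules, and sanity-checks that the two tables are monotone (a higher likelihood or exposure never lowers an inherent score; stronger controls never raise residual risk, and residual never exceeds inherent). The table cells follow the deck's heat map and residual matrix as reconstructed here; the register rows, the risk-tolerance threshold and the action strings are constructed assumptions.

```python
"""Scoring a compliance risk register with an inherent heat map and a residual matrix.

Added illustration: the table contents follow the presentation's heat map and
residual matrix; everything else (register rows, tolerance, action strings) is
a constructed assumption.
"""
from dataclasses import dataclass

LIKELIHOOD = ("LOW", "MODERATE", "HIGH")      # ordered least to most likely
EXPOSURE = ("LOW", "MODERATE", "HIGH")        # ordered least to most damaging
CONTROL = ("WEAK", "ADEQUATE", "STRONG")      # ordered weakest to strongest
BANDS = ("LOW", "MODERATE", "HIGH")           # rating bands, least to most severe

# Inherent heat map: INHERENT_HEAT_MAP[likelihood][exposure] -> (band, score 0-5)
INHERENT_HEAT_MAP = {
    "HIGH":     {"LOW": ("MODERATE", 2), "MODERATE": ("HIGH", 4),     "HIGH": ("HIGH", 5)},
    "MODERATE": {"LOW": ("LOW", 1),      "MODERATE": ("MODERATE", 3), "HIGH": ("HIGH", 4)},
    "LOW":      {"LOW": ("LOW", 0),      "MODERATE": ("MODERATE", 2), "HIGH": ("MODERATE", 3)},
}

# Residual matrix: RESIDUAL_MATRIX[control_effectiveness][inherent_band] -> residual band
RESIDUAL_MATRIX = {
    "STRONG":   {"HIGH": "MODERATE", "MODERATE": "LOW",      "LOW": "LOW"},
    "ADEQUATE": {"HIGH": "MODERATE", "MODERATE": "MODERATE", "LOW": "LOW"},
    "WEAK":     {"HIGH": "HIGH",     "MODERATE": "MODERATE", "LOW": "LOW"},
}


@dataclass
class RegisterEntry:
    regulation: str
    likelihood: str
    exposure: str
    control_effectiveness: str
    trend: str = "STABLE"  # INCREASING / STABLE / DECREASING, per the Risk Trend slide


@dataclass
class Rating:
    regulation: str
    inherent_band: str
    inherent_score: int
    residual_band: str
    action: str


def inherent_rating(likelihood: str, exposure: str) -> tuple:
    """Look up (band, score) on the heat map; reject values outside the scale."""
    try:
        return INHERENT_HEAT_MAP[likelihood.upper()][exposure.upper()]
    except KeyError:
        raise ValueError(f"not on the scale: {likelihood}/{exposure}") from None


def residual_rating(inherent_band: str, control_effectiveness: str) -> str:
    """Apply 'inherent risk + control effectiveness = residual risk' via the matrix."""
    try:
        return RESIDUAL_MATRIX[control_effectiveness.upper()][inherent_band.upper()]
    except KeyError:
        raise ValueError(f"not on the scale: {inherent_band}/{control_effectiveness}") from None


def recommended_action(residual_band: str, trend: str, tolerance: str = "MODERATE") -> str:
    """Constructed decision rules: residual above the stated risk tolerance needs a
    mitigation plan (gap in controls); otherwise the 12-month trend decides."""
    if BANDS.index(residual_band) > BANDS.index(tolerance):
        return "mitigation plan required"
    if trend.upper() == "INCREASING":
        return "add controls or increase review"
    if trend.upper() == "DECREASING":
        return "consider reducing controls"
    return "no action"


def assess(register: list, tolerance: str = "MODERATE") -> list:
    """Rate every entry and rank: highest inherent score first, then worst residual."""
    ratings = []
    for entry in register:
        band, score = inherent_rating(entry.likelihood, entry.exposure)
        residual = residual_rating(band, entry.control_effectiveness)
        ratings.append(Rating(entry.regulation, band, score, residual,
                              recommended_action(residual, entry.trend, tolerance)))
    ratings.sort(key=lambda r: (-r.inherent_score, -BANDS.index(r.residual_band)))
    return ratings


def matrices_are_monotone() -> bool:
    """Sanity check on the scales: a higher likelihood or exposure must never lower the
    inherent score; stronger controls must never raise the residual band; residual
    must never exceed inherent."""
    for i, lk in enumerate(LIKELIHOOD):
        for j, ex in enumerate(EXPOSURE):
            score = INHERENT_HEAT_MAP[lk][ex][1]
            if i and INHERENT_HEAT_MAP[LIKELIHOOD[i - 1]][ex][1] > score:
                return False
            if j and INHERENT_HEAT_MAP[lk][EXPOSURE[j - 1]][1] > score:
                return False
    for i, ctl in enumerate(CONTROL):
        for band in BANDS:
            residual = BANDS.index(RESIDUAL_MATRIX[ctl][band])
            if residual > BANDS.index(band):
                return False
            if i and BANDS.index(RESIDUAL_MATRIX[CONTROL[i - 1]][band]) < residual:
                return False
    return True


# Constructed register, modelled on the deck's sample rows (ratings are illustrative).
SAMPLE_REGISTER = [
    RegisterEntry("Reg B", "High", "High", "Adequate"),
    RegisterEntry("Reg C", "Moderate", "High", "Weak"),
    RegisterEntry("SAR (31 CFR 103.21)", "High", "High", "Strong"),
    RegisterEntry("FDCPA", "Moderate", "Moderate", "Adequate", trend="Increasing"),
]

if __name__ == "__main__":
    assert matrices_are_monotone()
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.regulation:22s} inherent={r.inherent_band}-{r.inherent_score} "
              f"residual={r.residual_band:8s} -> {r.action}")
```

The monotonicity check is the part worth keeping when the scales are revised: a heat map edited by hand can silently end up rating a Moderate/High cell below a Moderate/Moderate one, and a residual matrix in which Adequate controls score better than Strong ones would pass unnoticed in a spreadsheet.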
Implementing Your Risk Assessment
Develop a methodology document:
  State risk tolerance
  Develop heat map scales
  Discuss and socialize
  Consider collaborating with other Risk Teams in your bank

Implementing Your Risk Assessment
Risk assessment can be developed / segmented by:
  Regulation
  Business Unit / Department / Manager
  Product / Services
If you discovered any gaps in controls, develop a mitigation plan.

Updating Your Risk Assessment
  Inherent Risk Ratings: update at least annually; document ratings
  Controls / Residual Risk Ratings: review outstanding issues regularly; update quarterly

Updating Your Risk Assessment
To ensure your Risk Assessment stays current, you will also want to update it for:
  New or revised products / services
  New / amended regulations