Has your financial institution reassessed risk since the COVID-19 pandemic began? If not, it’s way overdue.
That’s my takeaway after reading the OCC’s Semiannual Risk Perspective Spring 2020 released late last month. The agency notes that credit and operational risks, including vendor management and cyber risks, have skyrocketed over the past four months. From high unemployment to implementing new programs and operational approaches with record speed, FIs have coped with a huge volume of changes over a short period of time, creating elevated risk.
The good news is that banks entered the pandemic in a strong position thanks to a strong economy and sound risk management practices, the OCC says. Yet FIs can’t coast on past risk management efforts. It’s unclear how long the economic downturn will last or how new government efforts and other events will further change the banking environment.
The OCC has identified the following heightened risks:
Credit risk. The OCC says credit risk management practices need to be “flexible and proactive” to meet challenges going forward.
Operational risk. FIs had to change operational processes in a stressful environment. They’ve adjusted to a more remote workforce—and the cybersecurity risks that it poses—along with increased absenteeism as staff fell ill or needed to care for family members.
Bank systems, processes, and controls have been impacted by higher transaction volumes related to customers receiving stimulus payments, increased loan demand, and changes to regulatory requirements (e.g., changes in accounting rules).
The OCC warns this can introduce risks like:
- Failure to securely configure teleworking tools and to secure personal devices logged into FI systems, increasing the risk of fraud and data loss
- Overstressing telecommunications capacity
- Failure of change management to keep pace
- A decline in service levels or delivery times
Third-party risk. Third-party vendors, including fintech firms, have helped some FIs keep pace with change, but that comes with risks of its own. The OCC notes that third-party vendor management is essential due to increased risk.
“Bank risk management programs should maintain effective controls for third-party due diligence monitoring,” the OCC says. The agency also wants risk management to address “other oversight processes, operational errors, heightened cybersecurity risks, and potential fraud related to stimulus programs.”
Cyber risk. The OCC says cyberattacks are going to continue increasing in volume. Risk management should address system and operational resilience, including backups that can protect the FI against cyber risks like malware or ransomware.
OCC Says Keep an Eye on Compliance Risk
Compliance risk is also elevated and may become a “key risk,” the OCC notes.
Many of the issues that have increased operational risk have also put pressure on compliance. Compliance has had to draft and update policies and procedures due to operational and regulatory changes plus the introduction of new government programs. These include the Paycheck Protection Program (PPP) and forbearance and payment modification programs. High transaction volume has increased BSA/AML concerns as well as consumer compliance and Fair Lending risk.
These areas need to be reviewed and monitored to ensure compliance controls are effective and that policies and procedures are performing as expected. Complaints should be monitored.
4 Tips for Managing Heightened Risk
Risk management is an active and ongoing process. The pandemic has created a situation marked by rapid change. Here are four ways to improve risk management when risks are elevated.
- Be proactive with your risk assessments. Don’t rely on risk assessment schedules you used in the past—think about what makes sense today. The operating environment is rapidly changing, impacting your FI’s risk exposure. If you’re not proactively assessing risk, your risk exposure may not align with your FI’s risk appetite. That opens your FI up to all kinds of problems.
- Audit more frequently. Oversight is essential. Your FI needs to be certain that the controls it has in place are effectively mitigating and managing risk. Just as with risk assessments, you can’t necessarily rely on your traditional audit management schedule for reviews and audits. If you’ve made a lot of changes, you need to be able to gauge if the FI is performing as expected.
- Reconsider audit depth and breadth. New challenges might mean audits need to dig in deeper or focus on new areas.
- Seek out new internal controls. Use insights from your risk assessments and audits to develop new internal controls or enhance existing ones. Your risk management program must have the tools to mitigate risk so the FI can operate in a safe and sound manner.