Risk management helps financial institutions anticipate and guard against all kinds of risks—everything from cyber threats to compliance mistakes to careless third-party vendors. But did you know it can also help prepare for exams?
According to a recent American Bankers Association compliance survey, “Examiner review of a bank’s risk management system appears to reduce examination length (38.4%) and scope of review (51.9%), suggesting that a good compliance risk management program may reduce the bank’s regulatory burdens.”
Financial regulators have been doubling down on risk-focused exams. Recent examples include:
- FDIC’s Information and Technology Risk Examination (InTREx) Program. Implemented in 2017, it outlines “an enhanced, risk-based approach for conducting IT examinations”
- The CC Rating System. Updated in 2017, it realigned the transaction-based system created in the 1980s with today’s focus on risk based on an institution’s size, complexity and risk profile.
They’ve also provided more detail of what a risk-based exam looks like. For example, the Federal Financial Institutions Examination Council (FFIEC) offered insight into key principles of a “risk-based exam” based on reviews of FDIC, Fed, OCC & NCUA principles and processes in 2018. They include:
- Low-risk financial institutions or areas often require minimal examination.
- Higher-risk areas receive more exam resources than lower-risk areas.
- Risk-focused exams should consider an institution’s ability to identify and control risks.
- Between exams there should be follow-up on findings and areas that need improvement.
In short, examiners will invest their time and resources on identifying and examining areas of increased risk. Less attention is dedicated to areas of minimal risk.
That’s where the benefit of strong risk management comes into play. The risk management life cycle has five key stages:
A financial institution that actively engages in these steps benefits from self-awareness of its riskiest areas. It knows what risks it faces, where risk is the greatest, and allocates resources to mitigating and monitoring these areas. Meanwhile, the board and management are confident in risk management efforts thanks to regular reporting.
When examiners ask for pre-exam documentation and visit for the exam, these FIs encounter few surprises. That’s because:
- They know where risk is greatest and expect regulators to address these areas.
- They’ve already dedicated extra resources to high-risk areas.
- They’ve considered compliance risk (the risk that an institution or its third-party vendors will fail to follow laws, regulations or internal policies) when measuring the risk of an activity.
- Activities with increased compliance risk have sufficient resources and controls.
Consider Bank Secrecy Act / Anti-Money Laundering, a risky area that is the source of many enforcement actions. A risk-aware institution recognizes that BSA/AML is an area that requires special attention and devotes resources to ensuring its controls are effective.
It also knows that the scope of a BSA/AML exam varies by FI, as an agency joint statement released in July on Risk-Focused BSA/AML Supervision reminds us. It notes that FIs are responsible for setting their own risk appetites and implementing effective controls for risk mitigation based on their complexity.
Examiners Care About Risk Management
The statement also reminds us that examiners are looking at risk management, stating that, “Examiners review risk management practices to evaluate and assess whether a bank has developed and implemented effective processes to identify, measure, monitor, and control risks.”
Thus, not only do strong risk management practices help an FI prepare for an exam by identifying and mitigating risk, in many cases the examiners will actually consider the FI’s risk management when assessing compliance.
Exam-Prep & Follow-Up Tool
Don’t make the mistake of thinking of risk management as an overhead cost. Beyond the benefits of uncovering potential opportunities, it also helps ward off regulatory enforcement actions and fines by creating an environment where an FI is aware of its risk challenges. Risk management systems for tracking audit and exam findings also ensure an FI is promptly remediating findings, whether they are discovered internally or by an outside party.
FIs that recognize risk and leverage this information for ongoing mitigation will be well prepared come exam time.