ABA Conference Highlights: Are Your Compliance Risk Assessments Outdated?
Too many financial institutions view compliance risk assessments as one-time events. They gather up requirements and prohibitions, assess risks, draft and implement policies and procedures, and then assume their work is done.
That’s a mistake, as we were reminded at the 2022 ABA Regulatory Compliance Conference in the session The World Has Changed – Your Risk Assessment Should, Too!
As the speakers noted, a compliance risk assessment isn’t an event or an item that can be completed once and crossed off a checklist. Circumstances are always evolving, and a compliance risk assessment may lose its relevance, impacting an institution’s compliance risk exposure.
Jim Bedsole, senior vice president, chief compliance and risk officer at $1.3 billion-asset BankSouth, offered great examples of times when you should review your risk assessments. He suggests updating risk assessments when there are changes in:
I’d also add that risk assessments should be updated whenever your institution’s risk tolerance changes. We always tell our clients that financial institutions must actively engage in compliance risk management, assessing risk and adjusting risk management practices to ensure their compliance risk exposure is aligned with their risk tolerance.
Here are some of our best practices and top tips.
Where’s the compliance risk?
Before updating compliance risk assessments, it’s important to look for sources of new or increased compliance risk.
Checklists, roundtable discussions, and existing management reports and data can be great sources for brainstorming potential compliance risks. Take advantage of events like budgeting, performance reviews, and strategic planning sessions to solicit information about new, emerging, and changing risks.
Bedsole also recommends:
- Keep your ears open. When you talk to people around the bank, you will find out about changes that need to trigger a review of your risk assessment
- Meeting with different people at all levels. Those involved in the day-to-day are generally more aware of process changes, while people at the second line will help you identify regulatory change.
- Review your audits for comments regarding ineffectiveness of controls. This should trigger review of risk assessment.
Go beyond the obvious, easy-to-spot risks. This takes time and creativity, but it will result in a vastly improved risk assessment.
Also think globally about the broad range of things that can go wrong at institutions of a similar size and type. A mid-sized community institution shouldn’t necessarily compare itself to a multi-national organization, nor should it rely exclusively only on its own experiences.
Not every change will require a full risk assessment revision. Sometimes it’s enough to just note a growing trend and keep an eye on it. Regular monitoring prevents mission creep, where strategy shifts over time, making risk assessments obsolete.
4 tips for keeping compliance risk assessments fresh
While every financial institution faces its share of surprises and setbacks, many of the risks of doing business can be identified and mitigated with the help of thoughtful compliance risk assessments.
The key word here is thoughtful. When conducted properly, risk assessments are highly effective tools that help ensure risk is aligned with an institution’s strategic objectives. A well-executed risk assessment digs into real-world risks and the specific controls an institution uses to mitigate their impact, allowing the board and management to make better, more insightful decisions. From big picture ideas to specific areas of concern, a good risk assessment looks at the good and bad in every situation to provide a thorough understanding of threats and opportunities.
How can you keep your compliance risk assessments up to date?
1. Be proactive with your compliance risk assessments. Don’t rely on risk assessment schedules you used in the past—think about what makes sense today. The operating environment is rapidly changing, impacting your institution’s compliance risk exposure. If you’re not proactively assessing risk, your risk exposure may not align with your institutions risk appetite. That opens your institution up to all kinds of problems—even enforcement actions, lawsuits, and financial penalties.Be proactive with your compliance risk assessments. Don’t rely on risk assessment schedules you used in the past—think about what makes sense today. The operating environment is rapidly changing, impacting your institution’s compliance risk exposure. If you’re not proactively assessing risk, your risk exposure may not align with your institutions risk appetite. That opens your institution up to all kinds of problems—even enforcement actions, lawsuits, and financial penalties.
Reconsider assessment depth and breadth. New challenges might mean compliance risk assessments need to dig in deeper or focus on new areas.
For instance, fair lending should already be on your radar. Now that the Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), the Justice Department and others have announced fair lending is a major enforcement priority and promised “vigorous enforcement,” it’s a good idea to revisit your fair lending risk assessment.
2. Reconsider assessment depth and breadth. New challenges might mean compliance risk assessments need to dig in deeper or focus on new areas.
Also recall that examiner focus is no longer limited to the current exam cycle. As recent enforcement actions have shown, when examiners encounter an issue, they aren’t content to just look at the year where they encounter the problem. They are prepared to dig deep into previous years to understand the depth and breadth of the problem.
Your risk assessments should consider this change, and what, if anything, must be done to understand historical compliance practices and data—and make proactive changes, if needed.
3. Audit more frequently. Oversight is essential. Your financial institution needs to be certain that the controls it has in place are effectively mitigating and managing compliance risk. This is essential data for conducting accurate risk assessments. If a control has lost its effectiveness or wasn’t working in the first place, you’re exposing your institution to greater risk.
Just as with risk assessments, you can’t necessarily rely on your traditional audit management schedule for reviews and audits. From work-from-home to cryptocurrency and fintech partnerships, a lot is changing both inside and outside your institution. You need to be able to gauge if your institution is performing as expected—and you need to uncover those problems before the regulators do.
4. Seek out new internal controls. Use insights from your risk assessments and audits to develop new internal controls or enhance existing ones. Your risk management program must have the tools to mitigate risk so the institution can operate in a safe and sound manner.
Seek out new internal controls. Use insights from your risk assessments and audits to develop new internal controls or enhance existing ones. Your risk management program must have the tools to mitigate risk so the institution can operate in a safe and sound manner.
Want to learn more about compliance risk assessments? You might like:
Blog article: 3 Steps to a Proficient Risk Assessment
Pre-recorded Webinar: 2022 Regulations: Expectations & Insights
Pre-recorded Webinar: Risk Assessments: Making the Most of Your Secret Weapon
Topics: Risk & Compliance