Ask a Risk Manager: How Can Risk Management & Compliance Work Together?
How can risk management and compliance work together as partners at a financial institution? There’s no one better to ask than someone who has worn both of those hats.
Enter Denise Guira, senior vice president of integrated risk at $5.2 billion MIDFLORIDA Credit Union in Lakeland, Florida. Denise spent 17 years in compliance before transitioning to risk management in 2017, giving her keen insights into how risk management and compliance can support each other.
She shared these insights in a recent episode of the Ncast podcast, talking with Ncontracts Vice President of Compliance Stephanie Lyon about what it takes to really integrate risk and compliance management. (You can listen to this episode, or any of our podcasts featuring industry experts, anytime on-demand.)
Here’s an edited excerpt of that conversation.
Stephanie Lyon: How do you define a risk-based approach to compliance?
Denise Guira: I would say it’s the only path forward. Risk and compliance work in tandem. It's one of the seven categories of risk as far as the NCUA is concerned, so I feel like it's kind of the foundation and the lowest-hanging fruit, especially if you're new to this risk environment. It’s the easiest path forward to try to get some traction in your risk program and start evaluating risk at your organization.
I would also say that compliance is probably the most listened-to risk in the organization. When you talk about other types of risks, they're kind of subjective in nature. You can sit around the table and have a discussion where people can say “That’s within my tolerance, we want to take that risk.” When you get to compliance, it’s very black and white. It’s very easy to say “This is acceptable risk” or “This is not acceptable risk.”
Compliance risk is easy for people to understand. They've been dealing with it for a very long period of time, so it's an easy place to start.
Stephanie: We've been hearing a lot about enterprise risk management (ERM), and you said compliance has been around forever. How do you compile the two into one?
Denise: You should really use compliance as a tool when you take a look at your ERM landscape. There are so many different options and ways that you can take that program within your organization. Using compliance as a road map, especially when you're just getting started, shows you where you want to have those focuses and where you want to set strategic pillars.
We just went through this over the past couple of years. We sat down, put all of our processes on paper, and then tried to correlate them against regulation and then our products and services. The next thing you know, I'm looking at the list of 600 and 700 different things.
Where am I going with this and what am I going to do as far as board reporting is concerned? What am I going to do as far as really creating a risk narrative that is not overwhelming and really makes sense to everyone?
The best way to start to evaluate the risk exposure of compliance is to take a look at all those regulations and see where your violations are, what type of lending products you have, what complaints you have out there in the marketplace, and what kind of procedures you have. What does fair lending look like in your organization? Processes like fair lending that have such a big impact on the organization have so many different components that really relate to risk.
Evaluating these areas will make you feel better as a risk practitioner because it will give you confidence in your organization's practices. If you go through that process, take a look at those procedures, and start really evaluating the seven concentrations of risk, you can say OK, my credit union has got this.
You can use compliance as a tool to really figure out where your credit union is and use it as the barometer to figure out where you need to set your focus.
Stephanie: You mentioned fair lending. We know that fair lending is made up of a lot of regulations and guidance. How much compliance knowledge do you feel a risk manager has to have to effectively manage compliance?
Denise: You have to decide what your environment looks like. Do you have a dedicated compliance department? What is that compliance department comprised of? How many employees? What's their background? How much education do they have? What is your company's culture in relation to risk?
We're the consulting body. We get to come in and say, “You can accept the risk or not. This is your business unit's decision.” It allows you to be able to have purposeful and educational conversations.
I was a compliance officer for 17 years before I moved into risk and that knowledge serves me incredibly well. Do you need 17 years of knowledge to be able to be a risk practitioner? No. But if you have someone like that in your compliance department, be friends with that person. Leverage the resources that are out there. Partner with great partners like Ncontracts that hire incredibly intelligent people. Read and learn and take a look at the different things that are out there from a risk standpoint. Compliance is going to say this is what the regulations say black and white. Their role is 100% adherence with zero risk tolerance.
You get to have a different conversation. You get to say this is what the rules of the playground are. We’re okay that there’s glass in this sandbox and this slide has been in the sun for days and it’s really hot. These are the ways that we can play and keep safe.
Stephanie: How do you feel a risk manager can help compliance effectively communicate the importance of compliance?
Denise: The best way to help that risk and compliance conversation is by being a partner to compliance. People are more willing to let you come to their lunch table than compliance.
I was having a conversation with a member of the management team in my organization, and he equated me to that character from Monsters Inc. who is always asking about paperwork. I get to have those kinds of tongue-in-cheek conversations where he knows that I'm going to keep him protected. He knows that my role is to tell him where those traps are in the playground but not to keep him from playing.
Sometimes compliance can really fall into that Chicken Little trap where the sky is falling. We can really help facilitate an understanding of “This is what compliance is saying. Here's what it means for our organization.”
For more insights from Denise, including the role of internal committees in creating a culture of risk and compliance management, listen to the Ncast.