Pandemic Preparedness & BCP Department-by-Department Series: COVID-19 & Compliance and Risk (Part 4)
Earlier this year, if you had asked a compliance professional if they expected any major compliance changes during the first quarter, they’d have answered no. That was before COVID-19 began spreading across the U.S., readjusting the regulatory agencies’ top priorities.
This month, regulators have issued numerous pieces of guidance delaying exams, postponing reporting, and prioritizing helping customers during these challenging economic and social conditions.
While many necessary compliance and risk functions continue, it’s by no means business as usual. COVID-19 is creating new operational risks that need to be identified, assessed, mitigated, and monitored.
In this fourth blog in Ncontracts’ series breaking down key operational risk considerations department-by-department, we’re addressing two departments: compliance and risk.
Business Continuity Management (BCM): What Compliance Needs to Consider Right Now
In theory, the compliance department should be prepared for COVID-19. A pandemic doesn’t upend compliance or risk management policies or procedures. Business continuity plans, a regulatory requirement, should be in place.
Yet, there are still some questions that need answering:
- When was the last time we conducted a Pandemic Test? What were the results? What were the material weaknesses and successes?
- Can compliance and risk access everything they need to collaborate remotely?
- How do we ensure those working from home follow policies & procedures?
- How will we communicate with regulators?
- Are there shifts in regulatory expectations that require changes to policies & procedures?
- Do we need to develop new policies and procedures in response to new lending programs created by Congress?
- What, if any, new compliance challenges does COVID-19 create? (increased fraud, difficulty keeping pace with suspicious activity reports (SARs), insufficient staffing, etc.)
BCM: Considering the Regulators’ Response
Regulators have limited ability to respond to a pandemic because the financial distress was not created by a financial event. Their main goal is to promote confidence and stability in the financial system.
One of the most significant ways regulators have helped with the COVID-19 response is through preparation. Regulators provide guidance on business continuity planning, management, and resiliency and are a check on your controls. They’ve used past exams to check in on your planning and point out shortfalls.
The Federal Financial Institutions Examination Council (FFIEC) recently released an Interagency Statement on Pandemic Planning reminding FIs that their BCPs should address the threat of a pandemic outbreak to critical services. That includes a:
- Prevention program
- Documented strategy scaled to the stages of a pandemic outbreak
- Comprehensive framework to ensure the continuance of critical operations
- Testing program
- Oversight program to ensure that the plan is reviewed and updated
Regulators can also ease requirements to free up resources that would best be used to help customers in crisis. Compliance departments should consider:
- What are the regulators going to do? What have they done with past pandemics? What have they already done?
- What role will the regulators play if customers and members affected by the coronavirus can’t pay back their loans?
- Will regulators be critical of our efforts to aid customers/members?
- Will regulators expedite requests, if needed?
- How will scheduled exams be impacted?
- How will reporting requirements be impacted?
- Will deadlines for things like resolving non-critical supervisory findings be extended?
BCM: What Risk Management Needs to Consider Right Now
FIs with enterprise risk management (ERM) programs in place will be in the best position to ensure that different areas of the institution are working together to identify, assess, mitigate, and monitor risk. When risk information is centrally reported, it makes it possible to leverage each other’s work for a cohesive response.
Every risk function should be asking questions like:
- Do all necessary parties have a seat at the risk table?
- Have new risks been introduced?
- What risks need to be reassessed due to the increasing probability of occurrence?
- What, if any, new controls are needed?
- Should the frequency of board and management reporting change?
- Are remote workers from different departments still collaborating on risk?
While risk management should be leading the charge on these questions, it shouldn’t work alone when it comes to managing the operational risks of COVID-19. Compliance and risk management should coordinate their efforts with other departments, including human resources, operations/back office, frontline/branch management, IT, vendor management, and credit/lending, among others.
Risk management can’t work in a vacuum. We may be self-quarantining or sheltering in place, but when it comes to risk management, we all need to come together.
For more insights into how COVID-19 is impacting operational risk and resiliency, join us for our webinar, "Unprecedented: COVID-19, Vendor Management and Managing the New Normal," on Wednesday, April 8, 2020, at 2:00 PM CT.