#1898534 - 02/20/14 05:58 PM Cons. Compliance risk assessment
Trees Offline
Power Poster
Joined: Apr 2005
Posts: 4,013
Every bank has its spin on how this document should look. We worked on a version with consultants. Some banks listed the regs and, based on a review of practices, audits, trends, etc., were able to rank the regs high to low and based their testing program on that.
Our assessment includes a review of operation of each area of the bank, products, services, delivery channels, importance of certain products in terms of balance sheet totals, etc. etc. We identified where we needed better controls BUT we did not do a drill down of each regulation that impacts each of the areas. Has anyone taken that approach and then made certain assumptions about the regs impacting the areas and then developed the testing program?

#1898598 - 02/20/14 07:10 PM Re: Cons. Compliance risk assessment Trees
ahkcompliance Offline
Diamond Poster
Joined: Sep 2008
Posts: 2,474
Midwest
I have an RA I've done that lists each product we offer and what regulations affect that product.

#1898859 - 02/21/14 04:18 PM Re: Cons. Compliance risk assessment ahkcompliance
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
I'm considering a blended approach this year. I have generally been one of those "list the regs" auditors. I have always divided the regs into sections. You know... I audit our AANs per Reg B more frequently than I audit our appraisal disclosures per Reg B. With the risk assessment results this year, I'm considering auditing Z and X with an audit of open-ended, non-HELOC credit, closed-end/ARMs, etc. Just haven't gotten my arms around how to do it yet. Need to get myself convinced and a good presentation of it before the next audit committee meeting.

#1898938 - 02/21/14 06:04 PM Re: Cons. Compliance risk assessment Cornfed Turtle
Reads Regs Offline
Diamond Poster
Joined: Nov 2004
Posts: 2,307
Here's an interesting article from Trinovus. https://www.trinovus.com/2014/02/19/compliance-risk-management/
_________________________
Opinions expressed are my own and not necessarily those of my employer. They are not legal advice.

#1898981 - 02/21/14 06:57 PM Re: Cons. Compliance risk assessment Reads Regs
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
Thanks for sharing. I'm going to print and discreetly leave it on my CO's copier!

And I have left my Reg list alone other than the Z's and X's. I have products: Closed-end residential fixed, Closed-end residential ARMs, Constructions, HELOCs, other Consumer, and Credit Cards. Will look at what applies to whom. So I will be addressing APR calculations, for example, six different times, but specifically to a product.

just trying to make it easier on myself as well as a more informative audit report.

#1899589 - 02/25/14 01:53 PM Re: Cons. Compliance risk assessment Trees
Trees Offline
Power Poster
Joined: Apr 2005
Posts: 4,013
Good points. Looks like there is some diversity in defining risk assessment and what it looks like and is used for. The RA is more a high end look at the program and the bank products, services, etc. There is no ranking or of the regs. No high/medium/low. My fear is that we will have our risk assessment criticized because of this. Any experience with the lack of a ranking process?

#1899592 - 02/25/14 02:01 PM Re: Cons. Compliance risk assessment Trees
A_G Offline
10K Club
Joined: Jul 2004
Posts: 18,989
Are you talking about management's risk assessment or audit's risk assessment?
_________________________
With the lights out, it's less dangerous.

#1899603 - 02/25/14 02:17 PM Re: Cons. Compliance risk assessment Trees
#Just Jay Offline
10K Club
Joined: Oct 2006
Posts: 14,390
Cheeseheadland
I was thinking myself that this doesn't sound so much like a regulatory compliance risk assessment, but a general controls or audit risk assessment as well.
_________________________
I don't repeat gossip, so listen closely...

#1899684 - 02/25/14 04:29 PM Re: Cons. Compliance risk assessment #Just Jay
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
I was talking audit risk assessment. Sorry if I hijacked your thought process Trees.

#1899973 - 02/25/14 09:47 PM Re: Cons. Compliance risk assessment Trees
Trees Offline
Power Poster
Joined: Apr 2005
Posts: 4,013
The end product mirrors the one indicated in an FRB 8/20/13 webinar called Conducting Consumer Compliance Risk Assessments - Examiner Insights. I just wanted to make sure that the current risk assessment flavor hasn't taken a turn and now we need to list each regulation, rank it, and that is the basis of our testing and monitoring program.

#1901579 - 03/03/14 03:44 PM Re: Cons. Compliance risk assessment Trees
BurntSienna Offline
Diamond Poster
Joined: Aug 2006
Posts: 2,407
Midwest
To look at this another way, if something isn't in your risk assessment, why would you test it or monitor it? In our experience, with this round of examinations, our regulators are looking to our RA's to contain everything with rankings and a narrative describing why we believe the risk to be high or low, etc. Then they are looking for testing and monitoring commensurate with the RA, which is driving the program. It makes a lot of sense to me to take this approach.
_________________________
"Gratitude makes sense of our past, brings peace for today, and creates a vision for tomorrow." - Melody Beattie

#1901597 - 03/03/14 04:18 PM Re: Cons. Compliance risk assessment Trees
HappyGilmore Offline
10K Club
Joined: Jun 2004
Posts: 19,844
Pulling people out of the ditc...
Originally Posted By: Trees
The RA is more a high end look at the program and the bank products, services, etc. There is no ranking or of the regs. No high/medium/low.


not sure how you can have a risk assessment without a ranking...after all, by definition alone an assessment is an evaluation or scoring...

if you want to PM me with an email address i'll send you a copy of one we've used.
_________________________
Providing alternative truths since the invention of time

#1903610 - 03/07/14 11:45 PM Re: Cons. Compliance risk assessment Trees
Wyogirl Offline
Platinum Poster
Joined: Nov 2001
Posts: 713
Laramie, WY. USA
My compliance risk assessment looks at functions within the banks by regulation risk, (a separate reg risk assessment), performance risk, (a separate spread of all audit findings), and product complexity. We literally inventoried all processes performed in the bank and determined residual risk, based on the above 3 components, for each. High risk gets business unit and compliance monitoring and then audited. Low risk items may get no looks for up to 18 months. Check out the Fed's new Risk Focused Exam Procedures - there's a lot of good information in there, especially if you're a Fed bank. CA-13-19.
