Risk Management & Compliance Programs
by Lucy Griffin, BOL Guru
Risk management is the mantra of the day. Everything comes down to risk assessment or risk management or something else with risk in the title.
There is also a lot of talk about compliance programs. Just in case you haven't noticed, many of the recent enforcement cases involving BSA or other forms of non-compliance require the institution to develop and maintain an effective compliance program. It is clear that in the minds of the regulators, an effective compliance program has something to do with risk management. The question is how to put the two concepts together.
Elements of a Compliance Program
Here, we are on fairly firm ground. We know the elements of compliance programs: policies, procedures, training, monitoring, controls, and audit. While there may not yet be such a thing as a perfect compliance program, we have a pretty good idea of what it should be.
What is less clear is how to fit risk into the familiar formula. The challenge is to design and maintain a program with risk in mind so that the goals of risk management are also met. We tend to focus on certainties. That is why we look to common violations and other patterns in examination reports for guidance. As a result, compliance programs are often built around the predictable and the predictable misses the point of risk.
Risk can be defined a number of ways, but one would be what cannot accurately be predicted. What this means for a compliance program is that reliance on the known problems is not enough for an effective risk management program. The program must understand sources of risk, anticipate them, and be ready to react quickly. To build on the Boy Scout motto, a risk manager's motto should be "Be prepared for the unknown."
Another way of thinking about defining risk and risk management is to compare the experience of the Little Dutch Boy with the approach of an architect. The Little Dutch Boy, living as he did in a very high risk flood hazard zone (below sea-level), understood the threat of a leak in the dyke holding back the sea. So when walking home late one evening, he spotted a leak, he plugged the leak with his finger and held on until morning when help arrived. He was a hero. He stopped the flood that would have occurred when the break in the dyke got bigger.
Now let's look at the architect. Someone designed that dyke. The design had to accommodate the pressures of the sea, the effect of storms, and of wear and tear. The architect must look at the entire design and plan that design to withstand whatever Mother Nature dishes out. This is much more than plugging a hole overnight - this is a long range plan that takes risks into account. Looked at in this context, good architectural design is a form of risk management.
Regulators tend to define risk as problems that can occur in certain categories: operational, legal, and reputational. These are clearly the areas where risk can hit an organization. However, risk management programs should anticipate the sources or causes of risk.
Causes of Risk
Risk comes from change such as changes to regulations, changes to the organization and even changes in the market or the economy. Risk also comes from slippage which can include staff forgetting something they were taught in training, a breakdown of a system, or planning a new product without all necessary participants (including compliance.)
Sometimes errors occur - both minor and major - because of slippage in tools, or simply because staff is overworked. Tight reins on employment can simply add to the strain and indirectly cause compliance violations, along with other problems.
Managing risk involves more than using common violations as benchmarks. Risk management involves designing a system that won't blow over in a hurricane or be swept away in a flood. This means that in addition to using common violations as benchmarks, you should do a root cause analysis. A root cause analysis should take you to the architecture of what was built so that you can evaluate what went wrong. Often, knowing why something happened is as important as knowing that it happened. For example, is there a new glitch in software or did someone make a mistake? Or did it happen because training was deficient?
Compliance violations have some common denominators - their source. Violations happen for a variety of reasons but these causes can occur in any department of the institution. First, anyone with the authority (or the ability even without the authority) to make changes has the ability to cause compliance problems.
Second, change must be supervised. If change is allowed or encouraged without supervision and evaluation of consequences, there may be unintended consequences.
Third, compliance in any form always faces duels with business priorities of growth, sales, and cost savings. To be effective in managing compliance and risk, it can be important to take business goals into account and to identify ways that compliance requirements or techniques can actually support business goals. Customer service is one way to do this.
Finally, almost all compliance managers bemoan the lack of adequate resources to get the job done. Resources are essential not only in the compliance department, but in each area of the institution that carries out compliance. For example, tellers need training and tools to accomplish what is required by Regulations D, DD, CC, and ,E to name only a few.
Assessing risk is a fundamental process. It must also be dynamic - ongoing. A risk assessment must also look both outside of the organization and inside it. There are a number of issues to consider when assessing risk.
First, is the organization complex or simple? The number of affiliates and the ways in which business lines are structured will have a significant impact on risk. Generally, the more complex the organization, the higher the risk quotient. For example, communications are more complex and decision making may be made in separate parts of the organization.
Second, how much change does the organization absorb? Change occurs with management changes - both structure and personnel. Change occurs with growth, which causes necessary changes to the organization. Change also occurs whenever the organization enters a new market or introduces a new product.
Third, what risk does the market present? Different markets carry different types and levels of risk. These risks result from economics, demographics, competition, and even the propensity of people to sue.
Fourth, what are the business strategies of the organization and what do these strategies present in the way of risk? Key business lines carry different risks. Also, dependence on one or more lines of business, such as car loans, carries risk. The ways in which products are delivered can present risk. Finally, marketing and competition affect the pressures and risks in the context of business strategies.
Fifth, your customers present risk, depending on who they are and what they want. Just as CRA requires you to know the credit needs of your assessment area, you should know your customers and their product needs as a matter of good business and good risk management. If you are delivering products that your market wants and delivering in ways that your market likes, your risk is lower than if product deliver is not such a good match.
To assess the risk in your compliance program - and in your institution - review these risk factors in your business context. Also, remember that risk management is never completed. It is an ongoing process.
- Review your written compliance program. Decide whether your program was written by the Little Dutch Boy or the architect.
- If you don't have a written compliance program, get cracking. It should place clear responsibilities and accountabilities and provide for channels of communication.
- Assess the risk in your organization, using the five steps in this article.
- Identify the authorities for making change to products and procedures and design safety valves for changes that could lead to violations.
- Develop a process for managing and assessing change as it occurs.
- Periodically remind senior management and the board of the delicate balance between business decisions and compliance goals.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 11, 10/04
First published on 10/01/2004