Managing Compliance Risk

Risk management is the management style of the day. Everyone seems to agree on that. But what exactly is risk management? Deciding what constitutes risk management is where things get murky. Some elements of risk management are fairly clear. Managing risk is all about avoiding unwanted costs and problems. However we define them, this means the avoidance of things going wrong, especially if they cost money.

Another element of risk management is choice. A business chooses how much risk to take. Total risk avoidance can be self-defeating. It is prohibitively expensive. It can also be crippling. So the question for the business is what level of risk to accept. Then the next question is how to achieve that level, without going over or under the target.

For the compliance manager, preparation for and survival of the compliance examination is a basic exercise in risk management. Before so much attention was given to risk management, the compliance manager's science was managing scarce resources while still surviving the examination. Now, with the attention given to risk, compliance issues are included in the bigger picture and the compliance manager is (or should be) part of the risk management team.

Given this opportunity and mandate, how should a compliance manager look at risk? In the context of overall risk management, how is compliance risk defined, measured, and managed?

Under the old scheme of compliance management, we looked to common violations as a guide. The common violation was the first one to look for because it was the most likely to occur. This has proved to be a useful method for managing compliance examinations - until examiners come up with new violations or a new regulation lands with no common violation guideposts.

With the unknown just over the horizon, compliance risk management needs more than the common violation guideposts. In order to manage risks, it is necessary to understand what factors contribute to or allow common violations to occur.

A key component of compliance risk management is analysis of what causes errors, exceptions or violations and ways to minimize these causes. In the process of doing this, it is not possible to ignore the compliance management classics of board oversight and support, policies and procedures, a well-designed compliance program, controls, monitoring and auditing, and training.

But the risk management question is where to concentrate the program's attention. This involves determining where the most risk exists or occurs. To do this, we have to look at organizations, systems and procedures, people, and regulations. None of these can be omitted.

This issue of Compliance Action begins a series of risk analysis guides to help you with the risk management process. This and future issues will contain a risk management grid that identifies components of risk for specific functions, jobs, or regulatory requirements.

In this issue, we look at the regulatory risk components of providing notifications and disclosures to mortgage applicants. Our grid identifies the key requirements and the compliance tasks attached to them. Each task represents a point at which something can go wrong.

Then we identify risk levels associated with the requirement or task. We have looked at risk in three ways. First is the frequency of occurrence: one way to measure risk is by how often something happens. If a task is done wrong, the error will happen a lot. Our first risk measurement identifies the occurrence as high ("H"), medium ("M") or low ("L").

Second are the consequences of something going wrong. Some regulatory requirements have enormous consequences, such as civil money penalties or restitution. Others involve no more than brief mention in the report of examination. Again, we use the high, medium or low rating.

Third is the quality and effectiveness of controls that can be put into place to prevent or minimize errors. Controls include a wide variety of tools from checklists to software. Instead of placing a rating on the control, we have identified possible controls to manage the risk. Which controls are used will have an impact on the overall risk rating. Strong controls would reduce the risk rating while weak controls could actually increase the risk.

When placing risk priorities, it is useful to look both at frequency and consequences as well as the ability to control them. All three factors interact to result in a formula for the risk of the specific institution.

Frequency and consequences may vary some from institution to institution but the major variable in this analysis is the controls available to manage risk. How the job is done makes an enormous difference. Controls also come at a variety of costs. If the cost of a control is very high, the risk may be of less consequence to the institution than the cost of preventing that risk.

Ultimately, a risk management program must look at all of these components - and possibly more - and then make choices. The choice is how much risk to accept, how much to avoid, and what costs to incur. We hope these grids help.


  • Review the risk factors - requirement, consequences and controls - for your institution.
  • Consider the effectiveness of available controls in your institution.
  • Now set priorities. Determine which risk is the most important to manage effectively.
  • Just for kicks, choose a risk that is a low level of concern and calculate what you can gain in controls for other risks by reducing attention to this one.

