The Risk Focused Examination
In times past, examiners used checklists to conduct examinations. Each regulation had a checklist and the examiner worked through the checklist. The policy experts in Washington made sure that the checklists were thorough and up-to-date. Examiners could, without a great deal of creative thought, work their way through the checklist and complete the exam. The hard work involved plowing through loan files, checking numbers, and recalculating APRs.
Under the checklist regime, we all knew where we stood. There was certainty. Examiners knew when they were done and we all knew what they found. Add up the red marks and you knew your compliance score.
Things are different now. Now we use a risk-based approach, whatever that is. And therein lies the question. No one, not even the carefully trained examiner, is quite sure how to evaluate risk. And even if we were certain about how to evaluate risk, there would remain the question of what to do if risk management was found to be inadequate.
But the procedures look so much better. There aren't all those checklists and APR formulas. The instructions look reasonable and logical. Evaluate the process. Evaluate the thinking. See whether the management system works.
The real question is whether risk-based examinations are actually getting at risk, or are simply a cosmetic change to the old checklist approach. Consider what is actually happening.
Examiners walk in asking to see your policies and procedures. This is nothing new. They have always loved those three-ring binders. With a quiet corner, a cup of coffee, and a three-ring notebook, your examiner is underway. When they need a break from policies and procedures, they'll ask to see your training files - yet another three-ring binder if not several.
So far, nothing actually different is going on. Or is it? In the old days, examiners reviewed policies, procedures and training materials to make sure everything was covered. Then they swung into the checklists and dug into the "real" part of the exam.
Now they review policies and procedures very differently. Not only must they be reviewed, they must be evaluated. The examiner has to come to a conclusion about whether the procedures are accurate, adequate, and properly targeted at the risk the institution faces. They must do all this without a checklist. It's a bit like "look Ma, no hands!"
And then, after examiners have come to a conclusion about the institution's approach to risk as measured by policies and procedures, the examiner must decide how and whether the approach works. And they have no checklists to help with this step. Now what? What happens is that examiners start looking at the audits. This is part of the exam procedure. The examiner should look at the audits, internal or independent, and determine that the audits are adequate and appropriate. The audits must cover the requirements and assess the risk management of the institution.
Something funny starts to happen. Not many examiners are confident about the institution's risk assessment after reading those three-ring binders. They knew where they were when they had those checklists. But for examiners comfortable with checklists, relying only on those words in the three-ring binders is like standing in quicksand.
So, seeking some form of quantifiable certainty, examiners examine the audit. There, in the audit, they hope to find those checklists, the guideposts of certainty. And if they don't find them in the audits, what do they do? They write up the auditors.
The real question is: does this risk-based approach really work? Have examiners actually caught on, or are they substituting one checklist for another?
Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 10, No. 15, 12/05
First published on 12/01/2005