Skip to content
GeoDataVision
Thread Options Tools
#1751074 - 10/22/12 03:15 PM Compliance Risk Rating System
Kelsey D Offline
Platinum Poster
Joined: Aug 2006
Posts: 516
Ohio
I have a formal risk assessment in which I've rated each regulation from 1 (low) to 5 (high) that I use to set my compliance audit schedule. The meat behind the ratings is there; I just need to clearly define my risk rating system beyond the simple low, moderate, and high classification system. Does anyone have sample definitions for high, moderate, and low? I need it to be clear to anyone reviewing my risk assessment that just because BSA, for example, is rated 5, it doesn't mean that I think the quality of risk management is weak in the BSA area.
_________________________
Don't make me say, "I told you so!" Sincerely, your friendly Compliance Officer.

Return to Top
General Discussion
#1751394 - 10/23/12 02:20 PM Re: Compliance Risk Rating System Kelsey D
Banker Offline
100 Club
Joined: Oct 2007
Posts: 128
Southeastern US
In other risk assessments, I have used "inherent risk" (which is risk that is there just by the nature of the beast) then I input a column "control environment effectiveness" (this is all of the mitigating controls, reviews, monitoring, etc that is in place), the final is the "residual risk" which is the remaining risk all things considered (basically the remaining risk with inherent risk along with the control environment effectivess considered). Don't know if this would work in your format?

Return to Top
#1751407 - 10/23/12 02:42 PM Re: Compliance Risk Rating System Kelsey D
ahkcompliance Offline
Diamond Poster
Joined: Sep 2008
Posts: 2,470
Midwest
I look at our previous exams and independent audits to assign high, medium, and low risks. If we have multiple repeat violations then it is a higher risk. Isolated exceptions with no pattern are lower. I also look at the regulatory environment and all the change. Regulations that have had substantial changes are generally a higher risk on my RA. That method seems to work for us and no complaints from examiners. I also use the inhernet/residual risk as MJoyner discussed above.

Return to Top
#1751424 - 10/23/12 03:23 PM Re: Compliance Risk Rating System Kelsey D
manimal Offline
Diamond Poster
manimal
Joined: Feb 2008
Posts: 2,207
Deleted
We do what MJoyner said, give it an inherent risk, then mitigate it down with our controls.
_________________________
We're all here 'cause we've lost control.

Innerpartysystem

Return to Top
#1751425 - 10/23/12 03:24 PM Re: Compliance Risk Rating System manimal
A_G Offline
10K Club
Joined: Jul 2004
Posts: 18,958
fines and penalites for violations may be something else to consider for a compliance risk rating...
_________________________
With the lights out, it's less dangerous.

Return to Top
#1751793 - 10/24/12 02:10 PM Re: Compliance Risk Rating System Kelsey D
Kelsey D Offline
Platinum Poster
Joined: Aug 2006
Posts: 516
Ohio
I've taken into consideration all of the things you have listed above in my risk assessment. The way it is designed, ratings of 1 and 2 (low) are audited every three years, 3's (moderate) are audited every two years, and ratings of 4 and 5 (high) are audited every year. Management questioned the number of 4's and 5's we have and assumed that it meant we weren't doing enough to mitigate those areas down to moderate or low. Obviously some areas require an annual audit, and others deserve frequent reviews because of examiner scrutiny, fines and penalties, reg changes, and/or prior audit findings. I explained to management that we could have very strong internal controls, but the risk rating could still be high due to the nature of the regulation. I explained that a 5 rating doesn't necessarily mean that we are likely to have problems, but that if we do, the consequences are so severe that they could cripple the bank. Their suggestion was that I detail for each rating, 1 through 5, exactly what each means. I'm looking for that language.
_________________________
Don't make me say, "I told you so!" Sincerely, your friendly Compliance Officer.

Return to Top
#1752065 - 10/24/12 06:42 PM Re: Compliance Risk Rating System Kelsey D
Deena Offline
Power Poster
Deena
Joined: Nov 2000
Posts: 2,701
PA
If you check out the linked document titled "Compliance Risk" on this page, it may help you. The other links may be helpful as well.
_________________________
Opinions expressed are mine and not necessarily those of my employer.

Return to Top