#19745 - 06/05/02 08:20 PM
Risk assessment of specific audit issues
Anonymous
Unregistered
I am wondering if there is anything in print that deals with the risk factor/priority of an audit issue. Once an issue has been identified (i.e. 2 of 10 files reviewed did not contain required disclosures), I would like to be able to rate whether it is a high, moderate, or low risk issue. Is this totally subjective, or are there guidelines somewhere? Does monetary value of the fine involved factor into the risk? Would 90% error-free be ranked the same as 50% for the same audit issue?
#19746 - 06/05/02 09:14 PM
Re: Risk assessment of specific audit issues
Member
Joined: Sep 2001
Posts: 90
While there are no hard and fast guidelines from the regulators, generally they will factor into the compliance rating the number of errors per file in relation to the number of files reviewed. Different regulations have been categorized by the regulators as being more of a high risk.
When you perform your scope you need to break out each product or service you offer and then rate the following characteristics of the product:
1. Management - ability and expertise of management to deal with compliance issues, management's compliance history with the product, and tenure of management.
2. Materiality - relative importance of the product as compared to other products, dollar volume, and activity volume.
3. Stability - newness of the product, growth of the product, any complex issues, automation used to comply with applicable regulations, any recent changes to regulations affecting the product.
4. Market share - bank size, market share of the product line.
Ratings are based on a low, moderate, and high or 1, 2, 3 scale. Assign each of the four above a number, then add these numbers. Overall product risk scores will fall into low (score 4-6 pts), moderate (7-9 pts), and high (10+).
The next step is to rate the regulation risk affecting the product. Low risk, risk rated 1: RESPA (mortgage servicing disclosure only), Right to Financial Privacy, Fair Debt Collection Practices Act, Unfair Deceptive Practices (Reg AA), FCRA. Risk rated 2: Expedited Funds (Reg CC), TISA (Reg DD), Reserve Requirements (Reg D), Consumer Leasing (Reg M), Interest on Deposits (Reg Q). Risk rated 3: RESPA (all other provisions), Flood (Reg H), TILA (Reg Z), EFTA (Reg E), Fair Lending (Reg B and FHA) ex. denial notices, appraisals, forms, all items not covered under fair lending procedures. Risk rated 4: TILA (Reg Z) APR and FC and Rescission, Homeowners Protection Act (PMI disclosures), Privacy Act (GLB). You would then follow the attached matrix for the level of review to conduct.

                                  Product Risk
Regulation Risk       Low (4-6)     Mod (7-9)     High (10+)
Low  - 1              Level I       Level I       Level II
       2              Level I       Level I       Level II
       3              Level I       Level II      Level II
       4              Level II      Level II      Level III
High - 5              Level II      Level III     Level III

There are different levels of review: Level I is the most risk focused, with a sample size of at most three files; Level II is up to 10 files; and Level III is a full-scope review. Remember, if you start out at a Level I review and find problems, always expand your scope and select more files.
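The scoping model in the post above, worked through as an added example (this is not the poster's or any regulator's code): four product characteristics rated 1-3 are summed into a product risk band, combined with the 1-5 regulation risk rating via the matrix to pick a review level, and a Level I review that turns up findings is expanded. The factor keys, the sample-size table and the inputs are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

# The four product characteristics from the post, each rated 1 (low) to 3 (high).
PRODUCT_FACTORS = ("management", "materiality", "stability", "market_share")

# Review matrix from the post: row = regulation risk 1..5,
# columns = product risk band (Low, Mod, High) -> review level I/II/III.
REVIEW_MATRIX = {
    1: (1, 1, 2),
    2: (1, 1, 2),
    3: (1, 2, 2),
    4: (2, 2, 3),
    5: (2, 3, 3),
}

# Initial sample size per review level; None means full-scope (every file).
SAMPLE_SIZE: Dict[int, Optional[int]] = {1: 3, 2: 10, 3: None}


def product_risk_score(ratings: Dict[str, int]) -> int:
    """Sum the four 1-3 ratings (range 4..12); reject missing/out-of-range input."""
    total = 0
    for factor in PRODUCT_FACTORS:
        value = ratings.get(factor)
        if value not in (1, 2, 3):
            raise ValueError(f"{factor}: rating must be 1, 2 or 3, got {value!r}")
        total += value
    return total


def product_risk_band(score: int) -> str:
    """Bucket the summed score: 4-6 Low, 7-9 Moderate, 10+ High."""
    if score <= 6:
        return "Low"
    return "Moderate" if score <= 9 else "High"


def review_level(ratings: Dict[str, int], regulation_risk: int) -> int:
    """Look up the review level (1, 2 or 3) for a product/regulation pair."""
    if regulation_risk not in REVIEW_MATRIX:
        raise ValueError("regulation risk must be 1..5")
    column = ("Low", "Moderate", "High").index(product_risk_band(product_risk_score(ratings)))
    return REVIEW_MATRIX[regulation_risk][column]


def scope_review(ratings: Dict[str, int], regulation_risk: int,
                 exceptions_found: int = 0) -> Tuple[int, Optional[int]]:
    """Return (level, sample_size); a Level I review with findings is expanded to Level II."""
    level = review_level(ratings, regulation_risk)
    if level == 1 and exceptions_found > 0:
        level = 2
    return level, SAMPLE_SIZE[level]
```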
#19747 - 06/05/02 09:22 PM
Re: Risk assessment of specific audit issues
Platinum Poster
Joined: Oct 2000
Posts: 797
Oklahoma City, OK
In one of the handouts used during Barbara Reidy's presentation on "How to do a Compliance Risk Assessment" during the ABA NRCC, there was an initial risk rating form for new business lines. It rates the compliance risk as Low, Moderate, or High in six different areas, paraphrased below:
1. The new product, service, delivery channel, strategic or other initiative (then it ranges from Low -- where the NBI is substantially similar to an existing product; to High -- where the NBI is substantially new or different.)
2. Experience level of the project team management with the product or service.
3. The level of awareness/attention, etc. of the line of business management.
4. What it will take in the way of systems and technology to support the initiative -- existing systems or new or significant changes, for example.
5. Internal environment -- which includes everything from staffing to expected transaction volume. Is it stable, moderately stable, or volatile?
6. Same analysis, but on the external environment.
Some folks would advocate assigning an initial Low, Moderate or High risk using this type of analysis, then using a penalty matrix to figure out how serious the consequences of the risk could be. The higher the risk and the higher the penalties, the more time and attention should be directed to it.
#19748 - 06/06/02 06:18 PM
Re: Risk assessment of specific audit issues
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
I am by no means an expert in this field either; keep that in mind while you continue to read my reply.
From what I have read, including the OCC's risk assessment handbook, and what I have learned at school/conferences this year, risk assessment is both subjective and objective. It is objective to the degree that you use your agency's guidance, but it is subjective by whomever is conducting the assessment. Same as an audit (in my opinion). I think the assessment takes it further into the specifics of identifying the risk (which would be reflected by your risk assessment worksheet and is either quantitative or qualitative), measuring the risk (which is usually either numerical or low, moderate, high), and then prioritizing by the risk evaluation.
I further look at risk assessment in different ways now.
I use four different approaches to the risk program. First is regulations, second is specific areas/services through internal audit, third is an average between my assessment and managements, and the fourth would be for new products and/or services (such as Internet banking, since we are just starting on it).
I look at the regulations separately, trying to identify the risk level inside each item of the regulation. For instance, the measure assigned to one area of BSA may be different than another area of BSA. We use numbers of 1 being low to 5 being high. But all of the areas would be totaled and averaged to give me an average for the BSA regulation. I accomplish this risk assessment through employee monitoring which is both qualitative and quantitative. (A certain amount of files are reviewed identifying deficiencies.) A ratio identifies the accuracy level, which management will assign a threshold to. Say management assigns a threshold to a specific item of 90% tolerance, and the monitoring identifies an accuracy ratio of 80%: we have some problems. I received part of this format at ABA school so I can not take credit.
Second, each time I do an internal audit I do a risk assessment based upon the OCC's nine definitions of risk. I only assign a rating of low, moderate, high. Since I only started this process this year, it will take time to complete this assessment throughout the bank.
Third, I have a risk model that someone at ABA school shared with me. I will send it to Mary Beth to post. It is great!! I wanted something simple to understand and be able to work with management. This is both. It is a risk assessment that permits audit/compliance to risk assess items and a separate column permits management to risk assess the same items. Both columns are averaged and the totals flow into a summary page that identifies the areas that the audit department should prioritize their audits. I have not used it yet, but plan on starting with management on theirs in Sept. By then I will have all of the compliance regs risk assessed (step one above) so they will flow into this worksheet. The column that audit/compliance uses is hidden (column D) so management can not see the numbers when you print it. Again numbers 1 through 5 are used. 1 being low, 5 being high.
Last is specific detailed risk assessments for new products, services, specific functions, etc. I am just finishing a detailed one for information security/internet banking. It uses the concept of completely implemented being a 1, partially implemented being a 2, aware but not implemented being a 3, and no awareness is a 5 for each item reviewed. An overall ranking for each area assessed will be assigned a level of low to high based on the average numbers for that area.
My point (after this lengthy message, ha ha) is that I continually use the same number system and the same level of risk definition to the numbers.
I hope I am on the right track too. So far I feel comfortable with what I am doing although I too need more worksheets for detailed assessments.
Hope this helps you and it was what you were looking for.
Opinions and requests are mine not my employer. No legal advice is intended.
#19749 - 08/07/02 04:09 PM
Re: Risk assessment of specific audit issues
Gold Star
Joined: Jul 2002
Posts: 338
Hell's Canyon
Liberty, I am wondering where you got the information regarding risk ranking for specific regulations (and even issues within each regulation). I would love to know if there is a more complete list somewhere?
Wendy
_________________________
Wendy LaVoie
#19751 - 08/07/02 09:33 PM
Re: Risk assessment of specific audit issues
Gold Star
Joined: Jul 2002
Posts: 338
Hell's Canyon
Liberty, thank you for your help, I really appreciate any insight you can provide. I can be reached at:
FirstBank Northwest
Wendy LaVoie, CPA, Corporate Auditor
920 Main Street, P.O. Box 996
Lewiston, ID 83501
(208)750-7116 * Fax (208)750-7117
mailto:wlavoie@fbnw.com
www.fbnw.com
_________________________
Wendy LaVoie
#19752 - 01/25/04 05:21 PM
Re: Risk assessment of specific audit issues
Anonymous
Unregistered
I am interested in learning more about your approach. Could you contact me at ses343@aol.com and reference Risk Assessment? Let me know how I can contact you further if possible. Thanks for your assistance.