#26485 - 08/01/02 10:48 PM How the regulators rank risk
wlavoie Offline
Gold Star
wlavoie
Joined: Jul 2002
Posts: 338
Hell's Canyon
Back on June 5 I asked a question about how to rate the risk of each separate issue on my audit reports (high, moderate, low). Liberty replied (can't find an email address) with a risk rating for several regulations. Right to financial privacy rated a 1 while Reg CC was a risk rating of 2 etc. I am wondering if there is any info out there that rates every (or at least most) regulations with a risk factor.

I'm still having a hard time with simple things like how risky are outdated job descriptions, etc, etc?
_________________________
Wendy LaVoie

#26486 - 08/01/02 11:07 PM Re: How the regulators rank risk
Michelle D Offline
Gold Star
Michelle D
Joined: Oct 2001
Posts: 313
Terminator Country
We created a risk weighting process based on major (key business) controls in each area. The processes assess risk based on probability/likelihood of the control failing and the impact if the control failed (impact could be financial, regulatory, legal, etc.). Each was given a 1-5 rating and then multiplied for a gross rating.

So now if we have an audit finding, we have a starting point for what we consider the "rating" for that item.

It's not perfect, but it has helped us tremendously.
_________________________
The opinions are mine and do not necessarily reflect those of my employer.

#26487 - 08/02/02 02:57 PM Re: How the regulators rank risk
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,605
Near the Land of Enchantment
Our approach (borrowed from an accounting firm with their permission) was to do a two-pronged test - one for the inherent risk in the area for the banking industry overall. For instance, wires is always high risk. Then, we risk rated the areas for our particular institutions. Areas where we have a lot of expertise and good controls were weighted moderate or low, areas that were new to the bank or where we'd had some key personnel turnover were rated moderate to high. These rankings dictated the audit frequency and hours assigned.

Our regulators liked the limited number of ratings (low, moderate, high), and they liked this approach. They didn't question any of our rankings after we showed them the approach and our methodology.
_________________________
Opinions my own.

#26488 - 08/04/02 08:49 AM Re: How the regulators rank risk
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,353
On the Net
Do you update this annually or as an ongoing basis?
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#26489 - 08/07/02 03:44 PM Re: How the regulators rank risk
wlavoie Offline
Gold Star
wlavoie
Joined: Jul 2002
Posts: 338
Hell's Canyon
Andy,
I would like to assess a risk rating to each audit issue to give the Board a better understanding of its importance. Therefore it is ongoing with each audit report.
_________________________
Wendy LaVoie

#26490 - 08/07/02 03:48 PM Re: How the regulators rank risk
Lestie G Offline

Power Poster
Joined: May 2002
Posts: 3,605
Near the Land of Enchantment
Andy,

We evaluate the whole picture annually, and update the ratings in each area on an ongoing basis - depending on what's going on in the bank and in the industry.
_________________________
Opinions my own.

#26491 - 08/16/02 01:25 PM Re: How the regulators rank risk
AnonRegulator Offline
Gold Star
AnonRegulator
Joined: Mar 2002
Posts: 451
Everywhere, USA
If you are asking if the regulators have a general ranking of risk by regulation, e.g., Reg Z is more important than Reg. DD, we don't do that, at least not globally.

In a specific institution, however, we will eventually arrive at such a conclusion by looking at several factors. This is hard to quantify, but the factors may be categorized as either internal, public (or external) and regulatory. The factors include:


o Volume of transactions pertinent to any specific regulation;
o Complexity of transactions (e.g., ARMs with PMI & introductory teaser rates pose more risk of noncompliance than some other loans);
o Reliability/effectiveness of the bank's compliance audits;
o The bank's history of compliance, including the ability to assimilate new regulations;
o Changes that have occurred since the last exam in personnel, policies, procedures, hardware, software, and delivery channels;
o Consumer complaint information

After considering all that, it becomes apparent to us which areas we need to focus on. AR.


Moderator:  Andy_Z