How the regulators rank risk

Posted By: wlavoie

How the regulators rank risk - 08/01/02 10:48 PM

Back on June 5 I asked a question about how to rate the risk of each separate issue on my audit reports (high, moderate, low). Liberty replied (can't find an email address) with a risk rating for several regulations. Right to financial privacy rated a 1 while Reg CC was a risk rating of 2 etc. I am wondering if there is any info out there that rates every (or at least most) regulations with a risk factor.

I'm still having a hard time with simple things like how risky are outdated job descriptions, etc, etc?
Posted By: Michelle D

Re: How the regulators rank risk - 08/01/02 11:07 PM

We created a risk weighting process based on major (key business) controls in each area. The processes assess risk based on probability/likelihood of the control failing and the impact if the control failed (impact could be financial, regulatory, legal, etc.). Each was given a 1-5 rating and then multiplied for a gross rating.

So now if we have an audit finding, we have a starting point for what we consider the "rating" for that item.

It's not perfect, but it has helped us tremendously.
Posted By: Lestie G

Re: How the regulators rank risk - 08/02/02 02:57 PM

Our approach (borrowed from an accounting firm with their permission) was to do a two-pronged test - one for the inherent risk in the area for the banking industry overall. For instance, wires is always high risk. Then, we risk rated the areas for our particular institutions. Areas where we have a lot of expertise and good controls were weighted moderate or low, areas that were new to the bank or where we'd had some key personnel turnover were rated moderate to high. These rankings dictated the audit frequency and hours assigned.

Our regulators liked the limited number of ratings (low, moderate, high), and they liked this approach. They didn't question any of our rankings after we showed them the approach and our methodology.
Posted By: Andy_Z

Re: How the regulators rank risk - 08/04/02 08:49 AM

Do you update this annually or as an ongoing basis?
Posted By: wlavoie

Re: How the regulators rank risk - 08/07/02 03:44 PM

Andy,
I would like to assess a risk rating to each audit issue to give the Board a better understanding of its importance. Therefore, it is ongoing with each audit report.
Posted By: Lestie G

Re: How the regulators rank risk - 08/07/02 03:48 PM

Andy,

We evaluate the whole picture annually, and update the ratings in each area on an ongoing basis - depending on what's going on in the bank and in the industry.
Posted By: AnonRegulator

Re: How the regulators rank risk - 08/16/02 01:25 PM

If you are asking if the regulators have a general ranking of risk by regulation, e.g., Reg Z is more important than Reg. DD, we don't do that, at least not globally.

In a specific institution, however, we will eventually arrive at such a conclusion by looking at several factors. This is hard to quantify, but the factors may be categorized as either internal, public (or external) and regulatory. The factors include:


o Volume of transactions pertinent to any specific regulation;
o Complexity of transactions (e.g., ARMs with PMI & introductory teaser rates pose more risk of noncompliance than some other loans);
o Reliability/effectiveness of the bank's compliance audits;
o The bank's history of compliance, including the ability to assimilate new regulations;
o Changes that have occurred since the last exam in personnel, policies, procedures, hardware, software, and delivery channels;
o Consumer complaint information

After considering all that, it becomes apparent to us which areas we need to focus on. AR.