Compliance Risk Management

Transcript Compliance Risk Management

Regulatory Requirements & Compliance: Ensuring Effective Outcomes
Presented By: John E. Palmer, CPA
Managing Director/Principal
Agenda
• Compliance Management System
• Risk-Based Approach
• Compliance Training
• Monitoring and Internal Audit
• Communication
• Recommended Steps
Compliance Management System
CMS
Compliance Management System
• Reflect the bank’s business, culture, vision
• Identify and quantify compliance risks
• Build compliance into business processes and culture – who is responsible?
• Supported by a risk-based compliance program
• Demonstrate strong communication and accountability
CMS
Interdependent Elements
• Board and Management oversight
• Compliance program
• Compliance monitoring and audit
Management Responsibilities
• Clear and unequivocal expectations
• Clear policy statements
• Authority and accountability
• Adequate resources
• Periodic compliance audits
• Reports to the Board
• Issue tracking and resolution
Board Responsibilities
• Understand Requirements
• Delegate Authority, but not Responsibility
• Ensure Qualified Management
• Provide Adequate Resources
• Supervise Management
– Establish policies
– Monitor implementation
– Provide for independent reviews
– Address supervisory reports
• Maintain Independence
Risk-Based Approach
Compliance Risk-Based Program
• Risk Matrix/Applicability
• Risk Assessments
• Risk Assessment Concepts/Methods
• Success Factors
Applicability Matrix (diagram)
• Regulator and Institution Type -> Applicable Universe of Laws, Regulations, and Guidance
• Business Lines, Delivery Channels, Products/Services, and Practices
• Applicability Matrix -> REQUIREMENTS: Risk Assessment, Policies and Procedures, Internal Controls, Training, Internal Audit, Self Assessment, Monitoring
Risk Assessments
• Compliance
• BSA/OFAC/Customer Risk Rating
• Information Security - GLBA
• ACH (Cash Management/Electronic Banking)
• Red Flag Assessment
Risk Assessment Terms and Concepts
• Inherent Risk vs. Residual Risk
• Exposure – Extent of Possible Damage
• Likelihood – Probability of an Event Occurring
• Risk Tolerance Measurements
• Risk Controls
• Risk Ranking and Heat Map
Risk Tolerance Measurements
• Events that Establish Management’s Tolerance for Risk.
• Examples:
– Regulatory Violations and fines
– Customer Complaint Letters
– Regulatory Exam Criticism
Risk Controls
• Risk controls relate to activities that are implemented to reduce the likelihood of an exposure event occurring. These activities include both preventive and detective controls:
• Preventive measure
– Training/automated system
• Detective measure
– Review after the fact. Can also mean audit and monitoring activities
Mitigating Controls – rating scale
• Strong: Effective oversight, comprehensive policies, accurate reporting and strong internal controls.
• Acceptable: Average oversight, good policies, fair reporting and adequate internal controls.
• Weak: Ineffective oversight, inappropriate or missing policies, minimal reporting and/or insufficient internal controls.

Risk Assessment Worksheet (sample)
Business Unit/Department: Consumer Lending - Underwriting
Manager: John Doe
Date: June, 2007
Columns:
– Inherent Risk Level (Risk Without Controls): Potential Impact, Likelihood of Occurrence (1=Low, 5=High)
– Mitigating Controls (Strong - Acceptable - Weak): Sr. Executive Management Oversight; Risk Measurement, Monitoring & Reporting; Policies and Procedures; Internal Control Environment
– Residual Risk Level (Risk With Controls): Potential Impact, Likelihood of Occurrence (1=Low, 5=High)
Risk Components (#): 1 Credit / Concentration, 2 Interest Rate, 3 Liquidity, 4 Operations, 5 Regulatory Compliance, 6 Strategic, 7 Price / Market, 8 Reputation, 9 Transaction, 10 Information Technology, 11 Reporting
Each scored column is summed to a weighted total and divided by the # of items to give an average. Department summary line (Consumer- Underwriting), in column order: 45/10 = 4.5, 34/10 = 3.4, 35/9 = 3.9, 26/9 = 2.9.
[Per-component scores and control ratings are not recoverable from the flattened table.]
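The inherent/residual heat-map worksheet above, as an added Python example that is not from the presentation: it scores each component as impact × likelihood on the slide's 1-5 scales, ranks components for the heat map, computes the department average line, and flags any residual reduction that is not backed by the Mitigating Controls ratings. The heat-map cut-offs, the component scores and the control ratings are constructed assumptions.

```python
# Risk assessment worksheet in the shape of the slide's inherent/residual heat map; an added
# illustration, not the presenter's tool. All scores and control ratings below are constructed.
from dataclasses import dataclass

CONTROL_RATINGS = ("Strong", "Acceptable", "Weak")  # Mitigating Controls legend on the slide
CONTROL_AREAS = ("Sr. Executive Management Oversight", "Risk Measurement, Monitoring & Reporting",
                 "Policies and Procedures", "Internal Control Environment")

@dataclass
class RiskComponent:
    name: str
    inherent: tuple  # (potential impact, likelihood of occurrence), each 1=Low .. 5=High
    residual: tuple  # the same pair, re-assessed with controls in place
    controls: dict   # control area -> rating

    def __post_init__(self):  # reject scores off the 1-5 scale and unknown ratings
        for pair in (self.inherent, self.residual):
            if len(pair) != 2 or not all(1 <= v <= 5 for v in pair):
                raise ValueError(f"{self.name}: scores must be two values in 1..5")
        for area, rating in self.controls.items():
            if area not in CONTROL_AREAS or rating not in CONTROL_RATINGS:
                raise ValueError(f"{self.name}: unknown control area/rating {area!r}={rating!r}")
def score(pair):  # exposure x likelihood on the 1-5 scales: the 1..25 heat-map cell value
    impact, likelihood = pair
    return impact * likelihood
def heat_band(s):  # constructed 5x5 heat-map bands; the slide shows the map, not its cut-offs
    return "High" if s >= 15 else "Medium" if s >= 8 else "Low"
def control_gap(c):
    """Residual risk should only fall as far as the controls justify: if the residual score is
    below the inherent score while a control area is Weak or unrated, return those areas."""
    reduced = score(c.residual) < score(c.inherent)
    return [a for a in CONTROL_AREAS if c.controls.get(a, "Weak") == "Weak"] if reduced else []

def averages(components):  # department summary line: column averages, rounded as on the worksheet
    n = len(components)
    cols = {"inherent_impact": [c.inherent[0] for c in components],
            "inherent_likelihood": [c.inherent[1] for c in components],
            "residual_impact": [c.residual[0] for c in components],
            "residual_likelihood": [c.residual[1] for c in components]}
    return {k: round(sum(v) / n, 1) for k, v in cols.items()}

def ranked(components):  # risk ranking: highest residual score first, ties broken by inherent score
    order = sorted(components, key=lambda c: (score(c.residual), score(c.inherent)), reverse=True)
    return [(c.name, score(c.residual), heat_band(score(c.residual)), control_gap(c)) for c in order]

ALL_STRONG = dict.fromkeys(CONTROL_AREAS, "Strong")
SAMPLE = [  # constructed scores for three of the slide's risk components
    RiskComponent("Credit / Concentration", (5, 3), (4, 2), ALL_STRONG),
    RiskComponent("Regulatory Compliance", (5, 4), (4, 2), {**ALL_STRONG, "Policies and Procedures": "Weak"}),
    RiskComponent("Liquidity", (3, 3), (3, 3), dict.fromkeys(CONTROL_AREAS, "Acceptable")),
]
```

In the sample, Regulatory Compliance is flagged because its residual score drops from 20 to 8 while Policies and Procedures is rated Weak, which is the kind of entry a compliance audit should question rather than accept.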
Success Factors
• Measurable outcomes from a risk-based compliance program should include:
– Risks are identified, measured and subject to a control structure
– Supported by tailored policies, procedures and functional controls at the business level
– The compliance monitoring schedule and testing program has been set around the risk profile
– Results are reported effectively and tracked
Compliance Training
Compliance Training
• Board, Management, Staff
• Job-specific, Role-based
• Blended learning
– Online
– Classroom
• Recordkeeping
Compliance Monitoring and Auditing
Compliance Monitoring
• Risk-based, proactive testing
• Self-monitoring at the department level
• Monitoring by the Compliance Department
– New products, services, delivery channels
– New or amended regulations
– New staff
• Tracking corrective actions
Compliance Auditing
• Integrated Audits
– Test compliance with high-risk laws and regulations during operational audits
• Targeted Compliance Audits
• Compliance Function Audit
– Evaluate the effectiveness of the compliance function
Communication
Communication
• The biggest challenge in communication is to first think through the following basic concepts:
– Audience
– Purpose of the communication
– How do you need the audience to respond
– Level of detail needed for the purpose
– Risk level of content
– Importance of timing and frequency
Types of Communication
• Risk Assessments
• Program and Scope overviews
• Monitoring/Audit reports
• Board/Management reports
• Open issue tracking reports
• Program status and progress reports
• Business unit monitoring results
Recommended Steps
• Take a deep breath
• Sit back and relax
• Review where you are
• Consider: is your message heard?
• Does your program have the right risk-based balance?
• Write down 5 action steps to improve your program
Thank You
John E. Palmer, CPA
Managing Director/Principal
[email protected]
Office: (954) 489-2712
Cell: (954) 806-1863