Lifeblood of your Compliance Program – Risk Assessments and Auditing Internal Controls

Posted by: Raza Shahid


So here you are: it's either the beginning of a new year, maybe a new quarter, or, more poignantly, the examiners have just finished their review of your bank.  Whatever the impetus, there you sit at your desk with an all-too-familiar task ahead of you; it's time to perform a risk assessment and audit of your internal controls.

Not Just an exercise, it’s an opportunity!

More often than not, we come to see risk assessments as an exercise specifically for the purpose of meeting a regulatory requirement.  In many cases, these assessments are completed and put away without being looked at until it is time to do an annual update.  But there is another way to view the process.  Instead, it is an excellent idea to take a look at the following at a minimum:

  • The areas where there have been regulatory or internal audit findings in the past
  • The types of products that your Bank offers and the risks associated with those products
  • New products or services that are being contemplated
  • The management reports that are currently being generated by software
  • Changes in regulations that might affect the bank
  • Changes in staff that have occurred or are planned.

Really tell the story of your Bank

Like all good coaches, as a compliance or risk officer you know the areas where your team is the weakest.  The risk assessment process provides the opportunity to lay out the strengths and weaknesses in your overall program and to coach around the weaknesses while playing to the strengths. The risk assessment process helps you make sure that your compliance plan is designed to address the areas of greatest need from the outset.  If training has been a concern, for example, then make sure that you have addressed the root of the problem.

Know what the Risks Really Are

After all of the information necessary for completing the analysis has been compiled, we suggest using an analysis that doesn't necessarily assign numbers to risk, but prioritizes the potential for findings.  Remember, the effectiveness of your compliance program is ultimately judged by the level and frequency of findings.  The effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reduction of risk.

Make sure that the scope of the audits that you are getting will actually meet your needs and give you information on how things are going.  We note that regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank.  The internal audit is an important tool that should be used to help find areas that need attention.  It is true that the auditor is your friend, even if it may not seem that way during the audit!  The results of audits should be taken seriously and positively, as this is your opportunity to determine levels of compliance without having regulatory problems.

Don’t be afraid to ask for help

To complete the analysis it is necessary to be self-reflective, honest and brutal!  If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness.   If more training is necessary, or, if heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management.  We have found that the cost of compliance goes up geometrically when a bank is faced with enforcement action.  It is much more efficient to seek the assistance when there are only potential problems as opposed to when actual problems have been found.

Make the Risk Assessment Dynamic

There is a parable that says that if you want to prove that God has a sense of humor, then try making your own plans.  There is no question that even the most comprehensive risk assessment can change.  For example, regulators could announce a new focus on a particular area which heretofore had been de-emphasized.  Therefore, it is important that you build flexibility into your risk assessment.  Even though you may have determined that flood insurance testing should be a major focus in the first quarter, you might find that the bigger area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  Your risk assessment must be dynamic and flexible as things change.

Use the Risk Assessment as a Resource

Once the compliance assessment is complete, make sure to make use of it!  The assessment can and should be used to help with planning and scoping audits that are to be performed during the year.  The areas of the highest risk should be addressed early and should have the most extensive scope.

The use of monitoring and reporting software should be directly tied to your risk assessment.  The OCC and the Federal Reserve have issued guidance that requires a direct link between your risk assessments and software use.

Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the potential for findings and violations exists.

As part of developing the assessment, the policies and procedures that require updating and approval should be evident.

The assessment can also be the basis for requesting additional compliance resources, including software, professional assistants or additional certifications.

Let your Risk Assessment grow into a part of your CMP 

Despite the negative emotions that the thought of a risk assessment may produce, we believe that a comprehensive risk assessment is a critical component of planning your compliance year and implementing your compliance program.  We believe that the compliance risk assessment should be the living breathing basis for the way the compliance year unfolds.

 
