Today’s best practices for compliance risk assessment
Data, data and even more data. Data ad infinitum. Data ad absurdum. Data ad nauseam. It’s enough to clog up your computers and boggle your mind.
Executives at TD Bank know that data feeling, especially when they prepare compliance risk assessments. On the one hand, TD typically finds staff members more cooperative and knowledgeable than in the past.
But on the other, the growing amount of data required from those staff members can be daunting. And the challenge of linking data across various business units doesn’t help, either.
“The largest concern our business units raise now is the sheer number of risk assessment processes covering multiple risks,” says Ken Marcuse, executive vice president and chief compliance officer for TD Bank. “This is generally executed in silos, leading to inefficiency. Integrating these disparate risk assessment processes is now a major focus.”
The data is needed in large part because regulators and examiners today know more about the process than even five years ago. Thus, they ask more probing questions—and request more relevant data—than in the past.
“When you talk about your degree of inherent risk, regulators want more proof,” says Salvatore LaScala, managing director and co-head of global investigations and compliance for Navigant Consulting. “They want a lot of documentation and they want banks to make the whole process more transparent.”
Additionally, many more areas of banking need to conduct risk assessments.
Once limited to anti-money laundering and bank secrecy issues, risk assessment has expanded to include areas such as fair lending and data security concerns, says Carl Pry, managing director of Treliant LLC.
Technology can ease the data collection burden, and the tools available have improved greatly, though the software integration and analysis side still needs work.
“Especially with community banks, there had been a lot of temptation to do the work on Excel spreadsheets,” Pry says. “But increasingly, banks are taking advantage of the governance, risk management and compliance [GRC] systems out there. That can make the process a lot easier.”
But compliance-savvy banks shouldn’t rely too much on technology to do their jobs. “You have to make sure your people are trained to handle the oversight of the technology,” says LaScala. “You need to govern the process effectiveness from pre- to post-implementation.”
“Oftentimes compliance training is not linked closely enough to the day-to-day work of the bank, its compliance issues and overall strategic goals,” says BAI managing director Karl Dahlgren. “Instilling a compliance culture in a bank through training and leadership support not only helps the organization avoid regulatory fines; it also leads to a better customer experience and more robust bottom line.”
Commitment and consistency in compliance
All this requires full commitment from the staff of every business unit affected. Marcuse says TD Bank’s staff have increasingly bought in to addressing risk in their units as they become more comfortable with the process and understand what it requires of them. But Pry says that isn’t always the case at other banks.
“Compliance risk belongs to the business units,” Pry notes. “The compliance department exists to assist the business units in identifying and developing controls to mitigate risks. But controls should be performed within the lines and business units must take ownership of the process.”
Pry points out that buy-in isn’t a given, and management at many banks presents the process as something that must be done solely to meet regulatory requirements. To get the best results, management must present it as an opportunity for business units to better understand their own operations.
“It’s easy to get bogged down in the methodology and analysis,” Pry says. “But a good assessment gives banks a better understanding of their units and can drive important decisions dealing with resources and priorities. If you view risk assessment as an academic exercise just to satisfy regulations, you will fail. You won’t get meaningful insight into your business.”
LaScala agrees with the need to involve staff in the process: “You’re taking up their time and energy, so educate them on what you’re doing and show them the process. If you can get them to have a meaningful discussion about their risk and what they’re doing to mitigate it, you’ll have a better product.”
Thus all staff involved need to understand exactly what “inherent risk” is.
“We do not focus on the confusing ‘imagine there were absolutely no controls in place’ concept,” Marcuse says. “Instead, we look at the risk of the external regulatory and business environment for the particular rule and business, product or service in question.”
Meanwhile, some tricky ratings issues need addressing. One involves the correct scale to use in assessing risk. There has been debate as to whether “low-moderate-high” risk assignment is better than a “1 to 5” designation.
Experts cite merit in both systems. Marcuse says TD chose the low-moderate-high scale because it aligns to company-wide risk assessment scales.
Consistency is the best variable to consider. “It’s important to use the same methodology throughout,” Pry contends. “Your anti-money laundering and bank security should be the same scale as used to evaluate risk in lending and information security.”
Ultimately, conformity among business units, staff cooperation and advanced technology can help banks deal with the flood of data that goes into the whole risk assessment process.
And in the end, they’ll come up with reports that get the regulators off their backs—while leaving their operations with the wind at their backs.
Now how about data?
Lauri Giesen has spent more than 25 years writing about banking technology and payments for numerous business and financial publications. In the 1990s, she founded and edited Financial Service Online, a magazine covering Internet-based forays into banking and investment services.