The Office of the Comptroller of the Currency (OCC) published final guidelines that establish minimum standards for risk governance frameworks for OCC regulated institutions with over $50 billion in assets. While that asset threshold would seem to specifically exclude most community banks, the OCC has reserved the right to apply the guidelines to other organizations if the OCC determines there is a heightened risk or highly complex state of operations.
The guidance sets clear “tone at the top” requirements for active participation in risk management by regulated financial institution boards of directors. By labeling the requirements as guidelines vs. regulations the OCC provides some flexibility to apply risk management discretion if remediation plans are not meeting their expectations. Required compliance effective dates are staggered based on asset size, resulting in a cadence of implementation across financial institutions for the next eighteen months. Future enforcement actions by the OCC will provide insights to how they view the adequacy of an organization’s adoption of the guidelines.
While media headlines continue to focus on cyber security risk, the published risk management guidance from either oversight of third parties or consumer protection, demonstrate the need to broaden risk management and controls to non-information technology areas of focus. Operational risk and regulatory compliance audits and assessments require formalized oversight mechanisms to demonstrate compliance.
The implementation of the heightened expectations risk requirements will influence the risk and control activities across multiple compliance topics for the larger institutions. The resulting up-tick in the focus on overall governance may actually become a tipping point for even smaller organizations to apply the heightened expectations principals more as a best practice. The guidance is broken into three parts:
Regardless of the size of your financial institution, implementing sound risk management controls is good for your business. Risk management and control activities should be assessed and reviewed on a periodic basis as the risk environment changes. Here are three simple steps any organization can take to review their existing risk management program to reflect the current market landscape:
1. Assess risk management structures within your organization
Review your current regulatory inventory of the laws, rules, regulations, and standards that apply to your business. Create a checklist to identify your current risk management and control mechanisms to determine any new topic areas that need to be addressed. Assess your internal processes, oversight committees, working groups and update their charter, with clearly identified purpose, scope and roles/responsibilities for policy governance and oversight. Review the current skill sets and expertise at your Board of Directors to identify any gaps in risk management knowledge or experience. Build a timeline to show staffing levels for key assurance and audit functions to assess capacity and sufficiency of resources to manage oversight. Create operational risk talking points – the “elevator speech” to help executive management more effectively communicate and articulate how they are addressing risk and compliance in their functional areas. Create reminder training to business line leaders, and front line staff regarding their role in risk management and compliance.
2. Update risk management reporting scope and frequency
Management level risk reporting can no longer simply be a status update exercise. Assess your criteria for risk management status: Red, Yellow, Green status may need crisper definition or trigger points for escalation at a more frequent basis to demonstrate accountability. Review and refresh the scope and frequency of risk management reporting for the Board of Directors, Audit Committees, Senior Management, and Lines of Business. With broader obligations for regulatory compliance and operational risk, determine the need to conduct education on risk for board members and executives. Broaden the depth of risk management content provided to the Audit Committee and Board of Directors with enhanced reporting so that the Board can more actively participate in evaluating the effectiveness of executive management in managing risk. While only larger institutions will be immediately examined for their risk appetite statement, the process to define and create that statement can identify gaps in risk coverage for your existing risk management reporting.
3. Leverage industry frameworks for risk management and controls
Changes in business and operating environments require updates to risk approaches. Information Technology functions have focused on leveraging the National Institute of Standards and Technology (NIST) cyber security framework. Publicly held companies subject to Sarbanes-Oxley (SOX) Section 404 compliance may be upgrading to 2013 COSO Framework. Leverage the industry resources available for assessing key functions, including: control environment, risk assessment, control activities, information & communication, and monitoring functions. Identify tools to conduct self-assessments of the adequacy of control committees, or roles and responsibilities for control process owners within your organization.
The pendulum for risk management and corporate governance has shifted sharply in today’s regulatory landscape. Initial compliance to the heightened expectations requirements will shift resource allocation within larger financial institutions to risk and audit functions. The themes and principles for governance learned from enforcement actions can be a good indicator for community banks for areas of focus to apply within their own organization. Building a three year strategic plan on how to address your financial institution’s current and expected risks will enable your organization to respond more effectively to further shifts in regulatory expectations. Most financial institutions and service providers have codes of conduct or value statements – today’s landscape makes those statement an integral aspect to your risk management program. The principles of the minimum standards can serve as a building block to the risk management program foundation your organization maintains. The heightened expectations raise the profile of the risk management and compliance function for all players in the financial services landscape.
Linnea Solem is the Chair of the Shared Assessments Program and is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation. Linnea is a management professional with 20+ years financial services experience in areas eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.
Reposted with permission from Deluxe Blogs