As a consulting firm working with numerous banks, Doran Jones has insight into many of the challenges facing the industry. This article will cover five issues that banks are facing in 2023, why they need to be addressed quickly and how to successfully make meaningful progress.
A Reactive Versus Proactive Approach to Risk and Compliance
|The Issue||Many banks fail to identify and address business problems until they are discovered in an internal audit or external regulatory examination.|
|Why it Needs to be Addressed||When issues are identified during an audit or regulatory examination, the best-case scenario is that the firm will have to quickly put together and execute a remediation plan. In a worst-case scenario the bank will receive a monetary penalty or other punitive regulatory action (usually accompanied by negative media coverage) in addition to having to remediate the issue within a tight deadline. Extreme examples of failing to address issues have resulted in bank failures such as the collapses of Silicon Valley Bank, Signature Bank and First Republic Bank.|
|How to Make Progress||A proactive approach to risk and compliance requires an effective risk and compliance framework that includes processes to self-identify and remediate issues, including:
· Compliance and business assessment processes to identify, document and rate regulatory and operational risks and the controls designed to mitigate those risks.
· Ongoing monitoring of the risks and controls by the business.
· Periodic compliance and control testing by a dedicated team within Compliance.
· Effective Issue Management Policies and Procedures to oversee the remediation of identified issues.
· Effective Change Management policies and procedures to ensure that risk and compliance processes and systems have kept pace with new product offerings and business growth.
· Effective Regulatory Change Management policies and procedures to ensure that the bank complies with regulatory changes.
While most banks have at least some of these elements in place, they are not always comprehensive and effective (some of the reasons for this will be addressed later in this article).
On May 25, the OCC announced revisions to its Policies and Procedures Manual for bank enforcement actions that allow it to take action against banks with persistent risk and compliance weaknesses, which could include “three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”
Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”
Insufficient Enterprise-Wide System/Data Integration
|The Issue||The rapid pace at which banks have been growing, whether through acquisition or organic means, often results in the use of disparate systems that cannot “speak to each other” in order to efficiently share data. This lack of integration requires manual processes to move data from one system to another, which is highly inefficient and prone to errors. While the business operational implications are obvious, the adverse effect this has on reporting should not be overlooked.|
|Why it Needs to be Addressed||From a risk and compliance perspective, data reporting errors could result in:
· Erroneous risk metrics potentially hindering management’s ability to allocate risk management resources where they are most needed and determine effectiveness of operational controls;
· Inaccurate reports to regulators; and
· Operational losses that could adversely impact the financial integrity of the bank.
Any one of these is likely to result in regulatory actions, including sanctions and fines, reputational damage and a loss of depositor and shareholder confidence.
According to the OCC, “Information provided by management in reports should be accurate, timely, and sufficiently detailed to oversee the bank’s safe and sound operation…” and “Development of meaningful systems and their proper use lessen the probability that erroneous decisions will be made because of inaccurate or untimely information. Erroneous decisions invariably misallocate or waste resources, which may adversely affect earnings or capital.”
|How to Make Progress||There are a number of approaches to system integration and a thorough assessment needs to be performed to identify the most efficient and cost-effective solution. While a detailed discussion is beyond the scope of this article, common approaches include:
· Data Integration: the process of gathering data through an Application Programming Interface (API), or other method, to bring data from various sources to one centralized access point.
· Legacy System Integration: if a business is using legacy systems that are critical to day-to-day operations, it will often modernize them to communicate with newer information systems.
· Enterprise Application Integration (EAI): brings data from different programs and applications together into one business environment.
Whatever method is used, a robust data governance infrastructure should be built into the architecture.
A Propensity to Underestimate Risk
|The Issue||Banks are required to perform ongoing compliance and operational risk assessments. Because higher risk processes and controls require more resources for monitoring and maintaining the appropriate level of risk mitigation, the business (and sometimes even Compliance) often has a bias towards understating the level of higher risk items.|
|Why it Needs to be Addressed||Underestimating risk can have serious consequences:
· Monetary Losses: resulting from losses to investment or loan portfolios, embezzlement, fraud, system breaches and other operational control failures.
· Regulatory: we have seen numerous examples of regulators seeing through inaccurate risk ratings and taking regulatory action against management for failing to understand and effectively manage their institution’s risk.
· Reputational: serious operational losses and regulatory actions make for compelling headlines and can result in losing business and the confidence of depositors and shareholders.
· Operational Disruption: leading to delays, downtime, or even failure of critical business functions.
In January, the Basel Committee on Banking Supervision issued a report on risk-weighted assets for market risk which found that banks that were more aggressive in their risk assessments produced risk ratings one-eighth as risky as those of their more conservative counterparts, and stated, “While some variation in risk weightings should be expected, excessive variation arising from bank modelling choices is undesirable when it does not reflect actual risk-taking.”
|How to Make Progress||In an operational risk assessment, a bank should assess the processes underlying its operations by:
· Create a library of potential threats and vulnerabilities and consider their potential impact in Risk Control Self Assessments (RCSA);
· Evaluate inherent risks for each process based on clearly defined criteria;
· Evaluate the effectiveness of existing controls designed to mitigate those risks;
· Apply the control score to the inherent risk score to determine a residual risk rating; and
· Create scorecards based on the RCSAs by weighting residual risks, providing a means of translating the RCSA output into metrics that rank the control environment.
Compliance risk assessments follow the same procedure, but the risks evaluated against each process are drawn from a library of applicable regulations.
To ensure accurate and comparable scores, it is important that the factors for evaluation be precisely defined in the procedures.
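The five RCSA steps above, carried through as an added example (not the article's or Doran Jones's own scoring method): the 1-to-5 scales, the residual-risk formula, the rating bands and the sample processes are all assumptions constructed for illustration, and the point is that once the factors are precisely defined, residual scores and the weighted scorecard ranking become reproducible and comparable across processes.

```python
from dataclasses import dataclass

# Assumed scales (not from the article): inherent risk and control effectiveness
# are each scored 1..5 against criteria a bank's procedures would have to define.

@dataclass
class RiskItem:
    threat: str          # entry from the threat/vulnerability library
    inherent: int        # inherent risk of the process, 1 (low) .. 5 (high)
    control: int         # effectiveness of the mitigating control, 1 (ineffective) .. 5 (fully effective)
    weight: float = 1.0  # scorecard weight for this item within its process

def residual_score(inherent: int, control: int) -> float:
    """Apply the control score to the inherent score (assumed formula):
    a fully effective control (5) leaves 20% of the inherent risk,
    an ineffective control (1) leaves all of it."""
    if not (1 <= inherent <= 5 and 1 <= control <= 5):
        raise ValueError("scores must be on the 1..5 scale")
    return round(inherent * (1 - (control - 1) / 5), 2)

def residual_rating(score: float) -> str:
    """Translate a residual score into a rating band (bands are an assumption)."""
    if score <= 1.5:
        return "Low"
    if score <= 2.5:
        return "Medium"
    return "High"

def process_scorecard(items: list[RiskItem]) -> float:
    """Weighted residual score for one process; higher means a weaker control environment."""
    total_weight = sum(i.weight for i in items)
    weighted = sum(residual_score(i.inherent, i.control) * i.weight for i in items)
    return round(weighted / total_weight, 2)

def rank_processes(rcsa: dict[str, list[RiskItem]]) -> list[tuple[str, float, str]]:
    """Rank processes worst-first so monitoring and testing effort goes where residual risk is highest."""
    rows = []
    for name, items in rcsa.items():
        score = process_scorecard(items)
        rows.append((name, score, residual_rating(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample RCSA for two processes (illustrative values, not real bank data).
SAMPLE_RCSA = {
    "Wire transfers": [
        RiskItem("Unauthorized payment release", inherent=5, control=4, weight=2.0),
        RiskItem("Manual data entry error", inherent=4, control=2, weight=1.0),
    ],
    "Regulatory reporting": [
        RiskItem("Spreadsheet formula error in report", inherent=4, control=1, weight=1.5),
        RiskItem("Late submission", inherent=3, control=5, weight=1.0),
    ],
}
```

Running `rank_processes(SAMPLE_RCSA)` places regulatory reporting above wire transfers even though wire transfers carry the highest single inherent risk, because the weak control over the spreadsheet-driven report leaves more residual risk.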
Insufficient Resources Allocated to Risk and Compliance
|The Issue||As a non-revenue generating cost center, risk management and regulatory compliance are often not allocated sufficient resources to provide the level of support that the regulators expect.|
|Why it Needs to be Addressed||Banks are learning the hard way that such a myopic approach is going to cost them more in the long run. There have been many examples of banks with under-resourced risk and compliance programs facing regulatory actions that require them to spend large sums to remediate the gaps in addition to substantial fines that significantly inflate the cost. When you also factor in the potential loss of business from reputational damage, it should be clear that such an approach is not cost effective in the end.|
|How to Make Progress||Banks need to find cost-effective ways to build risk and compliance programs that will meet regulatory expectations and recognize it as a necessary long-term investment in the organization. Banks should perform a realistic assessment of the current state of their risk and compliance programs and identify any gaps that need to be addressed before the regulators do. Costs can be controlled through careful planning and taking a risk-based tiering approach to address the gaps. It can also be more cost-effective to outsource the assessment and remediation process, rather than hire permanent staff. Once an effective program is established, the bank can effectively maintain it with existing resources.|
Over-Dependence on Manual Processes and EUCs
|The Issue||As banks grow their business with new products and services, they rely heavily on manual processes and ad-hoc End User Computing (EUC) tools, particularly spreadsheets, to support business operations. While these are usually intended to be temporary, they tend to remain in place indefinitely as management pursues short-term profits at the expense of long-term efficiency.|
|Why it Needs to be Addressed||As new operations grow these short-term solutions become more complicated, cumbersome and prone to errors. In the case of important risk and compliance control functions, these errors put the bank at significant risk of financial loss, adverse publicity, and punitive regulatory actions, including monetary fines. The regulators take a dim view of important risk and compliance functions that are overly dependent on manual processes and EUCs.
Spreadsheet-based EUCs (estimated to comprise 95% of all EUCs) are particularly risky as they are subject not only to data entry errors but also to errors resulting from erroneous spreadsheet logic, formulas and links to outside data. In fact, studies by Raymond Panko at the University of Hawaii show that 90% of spreadsheets with more than 150 rows contain errors, and the European Spreadsheet Risks Interest Group estimated that more than 90% of all spreadsheets contain errors. Another risk associated with EUCs is that staff turnover can create a problem if critical knowledge of the EUC is lost.
|How to Make Progress||Considering the risks associated with EUCs, banks need to have in place a robust EUC Management process that:
· Inventories EUCs;
· Assigns criticality ratings to the EUCs based on the quantitative (dollar loss) and qualitative (reputational risk, financial exposure, loss of business functionality, regulatory enforcement actions) impact on the business if these files were lost or otherwise unknowingly damaged or altered;
· Establishes a policy that includes rules for documenting, testing and maintaining the inventory of EUCs based on their criticality categorization; and
· Closely monitors EUC-related errors to identify trends that would warrant additional actions, including replacing the EUC with an automated solution.
Given the level of effort required to manage EUCs and the vast number of EUCs used by the typical bank, it makes sense for banks to employ automated solutions for their most critical processes. In addition to reducing operational and compliance risks, the investment in automated solutions can bring about extensive savings in the long term by eliminating the need to rely on cumbersome and labor-intensive manual processes.
It is worth pointing out that there are several recurring themes as it relates to these issues and how regulators are reacting to the recent banking crisis:
- Regulators are holding senior Management and boards responsible for identifying, understanding and remediating the risks of their business;
- Banks cannot afford to limit resources for risk and compliance functions that are critical to their ongoing safety and soundness;
- When it comes to risk and compliance, solutions that save money over the short term can end up costing dearly over the long term; and
- Regulators are taking a more aggressive approach to identifying and dealing with risk and compliance issues.
In light of the recent bank failures and the response of regulators, Doran Jones has created a Risk and Compliance service offering.