I recently looked back at 2010, and the predictions I made a year ago. This post begins a series of the top regulatory compliance trends for the current year. I’m going to focus on the top 5, and my sources for these are the following:
- Recent audit and examination experience from our customers
- Recently released regulatory guidance
- Discussions with my compliance advisory committee (consisting of a policy consultant and 3 IT field auditors)
- A recent survey conducted among bank auditors and examiners.
For a topic to be included in this list, it had to have been validated in at least two of the four sources. My first trend was validated in all four:
Enterprise-Wide Risk Assessments
If this one sounds familiar, it was on last year's list as well. And I would have left it out this year except for the fact that just last week an institution had a finding from a State examiner that moved it from off the list to the top of the list.
My original motivation for this was an article that appeared in the FDIC Supervisory Insights newsletter in November, 2009. The article was titled: From the Examiner’s Desk: Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk. (The article is excerpted here.) As you can tell from the title, it’s pretty clear that enterprise-wide risk assessments are the future. The only question was how quickly the new standard would be adopted by the regulators. I thought it would have been in 2010, and apparently it just made it.
According to the State examiner's finding:
“…the bank’s internal auditor, in conjunction with department heads and the Board, should develop an enterprise-wide risk assessment that identifies and assigns a risk grade to every major function of bank operations.”
I’m not surprised that this new standard found its way into examinations, but I am a bit surprised that we first saw it in a State exam. Nevertheless, the fact that the guidance is out there, and that we are now seeing it reflected in examiner expectations, means this is trend #1.
And just to underscore the point, the survey (more on that in a future post) had the following responses when asked: What is the current regulatory expectation and standard for documenting the assessment of risk?
- Customer Information Risk Assessment: 0.0%
- Information Security Risk Assessment: 30.0%
- Enterprise-wide Assessment of Risk: 70.0%
AND my advisory committee agrees, so a clean sweep of all sources. So how do you document adherence to this enterprise-wide standard of risk assessment? The full answer is too complicated to adequately address in this post (I promise to give it justice in a future post), but in short, make sure you include the following risk categories in your risk assessment:
- Strategic Risk
- Operational/Transactional Risk
- Reputation Risk, and
- Legal/Regulatory Risk
Also, make sure you document both the inherent risk (prior to the application of control measures), and the residual risk (after controls).
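To make the documentation requirement concrete, here is a small risk-register checker as an added example; it is not from the original post or from any regulator's guidance. It assumes (my assumptions, not the post's) that each major bank function is scored on a 1 to 5 likelihood and impact scale, that a control's effectiveness is a fraction from 0 to 1 that reduces the inherent score to a residual score, and that scores are bucketed into Low, Moderate and High grades at thresholds I chose for illustration. The function names and scores are constructed sample data. The checker records both inherent and residual risk for each of the four categories named above and reports a finding whenever a function is missing one of them.

```python
"""Enterprise-wide risk register: inherent vs. residual risk per bank function.

Added example, not from the original post. Scoring model (an assumption):
score = likelihood x impact on 1..5 scales; residual = inherent x (1 - control
effectiveness); grades use illustrative thresholds chosen here.
"""
from dataclasses import dataclass, field

# The four categories the post says every assessment must include.
REQUIRED_CATEGORIES = (
    "Strategic",
    "Operational/Transactional",
    "Reputation",
    "Legal/Regulatory",
)


@dataclass
class RiskEntry:
    category: str
    likelihood: int                    # 1 (rare) .. 5 (almost certain)
    impact: int                        # 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0 # 0.0 = no controls, 1.0 = fully mitigated

    def inherent(self) -> int:
        """Risk before any control measures are applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after controls are applied."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 1)


@dataclass
class BankFunction:
    name: str
    entries: list = field(default_factory=list)


def grade(score: float) -> str:
    """Bucket a numeric score into a risk grade (thresholds are illustrative)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def assess(functions):
    """Return (report, findings).

    report maps function name -> inherent/residual scores and grades per category
    plus an overall grade (the worst category). findings lists documentation gaps
    an examiner would flag: missing categories or out-of-range inputs.
    """
    report, findings = {}, []
    for fn in functions:
        seen = {e.category for e in fn.entries}
        for cat in REQUIRED_CATEGORIES:
            if cat not in seen:
                findings.append(f"{fn.name}: no assessment for {cat} risk")
        for e in fn.entries:
            if not (1 <= e.likelihood <= 5 and 1 <= e.impact <= 5):
                findings.append(f"{fn.name}/{e.category}: likelihood and impact must be 1..5")
            if not 0.0 <= e.control_effectiveness <= 1.0:
                findings.append(f"{fn.name}/{e.category}: control effectiveness must be 0..1")
        inherent = {e.category: (e.inherent(), grade(e.inherent())) for e in fn.entries}
        residual = {e.category: (e.residual(), grade(e.residual())) for e in fn.entries}
        report[fn.name] = {
            "inherent": inherent,
            "residual": residual,
            "overall_inherent": grade(max(s for s, _ in inherent.values())) if inherent else None,
            "overall_residual": grade(max(s for s, _ in residual.values())) if residual else None,
        }
    return report, findings


# Constructed sample data: one complete assessment and one with gaps.
SAMPLE_FUNCTIONS = [
    BankFunction("Wire Transfers", [
        RiskEntry("Strategic", 2, 4, 0.25),
        RiskEntry("Operational/Transactional", 4, 5, 0.60),
        RiskEntry("Reputation", 3, 5, 0.50),
        RiskEntry("Legal/Regulatory", 3, 4, 0.50),
    ]),
    BankFunction("Online Banking", [  # Strategic and Reputation never assessed
        RiskEntry("Operational/Transactional", 4, 4, 0.75),
        RiskEntry("Legal/Regulatory", 2, 3, 0.0),
    ]),
]


if __name__ == "__main__":
    rep, gaps = assess(SAMPLE_FUNCTIONS)
    for name, r in rep.items():
        print(f"{name}: inherent={r['overall_inherent']} residual={r['overall_residual']}")
    for g in gaps:
        print("FINDING:", g)
```

Keeping both the inherent and residual scores in the register, rather than only the residual, is what lets an examiner see that the grade assigned to a function reflects the controls you actually have, and the findings list gives you the same "missing category" check before the examiner does.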