Greetings to all Continuity Clients:
First and foremost I want to thank you again for the continued support and collaborative relationship with Continuity and our team over the years. You are our most important stakeholders and your success is our success.
My guess is that you have been inundated with email and social media regarding the COVID-19 virus. So I won’t add to that information overload in this communication. As with most life-altering events, there is a flood of information, some good and some not so good. Those of you who participated in our free Pandemic Risk Management Webinar and/or have taken advantage of the no-cost access to our Pandemic Risk Assessment are in good shape to handle this current situation.
That being said, my communication with you today is to reinforce three important facts.
First, Continuity as your Risk and Compliance management partner is in sound financial condition. In addition, the deeply experienced Continuity management team has navigated through numerous financial market ups and downs throughout their extensive careers and will confidently navigate Continuity through this period of uncertainty.
Second, market dynamics such as the 50 basis point interest rate reduction by the Federal Reserve are directly impacting your business. We are positioned to help guide you through this period of increased risk brought on by tighter net interest margins. Continuity’s investment via the acquisition of TraceRisk and its enterprise risk management platform (now the Continuity RiskAdvisor product line) last September allows us to provide you with critical risk assessment tools (such as the aforementioned Pandemic Risk Assessment) which enhance and complement our comprehensive Compliance platform. We hope you will reach out to us to explore the breadth of our risk solution as well as the accompanying subject matter professional services as the pressure increases on your institutions to delve deeper into risk assessment.
Third, market volatility has us enhancing and further investing in our risk management product set. Unlike some providers whose financial sponsors will be more focused on portfolio liquidity, Continuity is focused exclusively on making sure you have the tools you need to deal with the current challenges, regardless of how long they may last. To that end, our investment in products and services continues.
Again, I thank you for your patronage. We are prepared and ready to help you deal with the challenges which lie ahead. We will get through this together.
Wishing you all good health,
Michael (Mike) Nicastro
Chief Executive Officer
Reflections on the ABA Regulatory Compliance Conference
Pam Perdue, EVP, Chief Regulatory Officer
Each year when we return from the American Bankers Association Regulatory Compliance Conference, the temptation is to quickly itemize, recap and synthesize everything that we learned and experienced. This year, rather than do that immediate processing, I chose to wait a week. As the conference “high” abated, I was able to more thoughtfully reflect and see what continued to resonate with the passage of time, after the thrill ride of sessions, speakers and socializing came to an end. What was different in this year’s sessions than years past? Which themes were being echoed in our client environments? What could the industry shifts - both subtle and significant - mean to our strategic direction at Continuity? As the first Compliance Management System in our space, having been at this for ten years now, how did we view the innovations that our newer competitors were exploring and introducing to the marketplace? And how are the roles, mindsets and skill sets of compliance and risk professionals shifting in response to the ways compliance management can be delivered?
One of our perpetual strengths at Continuity has been staying ahead of the curve, and being relied upon by our clients and partners (as well as the industry) to deliver practical, pragmatic foresight on emerging issues. In that spirit, here are the high points of the 2019 conference takeaways.
Compliance is no longer an “after-thought.”
Compliance is considered as business processes are designed, developed and executed. It is increasingly embedded into the culture of the organization as well. In larger banks, compliance has been elevated to the C-suite once and for all; smaller banks continue to move in this direction, albeit more slowly. The most innovative and progressive institutions are viewing compliance as a competitive advantage: doing it better than the competition means more resources go into revenue generation versus risk mitigation.
The need for speed in decision-making and execution is accelerating. Thanks to a strong economy and increasing competition for customers, banks are facing a dynamic business environment that calls for bold and fast moves over measured and methodical approaches that have been the hallmark of the banking community. Compliance and risk professionals must be able to adapt to these faster-moving cycles, and provide insight without slowing things down or blocking progress. Although those of us in tech have been familiar with “Agile” management models for over a decade, it took banks a bit longer to embrace the idea that you can design, prototype, test and evaluate without all variables being known up front.
CMS technology is quickly becoming a “must-have” versus a “nice-to-have.” Thanks to revised examination guidelines and elevated expectations for board and management oversight, the supervisory impetus for using technology solutions is now more than a friendly suggestion. Even without the regulatory pressure, the intense focus on operational efficiencies and economies of scale is driving institutions of all sizes to evaluate how technology can aid their programs by reducing risk and improving performance at lower cost. A broader range of competitors introducing versions of compliance management systems to the market can signal only one thing: that the market is ready to embrace a technology approach to CMS oversight and that sufficient resources exist to support a broader competitive landscape. This is great news for those of us who pioneered the space, as it means the market has matured. It’s also great news for bankers, who benefit from increased competition that helps separate the excellent from the average from the not-so-great choices.
The compliance professional is expected to have a wide range of skills. In addition to being well-versed in regulatory requirements, the compliance leader of today must also have technology proficiency and data literacy, and master a wide range of managerial and “soft” skills, in order to be successful. It is also clear that a renaissance of the “generalist” leader is underway: the top executive is expected to know a little of everything versus a lot of one thing. Smaller organizations have always had to structure themselves this way, but in larger banks, the CRO or CCO are now managing highly diverse teams ranging from centralized complaint management units to CRA/HMDA collection and reporting groups and many other functions in the second line of defense.
Preparing yourself as a professional for these shifts in how compliance is viewed, how you get your work done, and how you demonstrate that your individual and organizational efforts have been effective, is the FUN part of being in the risk and compliance space. Riding the rapids of regulatory change management, controls oversight, risk management for your teams AND third parties, and monitoring your performance keeps us all alert, and it is truly for the thrill-seekers among us. Who says compliance is boring?!
With all of the changes we witnessed, one thing hasn’t changed: our desire to provide actionable insights and relevant product offerings to our friends and colleagues in banks of every size and every location. As life gets back to its daily rhythms here in Continuity’s Regulatory Operations Center™ and we resume helping the tens of thousands of bankers who rely on our solutions every day, we are already dreaming of the 2020 event in National Harbor. We hope to see you there!
Retrospective On 2018’s Top Regulatory Trends
Pam Perdue, EVP, Chief Regulatory Officer
Every year, our experts in the Regulatory Operations Center take a stroll back through the data to identify trends and themes that shaped the industry during the previous twelve months. Read on to see the disturbing discoveries we made during our deep dive into the wild ride that was 2018!
Regulatory “relief” was anything but relaxing.
2018 saw a record number of regulatory pronouncements issued that affected banks and credit unions. The 265 regulatory pronouncements issued in 2018 reflected a 20% increase from the 220 issued in 2017. On the first business day of 2019, there were 21 items already in the queue for processing by the Regulatory Operations Center.
Banks and credit unions are both still spending too much on compliance.
Because regulatory relief didn’t reduce regulatory activity, the work of managing regulatory change remained burdensome and pervasive. A number of “red flags” across multiple organizations show that compliance operations failed to gain efficiency. Most FIs still rely too heavily on human effort and too little on technology adoption, resulting in inconsistent outcomes flowing from duplicative or redundant business processes.
Enforcement actions with fines and penalties against individual directors and officers rose sharply.
An increase of 500% over the prior year included a dramatic spike in the number of actions taken against individual officers for wrongdoing, even in cases where no action was taken against their financial institution. The trend of director-focused actions persisted, with fines escalating into the hundreds of thousands of dollars per incident.
Changes in executive role expectations for risk and compliance officers are transforming the skill sets needed for peak performance.
Today’s regulatory environment demands incumbents with modern proficiencies, in areas like data literacy, business intelligence and technology implementation and integration. The domain is no longer ruled by box-checkers or grammar-sticklers, and even those with MBAs or JDs now find themselves falling behind their more tech-savvy peers who understand how to leverage and rely upon regulatory technology and business intelligence tools.
Until recently, we could predict with some accuracy, based on past performance and behaviors, how the future might unfold. No more! The year is already off to a strange start: 21 items already waiting to be analyzed by our experts (from before the shutdown), and a government shutdown that leaves us with a Federal Register that isn’t being maintained, Agency websites and support channels unattended, key public data like call reports unavailable for access, and no clear idea of when the shutdown might end. Rules issued in 2018 have raised more questions than they answered. Our prediction for 2019: greater volatility and more uncertainty. Buckle up for the wild ride ahead!
How do I Implement ERM?
Derek Yankoff, Chief Strategy Officer
What does ERM do, actually?
- Defines and assigns Risk Values (i.e., Inherent Risk, Threats, Vulnerabilities, Annual Rates of Occurrence, Annual Loss Expectancy, Risk Appetite, Risk Tolerance, and Audit Frequency) for every Subject to be assessed.
- Provides ‘use cases’ that give context to the Subjects to be assessed by risk owners and managers.
- Provides Key Risk Indicators (KRIs) which will be rated for Probability and Impact.
- Sums up Probability and Impact ratings to reach Residual Risk outcomes and help determine audit frequencies.
- Provides “How We Reached Our Conclusion” narratives for explaining current Residual Risk outcomes and offers links to your own policies, procedures, forms, memos and other documentation that support Residual Risk outcomes.
- Provides custom decision-making reports specifically designed for risk owners and managers, senior management, the Board and your regulators.
- Provides a method for performing comprehensive “bottom up” risk assessments and for performing risk assessments on emerging products, services and activities before they are deployed.
- Provides flexibility when assigning risk owners and risk managers while maintaining full administrative control and oversight by the Chief Risk Officer.
- Includes supplementary policies, procedures, accessories, tools, resources, forms and immediate, one-touch access to relevant regulatory guidance (no need to ever leave the TraceRisk website to do regulatory research).
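The scoring described in the list above (KRIs rated for Probability and Impact, the ratings summed into a Residual Risk outcome, that outcome compared against Risk Appetite and Risk Tolerance and used to set an audit frequency, plus Annual Loss Expectancy from a single-loss figure and an Annual Rate of Occurrence) can be made concrete with a small risk register. The following is an added illustration written for this page, not code from TraceRisk, Continuity RiskAdvisor or any other product; the 1-5 rating scale, the appetite and tolerance values, the audit-frequency bands and the sample Subjects and KRIs are all assumptions constructed for the example.

```python
"""Residual-risk scoring for a small ERM risk register.

Added example, not product code. Each Subject carries Key Risk Indicators
(KRIs) rated for Probability and Impact; the two ratings are summed per KRI
(the article's method), averaged per Subject into a Residual Risk score,
compared against Risk Appetite / Risk Tolerance, and mapped to an audit
frequency. Annual Loss Expectancy (ALE) is computed from an assumed
Single Loss Expectancy (SLE) and Annual Rate of Occurrence (ARO).
The 1-5 scale, thresholds and bands are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class KRI:
    name: str
    probability: int  # 1 (remote) .. 5 (almost certain) - assumed scale
    impact: int       # 1 (negligible) .. 5 (severe)     - assumed scale

    def __post_init__(self) -> None:
        for v in (self.probability, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.name}: ratings must be 1..5, got {v}")

    @property
    def score(self) -> int:
        # The article describes summing the two ratings, not multiplying them.
        return self.probability + self.impact


@dataclass
class Subject:
    name: str
    kris: list[KRI]
    risk_appetite: int            # residual score the Board is willing to carry
    risk_tolerance: int           # ceiling; above this a Risk Response is required
    single_loss_expectancy: float # assumed dollar loss per event
    annual_rate_of_occurrence: float  # expected events per year

    @property
    def residual_risk(self) -> float:
        """Mean KRI score (2..10), so Subjects with different KRI counts compare."""
        return sum(k.score for k in self.kris) / len(self.kris)

    @property
    def annual_loss_expectancy(self) -> float:
        return self.single_loss_expectancy * self.annual_rate_of_occurrence

    def audit_frequency(self) -> str:
        # Assumed bands on the 2..10 residual scale.
        r = self.residual_risk
        if r >= 8:
            return "quarterly"
        if r >= 6:
            return "semi-annual"
        if r >= 4:
            return "annual"
        return "biennial"

    def status(self) -> str:
        r = self.residual_risk
        if r > self.risk_tolerance:
            return "BREACH"          # needs a documented Risk Response
        if r > self.risk_appetite:
            return "WATCH"
        return "WITHIN APPETITE"


def build_register() -> list[Subject]:
    """Constructed sample data; not taken from any real institution."""
    return [
        Subject("Wire transfers",
                [KRI("Callback verification skipped on wire requests", 4, 5),
                 KRI("Dual control bypass available to one operator", 3, 5),
                 KRI("Sanctions screening list refreshed late", 2, 4)],
                risk_appetite=5, risk_tolerance=7,
                single_loss_expectancy=250_000.0, annual_rate_of_occurrence=0.2),
        Subject("Safe deposit boxes",
                [KRI("Access log not reconciled", 2, 2),
                 KRI("Key inventory out of date", 1, 3)],
                risk_appetite=5, risk_tolerance=7,
                single_loss_expectancy=20_000.0, annual_rate_of_occurrence=0.1),
    ]


def board_report(subjects: list[Subject]) -> list[tuple[str, float, str, str, float]]:
    """Rows of (subject, residual risk, status, audit frequency, ALE), riskiest first."""
    rows = [(s.name, round(s.residual_risk, 2), s.status(),
             s.audit_frequency(), s.annual_loss_expectancy) for s in subjects]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for row in board_report(build_register()):
        print(row)
```

The register averages KRI scores rather than summing them across a Subject so that a Subject with many KRIs is not automatically rated riskier than one with few; a status of BREACH is the trigger for the “Risk Response” step described later in this post.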
Who should perform the risk assessments?
Most banks today have assigned the responsibility for risk management to a Chief Risk Officer. Typically, he or she will be the “gatekeeper” for managing enterprise risk and overseeing the risk assessment process. But, it’s your bank’s risk owners and risk managers who actively participate in the risk assessment process and the TraceRisk implementer can help the Chief Risk Officer identify who they are.
What will the implementation process look like?
Ideally, assign a risk expert to assist your bank with implementing the solution of choice and maximizing all its capabilities and features. The implementer will be performing risk assessments with your staff and should also furnish the bank with a set of supplementary tools and resources including but not limited to:
- ERM Policy, Procedures and Committee Charter (editable)
- Checklist - Addressing Risk Management Shortfalls (for Board of Directors’ use)
- Report Descriptions and Who Should Get Them (reporting TraceRisk outcomes)
- “Chief Risk Officer’s Risk Management Report to the Board” template
- Glossary & Definitions; Illustrations; Tips & Tricks when using TraceRisk
What does the Implementer do, exactly?
The Implementer assigned to your bank will ideally have decades of enterprise risk management experience and be thoroughly familiar with all aspects of your chosen solution. This individual will work closely with your risk owners and risk managers to accomplish the following:
- Identify relevant business objectives before meetings or visitation commences.
- Conduct an initial on-site meeting with senior management, risk managers and risk owners.
- Identify the events or conditions that could affect the achievement of objectives.
- Explain what Key Risk Indicators (KRIs) are and how they are used.
- Assist risk owners and managers in assessing the likelihood and impact of risks across their assigned risk subjects. (This is the fun stuff)
- Provide insight and tips on how to use the rich data sets captured on each of the 4 Dimensions of Risk: Subject, Silo, COSO & Risk Inventory. (More fun stuff)
- Provide detailed guidance on how to succinctly and uniformly write conclusions on risk assessment outcomes (outcomes are called “Residual Risk”) and how to develop risk mitigation plans and techniques.
- Demonstrate how to quickly produce meaningful reports for the Board, the regulators and Executive Management. The report variations are driven entirely by the intended audience.
- Train on use of the “New Product/Service - Risk Analysis”
- Train on use of the “Risk Response” (for indicating how problematic conditions on higher risk Subjects will be handled).
- Share Best Practices in all aspects of risk assessment and ERM program development.
When should you get started?
Now is the time to start performing your risk assessments. The FRB, OCC, FDIC and CFPB have issued plenty of guidance on risk management and they expect your bank to have your risk assessments done and ready for their field examiners to review.
Let’s get started so you can see what your bank’s risk profile looks like and get some risk mitigation in place before your next regulatory examination.
Don’t Confuse a Control Risk Assessment with an Enterprise Risk Assessment
Derek Yankoff, Chief Strategy Officer
In managing the internal audit function, the institution’s Audit Committee is responsible for commissioning a Control (or “Auditor’s”) Risk Assessment, developing audit plans and overseeing the execution of the audit program. A Control Risk Assessment documents the internal auditor’s or outsourced audit service provider’s understanding of the institution’s significant business activities and their associated risks. These assessments typically consider the risks inherent in a given business line, the mitigating control processes and the resulting aggregate risk exposure to the institution. The assessments should be updated annually by the auditors to reflect changes to the system of internal control or work processes and to incorporate new lines of business.
Conversely, an Enterprise Risk Assessment can be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act and strategic planning (remember: Strategy Drives Risk). ERM addresses the needs of various stakeholders (i.e., risk owners, risk managers, C-Suite executives, Board members) who need to understand the broad spectrum of risks facing the institution to ensure they are appropriately managed. Put another way, enterprise risk management is accomplished in large part by performing an enterprise risk assessment.
With that groundwork laid, let’s take a look at the Control (or “Auditor’s”) Risk Assessment first. The Control Risk Assessment methodology performed by the auditor identifies all auditable areas, provides a narrative basis for the auditor’s (not management’s) determination of relative risks, and is consistent from one auditable area to another. The Control Risk Assessment quantifies Credit Risk, Interest Rate Risk, Liquidity Risk, Operational Risk, Compliance Risk, Strategic Risk, Reputational Risk, BSA Risk and Fair Lending Risk (if applicable). Some specific functions and activities may be embedded within larger categories; for example, some information technology risks are addressed in the Operational Risk area while certain other IT risks can be found in the Compliance Risk area. The auditor’s Control Risk Assessment considers the potential that deficiencies in the system of internal control would expose the institution to loss, and provides the auditor with data sufficient to develop the scope, coverage, timing, frequency and budget for the audits planned for the year.
When appropriate, the auditor should consider the introduction of new products and departmental changes, which factor into the audit plan. It should be noted that ratings of particular business activities or corporate functions may change with time, and the auditor should revise the method for assessing risk accordingly. A properly drafted internal audit plan is based on the auditor’s Control Risk Assessment and typically includes an evaluation of key internal controls within each significant business activity. Ideally, the auditor’s only role should be to independently and objectively evaluate and report on the effectiveness of an institution’s risk management, control and governance processes for the purpose of audit plan development. The assessment should be periodically updated to reflect changes in the system of internal control, work processes, business activities or the business environment.
Conversely, the institution’s Enterprise Risk Assessment provides management with actionable outcomes that facilitate risk mitigation, controls development and process remediation. It also includes the methods and processes used to seize opportunities related to the achievement of institutional strategic objectives: assessing them in terms of likelihood and magnitude of impact, determining a response strategy and monitoring progress. By identifying and proactively addressing risks and opportunities, the institution protects and creates value for its shareholders, employees and customers.
Enterprise risk assessment frameworks describe an approach for identifying, analyzing, responding to and monitoring risks and opportunities within the internal and external environment facing the institution. Management selects a risk response strategy for specific risks identified and analyzed, which may include:
• Avoidance: exiting the activities giving rise to risk
• Reduction: taking action to reduce the likelihood or impact related to the risk
• Alternative Actions: deciding and considering other feasible steps to minimize risks
• Transferring: or sharing a portion of the risk
• Acceptance: no action is taken due to a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or conducting management committee meetings with relevant experts to understand how the risk response strategy is working and whether the objectives are being achieved.
So, you can see that each of these two risk assessment approaches has distinct objectives, methodologies and outcomes and therefore they should not be combined or mistaken for one another. Moreover, your regulatory examiners expect to see both approaches in operation at your shop. The bad news is that employing both approaches can be costly and time consuming. The good news is that there is a simple, cost-effective way to get them both done and achieve remarkable results that will impress your examiners and Board of Directors and keep your bank compliant with risk management mandates set forth by the OCC, FDIC and FRB.