Remember the old Smokey the Bear adage, “Only you can prevent forest fires”?
Well, it certainly seems true in the case of USAA Bank being hit with cease-and-desist proceedings for engaging in unsafe or unsound banking practices (“consent order”). I have always believed that it is more cost-efficient and a better business model to prevent the fire than to expend countless resources to continually fight the fire. So, who is the “you” at USAA Bank responsible for the prevention of these regulatory fires?
Sound risk management practices would tell you that it is everyone from the board down to the front-line staff, including internal audit (three lines of defense), and a review of the consent order appears to follow those risk management practices specifically.
While we do not know the deficiencies found by the OCC in extensive detail, we certainly understand from Article II – Findings of the order the extent to which the overall sound practices of risk management failed. Those findings are as follows (emphasis mine):
- The Bank has failed to implement and maintain an effective Bank-wide Risk Management Program (“ERM”) commensurate with the Bank’s size, complexity, and risk profile. The Bank’s failure to implement and maintain an effective Bank-wide Risk Management Program is an unsafe or unsound practice.
- The Bank’s internal controls and information systems do not comply with the guidelines established in 12 C.F.R. Part 30, Appendix A.
- The Bank’s internal audit program (“Internal Audit”) is insufficient given the Bank’s size, complexity, and risk profile, and is not in compliance with the guidelines established in 12 C.F.R. Part 30, Appendix A.
- The Bank has failed to implement and maintain an effective compliance management system that includes processes and practices designed to manage consumer compliance risk, support compliance with consumer protection-related laws and regulations and prevent consumer harm. The Bank’s failure to implement and maintain a satisfactory compliance management system is an unsafe or unsound practice.
- The Bank has failed to implement and maintain an effective, comprehensive IT program, and its IT program is not in compliance with the guidelines established in 12 C.F.R. Part 30, Appendix B.
Throughout all the remediation plans required for the corrective actions needed to address the above deficiencies, we see risk management principles that were either missing or needed vast improvement. The risk management principles are the same for all financial institutions, regardless of regulator: ensure that you can effectively mitigate risks based upon your financial institution’s size, complexity, and risk profile.
So, what are those basic principles, and do you appropriately exhibit them based upon your size, complexity, and risk profile? The list below, while not comprehensive, should give you a quick “Top 10” logic check for your governance, risk, and compliance (GRC) basics.
1. Risk Management Policies & Procedures (Tone at the Top)
   c. Vendor Management
   d. Information Security
   e. Internal Controls
      i. Policies to Include:
         1. Management and/or Senior Executive Approval Date
         2. Board Approval Date
         3. Applicable Laws/Regulations
         4. Areas of Responsibility
            d. Head of Risk
            e. Risk Department(s)
            h. Internal Audit
         5. Summary of Risk Management Approach
         6. Purpose of Policy
         7. Risk Management Overview
         8. Risk Management Mission
         9. Risk Management Definitions
         10. Risk Appetite
         11. Risk Categories
         12. Approach to Risk Management
         13. Information and Communication
         14. Monitoring Activities and Correcting Deficiencies
         15. Policy Management/Documentation and Review
      ii. Procedures to Support the Execution of Policies
2. Specific Leader to Oversee All Risk Management Programs
   a. Required Competencies:
      i. Risk identification
      ii. Understand the organization’s business
      iii. Respected throughout the organization
      iv. Highly effective communicator
3. Committee(s) and Charter(s)
   a. Charter to Include:
      i. Current Board Approval
      ii. Previous Board Approval
      v. Scope of the Committee’s Responsibilities
      vi. Composition and Appointment to Committee
4. Risk Management Framework
   a. Clearly Defined:
      i. Approach to Risk Management (Strategically and Operationally)
      ii. Risk Categories and Definitions
      iii. Qualitative & Quantitative
         1. Likelihood of Risk
         2. Impact of Risk
         3. Control Ratings
         4. Control Effectiveness
         5. Risk Velocity
         6. Risk Vulnerability
         7. Overall Risk Rating
5. Risk Assessments (Before Change/Decisions Are Made)
   a. Strategic Plans
   b. Business Operations (Departmental Business Processes)
6. Risk Appetite Statement With Thresholds
   a. Clearly Articulated Across All Applicable Risk Categories
7. Key Indicators
   a. Appropriately updated and monitored (KRI and KPI)
8. Appropriate Reporting to:
   b. Senior Management
   c. Risk Management
   d. Risk Committee(s)
   e. Audit/Supervisory Committee
9. Appropriate and Continuous Risk Management Training
   b. Senior Management
   f. Internal Audit
10. Third-Party Independent Testing of All Risk Management Functions
While the above is only a quick check of your overall GRC responsibilities, it is a good place to start. Because in the end, ONLY YOU can prevent a regulatory fire!
About the Author:
When not blogging, Bill is consulting with numerous financial institutions and companies across the country, helping them build and shape their risk management programs. He also works with many associations and professional organizations to teach and enhance their ERM curriculum.