Remember the old Smokey the Bear adage, "Only you can prevent forest fires"?
Well, it certainly seems true in the case of USAA Bank being hit with cease-and-desist proceedings for engaging in unsafe or unsound banking practices (the "consent order"). I have always believed that it is more cost-efficient and a better business model to **prevent the fire** than to expend countless resources continually fighting the fire. So, who is the "you" at USAA Bank responsible for preventing these regulatory fires?
Sound risk management practice would tell you that it is everyone from the board down to the front-line staff, including internal audit (the three lines of defense), and a review of the consent order shows that its findings and required corrective actions map to exactly those lines of defense.
While we do not know in extensive detail the deficiencies the OCC found, we can certainly understand from its Article II – Findings the extent to which the overall sound practice of risk management failed. The findings are as follows (emphasis mine):
- The Bank has **failed to implement and maintain an effective Bank-wide Risk Management Program ("ERM")** commensurate with the Bank's size, complexity, and risk profile. The Bank's failure to implement and maintain an effective Bank-wide Risk Management Program is an unsafe or unsound practice.
- The Bank's **internal controls and information systems do not comply with the guidelines** established in 12 C.F.R. Part 30, Appendix A.
- The Bank's **internal audit program ("Internal Audit") is insufficient** given the Bank's size, complexity, and risk profile, and is not in compliance with the guidelines established in 12 C.F.R. Part 30, Appendix A.
- The Bank has **failed to implement and maintain an effective compliance management system** that includes processes and practices designed to manage consumer compliance risk, support compliance with consumer protection-related laws and regulations, and prevent consumer harm. The Bank's failure to implement and maintain a satisfactory compliance management system is an unsafe or unsound practice.
- The Bank has **failed to implement and maintain an effective, comprehensive IT program**, and its IT program is not in compliance with the guidelines established in 12 C.F.R. Part 30, Appendix B.
Throughout the remediation plans the order requires to correct these deficiencies, we see risk management principles that were either missing or needed vast improvement. Those principles are the same for every financial institution, regardless of regulator: ensure that you can effectively identify and mitigate risk in a manner that matches your institution's size, complexity, and risk profile.
So, what are those basic principles, and **do you appropriately exhibit them based upon your size, complexity, and risk profile?** The list below, while not comprehensive, should give you a quick "Top 10" logic check for your governance, risk, and compliance (GRC) basics.
1. Risk Management Policies & Procedures (Tone at the Top)
a. ERM
b. Compliance
c. Vendor Management
d. Information Security
e. Internal Controls
f. Audit
i. Policies to Include:
1. Management and/or Senior Executive Approval Date
2. Board Approval Date
3. Applicable Laws/Regulations
4. Areas of Responsibility
a. Board
b. Committee
c. CEO
d. Head of Risk
e. Risk Department(s)
f. Executives
g. Departments/Staff
h. Internal Audit
5. Summary of Risk Management Approach
6. Purpose of Policy
7. Risk Management Overview
8. Risk Management Mission
9. Risk Management Definitions
10. Risk Appetite
11. Risk Categories
12. Approach to Risk Management
13. Information and Communication
14. Monitoring Activities and Correcting Deficiencies
15. Policy Management/Documentation and Review
ii. Procedures to Support the Execution of Policies
2. Specific Leader to Oversee All Risk Management Programs
a. Required Competencies:
i. Risk identification
ii. Understand the organization's business
iii. Respected throughout the organization
iv. Highly effective communicator
3. Committee(s) and Charter(s)
a. Charter to Include:
i. Current Board Approval
ii. Previous Board Approval
iii. Purpose
iv. Charter
v. Scope of the Committee's Responsibilities
vi. Composition and Appointment to Committee
vii. Meetings
viii. Agenda
ix. Minutes
x. Reports
4. Risk Management Framework
a. Clearly Defined:
i. Approach to Risk Management (Strategically and Operationally)
ii. Risk Categories and Definitions
iii. Qualitative & Quantitative
1. Likelihood of Risk
2. Impact of Risk
3. Control Ratings
4. Control Effectiveness
5. Risk Velocity
6. Risk Vulnerability
7. Overall Risk Rating
5. Risk Assessments (Before Change/Decisions Are Made)
a. Strategic Plans
b. Business Operations (Departmental Business Processes)
c. Products/Services
6. Risk Appetite Statement With Thresholds
a. Clearly Articulated Across All Applicable Risk Categories
7. Key Indicators
a. Appropriately updated and monitored (KRI and KPI)
8. Appropriate Reporting to:
a. Board
b. Senior Management
c. Risk Management
d. Risk Committee(s)
e. Audit/Supervisory Committee
f. Employees
9. Appropriate and Continuous Risk Management Training
a. Board
b. Senior Management
c. Management
d. Employees
e. Volunteers
f. Internal Audit
10. Third-Party Independent Testing of All Risk Management Functions
While the above is only a quick check of your overall GRC responsibilities, it is a good place to start, because in the end, **ONLY YOU** can prevent a regulatory fire!
About the Author:
When not blogging, Bill is consulting with numerous financial institutions and companies across the country, helping them build and shape their risk management programs. He also works with many associations and professional organizations to teach and enhance their ERM curriculum.