Amid the current digital transformation of the financial services industry, controlling risk should be a fundamental part of banks’ innovation strategies—a point that has been underscored by the Comptroller’s Office.
“Banks are understandably motivated to seek out and implement operational efficiencies and pursue innovations to grow income,” according to an October 2017 OCC bulletin, 2017-43, pointing to the expanded use of artificial intelligence, machine learning, algorithms, and cloud data storage.
“Given the breadth and speed of change, bank management and boards of directors should understand the impact of new activities on banks’ financial performance, strategic planning process, risk profiles, traditional banking models, and ability to remain competitive,” OCC wrote.
The bulletin listed principles it expects banks to follow “to prudently manage the risks associated with offering new, modified, or expanded products and services.”
While many of the concepts that OCC outlines are not new, its bulletin should serve as a clear reminder that the industry’s new activities are no exception to regulatory standards for risk management.
Given the nature of digital technology and fintech partnerships, in fact, risk could be even higher.
Risk and control self-assessments—RCSAs—are a crucial tool for effectively managing risk in new as well as established bank products and services. This article provides a framework for applying RCSAs.
OCC Bulletin 2017-43
OCC’s bulletin highlights the primary risks that arise in developing and introducing these new activities. Additionally, the bulletin lays out the four components of an effective and principles-based risk management system as follows:
1. Adequate due diligence and approvals before introducing a new activity.
2. Policies and procedures to properly identify, measure, monitor, report, and control risks.
3. Effective change management for new activities or affected processes and technologies.
4. Ongoing performance monitoring and review systems.
This OCC issuance reiterated a message that federal banking regulators and private sector internal control experts have embraced for several years. This can be found in control frameworks published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 and the Basel Committee on Banking Supervision in 1998 through to today. Each of the federal banking regulators has incorporated the concepts of risk assessments and internal controls in their bank supervision manuals.
Financial institutions are encouraged to assess their risks and test their internal controls as part of their ongoing risk management.
Why an RCSA?
An RCSA is a critical component of an effective risk management framework—one that involves employees from the first lines of defense (business units) through upper management to enable growth and mitigate risk. Large national banks, medium-sized federal savings associations, and small community banks all face the same challenges. They must comply with regulations and control risk without unduly impeding profits or hindering innovation and growth. (Of course, state-chartered banks can benefit from these practices as well.)
In this context, adequately assessing risks and controls related to third parties is increasingly important. As companies pursue a competitive edge, they are more frequently turning to third parties to develop innovative products and services or to assist with risk management.
The OCC singled out fintechs, in this regard: “Consistent with prudent risk management of third-party relationships, management at banks that partner or contract with fintech companies to offer new products or services should understand the technologies that these companies offer; risk and controls associated with those technologies; and the effect that the new delivery channel will have on existing operational controls.”
A robust RCSA effectively applied to new, modified, expanded, and existing products, services, processes, and vendor relationships will help institutions ensure they meet the regulatory expectations in OCC Bulletin 2017-43.
What is an RCSA?
An RCSA is a systematic framework for documenting and evaluating the existing and future risks and associated controls of business processes, technologies, and third-party service providers. In particular, RCSAs can assist financial institutions in determining whether their controls are adequate in light of the current risk environment, business strategy, and growth plans.
A vigorous RCSA will assist the institution in:
• Identifying material risks.
• Classifying the level of each material risk.
• Reviewing the existence, type, and effectiveness of controls.
• Identifying any control gaps.
The RCSA’s findings can be used to formulate appropriate action plans to close or mitigate control gaps and to monitor management’s progress in completing those action plans.
In addition, the RCSA process will increase business unit risk awareness, as well as improving the consistency and transparency of risk reporting.
A company’s RCSA methodology should be customized to meet internal and external needs but should include at least the following components:
• Data gathering—process maps, policies, procedures, and audit and compliance issues.
• Process validation—with the business line, validate the process and update as needed.
• Assessment—with the business line, determine review frequency, analyze the risks and controls, identify control and metric gaps.
• Remediation—build or update measurable controls and establish frequency of metrics reporting.
• Management concurrence—establish reporting frequencies, report results, and obtain responses.
In addition to establishing regular risk control self-assessments, companies should establish an operational incident reporting and escalation process. By addressing risks as they are identified, a company will be able to react quickly to implement controls and mitigate risk.
Who should be involved?
Risk management is not just an operational risk activity. A robust risk management program begins with the board of directors and senior management and extends down to employees at the first level line of business.
Strong risk management systems and risk assessments include all categories of risk including, but not limited to, strategic, reputational, legal, compliance, credit, operational, interest rate, price, and liquidity risks.
Line-of-business representatives, compliance personnel, legal representatives, and internal auditors may all be part of a risk management program.
The use of third parties further complicates risk management and should be assessed, remediated, and controlled. Technology partners and fintech companies should be included in a company’s risk management program.
A good risk management framework should be understandable at all levels. The effectiveness of assessing and controlling risk depends upon input from all employee and third-party levels.
As a result, successful RCSA programs must include business units. However, they also must incorporate effective challenge, standards, guidance, and oversight from the second line of defense (compliance team).
The third line of defense (audit team) is responsible for providing assurance that risk management processes, including RCSAs, are well-designed and operating effectively to provide reliable and appropriate assessments of risk and control status.
When to assess risk
Managing risk should be part of every employee’s daily work. Identifying risks and assessing controls should be done at least annually or when implementing a new activity. Material changes to products, processes, regulations, and technologies require that risk associated with the changes be assessed and controls be built.
New products, services, and activities should be monitored and tested more frequently, as should activities with higher risk or weaker controls.
Best practices for introducing new products and implementing new processes include reassessing risks and controls post-implementation to ensure that the original RCSA adequately captured risks and appropriately rated controls.
Following both the initial RCSA and any re-assessments, self-identified risks that are reported during the non-assessment period should be immediately addressed and mitigated as needed.
Rigorous testing is a common theme for a mature risk management program.
Finally, the RCSA process should be well documented with process maps, policies, procedures, testing schedules, and metrics. The process, itself, should be assessed for risk and controls.
Closing the loop
Eliminating risk is virtually impossible in the financial environment—and particularly now, as rapid and continuous digital innovation transforms the industry.
As companies regularly seek to improve processes and technology, they are faced with the challenge of assessing the risk inherent in new products and services.
A complete assessment will end with a report to management—and a response from management—accepting or rejecting the reported risk and agreeing to or denying support for plans to remediate uncontrolled high risks.
The goal of an RCSA is to present management with the risk of a process or technology that enables the decision-makers to determine whether the risk is acceptable and aligns with the risk appetite of the company, whether it needs to be better controlled—or whether it is unacceptable.
About the authors
Lynn Woosley, Engagement Director at Treliant, has extensive senior executive experience in regulatory compliance, consumer protection, consumer and commercial credit risk, credit and compliance risk modeling, model governance, regulatory change management, acquisition due diligence, and operational risk. Over the last two decades, Woosley has held leadership positions within the enterprise risk management division of a Top 10 bank. She has also served as Senior Examiner and Economist at the Federal Reserve Bank of Atlanta. [email protected]
Ellen Rose, Director, is a financial services professional with executive experience in all facets of commercial and residential mortgage banking. She has over 30 years of industry experience in directing originations, secondary marketing, servicing, support, and vendor activities. At Treliant, she advises clients on compliance and operational needs, including design, improvement, and transformation of business processes. [email protected]