Compliance: An Exercise in Risk Management

Compliance is a form of risk management. In the case of compliance, most of the risk we manage is based in or created by laws and regulations rather than by market forces or customer behavior. However, some of the core elements of compliance risk are shared with many of the same forces that underlie other risk for the bank. Some key sources of risk are staff turnover, a product complexity, rapid growth of the bank or a bank product, economic forces in the bank's market, and technology. All of these risk sources affect compliance.

Risk is becoming a popular management tool. Bank auditors currently use risk as a key audit tool. Bank examinations are increasingly based on risk assessment. This trend toward risk assessment and risk management is a natural fit for compliance.

The Treadway Commission's Committee of Sponsoring Organizations (COSO) identifies risk in several categories:
external factors,
internal factors, and
risk relating to change.

These are broad, generic categories. In the process of identifying risk, determining its extent, and identifying ways to manage it, it can be useful to break risk into these general categories.

External factors are risk sources over which the bank has no control but may be able to observe and predict. The smart risk manager will see it coming and have a strategy for responding.

Internal factors are risk sources over which the bank (but not necessarily the compliance manager) may have control. The compliance risk manager should use his or her knowledge about the bank to identify internal risk factors and take steps to minimize them. Although the bank has some control over internal risk factors, methods to minimize internal risk are often at the expense of business opportunities. Controlling internal risk therefore involves choosing the optimum balance between risk control and business opportunity.

Risk relating to change involves a combination of factors that are and are not within the bank's control. Change related risk may be the result of the development of new products which trigger a new analysis of compliance risk. The bank has some control of the choices here.

Change may also occur because of changes in the economy, the bank's market, or legislation. In this type of change, the bank is in the position of responding rather than driving the change.

COSO identifies a list of factors of change. These are useful to study for the ways in which compliance is affected. Included in the factors of change listed by COSO are:
changed operating environment,
new personnel,
new or redesigned information systems,
rapid growth, new technology,
new lines and products,
activities and acquisitions, and
corporate restructuring.

The bank supervisory agencies are turning toward risk assessment as a key element of the bank examination, including the compliance examination. The agencies are restructuring the CAMEL rating to account for risk, including compliance risk.

The OCC has identified the following risk categories: credit risk, interest rate risk, liquidity risk, price risk, foreign exchange risk, transaction risk, compliance risk, strategic risk, and reputation risk. Although compliance is listed as one of the risk categories, compliance affects or is affected by the other categories as well. For example, compliance requirements are part of transaction risk. Credit risk is closely tied to many aspects of compliance ranging from rate disclosures to fair lending decisions. Reputation risk may be affected by compliance requirements including CRA, fair lending, and the accuracy and timeliness of disclosures.

To measure risk, the OCC looks at the quantity of risk, the quality of risk management, aggregate risk, and the direction of risk. For risk controls, the OCC looks for policies, processes, personnel, and control systems.

These risk controls should be familiar to compliance managers: they outline a compliance program. Aspects such as the quantity of the risk are how you should be determining your priorities. Like the new OCC approach, the central COSO question is whether there are reliable controls. The goal is not perfection. The goal is the ability to identify, prevent, and minimize problems. The bank that is at risk is the bank with controls that are less than reliable.

Basing a compliance management program on risk management can be an effective communication tool. Bank managers who may be averse to the term "compliance" may respond much more readily to "risk." This approach may therefore provide you with an effective means of getting management to understand and give appropriate attention to compliance priorities.

ACTION STEPS

Make a list of the laws that affect your bank.
To get a quick measurement of risk from these laws, identify what has historically been a problem for your bank.
List the top three sources of compliance risk for your bank.
Review your written compliance program to determine whether it has the elements of a risk management program. Specifically, do you have policies, procedures, and controls for the top three risks you have just identified?
Read the last two reports you wrote to bank management or the Board of Directors. Consider the extent to which your reports identified risk and used risk terminology. Think about how you would re-write the reports using a risk management approach.
Study examination procedures based on risk. Look for tools and strategies you can incorporate into your compliance program.
Post a reminder to yourself to communicate in terms of risk management.