Tuesday, July 19, 2011

Managing the Risk of Change

In his January 7, 2011 testimony before the Committee on the Budget, Federal Reserve Chairman Ben S. Bernanke presented a cautiously optimistic economic outlook, stating that “Overall, the pace of economic recovery seems likely to be moderately stronger in 2011 than it was in 2010.” As reported in the American Banker newspaper, Bernanke also expressed concern about overburdening community banks with regulations targeted at larger institutions. "The intent of both Basel III and the Dodd-Frank Act is to focus on the largest, so-called 'too big to fail' banks and to make them not 'too big to fail,'" Bernanke said. "We want to make sure we do all we can not to increase the regulatory burden that small banks face."

While the intent may have been to focus on the largest banks, the reality is that neither excludes community banks from the requirements. And, waiting for exclusionary amendments is simply not a prudent option. With changes to everything from deposit insurance coverage and the regulatory structure to capital, privacy, anti-money laundering, community reinvestment, and much, much more, compliance officers and risk managers are facing an unprecedented amount of work over the next three years. The key to success – and survival – is an effective change management process!

Although not a new concept, change management, as set forth by the Office of the Comptroller of the Currency in OCC 2004-20, is generally associated with new, expanded, or modified bank products and services. However, the due diligence process defined by the OCC in this bulletin is equally effective when applied to regulatory changes. The three stated goals of an effective risk management system are: 1) performing adequate due diligence prior to introduction, 2) developing and implementing controls and processes to ensure risks are properly measured, monitored, and controlled, and 3) developing and implementing appropriate performance monitoring and review systems.

Developing and maintaining a calendar of expected regulatory amendments is the first step in the process. Once the timelines have been determined, the due diligence process begins. For each amendment, the first step is to identify the existing products, services, and processes that will likely be impacted by the change. Enlist the help of representatives from the relevant functional areas, such as credit, compliance, accounting, audit, risk management, legal, operations, and information technology, to analyze the effect of each amendment, the scope of impact, the timeline and resources needed to complete implementation of the requirements, and any third-party or vendor relationships that may be impacted (existing) or needed to accommodate the change (new). This evaluation will identify the changes to the inherent risks associated with each activity (at a minimum, an increase in inherent risk associated with the regulatory change will be noted) and provide the basis for the next phase.

The internal controls associated with the identified products, services, and processes were evaluated in your initial risk assessment. A preliminary new residual risk level can be calculated using the revised inherent risk values against your initial mitigating controls. This preliminary residual risk should be compared against the institution’s defined risk appetite. The results of this comparison will serve to highlight those changes that have the most significant impact on the institution’s risk profile, thus assisting in effective allocation of limited resources toward enhancing your control environment.

As during your initial risk assessment, each associated control activity will be reviewed to identify enhancements needed to accommodate the regulatory changes. This review will include policies, procedures, personnel, and internal controls. The review provides an identification of the specific action steps needed to implement each regulatory revision within the risk parameters established by the institution.

An evaluation of the existing monitoring and review systems should also be completed to identify changes needed to these systems to support the regulatory revisions. During this phase of the process, you will examine existing systems to verify that risks associated with the new regulations are captured in the ongoing process. This process will include: revisiting the key assumptions, data sources, procedures, and risk indicators currently employed; analyzing accountability and exception monitoring as well as management information systems reporting; integrating the changes into existing audit and compliance processes; and evaluating the effectiveness and timeliness of reports and other communications to management and the board. And, again, this process provides a road map of revisions needed to maintain the institution’s risk profile.

Of utmost importance throughout this process is the timely and continual flow of information to management and the board. Given management’s and the board’s responsibility to establish and maintain a comprehensive and effective risk management program, a thorough understanding of the risks is vital. Apprising them of proposed amendments, the potential risks associated with each, and the planned enhancements to controls provides them the tools they need to execute their responsibilities. Importantly, it also provides them with a detailed understanding of the challenges you face, and promotes an increased awareness of the level of resources needed to succeed.
