Fed Remarks to Fundamentally Change

Risk Management and Compliance practices

Consider these two recent quotes from the Federal Reserve Board and what the impact will be on the banks:

“Our initial assessment of the weaknesses at individual firms indicates that risk management systems and senior management oversight at some institutions were not sufficiently robust. As supervisors, we must redouble our efforts to ensure risk management practices and controls keep pace with changes in financial markets and business models”

Vice Chairman Donald L. Kohn
Condition of the U.S. banking system
Before the Committee on Banking, Housing, and Urban Affairs, U.S. Senate
March 4, 2008

“Risk management shortcomings need to be addressed not only to improve the health and viability of individual institutions, but also to maintain stability for the financial system as a whole”

Federal Reserve Governor Randall S. Kroszner

At the Risk Management Association Annual Risk Management Conference, Baltimore Maryland on October 20, 2008 and the National Conference on the Securities Industry, New York, New Your, on October 30, 2008

Many believe there will more and more regulations facing the banking community, we believe there will at least be a shift of focus. There will certainly be a push for more robust risk management systems than in the past. The FDIC, OTS and other FFIEC members are requiring banks to perform more rigorous and complete risk assessments. But Governor Kroszner’s comments will fundamentally change how banks treat compliance and how the auditors will audit the banks, at least in how it applies to Risk Management.

After Vice Chair Kohn’s remarks, the auditors, at both the federal and state level, started demanding more robust Risk Assessments from Banks. Additional detail, direction or consistency was not provided. However the banks were told their risk assessment processes needed to improve. The auditor focus seemed to be oriented to banking operations and that subjectivity needed to be removed (as much as possible) from the assessment process.

Kroszner is linking Risk Management practices to business strategy, which will necessitate a change in the way banks perform their Risk Assessments. Because community banks typically operate with a lean staff and the number of regulations they are subject to doesn’t decrease,  many banking executives are forced to approach compliance as “the minimum effort required to comply”.  They are more likely to approach a Risk Assessment in the same manner by building a matrix in a spreadsheet, developing some logic for the scoring system, building support for the results, reviewing it with the board, and then presenting the results to the auditor.

Linking the Risk Assessments to business strategy is not a new concept. The COSO Enterprise Risk Management Framework identified the need in 2004. However, the new focus requires board involvement and oversight from the onset of the Risk Assessment process rather than a final review. This requires more thought than adding an additional Risk Factor and a few more Risk Events to an existing matrix. A proactive board will be demanding more and more information so they can make better decisions. The quality of the data presented to the board will have to improve, suggesting a more robust system of gathering information. Since business strategy is involved, more senior executives will need to participate in the entire Risk Assessment process and it will be more of a full time job. Risks, as well as controls will have to be linked to Strategy and the associated business processes.

Lastly, the role and culture of the auditor will fundamentally have to change. Auditors have traditionally approached audits with a checklist mentality. Business strategy is a difficult concept to validate with a check list. It is not a black and white area, but is full of gray. Auditors will have to be more business analyst then the traditional auditor and have to comment on your fundamental business strategy and not merely the operations of the business.

Community banks should get in front of this tsunami instead of waiting for the auditor to demand action. They should:

·         Upgrade their Risk Assessment processes from a simple spreadsheet with High Low Medium Designations

·         Build a framework that is flexible and allow you to respond to changing regulations

·         Get the board and executive management more involved at the beginning of the Risk Assessment process

·         Remove some of the hats (CFO, CIO, CCO, CAO, etc) from your Risk Officer

·         Align your Risks, Controls and Business Processes to Strategy and not just operations

·         Look for a flexible, cost effective software solution that will allow you to meet the changing demands of the board and auditor

For Kroszner’s full transcript click http://www.federalreserve.gov/newsevents/speech/kroszner20081020a.htm

Our Team
Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies.  From the initial passage of  Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.