Regulators expect every single financial institution (i.e. bank, thrift or a credit union) to have in place a risk management process to manage all of the risks involved with being in the business of banking such as:

• Credit risk
• Interest rate risk
• Operations risk
• Legal / compliance risk
• Reputation risk

While each financial institution has flexibility to implement a risk management system and process that is commensurate with its size, resources and operations, regulators have articulated through various pronouncements certain minimum requirements.

Quick links to the other Top 5 Risk Issues

One of the key requirements is that the risk management system and process must be commensurate with the institution's risk profile and remain current. This makes sense because if it is not then the risk management will be ineffective and the institution will not operate in a safe and sound manner and in compliance with applicable rules.

Recent regulatory enforcement actions and cases indicate that many institutions have not kept up their risk management system and process with its changing risk profile.

Either from a close examination of the cases involving rapidly deteriorating capital levels and request for financial bail out requests or routine or targeted safety and soundness and compliance examinations, regulators are uncovering that many institutions have outdated risk management systems and processes.

The systems and process in place are incapable of managing or identifying risks timely and precisely and have not kept pace with the institution’s rapidly changing risk profile and are not commensurate.

The following are recent examples:

1. A bank decided to expand into sub-prime mortgage lending based on higher yields and fees from such mortgages over conventional mortgage lending. It decided to acquire a mortgage lender specializing in sub-prime lending. It then securitized the sub-prime loans and sold it to Wall Street for additional fee income. It decided to retain the servicing to generate additional servicing fees. While the pre-acquisition due diligence process was detailed, post-acquisition the institution's risk management system and process was not updated to incorporate and monitor the risks related to the new mortgage lending subsidiary. The subsidiary decided to increase its mortgage broker loan originations aggressively. This third party risk was not properly accounted for and monitored. In ensuing months, defaults from mortgage broker loans increased dramatically. Subsequent audits uncovered broker fraud, non-compliance with TILA, federal and state UDAP statutes and state anti-predatory lending laws and reverse redlining. The institution not only faced significant credit losses but also federal and state regulatory enforcement action and private plaintiff attorney lawsuits.
2. A credit union previously focused on consumer banking, decided to expand into business banking including serving money service businesses. The money service businesses were primarily ignored by local banks. The addition of business banking services generated additional deposits and liquidity as well as new fee income. The institution's risk management system and process was not updated to incorporate and monitor the new risks related to business banking, in particular money service businesses. A subsequent regulatory agency examination uncovered multiple unreported suspicious activities and possible money laundering incidents involving a number of money services businesses. The institution was assessed a cease and desist order to immediately improve its risk management and compliance process and systems. The credit union's plans to acquire a smaller credit union were put on hold until it improved its risk management and compliance with anti-money laundering laws.

Risk Management Best Practices – How do you Rate?
If you answer Yes, that means you are utilizing the best practice. A No answer will indicate a missing best practice at your institution:

1. Do you have a written enterprise-wide Risk Management Program that is approved by the board of directors?
2. Does your risk management program and process cover all of the types of risks faced by your institution?
3. Is your risk management program and process updated regularly to reflect the changing risk profile of your institution?
4. Is your risk management program and process updated prior to rolling out new products or lines of business?
5. Does your risk management program and process assign clear responsibilities and accountabilities and are these people trained on the program, process and their duties?

How can Compliance Coach assist you?

1. Consulting Services – We can provide you with a team of our nationally recognized experts to review your risk management system, process and practices. We will provide you with industry best practices and recommendations for improvements.
2. Risk Management Training - We can provide you with an in-person or online training program specifically tailored for your personnel involved in implementing your risk management program and process. If it is in-person, we can assign one of our nationally recognized experts to deliver the training via a presentation at your offices or via a webinar. If you prefer online, we can provide you access to a suite of risk management courses, plus a customized online course specifically addressing your institution’s risk management program and process. The training can be taken anytime from anywhere, plus reporting for the examiners.

Below are two sample pages from the Commercial Lending Credit Risk Management training modules.

Below is a sample page from the Sarbanes-Oxley training module.

Below is a sample page from the Mortgage Fraud training module. It teaches not only what are the red flags, but also how to detect them to prevent mortgage fraud.

Below are two sample pages from the Ethics training module. This course teaches how to identify examples of unethical behavior and how to respond properly when faced with ethical dilemmas.

For further information on how we can assist you and pricing, please e-mail info@compliancecoach.com