Fortify Your Banking Risk Controls for Regulatory Compliance

Thousands of controls don’t necessarily equal protection. See how to get controls that perform as they should.

Over time, banks have reacted to operational risk by adding more controls with the assumption that more controls equal stronger risk mitigation. Yet, even with thousands of banking risk controls, lenders continue to receive consent orders and fines. Frustrated leaders wonder why.

One answer is that the banking risk controls aren’t performing as expected; they aren’t effective at mitigating the associated risk. When lenders come to us for help with their controls, we start by reviewing their control inventory and getting agreement on what components make up an effective control.

This blog walks you through a high-level representation of what we define as an effective control, and will only focus on two control types:

  • Preventive – Preventive controls monitor steps within a process as they occur; they are usually systemic and keep erroneous actions from occurring.
  • Detective – Detective controls occur after the completion of a process to identify errors and anomalies that preventive controls failed to stop.

A strong control framework will have a proper balance of preventive and detective controls, but it’s equally important to know that each individual control is performing optimally. A few key components can help define what that looks like.

Four Components of Banking Risk Controls to Achieve Compliance

1. Automated functionality will increase efficiency and thoroughness.

  • Allows for greater coverage rather than a sampling.
  • Highlights quickly any inadvertent changes made to a process.
  • Assists during regression testing efforts.
  • Requires fewer resources to execute.

A note on automation: Although preferred, automated controls are not fail-proof and should always be tested to ensure they continue to work as expected. This is also why all preventive controls should be accompanied by a corresponding detective control.

2. Control frequency impacts timeliness of error identification and corresponding actions.

Ask yourself these questions to identify how often a banking risk control should be performed:

  • How often does the process occur?
  • What consequences are associated with timing between executing the process and identifying errors?
  • Does an automated, preventive control exist?

A note on control frequency: A control performed once per month for a process that occurs daily won’t provide the risk-mitigating coverage needed. A control performed at the proper frequency will identify errors quickly. Then, corrective actions can be implemented in time to prevent future errors from the same cause.

3. Manage sample size and selection criteria to ensure a representative, randomly selected sample.

Ideally, a banking risk control covers the full population. However, some controls must rely on samples of the full population, especially manual controls. Consider the following when deciding whether a sample-based control is strong:

  • The sample size represents the full population.
  • Select samples randomly, without bias, for the reviews being performed.
  • Use an independent source to select samples and deliver them to the person performing the review. The reviewer should never self-select their own samples.
  • Samples include all variations that could be present in the process. This means considering the traditional process flow and all possible variations that could result from normal customer behavior or processing variations.
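The sample-selection points above, worked through as an added example that is not from the original post: a stratified random selection over a constructed transaction population, where every process variation is guaranteed a seat, the remainder is allocated proportionally, and the random seed is supplied by someone other than the reviewer so the draw is both independent and reproducible for an auditor.

```python
import random
from collections import Counter, defaultdict

# Constructed population: one record per processed transaction. 'variation'
# labels the process path taken; each path should appear in the review sample.
POPULATION = (
    [{"id": f"T{i:04d}", "variation": "branch-standard"} for i in range(900)]
    + [{"id": f"T{i:04d}", "variation": "online-standard"} for i in range(900, 1080)]
    + [{"id": f"T{i:04d}", "variation": "online-exception"} for i in range(1080, 1095)]
    + [{"id": f"T{i:04d}", "variation": "manual-override"} for i in range(1095, 1100)]
)


def stratified_sample(population, sample_size, seed):
    """Pick `sample_size` records at random with every variation represented."""
    # `seed` comes from a party independent of the reviewer, so the reviewer
    # never self-selects and an auditor can reproduce the exact selection.
    strata = defaultdict(list)
    for record in population:
        strata[record["variation"]].append(record)
    if sample_size < len(strata):
        raise ValueError("sample_size cannot cover every variation")
    # One guaranteed seat per variation, remainder allocated proportionally.
    quotas = {v: 1 for v in strata}
    remaining = sample_size - len(strata)
    for v in strata:
        quotas[v] += remaining * len(strata[v]) // len(population)
    # Hand rounding leftovers to the largest strata so the total is exact.
    leftover = sample_size - sum(quotas.values())
    for v in sorted(strata, key=lambda v: -len(strata[v]))[:leftover]:
        quotas[v] += 1

    rng = random.Random(seed)
    sample = []
    for v in sorted(strata):
        if quotas[v] > len(strata[v]):
            raise ValueError(f"variation {v!r} has fewer records than its quota")
        sample.extend(rng.sample(strata[v], quotas[v]))
    return sample


def sample_counts(sample):
    """How many records of each variation ended up in the sample."""
    return dict(Counter(r["variation"] for r in sample))


def covers_all_variations(population, sample):
    """True when no variation in the population is missing from the sample."""
    return {r["variation"] for r in population} <= {r["variation"] for r in sample}
```

With a plain uniform draw of 60 from this population, the 5 manual-override transactions would be missed most of the time; the stratified draw always includes at least one.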


4. Corrective action shows how errors are addressed.

Address errors through distinct corrective controls or include them as part of existing preventive or detective controls. Either way, consider the following to determine if a control has the proper corrective action steps:

  • Timely action will remediate any customer impacts as quickly as possible.
  • Proper root cause analysis should provide all reasons for the error.
  • Errors are tracked and trended. Then, additional analysis will determine if the current controls need modifications or new controls need to be added.

Mitigate Your Risk Through Controls One Step at a Time

Reviewing each control through the lens of these four components will help to ensure that controls are operating as expected. Also, this review helps mitigate the risk that the controls were created for, which further strengthens your risk management activities.


The next blog in this series will focus on how to use the information that you already have available to determine which controls need to be modified, which need to be retired, and where there are gaps and new controls that should be added.

Have a question about this article? Ask Shawn Murray.