Keep Pace with Change: Proactive Risk Management for Banks

Double check your processes and controls—take four steps to make sure that changes in the enterprise aren’t affecting your control environment.

Simply stated, change is constant. Banks need to change to remain relevant, gain efficiency and improve control. But the accelerated pace of change we are experiencing these days can increase risk if it is not effectively managed. So, based on our experience and that of our colleagues, we’ve curated here what we see as the top four steps to proactive risk management for banks. You can successfully keep pace with change and mitigate risk by focusing on process and controls.

Why Proactive Risk Management Should be a Priority for Banks

Change is essential in financial services.  Customer preferences, regulatory requirements, training and employee satisfaction all give way to the need to stay relevant and be willing to evolve with changing times.  Lately, we’ve noticed an acceleration of the pace of change at financial institutions.  And, here’s the current proof of the change we’re seeing:

• Increased number of Agile/Sprint-based projects
• High staff turnover, both internal and external
• New cyber threats
• ESG initiatives
• Aged core systems in need of replacement in pursuit of digital nirvana
• Moving functions to 3rd parties and offshoring

You likely have a robust control infrastructure in place. But the volume and breadth of change exposes existing processes and controls to considerable strain.  Then, add regulatory pressure from the CFPB. They continue to cite firms for some familiar violations such as:

• Failure to gain consent for overdraft fees
• Improper sales tactics
• Failure to accurately report to credit bureaus
• Failure to conduct reasonable dispute investigations
• Wrongful repossessions
• Deposits account failures such as failure to remove holds and timely honor stop payment requests

The pressure is on and with change being so rapid at banks, it’s hard to keep track and make sure that the control environment isn’t adversely affected. The next four steps will help.

4 Steps: Proactive Risk Management for Banks in a Change Environment

To implement change with peace of mind that you’ve mitigated risk, you need to actively interrogate controls in the pursuit of ongoing continuous improvement.  Warren Buffet once said, “Risk comes from not knowing what you’re doing.” So, make sure you are regularly assessing and monitoring your controls.

Step 1:  Know your processes and the risk associated with each so that you can prioritize high-risk processes for the most frequent and intense review

Start by evaluating the risks associated with each unique business process. Create a matrix to rate these important elements:

• the likelihood of error
• whether errors have potential to create customer harm
• recent loss experience
• recent complaints experience

We recommend the best practice of creating process maps for each process. Executed thoroughly, process maps are useful tools, not just something to provide to regulators or the second or third lines of defense.

A process map is most valuable when it shows the process as you expect it is being done and reflects the controls that indicate the process is working as expected.  If process maps already exist, review them for accuracy and include regulatory / operational risk expectations and corresponding controls.  Managers often think they know how a process should work, but when push comes to shove, if it is not mapped in detail, surprises are most likely lurking within the details.

PRACTICAL PERSPECTIVE

I worked with a client to map a process from end-to-end; literally sitting with all the different agents involved in the process from start to finish. I sat with one agent who painstakingly prepared a detailed report and sent it to the next group to handle the next steps in the process. When I sat with an agent in that next group, they opened the report and threw it right in the trash! I asked why. They said, “We have no idea why they send this – We don’t need it to do our part of the process.”

Ultimately, we uncovered that the second group had made changes to their process and no longer needed the report. But the people upstream didn’t know about the changes, so they continued to create the unnecessary report. -Senior Delivery Manager, Bridgeforce

Step 2:  Assess the control environment to determine the strength of individual controls

After identifying all the processes, the next step is to review the control inventory. At this point, you rate each control on its ability to mitigate risk associated with each process.  This requires a deep level of interrogation to truly understand the purpose of every control.  Far too often, organizations focus on the number rather than effectiveness of controls.

PRACTICAL PERSPECTIVE

Controls are only effective if somebody is going to do something when an exception is identified to prevent repeat occurrences.  Controls must be measured and must drive action when triggered. – Senior Delivery Manager, Bridgeforce

Use these Critical Questions to Assess Your Existing Controls:

• Is there undue reliance on manual controls when automation is a viable option and more accurate?
• Is there over-reliance on “directive” controls such as policies, procedures, training and job aides?
  • We consider policies, procedures, training and job aides to be directive controls, because while they are critically important in letting people know what is expected, they do nothing to assure that people DO what is expected.
  • Preventive and detective controls ensure compliance with the directive controls. For example, a preventive control prevents an error from happening, such as a field level system control that prohibits invalid entries. And, a detective control identifies the error after it has happened, such as a report that identifies all invalid system entries so that someone can fix them.
• Do controls cover all transactions in the process, or are there some transactions that can avoid the control?
• If a control wasn’t enforced, due to human error or someone leaving their position, would anyone notice? Or would the process continue without that control in place?
• Do detective and preventive control results align or is there an excessive number of exceptions on either end of the process?
• Are there appropriate corrective activities in place to confirm that as exceptions are identified, you perform root cause analysis and take corrective action to prevent future exceptions?
• Does the sample methodology ensure a non-biased, statistical representation of the process?

The output of this kind of assessment determines whether the control itself is conceptually strong and executed properly.

Step 3:  Determine whether control coverage is adequate to control the end-to-end process

Step 3 brings the process and control pieces together. Here, you determine if the controls associated with a particular process provide full coverage.

Ask these Critical Questions to Assess Your Coverage:

• Is there an appropriate mix of preventive and detective controls?
  • Ideally you want at least one of each for key control points in a process.
• Do the controls cover all regulatory expectations within a given process?
  • Compliance and legal partners should be able to provide the discrete requirements for a given process. Then, evaluate your controls against the requirements for coverage adequacy.
• Do controls cover handoffs to other departments?
• Have there been instances where exceptions occurred downstream of the process that the control missed?
• Are there appropriate corrective controls in place to confirm that as exceptions arise, you perform root cause analysis, and take corrective action to prevent future exceptions?

PRACTICAL PERSPECTIVE

You need both preventive and detective controls, but I would rather have a really good preventive control than 100 detective controls that tell me I made a mistake after it already happened and can’t be reversed. – Senior Delivery Manager, Bridgeforce

Step 4: Confirm assessment results to prove the controls and coverage are as good as you think they are

The final step is to confirm the assessment results. Pull a statistically significant sample of process outputs and see if the controls worked as you expected. Test controls that routinely perform well less frequently over time. Conversely, test controls with high error rates or variance with increased intensity, particularly after control enhancements have been implemented.

Review testing results monthly with a critical and questioning mindset. Don’t let it become a “check the box” activity. Test other data points such as incoming complaints, loss events, and other issues that are relevant to the process. Ask the team whether control enhancements could have avoided these complaints, losses or issues.

Tweak controls accordingly and deploy technology to drive continuous monitoring for high-risk areas with either suspect controls or outsized exposure (such as zero error tolerance components).

Tune in to Changes that Affect Processes

Finally, stay connected with changes that are impacting the process. You won’t know how some changes may alter the structure of a process.  Look for trigger areas, such as:

• Automating a piece of the process
• Moving a process to another group
• Contracting a process out,
• Changing things upstream of your process

If you are unaware of how changes may adversely affect your control structure you may face regulatory, reputational and customer issues down the line. So, the only way to prevent harm is to place significant time and energy into change control activities. That’s why we say this is basically an “all the time” job.

Bridgeforce has experts who can help you evaluate your control environment. We’ve developed proactive risk management programs for banks and credit unions. Give us a call.