Simply stated, change is constant. Banks need to change to remain relevant, gain efficiency and improve control. But the accelerated pace of change we are experiencing these days can increase risk if it is not effectively managed. So, based on our experience and that of our colleagues, we’ve curated here what we see as the top four steps to proactive risk management for banks. You can successfully keep pace with change and mitigate risk by focusing on process and controls.
Change is essential in financial services. Customer preferences, regulatory requirements, training and employee satisfaction all give way to the need to stay relevant and be willing to evolve with changing times. Lately, we’ve noticed an acceleration of the pace of change at financial institutions. And, here’s the current proof of the change we’re seeing:
You likely have a robust control infrastructure in place. But the volume and breadth of change exposes existing processes and controls to considerable strain. Then, add regulatory pressure from the CFPB. They continue to cite firms for some familiar violations such as:
The pressure is on and with change being so rapid at banks, it’s hard to keep track and make sure that the control environment isn’t adversely affected. The next four steps will help.
To implement change with peace of mind that you’ve mitigated risk, you need to actively interrogate controls in the pursuit of ongoing continuous improvement. Warren Buffet once said, “Risk comes from not knowing what you’re doing.” So, make sure you are regularly assessing and monitoring your controls.
Start by evaluating the risks associated with each unique business process. Create a matrix to rate these important elements:
We recommend the best practice of creating process maps for each process. Executed thoroughly, process maps are useful tools, not just something to provide to regulators or the second or third lines of defense.
A process map is most valuable when it shows the process as you expect it is being done and reflects the controls that indicate the process is working as expected. If process maps already exist, review them for accuracy and include regulatory / operational risk expectations and corresponding controls. Managers often think they know how a process should work, but when push comes to shove, if it is not mapped in detail, surprises are most likely lurking within the details.
I worked with a client to map a process from end-to-end; literally sitting with all the different agents involved in the process from start to finish. I sat with one agent who painstakingly prepared a detailed report and sent it to the next group to handle the next steps in the process. When I sat with an agent in that next group, they opened the report and threw it right in the trash! I asked why. They said, “We have no idea why they send this – We don’t need it to do our part of the process.”
Ultimately, we uncovered that the second group had made changes to their process and no longer needed the report. But the people upstream didn’t know about the changes, so they continued to create the unnecessary report. -Senior Delivery Manager, Bridgeforce
After identifying all the processes, the next step is to review the control inventory. At this point, you rate each control on its ability to mitigate risk associated with each process. This requires a deep level of interrogation to truly understand the purpose of every control. Far too often, organizations focus on the number rather than effectiveness of controls.
Controls are only effective if somebody is going to do something when an exception is identified to prevent repeat occurrences. Controls must be measured and must drive action when triggered. – Senior Delivery Manager, Bridgeforce
Use these Critical Questions to Assess Your Existing Controls:
The output of this kind of assessment determines whether the control itself is conceptually strong and executed properly.
Step 3 brings the process and control pieces together. Here, you determine if the controls associated with a particular process provide full coverage.
Ask these Critical Questions to Assess Your Coverage:
You need both preventive and detective controls, but I would rather have a really good preventive control than 100 detective controls that tell me I made a mistake after it already happened and can’t be reversed. – Senior Delivery Manager, Bridgeforce
The final step is to confirm the assessment results. Pull a statistically significant sample of process outputs and see if the controls worked as you expected. Test controls that routinely perform well less frequently over time. Conversely, test controls with high error rates or variance with increased intensity, particularly after control enhancements have been implemented.
Review testing results monthly with a critical and questioning mindset. Don’t let it become a “check the box” activity. Test other data points such as incoming complaints, loss events, and other issues that are relevant to the process. Ask the team whether control enhancements could have avoided these complaints, losses or issues.
Tweak controls accordingly and deploy technology to drive continuous monitoring for high-risk areas with either suspect controls or outsized exposure (such as zero error tolerance components).
Finally, stay connected with changes that are impacting the process. You won’t know how some changes may alter the structure of a process. Look for trigger areas, such as:
If you are unaware of how changes may adversely affect your control structure you may face regulatory, reputational and customer issues down the line. So, the only way to prevent harm is to place significant time and energy into change control activities. That’s why we say this is basically an “all the time” job.
Bridgeforce has experts who can help you evaluate your control environment. We’ve developed proactive risk management programs for banks and credit unions. Give us a call.