In Part 1 of this writeup, we discussed the approach that the Office of the Comptroller of the Currency (OCC) has taken in recent enforcement actions related to the Heightened Standards guidelines.
In contextualizing their oversight, it’s worth noting that the OCC also recently issued the Director’s Book: Role of Directors for National Banks and Federal Savings Associations and, in so doing, referenced back to their other guidebook on Corporate and Risk Governance. As with other publications and advisories, these guidebooks are an opportunity for financial institutions and covered entities to conduct an impact analysis using Key Risk Indicators (KRI) to ensure that there are no gaps between their compliance programs and the updated guidance.
To that end, there are a few remaining facets of the OCC’s Q4 consent orders that may need to be factored into such a review.
READ MORE: OCC’s Heightened Standards [Part 1/2]
Making Metrics Matter
There has been a recent trend in the enforcement action space for regulators to focus on data quality and more technological issues within those assessments, oftentimes noting the poor quality or lack of data validation and system integration. In both of the late-year consent orders, the OCC focused on data risk management and data governance.
The OCC also called out the need for processes in the collection, review, and dissemination of compliance-related metrics. Both KRIs and general metrics appear to be within scope in these consent orders, with the articles of the consent orders speaking to the need to have processes and procedures to ensure that:
1) compliance-related metrics are collected;
2) those metrics are robust;
3) they support informed decision-making with regard to both the objective risks at issue and the banks’ overall risk governance framework; and
4) senior management and the board review the same.
Who Watches the Watchers?
Expectations of Senior Management
As noted in part one of this review, the OCC is focused on how staff throughout the organization support the risk governance framework. The consent orders flat out state that governance and oversight at the upper echelons of the organization are just as significant. While onlookers aren’t privy to the nature of the subjective findings at organizations, those of us in the analysis space can glean that either robust metrics were not being collected, were not of sufficient quality to support the risk governance framework, or were not being sufficiently reviewed at senior levels within the organization. Senior management, through boards or committees, should be apprised of risk-related metrics and KRIs. As stated in the consent orders, the metrics and KRIs themselves should be granular and have both warning lines and limits related to their subjective risk categories. Ostensibly, the OCC expects to see that there are:
1) Procedures for the collection and validation of risk governance framework-related metrics, which include the frequency of submission to and seniority levels of the reviewers;
2) Charters or other supporting documentation noting that those governing committees (or comparable entities) are in fact being given those metrics; and
3) Minutes or other supporting information to show that senior management is providing credible evidence for the same.
Many Hands Make Light Work
A More Connected Risk Management Framework
As with other areas of compliance, the risk governance framework is an all-hands endeavor. The gist of these enforcement actions is that certain areas of the organization may have been waning in their support of the banks’ compliance posture, without compensating support from other areas. While the Corporate and Risk Governance expectations have been in place for over six years, the consent orders at issue were on a multi-hundred-million-dollar scale, which should give any onlooker pause.
As with other trigger events, this is an opportunity for financial institutions to pause and evaluate, for better or worse, where their compliance programs are in comparison to these reiterated expectations. Regulatory technology can help firms with this evaluation, connecting disparate systems and teams within their organizations, spotlighting areas of risk, and, in turn, enabling a more unified culture of compliance.
LEARN MORE: What is RegTech?
End-to-End Compliance with Ascent
When it comes to identifying the risks associated with regulatory compliance, it’s important to start from the beginning. At Ascent, we use world-class AI to help firms rapidly and accurately identify their regulatory obligations, at the most granular level possible. This granularity, or precision, is especially important when trying to set a regulatory compliance framework for the first time or address any gaps within your existing regulatory compliance framework. Ascent then keeps your obligations up to date automatically.
READ MORE: 3 Definitions of Regulatory Mapping
To help firms build a more connected risk governance framework, Ascent seamlessly integrates with GRC platforms. With a single source of regulatory truth, the three lines of defense can all work from the same data towards the same goals.
To learn more about Ascent and its API integrations, contact us directly. For more information about risk and compliance strategies such as IRM and the technology that powers them, subscribe to our monthly newsletter Cliff Notes below.