BankDirector.com: Charting a course for America's banking leaders

BankDirector Cover

Board Issues : Regulation

Part II: The Inspection Process - Compliance Lessons from the Construction Industry

October 22nd, 2012 |

quality-guarantee.jpgIn the first article of this series I compared the optimal compliance program to a well-built house. You may recall that the construction of a house and a sound compliance program share three key elements: the blueprint, foundation and framework. In this installment, we’ll talk about two more elements that compliance and construction have in common: inspections and maintenance. For the staff involved, this work can be painful to endure, but altogether necessary.

Just like a home inspection, a banking inspection ensures the safety and soundness of the structure. An overlooked mistake can spell a failed inspection, or worse, a structural collapse—and perhaps liability. Even after a passed inspection, periodic maintenance is required. Prompt detection, and swift and thorough remediation of the problem areas, can halt concerns before they worsen, thereby protecting your institution.

So how do you know whether your institution is ready to pass inspection? How do you determine whether you’re conducting the proper periodic maintenance check-ups and routines to keep your compliance programs as effective as possible? The answer is simple: By exercising proper oversight of these programs at the board level. This oversight is carried out by reviewing the right reports with the right content at the right times. 

Boards of directors must ensure that they gather solid intelligence to carry out their fiduciary duties and make informed decisions. One way to do this is to demand high quality reports at predictable intervals. Reports that are flawed or delivered too infrequently may conceal weaknesses that should be addressed. Reports should occur at three basic intervals:  monthly, quarterly, and annually.

Monthly Report

Monthly reports should focus on tactical execution, delivering performance data and metrics. These reports, typically delivered by the compliance team, should cover frontline activity and demonstrate whether the day-to-day work of compliance is being done on time and accurately. Monthly reporting should shine a bright light where weaknesses may exist, and should state the measures being taken to remedy the deficiencies. 

Quarterly Report

Quarterly reports should focus on trends and analytics that demonstrate whether risk exposures are increasing or decreasing. The quarterly report gives insight into how the compliance program is functioning over time. This report should contain information about regulatory trends, upcoming or changing rules and should consider the environmental and operating conditions that could affect the institution’s progress and performance.

These reports should also summarize the results of compliance monitoring activities that occurred during the quarter and which activities are planned in the quarter ahead. This data allows directors to conclude what, if any, internal events or changes will influence the institution. In general, these reports show the up-to-the-minute state of preparedness for exams and audits.

Annual Report

Finally, annual activities such as audits or reviews generate reports on the program’s effectiveness. This annual look-back reflects how well the institution kept its risk exposures to acceptable levels. These types of reports often opine on the overall capabilities of the executive team and compliance management group in carrying out their responsibilities. These reports take an independent look at the program to gauge its effectiveness, efficiency and performance over a historical period.  

Indicators of Poor Reporting

Good intentions can nonetheless produce bad results if the content of reports is inadequate.  When reviewing your institution’s reports, keep in mind these signs of flawed reporting:

  • Reports that are too long or too detailed. Key points cannot be extracted when the volume of information presented obscures the meaning. 
  • Reports that state only facts but provide no evaluative statements. The board needs to understand whether the data being presented is positive or negative.
  • Reports that fail to identify the root causes of weaknesses. Failure to identify the root cause delays implementing corrections. 
  • Reports that identify the root causes of deficiencies, but do not suggest appropriate corrective action. Solutions should be offered in reports. 
  • Reports that only emphasize weaknesses and ignore strengths. Focusing only on the negatives may inappropriately exaggerate the scope or materiality of an identified problem. 
  • Reports that do not reflect the materiality or severity of an issue. Treating every issue uniformly is a sign that perspective may be lacking.

Financial institution boards have a tough assignment: Overseeing the construction of a stable structure that can withstand not only regulatory scrutiny, but the storms of changing economic and regulatory conditions. Maintaining this structure after it’s built is equally daunting. It requires vigilance toward the review and interpretation of quality data, and applying that information to managing risks in an ever-changing climate. Proper reporting ensures proper maintenance of the compliance program, and a well-maintained program that can be clearly articulated to examiners is the key to passing future inspections. 

But, what if, during the inspection process, you realize that something has gone wrong? In the next article of this series I will go over the corrective steps and actions the board should take to repair the compliance program. 

pperdue

Continuity Control’s Chief Compliance Strategist Pam Perdue is a former federal examiner, chief compliance officer and consultant with more than 20 years of compliance experience.  Continuity Control’s complete compliance platform enables community financial institutions to control the costs of compliance while passing regulatory muster. Connect with the company on Twitter @CE_Control, on Facebook at ContinuityControl and LinkedIn at http://www.linkedin.com/company/continuity-control.

blog comments powered by Disqus