It wasn’t uncommon in the latter half of 2019 for bank executives to note the margin pressure faced by the industry, brought on by an inhospitable interest rate environment. And rates dropped even lower in early 2020, with the Federal Reserve cutting rates to zero.
“In spite of the Fed’s yo-yo interest rate, we have a responsibility to manage our assets in a manner that is in the best interest[s] of our shareholders and communities we serve. The key is not to panic, but [to] hold the course,” said John Allison, CEO of Conway, Arkansas-based Home Bancshares, in the $15 billion bank’s second quarter 2019 earnings call. “At the end of the day, your management’s trying to operate profitably in the middle of this chaos. They say when you’re piloting an airplane and there’s a major problem, like an engine going out: ‘Don’t panic. Just fly the airplane.’”
Allison’s advice to “just fly the airplane” seems an appropriate way to frame the risks facing the banking industry, which Bank Director explored again in its 2020 Risk Survey, sponsored by Moss Adams. Conducted in January, it includes the views of more than 200 independent directors, CEOs, risk officers and other senior executives of U.S. banks below $50 billion in assets.
A majority of these industry leaders say they’re more worried about interest rate risk amid a competitive environment for deposit growth — 25% report their bank lost deposit share in 2019, and 34% report gains in this area. Looking ahead to 2020, most (73%) say their bank will leverage personal relationships to attract deposits from other institutions. Less than half will leverage digital channels, a strategy that skews toward — but is not exclusive to — larger banks.
In the survey, almost 60% cite increased concerns around credit risk, consistent with the Federal Reserve’s Senior Loan Officer Opinion Survey from January, which reports dampened demand for commercial loans and expectations that credit quality will moderately deteriorate.
Interestingly, Bank Director’s 2020 Risk Survey finds respondents almost unanimously reporting that their bank’s loan standards have remained consistent over the past year. However, the majority (67%) also believe that competing banks and credit unions have eased their underwriting standards over the same time period.
Scaling Back on Stress Tests. The Economic Growth, Regulatory Relief and Consumer Protection Act, passed in May 2018, freed banks between $10 billion and $50 billion in assets from the Dodd-Frank Act (DFAST) stress test requirements. While last year’s survey found that 60% of respondents at these banks planned to keep their stress test practices in place, participants this year reveal they have scaled back (7%) or modified (67%) these procedures.
Ready for CECL. More than half of survey respondents say their bank is prepared to comply with the current expected credit loss (CECL) standards; 43% indicate they will be prepared when the standards take effect for their institution.
Cyber Anxiety Rising. Eighty-seven percent of respondents say their concerns about cybersecurity threats have risen over the past year. This is the top risk facing the banking industry, according to executives and directors. Further, 77% say their bank has significantly increased its oversight of cybersecurity and data privacy.
Board Oversight. Most boards review cybersecurity regularly — either quarterly (46%) or at every board meeting (24%). How the board handles cybersecurity governance varies: 28% handle it within a technology committee, 26% within the risk committee and 19% as a full board. Just one-third have a director with cybersecurity expertise.
Climate Change Overlooked. Despite rising attention from regulators, proxy advisors and shareholders, just 11% say their bank’s board discusses climate change at least annually as part of its analysis and understanding of the risks facing the organization. Just 9% say an executive reports to the board annually about the risks and opportunities presented by climate change. More than 20% of respondents say their bank has been impacted by a natural disaster in the past two years.
In today’s news cycle, it seems barely a week goes by before another headline flits across a social news feed about a data breach at some major U.S. or foreign company. Hackers and scams seem to abound across the marketplace, regardless of industry or any other defining factor.
Cybersecurity itself has become an increasingly important issue for bank boards—84 percent of directors and executives responding to Bank Director’s 2018 Risk Survey earlier this year cited cybersecurity as one of the top categories of risk they worry about most. Facing the industry’s cyber threats has become a principal focus for many audit and risk committees as well, along with their oversight of other external and internal threats.
Technology’s influence in banking has forced institutions to come to terms with both the inevitability of integrating technology somewhere within the bank’s operations and the risk that comes with that enhancement. Add to that the percolating influence of blockchain and cryptocurrency and the impending implementation of the new current expected credit loss (CECL) standards issued by the Financial Accounting Standards Board, and bank boards—especially the audit and risk committees within those boards—have been thrust into uncharted waters in many ways and have few points of reference to guide them, other than what might be general provisions in their charters.
And lest we forget, audit and risk committees still face conventional yet equally important duties related to identifying and hiring the independent auditor, oversight of the internal and external audit function, and managing interest rate risk and credit risk for the bank—all still top priorities for individual banks and their regulators.
The industry is also in a welcome period of transition as the economy has regained its health, which has influenced interest rates and driven competition to new heights, and the current administration is bent on rolling back regulations imposed in the wake of the 2008 crisis that have affected institutions of all sizes.
These topics and more will be addressed at Bank Director’s 2018 Audit & Risk Committees Conference, held June 12-13 at Swissôtel in Chicago, covering everything from politics and the economy to stress testing, CECL and fintech partnerships.
Among the headlining moments of the conference will be a moderated discussion with Thomas Curry, a former director of the Federal Deposit Insurance Corp. who later became the 30th Comptroller of the Currency, serving a 5-year term under President Barack Obama and, briefly, President Donald Trump.
Curry was at the helm of the OCC during a key time in the post-crisis recovery. Among the topics to come up in the discussion with Bank Director Editor in Chief Jack Milligan are Curry’s views on the risks facing the banking system and his advice for CEOs, boards and committees, and his thoughts about more contemporary influences, including the recently passed regulatory reform package and the shifting regulatory landscape.
It seems that all of the banking industry is abuzz about the prospects of potential legislative changes and financial regulatory reform. It is anticipated that Representative Jeb Hensarling will propose Financial Choice Act 2.0, bringing broad and sweeping changes to banking laws and a great number of regulatory changes. While most of the industry supports these changes, it is unclear if any of them will ultimately become law. With uncertainty about whether change in regulatory oversight will be made, we suggest that banks take a look at the functioning of their constant regulator: the board.
Most bank board members would recoil at the notion that they are regulators. They correctly view their role as enhancing shareholder value, which includes setting the strategy for the bank. In some cases, it is a dynamic strategy. However, the oversight function of the board requires that board members serve as the bank’s primary line of regulatory oversight. The board needs to ensure that the bank not only has reasonable programs in place designed to promote compliance with laws and regulations, but also that the bank is appropriately implementing the strategic plan adopted by the board. With that in mind, we believe bank boards can improve their oversight function by adopting some of the key proposals under discussion for regulatory reform.
Adopt a limited number of key principles: A board’s primary guidance to management—the strategic plan—should set forth high level requirements for the direction of the bank. Developing a detailed operational plan at the board level, or attempting to co-manage the bank along with officers, is frequently counterproductive and causes management to spend too much of its time complying with the board’s requirements rather than building value in the business.
Tailor oversight to the size and complexity of the institution: It is critical that the board’s oversight function evolve as the business model and the growth of the bank does. While we sometimes see boards impose requirements on management that are overly complex and burdensome, it is more common that boards fail to evolve their oversight as the bank grows and becomes more complex. This issue is particularly prevalent among fast-growing, acquisitive banks. Boards sometimes take the same approach to compliance and regulatory oversight as they did when the bank operated in a single community with a small number of conventional products.
Eliminate concentrations of power: Just as many bankers find the unchecked power and single director structure of the Consumer Financial Protection Bureau objectionable, concentrating too much power in one or two directors can also be destructive for a bank. Among the bank failures we saw, a disproportionate number relied on the oversight and guidance of a single dominant director. A properly functioning board should foster discussion and debate among directors with diverse business backgrounds, risk tolerances, and points of view. Moreover, directors should feel accountable to each other and to shareholders.
Eliminate useless reporting: Just as bankers seek to streamline regulatory reporting, board reports should be streamlined as well. When was the last time your board had a discussion about the usefulness of the various reports received at each board meeting? There is a terrible opportunity cost to having some of the best minds in the bank prepare reports that do not provide actionable information or, even worse, are ignored by board members. Boards should periodically discuss which reports are no longer helpful, and also, which types of additional reports might be beneficial as the business model of the bank evolves.
Provide timely feedback: One of the less publicized provisions of the Financial Choice Act is a requirement for timely delivery of regulatory exams. Boards should adopt this policy as well with regard to key board actions and feedback to senior management. A concern raised in a board or committee meeting without timely resolution by the board can leave management in limbo, afraid to make any decision that might ultimately be deemed by the board to be a bad one. If the board’s oversight function raises a concern, boards should work to resolve the concern and take any necessary action as quickly as possible in order to allow management to move forward.
In a deregulatory environment, it may seem strange that attorneys would suggest that boards likewise streamline their oversight function. However, it is our belief that reducing regulation is not nearly as important as improving the effectiveness and efficiency of regulation. By focusing the board’s oversight function on monitoring the key risks of the bank in an efficient manner, board members will create more time to focus on developing effective strategy, and for their management teams to focus on building value for the bank. Thoughtful board oversight is as important as regulatory relief for the industry, if not more so.
There are few events in the life of a bank that are more important than a safety and soundness examination by the institution’s primary regulator. A passing grade means the bank will be able to execute its growth strategy, including acquisitions, product development and business expansion, with little interruption or objection from its regulator. Not only does a failing grade mean that the bank’s major growth initiatives will probably be put on hold, but its management team will have to spend both time and money fixing the deficiencies—resources that otherwise would be spent on more productive pursuits. Gary Bronstein, a Washington, DC-based partner at Kilpatrick, Townsend & Stockton LLP, offers advice to bank management teams and boards on how to prepare for an exam in an edited conversation with Bank Director Editor in Chief Jack Milligan.
Preparing for a Safety and Soundness Examination
The first thing, which is probably the most important thing, is for management and the board to review any deficiencies or matters requiring attention from the prior exam and make sure those have been addressed. The regulators will verify and review the effectiveness of any corrective action taken after a prior exam. A few other things that are perhaps a little less pressing but still important to consider include any changes in the bank’s business activities since the last exam. You might want to take a look at your policies and procedures to make sure that those have been updated to reflect the new activities. For example, if the bank is engaging in a new lending activity or a new subsidiary activity, do the policies and procedures reflect what they’re doing? Also, if you’re expanding to new markets, that also may require a look at the policies and procedures.
It’s also important that you prepare your employees for the examination process. You ought to make sure that they’re aware of the exam, that it’s coming, what the schedule is, when the examiners will be there and where they’ll be located. Remind employees of simple things about office protocol that you might take for granted, such as not having business discussions in public areas where they may be overheard by an examiner, and not leaving documents lying around in conference rooms and on photocopiers that examiners might have access to and that might contain sensitive information that you’re not ready to provide. Employees should be knowledgeable about the policies and procedures for which they’re responsible, because they may be asked to talk about them.
Approximately 30 to 90 days before the exam, the bank will receive what’s called a first day letter, which talks about the scope of the exam. That is to be taken seriously. It’s important to do your homework relative to that letter and what’s in it. The other thing that’s worth looking at is that each of the federal banking agencies has an examination manual that’s posted online. It sets forth the supervisory and examination objectives. That’s absolutely worth reviewing. It’s a good idea to appoint a point person at the bank who is responsible for handling all inquiries that arise during the exam. And when you gather information for examiners, keep a record of what you’ve gathered so that in case anything gets lost, you have a record of it.
The Importance of the Initial Meeting With the Examiners
It’s important to think in advance of an exam about the opening meeting that will take place with the examiners. It’s important to make a good first impression because that can set the tone for the exam. You should probably have your full executive team present for that. I don’t think it’s necessary to have board members at that initial meeting because most banks generally think of an exam, certainly at the initial stage, as more of a management function rather than a board function. It might be a good idea to have your compliance officer present, as well as key officers in charge of particular business units. You might start off the meeting by talking about issues that were raised during the prior exam and address those up front. Address some changes that have taken place at the bank since the last exam so that the examiners are well-informed of what has taken place. Set the ground rules for how this is going to unfold in terms of how long they’re going to be there, what days of the week and the person to contact.
Other Pre-Examination Considerations
Take care of logistics, such as where the examiners are going to sit. Make sure they have access to things that they need because that sets a nice tone. It’s a good idea to be proactive. Sometimes you have new examiners who are not familiar with your bank, so it’s a good idea to start off with a summary of your business, where you’re headed and what your control environment looks like. Also, you might consider self-identifying issues or problems, but don’t do that without being prepared to provide a remediation plan of how you’re going to deal with those issues.
And make sure your files are organized because it sets a bad tone if you’re having difficulty finding things and it takes a long time, so organize your files related to things you expect the examiners are going to look for.
Conducting a Mock Examination
Some banks conduct a mock regulatory examination, which may help you prepare for the process and identify areas to focus on. It could be performed by someone at the bank who is experienced in having gone through a number of exams, so they’re familiar with how the examination process takes place. Or you could use an outside consultant who walks you through an initial meeting and gets you prepared for issues that would typically arise during the exam. What happens if the examiner approaches you about X, Y or Z? How are you going to respond? What happens if you disagree with an examiner? Who’s going to be the spokesperson and how can you effectively address the disagreement?
Handling Difficulties as They Come Up During the Exam
Issues regularly come up during an exam. They could be tactical in nature. It might be the examiner taking a position that there’s been a regulatory violation. Is that based upon a law or regulation? It might not, in fact, be a violation, but there may be a disagreement. It might be a reasonable and understandable disagreement. It may not be. It may be a misunderstanding about something that the bank is doing that they’re actually not doing. It can be a mistake. Some of the examiners are inexperienced and like any person, an examiner can make a mistake. The question becomes, how do you proceed?
My first piece of advice for disagreeing with an examiner is this: Proceed with caution. The last thing you should do in communicating with the examiner is to dress that person down, or berate the person. I’ve seen that happen and things deteriorate quickly. That’s a bad idea in almost any scenario but it’s certainly a bad idea when you’re dealing with an examiner or regulator. You should never be condescending or disparaging. I think it’s important to be non-defensive, factual, unemotional and just set forth why you disagree. If it’s done in a constructive manner, it should go pretty well.
The importance of dealing with problems as they come up
Whether it’s a regulatory violation or some other significant issue that arises during the exam, the bank should make every effort to try to get it resolved, hopefully while the examiners are still there, but certainly before the examination report is issued. If it’s a regulatory violation, it’s a good idea to get the lawyers involved, whether it’s in-house or outside counsel, to get an opinion about whether or not the situation does rise to a regulatory violation and then address it head-on, but again in a constructive way. Hopefully, it can be solved by resolution as opposed to a heated argument.
The board’s role in preparing for a safety and soundness examination
The one thing the board can be doing all year long is to make sure that any discussions about board oversight of management are properly recorded in the minutes, because the examiners are going to look at the board minutes and I’ve heard it said on many occasions that from an examiner’s perspective, if it’s not in the minutes, it didn’t happen. That’s not to suggest that you should have a stenographer on hand to record every word, but it ought to be a fair summary of what discussions have taken place, particularly with respect to the prior exam. It’s important to have a record that these issues were discussed, that the exam was discussed, the response was discussed and questions were asked.
It is important that there be a tone at the top communicating that the examination process is important, and that begins with the board and the senior management team. As far as board involvement is concerned, certainly if it’s a troubled bank, the board is going to be more involved in the examination process and there’s the expectation that the board will be. With a healthy bank, you might have the chair of the audit committee be available as needed. Issues that may be discussed include the internal audit process and the internal controls environment. The audit committee chair is the most credible person to discuss those issues.
Managing the post-examination process
As always, management is on the front lines and the board is performing an oversight function. I think it’s important after the exam to have open lines of communication with the examiners, particularly with an issue that might be unresolved, because I think it’s important to vet those issues, provide additional information, and hopefully correct those issues before a final report is released, so that kind of back-and-forth communication between management and examiners is important. If there are any issues of significance, those ought to be brought to the board’s attention as soon as possible so that the board is aware of them. If they’re significant enough, the examiners are going to want to meet with the board, so the board needs to be well informed before any meeting takes place with the examiners.
The final report ought to be reviewed carefully and a well-thought-out plan for correcting any problems ought to be developed. The written response ought to be delivered in a non-defensive and factual way, without getting combative. I think it’s important not to over-commit to remediation and corrections because the last thing you want is to commit to doing something and be unable to deliver. It’s important at the board level that there be a written record of discussions about the exam process, the report and the response, and it’s important that management fully report to the board about the issues that arose during the exam. The board ought to be engaged and ought to challenge management about the areas of concern that were raised during the process, because ultimately, the board is going to be held responsible if there are any repeat violations of issues raised during the exam.
There has always been a level of subjectivity in the regulatory process. In the past, it manifested itself as interpretations of written regulations. The post-crisis regulatory environment continues to evolve—as does the subjective aspect of regulation—creating new challenges for bank boards. Bank directors are now faced with subjective terms like “risk culture” and “deceptive acts and practices” included in their exam reports as standards, as well as a regulatory focus on “adequacy” when evaluating strategic planning and capital and liquidity management. Bank directors are now challenged to understand what needs to be done to meet these evolving subjective expectations of the regulators and, in turn, hold senior management accountable.
Trying to define these terms is probably futile, but there are things the board can and should do to ensure these standards are being met.
Educate Yourself
Directors should start by learning as much as they can about these subjective requirements. Understanding how they evolved and what they are intended to correct or prevent will help you understand what has to be done to meet them. The regulators have made it clear they have higher expectations for director oversight of risk-taking activities, and the board is expected to challenge, question and, where necessary, oppose management proposals. Education is key to meeting these expectations.
Identify Behaviors
Actions speak louder than words. Too many organizations rely solely on policies or pronouncements to demonstrate compliance with subjective requirements. Take risk culture, for example. The board should ask how everyone in the firm is held accountable for risk, and understand the answer. How do compensation plans incorporate risk concepts? How do you deal with policy violations? Are employees rewarded for identifying and addressing risk matters? Directors must then ask whether the answers to these questions demonstrate the type of risk culture the firm is trying to achieve.
Learn From Others
Directors should be acutely aware of industry trends when it comes to subjective regulation. Regulators are relying more and more on horizontal reviews of financial firms to identify best practices. Understanding what has been considered inadequate when it comes to a financial firm’s capital or liquidity planning can provide guidance on evaluating a firm’s own plans. For example, the Federal Reserve publishes the results of its Comprehensive Capital Analysis and Review for the largest banks, which is a good place to start. The public release of capital planning results showed there is both a quantitative and qualitative aspect to planning. While the quantitative aspect of planning is made public through establishing acceptable minimums, the qualitative aspect (how you got there) can best be met by understanding how others succeeded or failed to properly plan.
Create a Program
Understanding what needs to be done is the first part of the challenge. The second step is making sure your firm is doing it properly. Subjective standards have to be incorporated into risk and audit programs. It may seem impossible to audit for something like risk culture, and an audit of risk culture is certainly more art than science, but some questions the audit should include are:
Is there an understanding, communication and alignment of values in the firm?
Are risk commitments being met, and do the firm and management do what they say they will do?
Are there any exploitations of gray areas to benefit individuals?
Is there evidence of a balance in the firm between achieving results and managing risk?
The bottom line is that the board should insist audits and risk assessments take into consideration how these areas of subjective regulation are reflected in the operation of each area, procedure or process they review.
Tell Your Story
Directors should be ready and able to express their understanding of how they meet today’s subjective standards. For example, understanding the strategic planning process and the manner in which risk factors are taken into account in both planning and execution of strategy allows directors to ask the right questions throughout the process. The same is true for capital and liquidity planning, where reflecting the right level of questioning and debate in the minutes will likely be crucial to meeting the regulatory “adequacy” standard.
The examples shared are just some of the subjective terms permeating the regulatory process in today’s environment. Like written regulations, they will continue to evolve and will be heavily influenced by the regulatory climate. Dealing with this regulatory uncertainty will continue to be an important practice for directors.
Among the many threats to shareholder value that bank directors must address, the risk of internal fraud is one of the most challenging. Virtually all bank directors recognize their obligation to actively oversee the way the bank monitors its employees to mitigate the risk of fraud, but most directors also understand the need to avoid micromanaging day-to-day operations.
Treading the fine line between oversight and overstepping can be difficult. Often it means learning to ask the right questions of the right people, particularly of the bank’s senior management team.
Because every bank’s risk profile is unique, no single list of questions can fit every institution. Nevertheless, it is possible to outline some broad principles and useful questions within three general areas of strategic, board-level concern.
Corporate Governance
The major corporate governance elements related to internal fraud are the management and oversight of the organization, including the bank’s published code of conduct, written ethics policy, fraud policies and procedures, and loss reporting practices. Board members should exercise direct and active oversight of these components and be prepared to ask management a broad range of questions, including:
How frequently are our code of conduct and ethics policies reviewed and updated?
In addition to introducing our ethics policies during new employee training, how else—and how often—are these policies communicated and reinforced?
How are fraud losses identified, tracked and reported to the board? Are board members and executives regularly briefed on current fraud issues and trends by the appropriate managers?
Are employees able to report suspicious behavior outside the day-to-day management structure, or are they able to report it only through their immediate superiors?
Has the bank established a whistleblower hotline that allows employees to report suspected fraud anonymously?
How is hotline activity measured and tracked? How is the program’s effectiveness measured and evaluated?
How often is the whistleblower hotline publicized and reinforced in regular employee communications?
The Control Environment
The next broad area of board concern, the control environment, addresses the various tools, processes, and other components that implement the fraud policies prescribed by corporate governance. Issues of strategic-level concern in this area tend to revolve around training, accountability, and equitable treatment, as well as the effectiveness, efficiency and reliability of fraud reporting practices. Useful control environment questions for board members to ask include:
How is fraud awareness training being provided throughout the organization? Is awareness training tailored to each line of business?
Beyond awareness, do employees receive training on ethics, fair service and honest dealing?
Are employees being trained on specific anti-fraud practices and controls? Once trained, are they held accountable?
Are fraud policies implemented and enforced consistently and fairly? Are senior-level or revenue-producing personnel subject to the same enforcement as junior or administrative staff members?
Are anti-fraud controls consistently monitored and tested as part of the internal audit function?
Do employees know how to report fraud?
Incident Management and Response
The board of directors has primary responsibility for seeing that there is a defined structure and process for responding to fraud-related incidents and issues, including clearly defined roles and responsibilities. It is important that incident response protocols are applied consistently across the institution, rather than allowing each line of business to pursue its own course. To carry out this responsibility, directors should be prepared to ask questions such as:
Is there a high-level, organization-wide policy regarding incident management? Does it set forth adequate protocols including all relevant legal, reporting and regulatory requirements? Is the policy regularly reviewed and updated?
Who is the designated management-level employee with the authority to manage and administer fraud investigations and responses?
Has management taken adequate steps to support this employee with an appropriate team involving legal, human resources, internal audit, information technology and other departments?
Is there adequate oversight to allow fraud inquiries to proceed without interference from the affected lines of business?
Does the board receive regular briefings on material issues of fraud or fraud management?
How does the organization learn and evolve based on industry events and previous large incidents of fraud?
The scope of a director’s responsibility extends far beyond these three general areas alone, but starting with these broad topics can help board members maintain their focus at the strategic level while still posing challenging questions. In addition to establishing the appropriate “tone from the top,” such questions can help guide the management team toward more active and effective management of internal fraud risk.
Despite all that has been made of Dodd-Frank, the new Consumer Financial Protection Bureau, and the increased focus on consumer compliance throughout the banking industry, we think that the fundamental formula for effective board oversight of the compliance function has not materially changed. We encourage directors to take stock to make sure their bank’s program is adequate. In this season of great contests on the gridiron, we would emphasize that blocking and tackling—and defense generally—remain the keys to success in this area. Be a good coach and make sure that these fundamentals are practiced at your bank.
Bank Regulatory Expectations
We start with the black-letter guidance and then read between the lines based on our experience and judgment. Each of the prudential bank regulators has outlined its expectations for board oversight of the compliance function. Although it’s stated in various ways, the basic recipe for the “compliance management system” is this:
Compliance program documents and reporting
Board and management oversight
Think of board oversight as “coaching” and the rest as blocking and tackling.
Compliance Program Documents and Reporting
A successful compliance program has been, and will continue to be, based on an effective internal controls environment—your defense. The most important things a board can do here are to maintain effective policies and to expect excellence from your management team. Designate a chief compliance officer the way you would name a starting quarterback. Every compliance examiner expects to see a body of current written policies and procedures, including a compliance program document, and strong compliance management leadership.
As is often said, policies establish “what” and procedures say “how.” It is probably not effective or appropriate for your average director to be involved in articulating how compliance gets done. On the other hand, policies should be reviewed at least annually, and the board should ensure that its committees—typically risk or audit—receive and digest reporting sufficient to describe the state of the compliance function. Are we staffed to keep up with changes in law? Is our training sufficient? What complaints do we generally receive? Do we need new or additional software or equipment? Perhaps most importantly, and the subject of our next discussion point, does evidence demonstrate that the program is working?
The regulators describe compliance audit as the means of testing the effectiveness of your compliance program. A related function is self-monitoring. The difference is generally in the level of independence and frequency of reviews. A robust compliance program will include regular self-reviews. Annual testing, either by your internal audit department or by a third party, is a required step, but it cannot take the place of ongoing review through internal monitoring and testing and a formal risk assessment process.
This conclusion has at least two justifications: first, self-monitoring (either by business units or compliance staff) generates real-time data useful to board and management oversight and is most likely to result in swift corrective action. Second, regulators typically “draft” behind compliance audit findings—that is, they make preliminary conclusions about the state of your program based on these reviews. While a genuine, independent and comprehensive compliance audit is an important aspect of a good system, it is preferable to go into these audits with confidence that your program is clean.
The Role of the Coach
While the compliance atmosphere has undoubtedly changed, a board that emphasizes the fundamentals—like a good coach—should succeed on every front. Take an active interest in your compliance management program and make sure it has what is necessary to get the job done.