Compliance Officers - Risk Rating & Prioritizing
By David Dickinson
I'm still providing you with my notes from the ABA's Regulatory Compliance Conference. I attended a session on Risk Rating and Prioritizing tasks as a Compliance Officer. Below are my notes from this session:
Gone are the days of checking off tasks. Now you must risk assess everything. Apply a risk approach to everything. What issues are facing your bank?
Getting Organized:
Design a "Issues Status Report"
Be sure to list the responsible office and responsible officer/manager. (These people will want their name off the list - so it becomes a priority for them).
If past due, change the color (yellow or red). This will get a faster response.
Design a "Project Status Report"
Showing the schedule, process and completion status of tasks. This is a great way to report to senior management and/or Board.
Risk Rating/Prioritizing:
Lower risk = lower priority
For example, check some disclosures once per year (such as the Cosigner notice) to make sure verbiage hasn't changed.
"Don't let the Compliance Tail wag the Banking Dog" 
If you under manage, issues will arise.
If you over manage, you risk profits.
It's not a "compliance culture". It's a "Risk Culture."
Risk management starts at the top.
Many senior people don't like the term "compliance". Use "risk".
Auditing & Risk Rating:
For example, not all of Reg E is a high risk:
Issuing access device (205.5) vs. initial disclosures (205.7) vs. error resolutions procedures (205.11).
Same with Reg D, yet Reg D doesn't have the same monetary penalties or seems to receive less examiner scrutiny.