Your risk assessments should be the driving force behind everything you do. They should drive your policies, procedures, monitoring, audits, training, etc. Your Board needs to review your risk assessments because it is tasked with determining how much risk is acceptable for your institution. The Board needs to know whether the mitigation efforts put forth are too much, too little, or just right to meet its risk appetite.
Listen to David explain more
Does your board approve your risk assessments?
Does your board approve your risk assessments? Do they even review it? Hi, Dave Dickinson with Banker’s Compliance Consulting. Let’s talk about compliance management systems. You can see on your screen the house of compliance. You’ll notice that the oversight there is senior management, the board of directors, the roof of the house. The far left pillar has the risk assessment, and we have the other components of a compliance management system, policies, procedures, and monitoring and audits and training, et cetera.
Let’s talk about this risk assessment. Your board should be reviewing your risk assessments. What? They need to be able to articulate to you what their risk appetite is, what their risk tolerance is. They need to make that crystal clear to you. That’s something that we see is not effectively communicated in most cases. Why? Because they’re setting the policy, they’re responsible, and they’re saying, “This is what we’ll accept.”
Now, you conduct a risk assessment. It is what it is. They don’t approve that. You bring them the risk assessment. It drives everything else. What you see up on your screen right now are these gears. The big gear in the middle there is risk assessment, and then the monitoring and the policy, procedures, the audits, all those things are driven off of that. What the board and senior management need to know, and what the board needs to know, is: are your management systems, your procedures, and all those risk mitigators reducing the risk down to an acceptable level that meets their risk appetite and their tolerance?
So we’ve got this inherent risk. That’s what the risk assessment says. It is what it is. They don’t approve that. They review that. And then they look at all the things that you’re doing and they say, “Yes,” or, “No, we want more controls in place. That’s too much risk.” Or, “We’re willing to take some more risk. That’s too much money and time being spent. So let it loose a little bit.” We’re left with then this residual risk.
Now, the board should be reviewing that. They don’t approve procedures. They don’t really approve training and things like that, but they do need to say, “Is this taken care of to a level that we feel we can stomach?” That’s the point. So have these discussions with your board and say, “Is this an acceptable amount of risk?” And the results of that would come from your audits, probably, and let them know yes. Or other types of penalties or examinations, civil cases, things like that. That’s where they need to be able to tell you, “Yes, you’re doing this right.” Or, “We want more, we want less.”
I hope this is helpful. If you need more information on this, don’t hesitate to contact us or have your directors … We love to talk to them about this scenario that is not well understood or usually carried out. I hope this helps you. Thanks for watching.