
Compliance Risk Assessments: Components and Trends

FIRMA, March 28, 2012, 1:15 – 2:15 PM

Patricia A. Hackett, Esq., The PNC Financial Services Group, Inc.


Table of Contents

Framework

Components

Trends


Compliance Risk Assessments: Framework

Cycle: Identify → Assess → Monitor → Report (and back to Identify)

Identify: Review monitoring results and inputs from the business, Regulators, Internal Audit, etc.

Assess (Compliance Risk Assessment): Determine Inherent Risk; evaluate Quality of Risk Management; create recommendations and document controls. Complete annually; review periodically.

Monitor (Risk Mitigation Activities: metrics, issues, training, etc.): Implement risk mitigation activities and monitor results. Re-evaluate and update periodically. Track recommendations to be completed to monitor and/or improve Quality of Risk Management. Track completion of monitoring events and other identified activities.

Report (Report Metrics, Issues, Results): Periodically report results that assess the compliance risk component of the firm’s operational risk profile to Business Risk Committees and executives.


Compliance Risk Assessment Components: Definition


Compliance Risk:

Risk of legal or regulatory sanctions, material financial loss, or loss to reputation a firm may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its financial services activities. (Basel Committee on Banking Supervision)

Reminder: Business “owns” risk.


Compliance Risk Assessment Components: Analysis

INHERENT RISK – QUALITY OF RISK MANAGEMENT = RESIDUAL RISK

Inherent risk: Level of uncontrolled risk combined with the likely impact of a compliance violation, based on the firm’s business activities, before the firm applies any controls or undertakes risk management activities.

QRM (Quality of Risk Management): Factor in the institution’s controls and mitigants (consider whether they are manual or automated, the complexity of the process, etc.).

Residual Risk: What is “left over.”



Compliance Risk Assessment Components: Factors


Compliance Risk Assessment Components: Example Risk Categories

EXAMPLES OF ROLL-UP CATEGORIES: CHOICES AND COMPLEXITY ARE DEPENDENT UPON THE INSTITUTION AND ITS ACTIVITIES

Client: Fairness; Marketing Disclosure; Suitability; Charges and Pricing; Client Assets; Valuation; Real Estate Settlement; Client Confidentiality; Conflicts of Interest; Credit Reporting; Debt Collection; Complaints; Dispute Resolution; Business Practices

Trading: General Administration-B/D Activities; Insider Trading–Investment, Research; Investments and Variable; Trading and Sales; Underwriting Activities; Central Clearing and Settlement

Trust Administration: Personal; Pension/Retirement; Institutional

Administrative: Education; Regulatory Reporting; Registration and Licensing; Affiliate Transactions; Insider Lending; Conflicts of Interest; Information Security and Confidentiality; Vendor Management; Record Retention

AML: CIP; Transaction Monitoring; Sanctions; Other Financial Crime



Compliance Risk Assessment Components: Purpose

Determines compliance risk profile for enterprise and business units at a particular point in time, and on-going.

Ensures businesses work towards, achieve and maintain a “strong” compliance risk management environment.

Identifies and quantifies risks applicable to an institution’s business activities, especially those that require immediate action by business unit management.

Assesses effectiveness of controls designed to mitigate compliance risks.

Identifies emerging compliance risks on the foreseeable horizon.

Identifies instances where residual risks can be mitigated through strengthening of controls and identification of alternative control methods.

Provides effective reporting to senior management regarding significant, current, and emerging compliance risks.



Compliance Risk Assessment Components: Players

Compliance Personnel:
– Define roles and responsibilities (analysis and data input, review, approval)
– Potentially develop junior employees

Others to Involve Early in Process:
– Enterprise/Corporate Compliance: To ensure consistency across business units
– Compliance Testing and Internal Audit: For agreement and buy-in

What about the business?



Compliance Risk Assessment Components: The Business

How involved should the business be in the process?

When should the business be brought into the process?

How to respond to push back from the business?

Who owns follow-up?

Tension and Balancing: Risk assessment should be independent, with business input and buy-in, since business owns risk.



Compliance Risk Assessment Components: The Business

The business’s role in the assessment includes:

Providing data, information and support.

Accepting responsibility for controlling compliance risks to acceptable levels.

Developing mitigation plans, facilitated by Compliance.

Ensuring timely response to compliance issues.

Identifying alternative control strategies that might be more effective or efficient, especially in areas where compliance risks are high or growing quickly and control processes are highly reliant on manual controls.

Identifying new or heightened compliance risks that are likely to emerge on the foreseeable horizon and reporting them to Compliance.



Compliance Risk Assessment Components: Summary of Process


Compliance Risk Assessment Components: Getting Started

Determine Risk Assessment Scope:

– Inventory Business Units (complexity dependent on size of institution): Facilitates risk-based allocation of resources for compliance control; and satisfies requirements for risk assessments by legal entity.

– Inventory compliance obligations (e.g. laws, regulations, codes of conduct, etc.): Group obligations into standard, broad categories and sub-categories. Leverage Operating Risk and/or other areas.


Compliance Risk Assessment Components: Getting Started

Gather background data:

– Business Risk Profiles/Quarterly Risk Reports
– Key Management Reports
– Minutes from appropriate Board and management committees
– Key Business Initiatives
– Operational/Strategic Plans
– Prior Internal Audit Reports
– Regulatory Exam Reports
– Consumer Complaint Reports
– External Audit Reports
– Industry reports/trends, economic considerations, and market developments


Compliance Risk Assessment Components: Calendar

Example Timeline:

Prepare Assessment: January to early March

Meet with Business: March to early April

Governance Roll-up: April to early May



Compliance Risk Assessment Trends: Frequency


Compliance Risk Assessments are an ongoing activity, not a static process.

Conduct full Compliance Risk Assessment process annually.

In addition, periodically (e.g., at least twice a year), Compliance consults with the Business and updates inherent risk ratings, control effectiveness ratings and the resulting residual risk ratings.

What would lead to an update? Changes in compliance obligations, business activities, regulatory emphasis, and other factors that cause compliance staff to reconsider its past judgments.
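The rating arithmetic from the Analysis slide (INHERENT RISK – QUALITY OF RISK MANAGEMENT = RESIDUAL RISK) and the periodic re-rating described just above are worked through in the Python example below, which is added for this page and is not PNC’s model or code from the deck. The deck only states the formula and names the QRM ratings “Needs Improvement”, “Satisfactory” and “Strong”; the three-point inherent scale, the “one notch per QRM level” rule, the worst-case roll-up, the attention flag and the sample register are all assumptions chosen to show the mechanics.

```python
"""Residual-risk rating, roll-up and periodic re-rating for a compliance risk register.

Added illustration for this page, not PNC's or FIRMA's model. The deck only states
INHERENT RISK - QUALITY OF RISK MANAGEMENT = RESIDUAL RISK and names the QRM ratings
"Needs Improvement", "Satisfactory" and "Strong"; the three-point inherent scale,
the ordinal "one notch per QRM level" rule, the worst-case roll-up, the attention
flag and the sample register below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

INHERENT_SCALE = ["Low", "Moderate", "High"]                 # assumed ordinal scale
QRM_SCALE = ["Needs Improvement", "Satisfactory", "Strong"]  # ratings named in the deck


@dataclass
class Assessment:
    business_unit: str
    category: str      # roll-up category: Client, Trading, AML, ...
    obligation: str    # sub-category / obligation, e.g. "Sanctions"
    inherent: str
    qrm: str
    assessed_on: date
    # (date, inherent, qrm, residual, reason) for each superseded rating
    history: List[Tuple[date, str, str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.inherent not in INHERENT_SCALE or self.qrm not in QRM_SCALE:
            raise ValueError(f"unknown rating on {self.business_unit}/{self.obligation}")

    def residual(self) -> str:
        """Ordinal form of inherent minus QRM: each QRM level above
        'Needs Improvement' lowers the inherent rating one notch, never
        below 'Low', so residual never exceeds inherent."""
        i = INHERENT_SCALE.index(self.inherent)
        credit = QRM_SCALE.index(self.qrm)
        return INHERENT_SCALE[max(0, i - credit)]

    def update(self, *, on: date, reason: str, inherent: Optional[str] = None,
               qrm: Optional[str] = None) -> str:
        """Periodic re-rating (the deck: at least twice a year, or when obligations,
        activities or regulatory emphasis change). The superseded rating is kept so
        the change is auditable. Returns the new residual rating."""
        self.history.append((self.assessed_on, self.inherent, self.qrm,
                             self.residual(), reason))
        self.inherent = inherent if inherent is not None else self.inherent
        self.qrm = qrm if qrm is not None else self.qrm
        self.assessed_on = on
        self.__post_init__()  # re-validate the new ratings
        return self.residual()


def roll_up(assessments: List[Assessment], key: str) -> Dict[str, str]:
    """Worst-case roll-up by 'category' or 'business_unit': the group carries
    the highest residual among its obligations, so one High is not averaged
    away in the governance report."""
    worst: Dict[str, int] = defaultdict(int)
    for a in assessments:
        group = getattr(a, key)
        worst[group] = max(worst[group], INHERENT_SCALE.index(a.residual()))
    return {group: INHERENT_SCALE[level] for group, level in worst.items()}


def needs_attention(assessments: List[Assessment]) -> List[Assessment]:
    """Items to put in front of business-unit management: residual High, or a
    High inherent risk whose controls are anything short of Strong (the deck's
    point that 'Satisfactory' is not sufficient for large, complex firms)."""
    return [a for a in assessments
            if a.residual() == "High" or (a.inherent == "High" and a.qrm != "Strong")]


def sample_register() -> List[Assessment]:
    """Constructed sample data; business units and ratings are made up."""
    d = date(2012, 3, 1)
    return [
        Assessment("Wealth Management", "AML", "Sanctions", "High", "Strong", d),
        Assessment("Wealth Management", "Client", "Suitability", "High", "Satisfactory", d),
        Assessment("Wealth Management", "Administrative", "Vendor Management",
                   "Moderate", "Needs Improvement", d),
        Assessment("Institutional Trust", "Trust Administration", "Pension/Retirement",
                   "Moderate", "Strong", d),
        Assessment("Institutional Trust", "Administrative", "Record Retention",
                   "Low", "Needs Improvement", d),
    ]


if __name__ == "__main__":
    register = sample_register()
    for a in register:
        print(f"{a.business_unit:20} {a.obligation:20} {a.inherent:8} - {a.qrm:17} = {a.residual()}")
    print("by category:     ", roll_up(register, "category"))
    print("by business unit:", roll_up(register, "business_unit"))
    print("needs attention: ", [a.obligation for a in needs_attention(register)])
    # Mid-year update: a pending rule is still being implemented, so its controls
    # are re-rated 'Needs Improvement' (the treatment the deck floats for new rules).
    new = register[1].update(on=date(2012, 9, 1), qrm="Needs Improvement",
                             reason="pending rule; implementation in progress")
    print("Suitability after update:", new, "| prior residual:", register[1].history[0][3])
```

Two design points matter more than the arithmetic. The roll-up takes the worst residual in a group rather than an average, so a single High obligation is still visible at the business-unit and enterprise level; and every re-rating appends the superseded rating and a reason, which is the audit trail the Reporting slide asks for when findings are summarized for governance committees.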


Compliance Risk Assessment Trends: Results

In light of potential business resistance to risks identified as “high”, emphasize that Compliance Risk Assessment results are not intended to be “scorecards.” Instead, they are:

– The primary driver for compliance activities at the enterprise and business level.

– Support for allocating resources to manage compliance risk within tolerances set by the Board and senior management.

– The basis for a collaborative approach to Compliance in order to prioritize and review the institution’s compliance risks.

– An enhancement opportunity, and should be viewed as such.


Compliance Risk Assessment Trends: Reporting

Provide business management and governance committees a summary (audit trail) of agreed upon findings:

– Tailor data presentation and level of detail to forum and audience.

– Circulate draft reports to senior management in advance (both business level and aggregate/roll-up reports)


Compliance Risk Assessment Trends: New Rules & Regs

When to include a new rule/reg in analysis?
– 408(b)(2)
– Broker-Dealer Fiduciary Standard
– Dodd-Frank Swaps Rules
– CFPB

How to analyze/characterize a new/pending rule?
– If still working on implementation elements, rate as “Needs Improvement”?

Coordinate regulatory change process and Compliance Risk Assessment
– At hand-off, confirm where/how the new rule is to be analyzed


Compliance Risk Assessment Trends: QRM

Consider manual vs. automated solutions.

Systems that are not integrated across multiple businesses lead to manual processes and increased risk of error.

Coordinate Compliance Risk Assessment with Key Risk Indicators, Monitoring and Mitigation activities

Consider including “strong” rating to demonstrate areas of strength (new expectations of regulators)

Include more “subjective” assessment categories such as “Culture of Compliance”



Compliance Risk Assessment Trends: Value Add

Identification and assessment of compliance risks are core elements of an effective, independent compliance function and a key component of effective, enterprise-wide compliance risk management.

Importance of compliance risk assessments was made clear by regulatory guidance:

– New compliance obligations proliferate.

– Regulatory and other agencies have increased their scrutiny of bank compliance.

– “Satisfactory” is not sufficient for large, complex organizations; “Strong” compliance risk management is the minimum standard.


Questions and Answers



Contact Information:

Patricia A. Hackett, Esq., Vice President, Compliance Group Manager

The PNC Financial Services Group, Inc., Two PNC Plaza, 620 Liberty Avenue, 26th Floor, Pittsburgh, PA 15222

Phone (412) [email protected]

THANK YOU!
