Heightened standards for compliance risk management. Lines of defense: compliance's role



Post-financial crisis, the Office of the Comptroller of the Currency (OCC) developed a set of heightened expectations to enhance the risk management practices of large banks. On September 2, 2014, the OCC issued a set of final rules and guidelines to expand these previously non-codified expectations into a set of enforceable minimum standards that require management to demonstrate a strong risk governance framework. The final rules and guidelines will apply to banks with average total consolidated assets equal to or greater than US$50 billion as of the effective date of November 1, The final rules and guidelines provide greater clarity and specificity around expectations for the design, implementation and oversight of an institution's risk governance framework.

Future OCC examinations will broadly focus on an institution's operating model and execution, with a specific focus on the following four areas:

- Board of director oversight
- Personnel management
- Lines of defense
- Risk appetite

This paper focuses on the lines of defense, specifically related to compliance's role.

Lines of defense: independent risk management

The final rules and guidelines define the roles and responsibilities for front line units, independent risk management (inclusive of the function) and internal audit. Specifically, an independent risk management function should:

- Take primary responsibility and accountability for designing a risk governance framework commensurate with the size, complexity and risk profile of the bank
- Establish and adhere to enterprise risk policies
- On an ongoing basis, identify and assess material aggregate risks and determine which actions to take to strengthen risk management or risk reduction
- Identify and communicate to the CEO and the board material risks as well as significant instances where a front line unit is not adhering to the framework, or where independent risk management and front line unit assessments differ

What should banks do now?

Going forward, the banking regulators broadly continue to expect strong risk management frameworks, with defined roles and responsibilities for each line of defense. Specifically, the oversight of risk should not rest purely on the Compliance function.

To address these requirements, banks should assess the structure of their current framework, establish clear accountability and ownership of risks, and consider the following key areas of the risk management approach [1]:

- Clearly defined roles and responsibilities for risk management, including the monitoring and oversight of risks outside of Compliance (e.g., Business, Operations, Finance, Market or Credit Risk, Technology)
- Firmwide approach to enhance coverage and consistency of the risk management/oversight across the bank
- Independence, stature and influence of staff demonstrated through the ability to effectively challenge business and affect business decisions
- Sound practices for monitoring and testing to stay abreast of changes that may indicate potential increases to risk

[1] As highlighted in Supervision and Regulation Letters SR 08-8 and SR issued by the Board of Governors of the Federal Reserve System.

To translate the above key areas into elements of success, banks should assess whether there is a consistent and comprehensive approach for the following:

1. Organizational structure

Banks should foster the stature and independence of Compliance, balancing its role as business advisor and its responsibility for oversight and broad risk management, by establishing:

- Clear roles and responsibilities for oversight
- Reporting relationships between the global chief officer (CCO) and lines of business (LOBs) and regional CCOs
- Communication and reporting between, senior management and the board
- Escalation and reporting protocols

2. Enterprise-wide approach

Banks should strive for consistency of scope and approach across LOBs and geographies. Additionally, clear accountability and ownership of risks should be established, by defining:

- The coordination between Compliance and other functions to provide comprehensive coverage of management activities, gain efficiencies where possible and avoid unnecessary duplication
- Standards for consistency in application and approach to address similar risk issues, share common views of risk and facilitate central oversight
- A reporting framework and process for normalizing and aggregating information across the enterprise

[Figure: organization charts showing the Board, senior management, the Global CCO, the enterprise team, LOB CCOs and regional CCOs. Annotations: "Set strategic vision and priorities"; "Consistent standards across LOBs and regions"; "Aggregate, analyze and report".]

3. Compliance life cycle

A sustainable program should address a set of integrated activities to identify, assess, control, measure, monitor and report on risk. Additionally, the program should:

- Support the execution of activities with sufficient resources of the requisite knowledge, expertise and skills (e.g., technology, testing)
- Enhance systems and technologies for integrated and consistent coverage of processes (e.g., common platforms to address risks)

Establishing a set of integrated activities and components for the life cycle will facilitate a comprehensive and sustainable risk management framework.

[Figure: life cycle diagram under "Governance and oversight" with four components: A. Identifying regulations and assessing; B. Policy framework; C. Compliance monitoring; D. Communication and reporting. Other labels: Inventory, Risk assessment, Policies, Training, Advisory activities, Monitoring surveillance, Testing, Issue tracking and escalation, Reporting, Business lines, Operations, Technology, Regulators, "Organization, stature and objectivity", "Technology enablement".]

How we can help

Our Regulatory Compliance team brings deep experience in current supervisory expectations and the range of practices in the financial services industry. Specifically, we can assist with function strategy and design reviews to help our clients identify practical opportunities for improvement. The reviews provide an independent perspective on issues, gaps and benefits related to the current structure, as well as recommendations for enhancements.

In addition, we have facilitated workshops with management to create action plans to remediate issues identified through our reviews and to determine the direction of the organization moving forward. Our team has also provided numerous educational sessions for organizations in the areas of supervisory expectations, strategic planning, execution of key activities and the scope of.

We have also assisted clients with aligning their organizations to supervisory expectations and industry practices through the creation of a target operating model. The intent of the target operating model is to create a organization that enables stronger governance and oversight, promotes consistency and standardization of approach, and clearly delineates roles and responsibilities across the organization.

Timeline

Compliance dates

- /2/2014: Final rules and guidelines effective date
- 5/1/2015: Compliance for banks with less than US$750 billion but greater than or equal to US$100 billion
- 5/1/2016: Compliance date for banks with less than US$100 billion but greater than or equal to US$50 billion

Ernst & Young LLP contacts

- Michael R. Patterson, Principal, Advisory Financial Services, michael.patterson1@ey.com
- Madeline Miller, Executive Director, Advisory Financial Services, madeline.miller@ey.com


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

EY is a leader in serving the global financial services marketplace

Nearly 43,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Office today includes more than 6,900 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America.

EY professionals in our financial services practices worldwide align with key global industry groups, including EY's Global Wealth & Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.

With a global presence and industry-focused advice, EY's financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.

Ernst & Young LLP. All Rights Reserved.

SCORE No. CK NY ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com