TRANSCRIPT
ABA BRIEFING | PARTICIPANT’S GUIDE
Operational Risk
How Do You Develop a Strong Operational Risk Program and Make it Effectively
Intersect with Compliance?
Thursday, September 24, 2015
2:00 p.m.–3:30 p.m. Eastern Time
1:00 p.m.–2:30 p.m. Central Time
12:00 p.m.–1:30 p.m. Mountain Time
11:00 a.m.–12:30 p.m. Pacific Time
ABA Briefing/Webcast Operational Risk How Do You Develop a Strong Operational Risk Program and Make it Effectively Intersect with Compliance? Thursday, September 24, 2015 2:00 – 3:30 p.m. ET
DISCLAIMER This Briefing/Webcast will be recorded with permission and is furnished for informational use only. Neither the speakers, contributors nor ABA is engaged in rendering legal nor other expert professional services, for which outside competent professionals should be sought. All statements and opinions contained herein are the sole opinion of the speakers and subject to change without notice. Receipt of this information constitutes your acceptance of these terms and conditions.
COPYRIGHT NOTICE – USE OF ACCESS CREDENTIALS © 2015 by American Bankers Association. All rights reserved.
Each registration entitles one registrant a single connection to the Briefing by Internet and/or telephone from one room where an unlimited number of participants can be present. Providing access credentials to another for their use, using access credentials more than once, or any simultaneous or delayed transmission, broadcast, re-transmission or re-broadcast of this event to additional sites/rooms by any means (including but not limited to the use of telephone conference services or a conference bridge, whether external or owned by the registrant) or recording is a violation of U.S. copyright law and is strictly prohibited.
Please call 1-800-BANKERS if you have any questions about this resource or ABA membership.
Table of Contents
TABLE OF CONTENTS ... II
SPEAKERS & ABA STAFF LISTING ... III
SPEAKER BIOGRAPHIES ... IV-V
PROGRAM OUTLINE ... VI-VII
CONTINUING EDUCATION CREDITS INFORMATION ... VIII
CPA SIGN-IN/OUT SHEET ... IX
CPA CERTIFICATE OF ATTENDANCE REQUEST ... X
PROGRAM INFORMATION ... ENCLOSED
PLEASE READ ALL ENCLOSED MATERIAL PRIOR TO THE BRIEFING/WEBCAST. THANK YOU.
The Evaluation Survey Questionnaire is available online. Please complete and submit the questionnaire at:
https://aba.qualtrics.com/SE/?SID=SV_3EjDAe8bz7obE8Z
Thank you for your feedback.
Speakers and ABA Staff Listing
Moderator
LYN FARRELL, CRCM, CAMS, AMLP
Managing Director, Treliant Risk Advisors LLC
1255 23rd Street, NW, Suite 500, Washington, DC 20037
(202) 249-7980, [email protected]

Speakers
DAVID EVEREST, CISSP, CISA
Manager, Treliant Risk Advisors LLC
1255 23rd Street, NW, Suite 500, Washington, DC 20037
(216) 496-0128, [email protected]

JEFF NAPPER
Assistant Vice President, Bank Senior Risk Office, USAA
9800 Fredericksburg Road, San Antonio, Texas 78288
(210) 443-7137, [email protected]

S. LOUIS OLIVERA, CPA, CIA, CISA, CFE
Vice President, Business Monitoring Services, First National Bank of Nebraska
1620 Dodge St., SC:3151, Omaha, NE 68197
(402) 602-6286, [email protected]

ABA Briefing Staff
CARI HEARN, Sr. Manager, (202) 663-5393, [email protected]
LINDA M. SHEPARD, Sr. Manager, (202) 663-5499, [email protected]
American Bankers Association, 1120 Connecticut Avenue, NW, Washington, DC 20036, www.aba.com
Speaker Biographies
Kathlyn L. Farrell, CRCM, CAMS, AMLP (Moderator)
Lyn Farrell is a managing director at Treliant Risk Advisors LLC. She has worked in the field of Regulatory Compliance for financial institutions for over 30 years. She is a licensed attorney in the State of Texas and has functioned as in-house counsel and compliance officer to medium and large financial institutions. She has been in the field of consulting for the past 15 years and was previously the Managing Director of Risk Management Services for Sheshunoff Consulting + Solutions, an Austin, Texas-based financial services consulting company that provides services globally. At Sheshunoff she had oversight responsibility for the regulatory compliance, internal audit and loan review practices. These practices included more than 60 risk management professionals. Her experience includes all areas of regulatory compliance, BSA/AML work, handling lending and real estate transactions, managing loans in litigation and bankruptcy, supervising enforcement action compliance and drafting and negotiating contracts. Lyn is a Certified Regulatory Compliance Manager, a Certified Anti-Money Laundering Specialist and an Anti-Money Laundering Professional. She is a frequent speaker at banking events and regularly publishes articles on a variety of banking-related topics. Her publications include:
• Reference Guide to Regulatory Compliance, published by the American Bankers Association, the official study guide to the CRCM examination
• Law and Banking textbook, published by the American Bankers Association
• Consumer Lending textbook, published by the American Bankers Association
• ABA Compliance Audit Manual (co-author of the original edition)
• Quick Reference Guide to Regulatory Compliance; Consumer Lending, published by The Institute for Financial Education (now BAI)
David Everest, CISSP, CISA
David Everest is a Manager with Treliant Risk Advisors. He is an experienced professional specializing in process improvements, information security, model risk, and operational risk. Most recently at Treliant, David participated in the review of the BSA/AML Program of a New York-based international financial institution. Suggestions were made for its compliance practices, including developing and implementing policies, procedures and internal controls, resulting in a program that is in compliance with Board of Governors of the Federal Reserve System and NY State Dept. of Financial Services regulations. Prior to joining Treliant, David worked with a Fortune 500 financial institution as Payment Card Industry (PCI) Manager. In this role, David developed a corporate-wide PCI Compliance Program, led successful PCI DSS audits, and oversaw the development of policies and procedures. He also worked as an internal consultant on several major projects, including data center relocation and outsourcing initiatives. David has owned and operated several successful small businesses in his community. David earned an MBA from The Weatherhead School of Management at Case Western Reserve University, and a BS from Baldwin Wallace College. He is a Certified Information Systems Security Professional (CISSP) and a member of the advisory board for the New Tech East High School in Cleveland, Ohio.
Jeff Napper
Jeff joined USAA in 2015 and leads the Bank's Operational Risk Management team. In this capacity, Jeff is responsible for the successful execution of the Bank's operational risk management program. Jeff joined USAA after more than 30 years in the financial services industry specializing in a range of risk management disciplines. Most recently, he held a leadership role in Capital One's Enterprise & Operational Risk Management Services team with specific responsibility for the loss and event management programs. Jeff also led the Basel II/III operational risk management initiatives at Ally Financial, Bank of America, and MBNA. Jeff began his career with Chubb as a property/casualty underwriter in the financial institution department and progressed to insurance brokerage and corporate insurance roles. Jeff received his Bachelor's degree from Southern Methodist University. He has been a speaker and panelist at a number of risk management conferences, focusing on the operational risk management discipline.

S. Louis Olivera, CPA, CIA, CISA, CFE
S. Louis Olivera is Vice President of Business Risk Monitoring (BRM) in First National Bank of Omaha's Consumer Banking Group. Louis joined First Bankcard, the credit card division of First National Bank, in April 2014, bringing more than 30 years of domestic and international experience in the banking, insurance, and brokerage industry in Audit and Compliance roles. At First National, Louis leads a team of 12 professionals responsible for the development, alignment and monitoring of business unit controls. In early 2015 BRM introduced the Business Unit Control Officer Program, an integrated in-business monitoring and control program. Other programs managed by BRM include Marketing Fairness and Practices Review, Consumer Bank Privacy, and the Disaster Recovery Program for Cards. A native of New York City, Louis grew up in the shadow of the Flatiron Building in Manhattan's Chelsea district. Louis attended Manhattan College, where he earned a B.A. in Accounting and an MBA. He and his wife, Pamela, have two grown children, Adam and Kristen.
Program Outline
TIMES / SESSION & SPEAKERS

2:00 – 2:03 p.m. ET
Introduction: Overview of Program, Welcome, Introduction of Speakers
1Source International

2:03 – 2:07 p.m.
Introductory Remarks/Speaker Introductions
Lyn Farrell, Treliant Risk Advisors LLC

2:07 – 2:30 p.m.
USAA Control Environment: Lines of Defense; Compliance Control Process; Operational Risk Control Process; Example – Testing of Wire Transfer Process
Jeff Napper, USAA

2:30 – 2:45 p.m.
Operating Framework; Business Controls and Survival; Achieving Fairness by Balancing; Enterprise Risk Management Framework; Evolving Conceptual Fairness Framework
Louis Olivera, CPA, CIA, CISA, CFE, First National Bank of Omaha

2:45 – 2:55 p.m.
Questions & Answers

2:55 – 3:05 p.m.
First National Operating Philosophy; Fairness Outcomes: The Evolving Ideals; BUCO Mission; Achieving UDAAP & Fair Banking Goals; Simplify: The Swim Lane Process; The "Swim Lane Product"; In Summary
Louis Olivera, CPA, CIA, CISA, CFE, First National Bank of Omaha
Program Outline
TIMES / SESSION & SPEAKERS

3:05 – 3:20 p.m.
Industry Trends: Cybersecurity; Vendor Oversight; Business Continuity; Risk Based Approach
David Everest, CISSP, CISA, Treliant Risk Advisors LLC

3:20 – 3:30 p.m.
Questions & Answers, Wrap-up
Continuing Education Credits Information
The Institute of Certified Bankers™ (ICB) is dedicated to promoting the highest standards of performance and ethics within the financial services industry.
The ABA Briefing, "Operational Risk: How Do You Develop a Strong Operational Risk Program and Make it Effectively Intersect with Compliance?" has been approved for 2.0 continuing education credits towards the CRCM designation.
To claim these continuing education credits, ICB members should visit the Member Services page of the ICB Website at http://www.icbmembers.org/login.aspx. You will need your member ID and password to access your personal information. If you have difficulty accessing the Website and/or do not recall your member ID and password, please contact ICB at [email protected] or 202-663-5092.
American Bankers Association is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.
1.5 CPE credit hours (Business Management & Organization) will be awarded for attending this group-live Briefing.
Participants eligible to receive CPE credits must sign in and out of the group-live Briefing on the CPA Required Sign-in/Sign-out Sheet included in these handout materials. A CPA/CPE Certificate of Completion Request Form also must be completed online. See enclosed instructions.
Continuing Legal Education Credits This ABA Briefing is not pre-approved for continuing legal education (CLE) credits. However, it may be possible to work with your state bar to obtain these credits. Many states will approve telephone/ audio programs for CLE credits; some states require proof of attendance and some require application fees. Please contact your state bar for specific requirements and submission instructions.
CPA Required Sign-in/Sign-out Sheet
CPAs may receive up to 1.5 hours of Continuing Professional Education (CPE) credit for participating in this group-live Briefing.
INSTRUCTIONS:
1. Each participating CPA must sign in when he/she enters the room and sign out when he/she leaves the room.
2. Name and signature must be legible for validation of attendance purposes as required by NASBA.
3. Unscheduled breaks must be noted in the space provided.
4. Each participating CPA must complete, online, a CPA/CPE Certificate of Completion Request Form (instructions found on next page).
5. Individuals who do not complete both forms and submit them to ABA will not receive their Certificate of Completion.
This CPE Sign In/Out Sheet must be uploaded with the CPE / CPA Request for Certificate of Completion form in order for the CPA to receive his/her Certificate of Completion.

FULL NAME (PLEASE PRINT LEGIBLY)    SIGNATURE    TIME IN    TIME OUT    UNSCHEDULED BREAKS
Please note: CPE credits are ONLY awarded to those who have listened to the live broadcast of this Briefing.
Instructions for Receiving Certificates of Completion
CPA/CPE Certificate of Completion
Submission of a sign-in/sign-out sheet AND request for a Certificate of Completion are required for the validation process to be completed. NASBA requires ABA to validate your attendance in order for you to receive your Certificate of Completion.
1. COMPLETE a CPA / CPE Certificate of Completion Request Form online at: https://aba.desk.com/customer/portal/emails/new?t=546545
2. SCAN AND UPLOAD the completed CPE / CPA Required Sign-in/Sign-out Sheet (enclosed) and attach it to the REQUEST for CPE/CPA Certificate of Completion form found in Step 1.
3. SUBMIT completed Request Form and Sign-in/out Sheet
4. VALIDATION ABA will VALIDATE your attendance within 10 business days from receipt of Request Form and Sign-in/out Sheet
5. A personalized certificate of completion will be emailed to you once your attendance is validated
6. QUESTIONS about your certificate of completion? Contact us at [email protected].
General / Participant's Certificate of Completion
1. REQUEST a General Certificate of Completion at: https://aba.desk.com/customer/portal/emails/new?t=546530
2. A personalized certificate of completion will be emailed to you within 10 business days of your request.
3. QUESTIONS about your certificate of completion? Contact us at [email protected].
9/21/2015
1
treliant.com
Developing a Strong Operational Risk Program
September 24, 2015

Presenters
• Lyn Farrell, Managing Director, Treliant Risk Advisors
• Jeffery Napper, AVP, Bank Senior Risk Officer, USAA
• Louis Olivera, Vice-President, Business Monitoring Services, First National Bank of Nebraska
• David Everest, Manager, Operational Risk Practice, Treliant Risk Advisors
Introduction
Operational Risk Management
• Comprised of multiple risk disciplines
• Intersects with compliance
• Complexity, density and systems are challenges
USAA Control Environment – Lines of Defense
(Diagram; recoverable content:)
Governance over all lines: Risk Committee/Finance and Audit Committee – Board of Directors; Senior Management; Ethics and Core Values. External oversight: External Audit; Regulators.
1st Line of Defense – CoSA Business Operations: functions that own the risk
2nd Line of Defense – Enterprise Risk Management, Enterprise Compliance, Enterprise Security Group, General Counsel: functions that independently oversee and monitor the risk
3rd Line of Defense – Audit Services: function that independently assesses the risk
Lines of Defense
Own, assess, manage and control risk consistent with firm‐wide risk appetite Responsible for day‐to‐day management of risk within business processes and operations Develop and maintain business operating policies, procedures and standards to ensure compliance with regulations
and business requirements and to effectively manage all risk types within risk appetite Develop and execute QA / QC framework and processes
Design and implement processes, internal risk controls and self assessments Identify and assess the level of risk associated with business processes, operations and products and conduct
individual risk assessments as required (RCSA, FMEA, etc.) Define key controls, with assistance from control partners (Risk & Compliance), and establish control assessments
and corresponding metrics to determine design and operating effectiveness
Develop, attract and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively
Performs ongoing monitoring and supervision to include coordination of testing with affiliates and/or third parties
Executes control monitoring and testing program based on business and regulatory requirements Governance of suppliers, document management, and procedures
Drive timely remediation of issues needed to ensure effective and mitigation of all identified control weakness Respond with management comments to regulatory/control partner inquiries and develop/execute action plans to
address the issues
Escalation of Issues Escalate issues through risk review meetings, Risk Committees / Councils, and BoD.
1st Line: Business Operations
1st
Line of Defense
Business Operations
2nd Line: Independent Risk Management
Lines of Defense – Risk Management
• Create enterprise-wide risk framework, appetite and risk limits
• Establish and approve risk-related policies and standards
• Develop and recommend to the BoD for approval risk appetite thresholds and triggers. Ensure businesses are operating within risk appetite limits.
• Deliver a clear and concise view of enterprise-wide risk
• Quantify and aggregate risks via reporting
• Provide oversight of observations, key risks and stress testing results utilizing relevant data. Facilitate the identification of emerging risk by 1st and 2nd line.
• Develop, attract and retain talent and maintain staffing levels required to carry out the unit's role and responsibilities effectively
• Promote strong risk culture across USAA
• Provide independent perspective and risk guidance through development of risk program standards, policies, guidelines and training.
• Challenge and conduct independent analysis of risks: independent assessment/challenge of risks, controls & testing requirements. Provide insights and observations relative to 1st line risk management.
• Deliver advice/guidance enabling the business to achieve its goals: provide insights and solutions on planning, practices and products via data, analytics, and expertise. Qualified and experienced Risk professionals "at the table".
• Escalation of issues: escalate issues through risk review meetings, Risk Committees / Councils, and BoD.
2nd Line: Compliance
Lines of Defense – Compliance
• Proactively identifies, assesses, reports and assists in mitigating compliance and reputational risks.
• Continuous monitoring and oversight of compliance with laws and regulations, independent of 1st Line. Monitors business process changes and applicability to new laws and regulations.
• Assures Board and Senior Management are fully informed of significant compliance issues and plans for resolution.
• Reports on state of compliance. Manages regulatory examination activities with enterprise and regulators. Closely coordinates with Chief Risk Office in oversight of legal/regulatory risk.
• Develop, attract and retain talent and maintain staffing levels required to carry out the unit's role and responsibilities effectively
• Educate, communicate and drive a strong culture of compliance and control. Provides relevant and timely compliance training to business community.
• Provides sound, independent advice and excellence in execution to exceed regulatory expectations and industry standards.
• Escalation of issues: escalate issues through risk review meetings, Risk Committees / Councils, and BoD.

3rd Line: Internal Audit
Lines of Defense – Internal Audit
• Provides the Board of Directors and senior management independent and objective assurance on the design and effectiveness of: Governance; Risk Management; Compliance; Internal controls
• Avoids any operational management to ensure independence and objectivity
• Develop, attract and retain talent and maintain staffing levels required to carry out the unit's role and responsibilities effectively
LINES OF DEFENSE – Compliance Control Process
(Flow diagram; steps and responsible functions:)
1st Line of Defense: Ownership
1. New/Amended Laws & Compliance Findings Interpretation – Legal / Compliance
2. Determine compliance requirements – Compliance
3. Develop compliance controls, risk controls, operational execution requirements – LoB / Compliance / Ops Risk
4. First test of compliance controls and compliance approval – LoB
5. Process execution – Business Community
6. Ongoing quality control and operational testing – LoB / Op Risk
2nd Line of Defense: Oversight, Monitor & Control
• Compliance: Ensure Compliance program effectiveness; Compliance program monitoring, testing and reporting

LINES OF DEFENSE – Operational Risk Control Process
(Flow diagram; steps and responsible functions:)
1st Line of Defense: Ownership
1. New/Changed Operational risks or Issues (all non-compliance risks)
2. Develop controls / operational execution (compliance controls, risk controls, operational execution requirements) – LoB / Compliance / Op Risk
3. First test of controls / operational execution
4. Process execution – Business Community
5. Ongoing quality control and operational testing – LoB / Op Risk
2nd Line of Defense: Oversight, Monitor & Control
• Operational Risk: Ensure Operational Risk Management program effectiveness; Continuous oversight and analysis of Operational risks
Example – Testing of Wire Transfer Process

1st Line of Defense – Business Operations
• Establish processes and procedures
• Identify key processes to prioritize RCSAs
• Understand applicable laws/regulations
• Develop RCSA and assess risk
• Develop a comprehensive testing plan encompassing wire processes
• Execute detailed testing of critical wire processes
• Provide trend analysis and root cause analysis of testing results
• Aggregate and report QC test results regarding the wire transfer process to LOB management
• Identify and remediate issues

2nd Line of Defense – Risk Management
• Set standards to include RCSA testing and reporting/escalation of issues
• Oversight to ensure that standards are being followed
• Aggregate testing results across all control partners to senior management and the Board
• Determine the overall health of the risk and control environment

2nd Line of Defense – Compliance
• Set compliance standards and test to ensure compliance with laws/regulations
• Provide advice/counsel to 1st Line on compliance risk matters as well as regulatory interpretations
• Provide overview on state of compliance
• Provide over-testing as needed

3rd Line of Defense – Internal Audit
• Over-test 1st and 2nd Line of Defense to determine adequacy and effectiveness of controls
• Determine the effectiveness of 1st and 2nd line processes governing Money Movement and the Wire Transfer Process
OPERATING FRAMEWORK – Roles and Responsibilities

Operational Risk
• Set ORM program standards, policies and guidelines
• Hold LOB accountable for adherence to ORM framework and provide necessary training
• Independent and continuous oversight and analysis of operational risks

1st Line of Defense
• Primary accountability for identification of control failures and management and control of compliance and operational risks
• Ongoing quality control testing and supervision to include coordination of testing with affiliates and third parties
• Responsible for risk remediation of required actions in an effective and timely manner

Compliance
• Perform delegated operational business functions and control testing
• Provide relevant training to business community
• Monitor, oversee and report on state of compliance
• Manage regulatory affairs

Audit Services
• Provides the BOD and Senior Management independent and objective assurance on the effectiveness of governance, risk management, compliance and internal controls.

• Continuous collaboration between Operational Risk, Compliance and Lines of Business to identify, monitor and control risks to ensure operational risk program effectiveness.
• Continuous coordination of test plans between Lines of Business, Operational Risk and Compliance to ensure adequate coverage of exposures.
• Continuous collaboration between 1st, 2nd, and 3rd lines of defense regarding risk prioritization, trends, control quality and remediation.
BUSINESS CONTROLS AND SURVIVAL

                                             2001    2013    Change %
Number of large banks (10 Billion or more)     76      98     +29%
Number of Small Banks                       8,263   6,279     -24%
Source: Statistics on depository institutions, FDIC

Challenges:
• Regulatory Pressures
• Cost of doing business
• Too Hard to Manage
• Business Model or Culture does not adapt

ACHIEVING FAIRNESS BY BALANCING
Perfection vs. Excellence
Internal Focus vs. External Focus
ENTERPRISE RISK MANAGEMENT FRAMEWORK
(Diagram; recoverable content:)
Tier 3: Corporate Audit Services
Tier 2: Enterprise Risk Management & Corporate Compliance
Tier 1: Business Units
Foundation: First National's Mission . Values . Culture

THE EVOLVING CONCEPTUAL FAIRNESS FRAMEWORK
(Diagram; recoverable content:)
Elements: Executive Management Tone and Action; Customer Experience; Compliance Controls
Desired Outcomes: Fair Banking
How to Ask a Question
If you are participating on the Web: Enter your Question in the "Questions" Box and Press ENTER / SUBMIT
If you are participating by Phone: Email your question to: [email protected]
FIRST NATIONAL OPERATING PHILOSOPHY
To build and maintain long term relationships by delivering a superior customer experience through simplicity, efficiency and engaged employees while delivering profitability and long term growth.
Business Unit Control Officers are needed because:
• Controls shape and impact: 1) the Customer Experience, 2) the Brand, and 3) our People.
• Our business is more complex and we are expected to have proactive and effective management systems in place.
• We need to better coordinate and manage our control environment to ensure it remains effective and efficient.
FAIRNESS OUTCOMES: THE EVOLVING IDEALS
GOAL: OUTCOME
REGULATORY: We act responsibly monitoring consumer and regulatory trends; doing what's right for the consumer and the Bank
CUSTOMER EXPERIENCE: We will treat all customers fairly, with a focus on a consistent customer experience
PRODUCT: We will provide products that are easy to use, that deliver appropriate value for both the consumer and the Bank
MARKETING: We will make our Marketing clear and simple, with understandable disclosures and terms
ACCESSIBILITY: We will make ourselves available to anyone with questions or comments, via the channel they wish to use
EMPLOYEE ACCOUNTABILITY: We will inform, sell, service and market the product(s) based on the customer needs
CUSTOMER FEEDBACK: We will be responsive to customer inquiries, feedback or complaints; and strive for first interaction resolution whenever possible, and/or facilitate the customer relationship through final resolution
BUCO MISSION
• Implement a self-sustaining control environment that continuously monitors its own effectiveness and efficiency and is able to proactively detect and remediate problems in their infancy
Achieving UDAAP & Fair Banking Goals
(Diagram; recoverable content:)
Objective: BUCO Control Integration & Alignment
Focus Areas: Marketing is Clear; Deliver as Promised
Initiatives: Practices Review; Marketing Fairness Review; BUCO Control Work
Desired Outcomes: Transparency*; Fairness*; Proper Execution; Good Customer Experience; We Deliver as Promised
*Compliance prescribes and determines standards
SIMPLIFY: THE SWIM LANE PROCESS
(Diagram; recoverable content:)
Lane performed by Business Unit, steps 1–5: Process → Key Control → Quality Control → Quality Assurance → Self Assessment & Review
Lane performed by BUCO, steps 1–5: Process → Risk → Key Control → Quality Control → Quality Assurance → Self Assessment & Review
THE "SWIM LANE PRODUCT"
1) Product is not the flow charts.
2) The Product is:
• Analysis of end-to-end process
• Interdepartmental process alignment
• Intradepartmental process alignment
3) Developing continuous testing for high risk areas to make sure they work
4) Completing process flows determines:
• What is?
• What should be?
• What is missing?
• What is extra?
IN SUMMARY
• Have a Plan to integrate Customer Experience, Compliance and Controls as part of your program.
• Constant coordination required between Compliance, Risk and Audit.
• Having Procedures and Processes is not enough.
• Keep a focus that controls are actionable: approve, validate, verify, balance, and reconcile, etc.
• Quality Controls
  • Sometimes inappropriately substituted for a control
  • Sometimes not designed to test the right things and don't keep up with changes to processes
  • Sometimes not sufficiently or completely documented
  • Issues identified sometimes not remediated on a timely basis
  • Sometimes results are received and no corrective action is performed
Industry Trends
• Cybersecurity
• Vendor Oversight
• AML/ BSA
• Disaster Recovery

CYBERSECURITY
• Proactive Protection
• Focus on security, not compliance
• Bolster infrastructure from inside out
• Integrate security program into the operations
Vendor Oversight
• More than Vendors
• Continuous Monitoring
• Periodic Review Process
• Cross Functional Reviews

Business Continuity
• Disaster Recovery
• Include External Partners
• Identify new process breakdowns
• Follow up on previous issues
Risk Based Approach
• Risk Assessment
• Risk Acceptance Process
• Transfer Risks
• No one size fits all
• No Templates
Visit aba.com/140
American Bankers Association, 140 years, 1875 – 2015
ABA has always been at the heart of the innovations that have helped bankers serve their customers. Join us in celebrating 140 years of helping make Americans' financial dreams come true.