Operational Risk - American Bankers Association
Source: content.aba.com/briefings/3012202.pdf

ABA BRIEFING | PARTICIPANT’S GUIDE

Operational Risk

How Do You Develop a Strong Operational Risk Program and Make it Effectively Intersect with Compliance?

Thursday, September 24, 2015
Eastern Time 2:00 p.m.–3:30 p.m.
Central Time 1:00 p.m.–2:30 p.m.
Mountain Time 12:00 p.m.–1:30 p.m.
Pacific Time 11:00 a.m.–12:30 p.m.



ABA Briefing/Webcast Operational Risk How Do You Develop a Strong Operational Risk Program and Make it Effectively Intersect with Compliance? Thursday, September 24, 2015 2:00 – 3:30 p.m. ET

DISCLAIMER

This Briefing/Webcast will be recorded with permission and is furnished for informational use only. Neither the speakers, contributors nor ABA is engaged in rendering legal nor other expert professional services, for which outside competent professionals should be sought. All statements and opinions contained herein are the sole opinion of the speakers and subject to change without notice. Receipt of this information constitutes your acceptance of these terms and conditions.

COPYRIGHT NOTICE – USE OF ACCESS CREDENTIALS

© 2015 by American Bankers Association. All rights reserved.

Each registration entitles one registrant a single connection to the Briefing by Internet and/or telephone from one room where an unlimited number of participants can be present. Providing access credentials to another for their use, using access credentials more than once, or any simultaneous or delayed transmission, broadcast, re-transmission or re-broadcast of this event to additional sites/rooms by any means (including but not limited to the use of telephone conference services or a conference bridge, whether external or owned by the registrant) or recording is a violation of U.S. copyright law and is strictly prohibited.

Please call 1-800-BANKERS if you have any questions about this resource or ABA membership.


Table of Contents

Table of Contents ........................................ II
Speakers & ABA Staff Listing ............................. III
Speaker Biographies ...................................... IV-V
Program Outline .......................................... VI-VII
Continuing Education Credits Information ................. VIII
CPA Sign-in/out Sheet .................................... IX
CPA Certificate of Attendance Request .................... X
Program Information ...................................... ENCLOSED

PLEASE READ ALL ENCLOSED MATERIAL PRIOR TO THE BRIEFING/WEBCAST. THANK YOU.

The Evaluation Survey Questionnaire is available online. Please complete and submit the questionnaire at:

https://aba.qualtrics.com/SE/?SID=SV_3EjDAe8bz7obE8Z

Thank you for your feedback.


Speakers and ABA Staff Listing

Moderator

LYN FARRELL, CRCM, CAMS, AMLP
Managing Director, Treliant Risk Advisors LLC
1255 23rd Street, NW, Suite 500, Washington, DC 20037
(202) 249-7980
[email protected]

Speakers

DAVID EVEREST, CISSP, CISA
Manager, Treliant Risk Advisors LLC
1255 23rd Street, NW, Suite 500, Washington, DC 20037
(216) 496-0128
[email protected]

JEFF NAPPER
Assistant Vice President, Bank Senior Risk Office, USAA
9800 Fredericksburg Road, San Antonio, Texas 78288
(210) 443-7137
[email protected]

S. LOUIS OLIVERA, CPA, CIA, CISA, CFE
Vice President, Business Monitoring Services, First National Bank of Nebraska
1620 Dodge St., SC:3151, Omaha, NE 68197
(402) 602-6286
[email protected]

ABA Briefing Staff

CARI HEARN, Sr. Manager
(202) 663-5393
[email protected]

LINDA M. SHEPARD, Sr. Manager
(202) 663-5499
[email protected]

American Bankers Association
1120 Connecticut Avenue, NW, Washington, DC 20036
www.aba.com


Speaker Biographies

Kathlyn L. Farrell, CRCM, CAMS, AMLP (Moderator)

Lyn Farrell is a managing director at Treliant Risk Advisors LLC. She has worked in the field of Regulatory Compliance for financial institutions for over 30 years. She is a licensed attorney in the State of Texas and has functioned as in-house counsel and compliance officer to medium and large financial institutions. She has been in the field of consulting for the past 15 years and was previously the Managing Director of Risk Management Services for Sheshunoff Consulting + Solutions, an Austin, Texas-based financial services consulting company that provides services globally. At Sheshunoff she had oversight responsibility for the regulatory compliance, internal audit and loan review practices. These practices included more than 60 risk management professionals. Her experience includes all areas of regulatory compliance, BSA/AML work, handling lending and real estate transactions, managing loans in litigation and bankruptcy, supervising enforcement action compliance and drafting and negotiating contracts. Lyn is a Certified Regulatory Compliance Manager, a Certified Anti-Money Laundering Specialist and an Anti-Money Laundering Professional. She is a frequent speaker at banking events and regularly publishes articles on a variety of banking-related topics. Her publications include:

• Reference Guide to Regulatory Compliance, published by the American Bankers Association, the official study guide to the CRCM examination
• Law and Banking textbook, published by the American Bankers Association
• Consumer Lending textbook, published by the American Bankers Association
• ABA Compliance Audit Manual, co-author of the original edition
• Quick Reference Guide to Regulatory Compliance Consumer Lending, published by The Institute for Financial Education (now BAI)

David Everest, CISSP, CISA

David Everest is a Manager with Treliant Risk Advisors. He is an experienced professional specializing in process improvements, information security, model risk, and operational risk. Most recently at Treliant, David participated in the review of the BSA/AML Program of a New York based international financial institution. Suggestions were made to its compliance practices to develop and implement policies, procedures, internal controls, resulting in a program that is in compliance with the Board of Governors of the Federal Reserve System and NY State Dept. of Financial Services regulations. Prior to joining Treliant, David worked with a Fortune 500 financial institution as Payment Card Industry (PCI) Manager. In this role, David developed a corporate-wide PCI Compliance Program, led successful PCI DSS audits, and oversaw the development of policies and procedures. He also worked as an internal consultant on several major projects including data center re-location and outsourcing initiatives. David has owned and operated several successful small businesses in his community. David earned an MBA from The Weatherhead School of Management at Case Western Reserve University, and a BS from Baldwin Wallace College. He is a Certified Information Systems Security Professional (CISSP) and a member of the advisory board for the New Tech East High School in Cleveland, Ohio.


Jeff Napper

Jeff joined USAA in 2015 and leads the Bank's Operational Risk Management team. In this capacity, Jeff is responsible for the successful execution of the Bank's operational risk management program. Jeff joined USAA after more than 30 years in the financial services industry specializing in a range of risk management disciplines. Most recently, he held a leadership role in Capital One’s Enterprise & Operational Risk Management Services team with specific responsibility for the loss and event management programs. Jeff also led the Basel II/III operational risk management initiatives at Ally Financial, Bank of America, and MBNA. Jeff began his career with Chubb as a property/casualty underwriter in the financial institution department and progressed to insurance brokerage and corporate insurance roles. Jeff received his Bachelor’s degree from Southern Methodist University. He has been a speaker and panelist at a number of risk management conferences, focusing on the operational risk management discipline.

S. Louis Olivera, CPA, CIA, CISA, CFE

S. Louis Olivera is Vice President of Business Risk Monitoring (BRM) in First National Bank of Omaha’s Consumer Banking Group. Louis joined First Bankcard, the credit card division of First National Bank, in April 2014, bringing more than 30 years of domestic and international experience in the banking, insurance, and brokerage industry in Audit and Compliance roles. At First National, Louis leads a team of 12 professionals responsible for the development, alignment and monitoring of business unit controls. In early 2015 BRM introduced the Business Unit Control Officer Program, an integrated in-business monitoring and control program. Other programs managed by BRM include Marketing Fairness and Practices Review, Consumer Bank Privacy, and the Disaster Recovery Program for Cards. A native of New York City, Louis grew up in the shadow of the Flatiron Building in Manhattan’s Chelsea district. Louis attended Manhattan College, where he earned a B.A. in Accounting and an MBA. He and his wife, Pamela, have two grown children, Adam and Kristen.


Program Outline

TIMES / SESSION & SPEAKERS

2:00 – 2:03 p.m. ET
  Introduction: Overview of Program, Welcome, Introduction of Speakers
  1Source International

2:03 – 2:07 p.m.
  Introductory Remarks/Speaker Introductions
  Lyn Farrell, Treliant Risk Advisors LLC

2:07 – 2:30 p.m.
  USAA Control Environment: Lines of Defense; Compliance Control Process; Operational Risk Control Process; Example – Testing of Wire Transfer Process
  Jeff Napper, USAA

2:30 – 2:45 p.m.
  Operating Framework; Business Controls and Survival; Achieving Fairness by Balancing; Enterprise Risk Management Framework; Evolving Conceptual Fairness Framework
  Louis Olivera, CPA, CIA, CISA, CFE, First National Bank of Omaha

2:45 – 2:55 p.m.
  Questions & Answers

2:55 – 3:05 p.m.
  First National Operating Philosophy; Fairness Outcomes: The Evolving Ideals; BUCO Mission; Achieving UDAAP & Fair Banking Goals; Simplify: The Swim Lane Process; The “Swim Lane Product”; In Summary
  Louis Olivera, CPA, CIA, CISA, CFE, First National Bank of Omaha

3:05 – 3:20 p.m.
  Industry Trends: Cybersecurity; Vendor Oversight; Business Continuity; Risk Based Approach
  David Everest, CISSP, CISA, Treliant Risk Advisors LLC

3:20 – 3:30 p.m.
  Questions & Answers, Wrap-up


Continuing Education Credits Information

The Institute of Certified Bankers™ (ICB) is dedicated to promoting the highest standards of performance and ethics within the financial services industry.

The ABA Briefing, “Operational Risk: How Do You Develop a Strong Operational Risk Program and Make it Effectively Intersect with Compliance?” has been approved for 2.0 continuing education credits towards the CRCM designation.

To claim these continuing education credits, ICB members should visit the Member Services page of the ICB Website at http://www.icbmembers.org/login.aspx. You will need your member ID and password to access your personal information. If you have difficulty accessing the Website and/or do not recall your member ID and password, please contact ICB at [email protected] or 202-663-5092.

American Bankers Association is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.learningmarket.org.

1.5 CPE credit hours (Business Management & Organization) will be awarded for attending this group-live Briefing.

Participants eligible to receive CPE credits must sign in and out of the group-live Briefing on the CPA Required Sign-in/Sign-out Sheet included in these handout materials. A CPA/CPE Certificate of Completion Request Form also must be completed online. See enclosed instructions.

Continuing Legal Education Credits

This ABA Briefing is not pre-approved for continuing legal education (CLE) credits. However, it may be possible to work with your state bar to obtain these credits. Many states will approve telephone/audio programs for CLE credits; some states require proof of attendance and some require application fees. Please contact your state bar for specific requirements and submission instructions.


CPA Required Sign-in/Sign-out Sheet

CPAs may receive up to 1.5 hours of Continuing Professional Education (CPE) credit for participating in this group-live Briefing.

INSTRUCTIONS:

1. Each participating CPA must sign in when he/she enters the room and sign out when he/she leaves the room.
2. Name and signature must be legible for validation of attendance purposes as required by NASBA.
3. Unscheduled breaks must be noted in the space provided.
4. Each participating CPA must complete, online, a CPA/CPE Certificate of Completion Request Form (instructions found on next page).
5. Individuals who do not complete both forms and submit them to ABA will not receive their Certificate of Completion.

This CPE Sign In/Out Sheet must be uploaded with the CPE / CPA Request for Certificate of Completion form in order for the CPA to receive his/her Certificate of Completion.

Sign-in sheet columns: FULL NAME (PLEASE PRINT LEGIBLY) | SIGNATURE | TIME IN | TIME OUT | UNSCHEDULED BREAKS


Please note: CPE credits are ONLY awarded to those who have listened to the live broadcast of this Briefing.


Instructions for Receiving Certificates of Completion

CPA/CPE Certificate of Completion

Submission of a sign-in/sign-out sheet AND request for a Certificate of Completion are required for the validation process to be completed. NASBA requires ABA to validate your attendance in order for you to receive your Certificate of Completion.

1. COMPLETE a CPA / CPE Certificate of Completion Request Form online at: https://aba.desk.com/customer/portal/emails/new?t=546545

2. SCAN AND UPLOAD the completed CPE / CPA Required Sign-in/Sign-out Sheet (enclosed) and attach it to the REQUEST for CPE/CPA Certificate of Completion form found in Step 1.

3. SUBMIT completed Request Form and Sign-in/out Sheet

4. VALIDATION ABA will VALIDATE your attendance within 10 business days from receipt of Request Form and Sign-in/out Sheet

5. A personalized certificate of completion will be emailed to you once your attendance is validated

6. QUESTIONS about your certificate of completion? Contact us at [email protected].

General / Participant’s Certificate of Completion

1. REQUEST a General Certificate of Completion at: https://aba.desk.com/customer/portal/emails/new?t=546530

2. A personalized certificate of completion will be emailed to you within 10 business days of your request.

3. QUESTIONS about your certificate of completion? Contact us at [email protected].


9/21/2015


treliant.com

Developing a Strong Operational Risk Program

September 24, 2015

Presenters

• Lyn Farrell, Managing Director, Treliant Risk Advisors
• Jeffery Napper, AVP, Bank Senior Risk Officer, USAA
• Louis Olivera, Vice-President, Business Monitoring Services, First National Bank of Nebraska
• David Everest, Manager, Operational Risk Practice, Treliant Risk Advisors


Introduction

Operational Risk Management
• Comprised of multiple risk disciplines
• Intersects with compliance
• Complexity, density and systems are challenges

USAA Control Environment – Lines of Defense

Risk Committee/Finance and Audit Committee – Board of Directors
Senior Management
Ethics and Core Values
External Audit and Regulators (outside the three lines)

1st Line of Defense: CoSA Business Operations
  Functions that own the risk

2nd Line of Defense: Enterprise Risk Management, Enterprise Compliance, Enterprise Security Group, General Counsel
  Functions that independently oversee and monitor the risk

3rd Line of Defense: Audit Services
  Function that independently assesses the risk


Lines of Defense

1st Line: Business Operations

• Own, assess, manage and control risk consistent with firm-wide risk appetite
  - Responsible for day-to-day management of risk within business processes and operations
  - Develop and maintain business operating policies, procedures and standards to ensure compliance with regulations and business requirements and to effectively manage all risk types within risk appetite
  - Develop and execute QA / QC framework and processes
• Design and implement processes, internal risk controls and self assessments
  - Identify and assess the level of risk associated with business processes, operations and products and conduct individual risk assessments as required (RCSA, FMEA, etc.)
  - Define key controls, with assistance from control partners (Risk & Compliance), and establish control assessments and corresponding metrics to determine design and operating effectiveness
• Develop, attract and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively
• Perform ongoing monitoring and supervision to include coordination of testing with affiliates and/or third parties
  - Execute control monitoring and testing program based on business and regulatory requirements
  - Governance of suppliers, document management, and procedures
• Drive timely remediation of issues needed to ensure effective mitigation of all identified control weaknesses
  - Respond with management comments to regulatory/control partner inquiries and develop/execute action plans to address the issues
• Escalation of issues
  - Escalate issues through risk review meetings, Risk Committees / Councils, and BoD.

2nd Line: Independent Risk Management

• Create enterprise-wide risk framework, appetite and risk limits
  - Establish and approve risk-related policies, standards
  - Develop and recommend to the BoD for approval, risk appetite thresholds and triggers. Ensure businesses are operating within risk appetite limits.
• Deliver a clear and concise view of enterprise-wide risk
  - Quantify and aggregate risks via reporting
  - Provide oversight of observations, key risks, stress testing results utilizing relevant data. Facilitate the identification of emerging risk by 1st and 2nd line.
• Develop, attract and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively
• Promote strong risk culture across USAA
  - Provide independent perspective and risk guidance through development of risk program standards, policies, guidelines and training.
• Challenge and conduct independent analysis of risks
  - Independent assessment/challenge of risks, controls & testing requirements. Provide insights and observations relative to 1st line risk management.
• Deliver advice/guidance enabling the business to achieve its goals
  - Provide insights and solutions on planning, practices and products via data, analytics, and expertise. Qualified and experienced Risk professionals “at the table”.
• Escalation of issues
  - Escalate issues through risk review meetings, Risk Committees / Councils, and BoD.


2nd Line: Compliance

• Proactively identifies, assesses, reports and assists in mitigating compliance and reputational risks.
  - Continuous monitoring and oversight of compliance with laws and regulations, independent of 1st Line. Monitors business process changes and applicability to new laws and regulations.
• Assures Board and Senior Management are fully informed of significant compliance issues and plans for resolution.
  - Reports on state of compliance. Manages regulatory examination activities with enterprise and regulators. Closely coordinates with Chief Risk Office in oversight of legal/regulatory risk.
• Develop, attract and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively
• Educate, communicate and drive a strong culture of compliance and control.
  - Provides relevant and timely compliance training to business community.
• Provides sound, independent advice and excellence in execution to exceed regulatory expectations and industry standards.
• Escalation of issues
  - Escalate issues through risk review meetings, Risk Committees / Councils, and BoD.

3rd Line: Internal Audit

• Provides the Board of Directors and senior management independent and objective assurance on the design and effectiveness of: Governance, Risk Management, Compliance, Internal controls
• Avoids any operational management to ensure independence and objectivity
• Develop, attract and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively


LINES OF DEFENSE – Compliance Control Process

1st Line of Defense: Ownership
1. New/Amended Laws & Compliance Findings Interpretation (Legal / Compliance)
2. Determine compliance requirements (Compliance)
3. Develop compliance controls, risk controls, operational execution requirements (LoB / Compliance / Ops Risk)
4. First test of compliance controls and compliance approval (LoB)
5. Process execution (Business Community)
6. Ongoing quality control and operational testing (Business Community)

2nd Line of Defense: Oversight, Monitor & Control
• Compliance: Ensure Compliance program effectiveness; Compliance program monitoring, testing and reporting

LINES OF DEFENSE – Operational Risk Control Process

1st Line of Defense: Ownership
1. New/Changed Operational risks or Issues (all non-compliance risks) (LoB / Op Risk)
2. Develop controls / operational execution; develop compliance controls, risk controls, operational execution requirements (LoB / Compliance / Op Risk)
3. First test of controls / operational execution (LoB / Op Risk)
4. Process execution (Business Community)
5. Ongoing quality control and operational testing (Business Community)

2nd Line of Defense: Oversight, Monitor & Control
• Operational Risk: Ensure Operational Risk Management program effectiveness; Continuous oversight and analysis of Operational risks


Example – Testing of Wire Transfer Process

Business Operations (1st Line of Defense)
• Establish processes and procedures
• Identify key processes to prioritize RCSAs
• Understand applicable laws/regulations
• Develop RCSA and assess risk
• Develop a comprehensive testing plan encompassing wire processes
• Execute detailed testing of critical wire processes
• Provide trend analysis and root cause analysis of testing results
• Aggregate and report QC test results, regarding the wire transfer process, to LOB management
• Identify and remediate issues

Risk Management (2nd Line of Defense)
• Set standards to include RCSA testing and reporting/escalation of issues
• Oversight to ensure that standards are being followed
• Aggregate testing results across all control partners to senior management and the Board
• Determine the overall health of the risk and control environment

Compliance (2nd Line of Defense)
• Set compliance standards and test to ensure compliance with laws/regulations
• Provide advice/counsel to 1st Line on compliance risk matters as well as regulatory interpretations
• Provide overview on state of compliance
• Provide over testing as needed

Internal Audit (3rd Line of Defense)
• Over test 1st and 2nd Line of Defense to determine adequacy and effectiveness of controls
• Determine the effectiveness of 1st and 2nd line processes governing Money Movement and the Wire Transfer Process

OPERATING FRAMEWORK – Roles and Responsibilities

1st Line of Defense
• Primary accountability for identification of control failures and management and control of compliance and operational risks
• Ongoing quality control testing and supervision to include coordination of testing with affiliates and third parties.
• Responsible for risk remediation of required actions in an effective and timely manner

Operational Risk
• Set ORM program standards, policies and guidelines
• Hold LOB accountable for adherence to ORM framework and provide necessary training
• Independent and continuous oversight and analysis of operational risks

Compliance
• Perform delegated operational business functions and control testing
• Provide relevant training to business community
• Monitor, oversee and report on state of compliance
• Manage regulatory affairs

Audit Services
• Provides the BOD and Senior Management independent and objective assurance on the effectiveness of governance, risk management, compliance and internal controls.

Across the lines
• Continuous collaboration between Operational Risk, Compliance and Lines of Business to identify, monitor and control risks to ensure operational risk program effectiveness.
• Continuous coordination of test plans between Lines of Business, Operational Risk and Compliance to ensure adequate coverage of exposures.
• Continuous collaboration between 1st, 2nd, and 3rd lines of defense regarding risk prioritization, trends, control quality and remediation.


BUSINESS CONTROLS AND SURVIVAL

                                              2001     2013    Change
Number of large banks ($10 billion or more)     76       98     +29%
Number of small banks                        8,263    6,279     -24%

Source: FDIC, Statistics on Depository Institutions

Challenges:
• Regulatory pressures
• Cost of doing business
• Too hard to manage
• Business model or culture does not adapt

ACHIEVING FAIRNESS BY BALANCING

• Perfection vs. Excellence
• Internal Focus vs. External Focus


ENTERPRISE RISK MANAGEMENT FRAMEWORK

(Diagram) Tier 3: Corporate Audit Services
Tier 2: Enterprise Risk Management & Corporate Compliance
Tier 1: Business Units
Foundation: First National's Mission . Values . Culture

THE EVOLVING CONCEPTUAL FAIRNESS FRAMEWORK

(Diagram) Elements: Executive Management Tone and Action; Fair Banking; Customer Experience; Compliance Controls; Desired Outcomes


How to Ask a Question

If you are participating on the Web: enter your question in the "Questions" box and press ENTER / SUBMIT.

If you are participating by phone: email your question to [email protected]


FIRST NATIONAL OPERATING PHILOSOPHY

To build and maintain long-term relationships by delivering a superior customer experience through simplicity, efficiency and engaged employees, while delivering profitability and long-term growth.

Business Unit Control Officers are needed because:
• Controls shape and impact: 1) the Customer Experience, 2) the Brand, and 3) our People.
• Our business is more complex and we are expected to have proactive and effective management systems in place.
• We need to better coordinate and manage our control environment to ensure it remains effective and efficient.


FAIRNESS OUTCOMES: THE EVOLVING IDEALS

GOAL: OUTCOME

REGULATORY: We act responsibly, monitoring consumer and regulatory trends; doing what's right for the consumer and the Bank.

CUSTOMER EXPERIENCE: We will treat all customers fairly, with a focus on a consistent customer experience.

PRODUCT: We will provide products that are easy to use and that deliver appropriate value for both the consumer and the Bank.

MARKETING: We will make our marketing clear and simple, with understandable disclosures and terms.

ACCESSIBILITY: We will make ourselves available to anyone with questions or comments, via the channel they wish to use.

EMPLOYEE ACCOUNTABILITY: We will inform, sell, service and market the product(s) based on the customer's needs.

CUSTOMER FEEDBACK: We will be responsive to customer inquiries, feedback or complaints; strive for first-interaction resolution whenever possible; and/or facilitate the customer relationship through final resolution.

BUCO MISSION

• Implement a self-sustaining control environment that continuously monitors its own effectiveness and efficiency and is able to proactively detect and remediate problems in their infancy.


Achieving UDAAP & Fair Banking Goals

(Diagram)
Objective: BUCO Control Integration & Alignment
Desired Outcomes: Transparency*, Fairness*, Proper Execution
Focus Areas: Marketing is Clear; Deliver as Promised; Good Customer Experience (We Deliver as Promised)
Initiatives: Practices Review; Marketing Fairness Review; BUCO Control Work

*Compliance prescribes and determines standards

SIMPLIFY: THE SWIM LANE PROCESS

(Diagram, steps 1 to 5)
Lane "Performed by Business Unit": Process; Key Control; Quality Control; Quality Assurance; Self Assessment & Review
Lane "Performed by BUCO": Process; Risk; Key Control; Quality Control; Quality Assurance; Self Assessment & Review


THE "SWIM LANE PRODUCT"

1) The product is not the flow charts.
2) The product is:
   • Analysis of the end-to-end process
   • Interdepartmental process alignment
   • Intradepartmental process alignment
3) Developing continuous testing for high-risk areas to make sure they work.
4) Completing process flows determines:
   • What is?
   • What should be?
   • What is missing?
   • What is extra?


IN SUMMARY

• Have a plan to integrate Customer Experience, Compliance and Controls as part of your program.
• Constant coordination is required between Compliance, Risk and Audit.
• Having procedures and processes is not enough.
• Keep a focus on controls that are actionable: approve, validate, verify, balance, reconcile, etc.
• Quality Controls:
   • Sometimes inappropriately substituted for a control
   • Sometimes not designed to test the right things, and don't keep up with changes to processes
   • Sometimes not sufficiently or completely documented
   • Issues identified are sometimes not remediated on a timely basis
   • Sometimes results are received and no corrective action is performed


Industry Trends

• Cybersecurity
• Vendor Oversight
• AML / BSA
• Disaster Recovery


CYBERSECURITY

• Proactive protection
• Focus on security, not compliance
• Bolster infrastructure from the inside out
• Integrate the security program into the operations


Vendor Oversight

• More than vendors
• Continuous monitoring
• Periodic review process
• Cross-functional reviews


Business Continuity

• Disaster recovery
• Include external partners
• Identify new process breakdowns
• Follow up on previous issues


Risk-Based Approach

• Risk assessment
• Risk acceptance process
• Transfer risks
• No one size fits all
• No templates


treliant.com

Visit aba.com/140

American Bankers Association, 140 years, 1875 – 2015

ABA has always been at the heart of the innovations that have helped bankers serve their customers. Join us in celebrating 140 years of helping make Americans' financial dreams come true.