Aligning Your Compliance Program With Risk


There are many reasons financial institutions suffer through periods of poor compliance performance, and the causes are myriad.  One of the key contributors to compliance woes is often overlooked: when resources in the compliance department are misaligned or inadequate, trouble is bound to follow.  Inadequate resources result not just from a small compliance staff, but also from instances of “over-compliance”.   Misaligned staffing occurs when your institution’s risk assessment fails to identify the highest risks or is not used as part of the compliance planning process.

Inadequate Resources

Too few resources can result from many different sources including:

  • Training – Online training is a good first step toward helping staff understand the basics of compliance. These courses are cost effective and provide good basic information about various topics in compliance.  However, training that includes some in-person components tends to be more effective.  In-person classes allow staff to review case studies, ask in-depth questions and gain a more complete understanding of the rationale for regulations.  In addition, these types of classes significantly increase retention for participants.


  • Software used for monitoring – Determine whether your software provider effectively helps you monitor compliance activities. Many compliance officers “take what they get” from their software providers and make do with the reports that get generated.  Having a discussion with your vendor can result in significant changes.  Software providers have significant resources, including the ability to tailor the reports you receive to meet specific needs.  If the reports that are generated create more work than they resolve, now is a good time to have a discussion with your software provider.


  • Compliance officer overburdened – Compliance has become a full-time occupation. In addition to constant reporting requirements, there are nuances to the position that require the full focus and attention of the compliance officer.   Despite these requirements, there are many compliance officers who serve in various capacities in addition to their compliance duties.   When a compliance officer is overburdened, the compliance program suffers.  Attention can only be directed toward the pressing issues of the moment.  Potential problems are left for consideration only once they have become compliance violations.


  • Too much unnecessary information – In some cases, it is possible to engage in “over-compliance”, meaning developing databases that are simply too large to effectively review and interpret. For example, some institutions make a habit of filing Suspicious Activity Reports on all clients that have even a whiff of questionable activity.  Alternatively, some institutions include a large portion of their customer base as high-risk customers.  The sentiment for taking this course of action is understandable: a conservative approach to risk.  However, the net result of taking such an approach is information overload.  Massive amounts of data are presented to compliance staff, rendering them unable to keep up, and the process gets overwhelmed.



Misaligned Compliance

Compliance resources are limited in almost all institutions.   This is also true in the regulatory agencies that supervise financial institutions.  Therefore, the regulatory agencies take a risk-based approach to supervision.   The goal of the risk-based approach is not necessarily to catch every flaw in a compliance system.  The idea is that the areas of greatest risk should receive the most attention.  The same philosophy is at the heart of the compliance rating system announced by the FFIEC.   The effectiveness of the compliance program will be reviewed and rated.  Individual findings of low importance will still be addressed, but put into an overall context of risk.   The point is that the areas with the highest risk should get the most attention.

At your institution, one of the ways to make your compliance program most effective is to concentrate on the highest levels of risk.   You can do this by “letting go” in some cases and focusing on others.  An illustrative case is an institution with many Suspicious Activity Reports.   For example, consider an institution with $1 billion in assets that writes SARs on over 70 clients a month.   The SAR process requires that each of these SAR reports has a follow-up at 90 days.  The SAR reports describe activity such as structuring and potential tax evasion.  The compliance team at this institution has determined that all potential structuring activity will result in a SAR.   The institution quickly finds out that the time taken by filing SARs and following up on them leaves little time to research the customer and to determine if there are business reasons for the activity that is viewed as suspicious.   The number of SARs continues to grow while the amount of time spent on research of individual customers continues to shrink.  Eventually SARs are filed late and compliance concerns are noted by the regulators.

In the above instance, a re-alignment of compliance resources would focus on getting to “know your customer”.  By doing research on the customer and talking to them, the activity may turn out not to be suspicious at all.  For example, one customer deposits cash in amounts between $8,000 and $9,300 every two days.  This pattern may not be structuring at all if the customer is a small store that can prove the deposits are the actual cash receipts for the day.  The compliance team could ask the customer to report cash sales weekly, match the results with the deposits and have a level of comfort that structuring was not taking place.  Without a proper balance between KYC and SAR reporting, a compliance team can engage in a death spiral that includes excessive SAR filing and inadequate research.

Compliance programs should look for the root cause of a concern and address that root cause rather than attempt to apply “bandages” when findings are noted.    Training programs that help staff learn about the financial needs of the client base are also an effective means to align compliance resources.  If your institution does not offer credit cards, then course information on these products could be reduced in exchange for information on current products.


Aligning Compliance to Risk

The compliance risk assessment is the best place to start the alignment of compliance risk to resources.  Developing a comprehensive and effective compliance risk assessment will allow the institution to identify the greatest areas of risk and to direct resources to those areas.



Some Items to Consider for Your Audit Scope




As you prepare your annual audit schedule, a task that can often seem mundane, there are significant opportunities to take charge and “change the game”.   The schedule is often set by focusing on the number of audits that must be completed within the year.  The bulk of the planning attention goes to the task of scheduling the audits in a manner that is least disruptive.   There is often little attention paid to the construction of the components of the audit scope.   Consider building the scope of the audits around the results of your risk assessment and you can greatly enhance the effectiveness of the audit reports.

The Standard Menu

Outsourced internal audit firms design the scopes for the audits that they conduct based upon their knowledge of auditing, regulatory trends, best practices and the overall knowledge of their staff.  This practice allows the firms to bring a wealth of experience and important information from outside of the financial institutions that they are reviewing.   When your audit firm presents you the scope that they propose, it is based upon completely external factors and considerations.  This is not a criticism of the firm; it is standard practice.   However, setting the scope for internal audits is really supposed to be a collaborative effort, and both the audit firm and your institution are best served by developing the scope for audits together.  After all, who knows the strengths and weaknesses of your institution better than management?  To get the biggest bang for your buck, why not tie the audit scope into the results of your risk assessment?

The Risk Assessment and the Internal Audit

An effective risk assessment of your compliance program can be an excellent source document for various things, including budget requests for additional resources and scoping of audits.   Completing the assessment includes considering the inherent risk at your institution, the internal controls that have been established to address risk and a determination of the residual risk.   The process is intended to be one of self-reflection and consideration of the areas of potential weakness.  For those areas that have the potential to be a problem, the best practice is to make sure they are included in the scope of an audit.  Audit firms are more than happy to work with the management of the institutions they are reviewing on developing a scope.  One of the crucial goals of the audit is to uncover areas where there are weaknesses in internal controls.  For example, in your risk assessment, you may have noted a large number of errors in disclosures for new accounts.  This should be a focus for the internal auditors when the compliance audit is performed.

Root Causes

An area that is often overlooked in audits is a discussion of the root causes for findings.  For every violation or a problem noted during an examination or audit, there is a reason the violation occurred.  Ineffective training, incomplete written procedures, poor communication or incompetence are all possible causes of a finding.  Getting feedback from the auditors on the root cause of a problem allows the remediation to be most effective.  One of the main reasons for repeat findings is ineffective remediation.

Future or Strategic Risks

The environment for banking is going through significant change as fintech companies have begun to make inroads into the financial markets.  Financial institutions should consider whether their current systems, business plans and infrastructure are well positioned to meet the annual goals.  External audit firms can be a very good source of information on industry trends and ideas.   Building a consideration of both future and strategic risks into the scope of the audit can yield significant benefits.

Self-Policing and the New Compliance Ratings

One of the main reasons to expand the scope of your audits is to take advantage of the new compliance rating system that takes effect in March of 2017.  The new ratings will consider Board and management oversight, the strength of the compliance program, as well as the potential for consumer harm.  These new ratings will put an increased premium on an institution’s ability to self-police potential violations.  The ability of a financial institution to identify problems, determine the root cause and remediate the problem will have a large impact on the overall rating of the institution.  By setting the scope of your audits to help self-police, your institution can take full advantage of the new rating system.




What Is Supposed to Be in My Risk Assessment?




2017 is here!  Now is the time for new resolutions, renewed plans for success and… if you’re in compliance, now is the time for new compliance risk assessments. As we have discussed in previous blogs, the risk assessment is often discussed and sometimes reviled as a meaningless regulatory requirement.  When attempting to prepare a risk assessment, a frequent question is presented: what are the essential items in my risk assessment? Per regulatory guidance produced by the Federal Reserve:

“Principles of sound management should apply to the entire spectrum of risks facing an institution including, but not limited to, credit, market, liquidity, operational, compliance, and legal risk.”

This guidance applies to general principles of risk assessment preparation.  The compliance risk assessment is something of a different animal, because questions of market risk, credit risk and liquidity risk are relatively minor concerns when considering risks in compliance.  The focus instead should be on the compliance, transactional, strategic, financial and reputational risks associated with compliance activity.


Think of the risk assessment as a matrix – not the type where you get to choose a red pill or a blue pill, just a square with several blocks.   There is a formula that you can use to complete an effective risk assessment.  The basic formula is INHERENT RISK (minus) INTERNAL CONTROLS (equals) MITIGATED RISK.

Inherent Risk

Inherent risk is the risk associated with the products, customers and overall compliance structure at your bank.

“An inherent risk is a risk category that really relates broadly to the activities and operations of a company without considering necessarily the company. For example, unsecured lending is inherently more risky than secured lending. If I were auditing an institution that was primarily involved in unsecured lending, then I would have a higher assessment of inherent risk in that organization than, let’s say, secured lending. And that’s a fairly simple example, but that type of a risk assessment is done for each critical business component.”[1]

When considering the level of inherent risk at your institution, consider all the products that you offer and the worst-case scenarios lurking in the background. For example, suppose you are considering the inherent risk associated with consumer lending.  The inherent risk might look something like this:

Consumer Loans – Inherent Risk

Type of Risk / Comment

  • Compliance Risk – The risk associated with the regulatory requirements for making consumer loans, e.g. disclosures, accurate calculations, etc.
  • Transactional Risk – The risk associated with the systems in place that are being used to support offering the product.  Can your core support the loan types being offered?
  • Reputation Risk – The risk that the products will result in consumer complaints, UDAAP violations or potential fair lending concerns.
  • Strategic Risk – Are your products really meeting the credit needs of the community you serve?


The point of this part of the exercise is to determine the level of risk that comes with offering the products at all.  This level of risk doesn’t take your compliance program into account.

Internal Controls

Once you have identified the risks inherent in the products you offer, the customers you serve and the overall current compliance program, the next step is to review the steps your institution has taken to address them.  This is where your policies, procedures, training and independent audits come in.  There is a real opportunity to self-reflect and simultaneously project your aspirations during this part of the risk assessment.   It is one thing to note that you have policies and procedures in place.  It is a far different consideration to determine how effective they are.  Are the policies and procedures written and updated on an annual basis?  How much of the policies and procedures are internally developed, and how much have been “borrowed” from other institutions?  (Note:  This is not to imply that borrowing is a bad thing, if the information truly reflects the situation at your institution.)   The risk assessment should contain an analysis of the current state of the internal controls.    What would excellent controls look like, and what would it take for the compliance department to get there?  These considerations should be included.

Mitigated Risk

Your overall assessment of how well the internal controls at your institution address the possibility of problems is the mitigated risk.  For the risk assessment to be a most effective tool, it is necessary for this process to truly consider potential problems with internal controls.  Written policies and procedures, for example, can be comprehensive and up-to-the-minute accurate, but totally ineffective if staff don’t use them.   Training is an area often taken for granted.  The online training that most institutions offer is a great start.  However, for a full in-depth understanding, additional training that includes case studies is a best practice.


A word about Strategic Risk

For the banking industry in general, regulators have put strategic risk at the forefront.  For example, in its Semiannual Risk Perspective for Spring 2016, the OCC noted that strategic risk is a concern:

“Banks are several years into the risk accumulation phase of the economic cycle. The banking environment continues to evolve, with growing competition among banks, nonbanks, and financial technology firms. Banks are increasingly offering innovative products and services, enabling them to better meet the needs of their customers. While doing so may heighten strategic risk if banks do not use sound risk management practices that align with their overall business strategies, failure to innovate to meet evolving needs or financial services may place a bank at a competitive disadvantage.”[2]

As the risk assessment process is completed this year, it is important to consider whether your institution is keeping up with trends in technology and innovation.  The financial industry is being disrupted in a way that will significantly impact the relationship between customers and institutions. Without the right technology and business plan, it will be easy to be left behind.   Make sure that your risk assessment considers strategic risk.



James DeFrantz is the Principal of Virtual Compliance Management Services LLC.  He can be reached directly at



[1] William Lewis, Price Waterhouse Coopers. Comptroller of the Currency, Administrator of National Banks, Audit Roundtable, Part 1: Risk Assessment and Internal Controls.

[2] OCC, Semiannual Risk Perspective from the National Risk Committee, Spring 2016.