In recent years, many banks have shifted how they approach compliance issue management. Reacting quickly to rectify out-of-compliance situations remains a priority, of course, but a growing number of banks are addressing identified weaknesses more proactively as part of a larger, more structured, and more comprehensive compliance management program.
As regulatory agencies continue to focus on effective compliance management programs, one component that should be reassessed is the process for resolving identified compliance issues. Banks of all sizes are focusing their efforts not only on immediate correction or remediation of compliance issues but also on the establishment of structured, proactive programs to identify and mitigate risk going forward.
Regulatory pressures provide some of the impetus for the growing adoption of a more comprehensive approach, as examiners increasingly look to track specific compliance issues back to banks’ overall compliance management programs. But a growing number of institutions are going beyond regulatory responses alone and establishing such programs on their own initiative. These institutions are establishing structured, tested, and repeatable processes for resolving identified compliance issues consistently and applying these processes proactively to reduce the risk of related compliance problems in the future.
Of course, no single approach works equally well for all organizations. In addition to size, other variables such as a bank’s risk appetite, specific risk exposures, and overall strategy must be taken into account. Despite these differences, however, management teams that seek to improve their compliance initiatives will find it useful to begin by reviewing the five critical components that an effective compliance resolution program must have.
Compliance issues can arise from a variety of sources, including reports from examiners. In addition, noncompliance can be identified through internal audits, regular compliance monitoring, or self-reporting by individual lines of business: in other words, any of the traditional three lines of defense that form the basis of virtually all risk management models.
An effective compliance resolution program should have direct visibility into issues raised by all these sources. In many organizations, particularly in larger banks, the responsibility for addressing audit and exam issues is assigned to a centralized risk monitoring function. But even in circumstances in which the compliance department is not specifically responsible for the tracking or resolution of audit or exam issues, the compliance function nevertheless should remain directly involved.
BY JOSEPH N. DURHAM, CRCM, CAMS,
AND PAUL R. OSBORNE, CPA, AMLP, CAMS-AUDIT