ABA Banking Journal - June 2014 - (Page 32)
Lines of defense
built on good
They say there are 43 quintillion ways to arrange a
Rubik's Cube, the three-dimensional puzzle that
turned 40 in May. So many variations, yet there
is only one correct solution.
Controlling risk in all its forms can seem a puzzle, too, but
for bank leaders and the specialists in risk management, legal,
compliance, and audit whom they rely on, the shape of the
solution, unlike a Rubik's Cube, won't necessarily look the
same from one institution to another. The task is far more
challenging than twisting a plastic puzzle into place.
To assemble their "cube," bankers have various elements
to adjust: control functions, like risk management and compliance, and principles developed by bankers, specialists,
and regulators over decades, but especially over the last one.
In January, the Comptroller's Office released proposed
guidelines on heightened expectations for risk management, internal audit, and governance, incorporating the
"three lines of defense" concept, in very large national
banks, and, potentially, for any institution deemed complex enough to warrant application. The agency's blueprint
gets complex pretty quickly, and in some ways reads like a
risk management manual, as a regulator would write it.
Some facets have become controversial, and OCC promised to carefully consider the industry's comments.
But the basic concept applies quite broadly. In some
ways, experts in risk, compliance, and governance say the
three lines have been part of the general nature of these
disciplines, to one extent or another, for some time. Going
forward, they argue, the key is to avoid too much uniformity or rigidity in implementing the concepts, especially as
all component bank functions, most notably compliance,
continue to evolve in scope and role.
While OCC's proposal occupies center stage now, this is
an issue of interest to banks of all sizes, in principle. There
are concepts that apply to risk management and compliance anywhere, for instance. And there is concern that elements of large bank requirements slowly move down.
"Trickling down is a legitimate concern," says Tim
Burniston, vice-president and senior director, professional
services and consulting, Wolters Kluwer Financial Services.
Burniston, a former senior compliance regulator at the Fed
and FDIC, adds that this concern has been there all along.
"We all know that once these kinds of things go into
play, they become the expectations," says Elizabeth Snyder,
who formerly headed compliance and risk management at
a Chicago-area community bank. "It won't happen right
away, but things will become tougher." Snyder is senior
manager in charge of the regulatory compliance team at
Plante Moran, the accounting and business advisory firm.
At one time, enterprise risk management was just for big
banks, but in recent years, examiners increasingly expect
community banks to adopt at least elements of it.
OCC's proposal stirs the pot
The mission of the OCC proposal is not something anyone
argues about. In a recent speech, Comptroller Tom Curry
stated that, "The job of a risk governance framework and
the three lines of defense is to ensure that the bank has an
effective system to identify, measure, monitor, and control
risk taking, and to ensure that the board of directors has
sufficient information on the bank's risk profile and risk
management practices to do their job, providing management with effective direction and advice."
The proposal has focused industry attention on the need
for controls on risk at multiple levels with an emphasis on
independence to avoid compromising controls.
By Steve Cocheo, executive editor & digital content manager