Posted by: David Schneier
assessment, Audit, compliance, exam, examiner, exams, GLBA, governance, GRC, NCUA, oversight, regulations, regulatory, Regulatory Compliance, risk
I joined a new group last week on LinkedIn focusing on compliance within the banking space and during my first visit answered a forum question that started with “How do you manage the flow of compliance information?” It was a relevant question and I was happy enough to offer my two cents (never a problem for me, I assure you).
Here’s my reply:
“It’s no longer even a matter of whether or not your institution has time to track the various activities and statuses, it’s quickly becoming a measurable practice of its own within the oversight circles. We’ve recently encountered several exam comments addressing the concept of compliance management which focuses on how an institution demonstrates a working knowledge of and compliance with the broad spectrum of requirements.
I think the days of last-minute program (policy and procedure) updates and testing in the days leading up to an exam are near an end; the examiners are quickly losing their appetite to allow such flexibility and are expecting management to clearly establish that they’re taking compliance seriously.”
I’m sharing this exchange with you for a couple of reasons. First, my reply was one of four, and quite literally each of the four answers seemed to be addressing a separate question, which I found both curious and concerning. One person interpreted the question to be about keeping up with newly emerging and changing laws, one person replied as though it were about keeping track of what needs to be done internally, and one person thought it was more about governance and engaging stakeholders. And while I’m not sure which, if any, of us answered the question correctly, I am certain that all four brought out into the open the bigger issue, which is: how does anyone keep up with the speed at which compliance is evolving?
Which brings me to my second reason for bringing up the exchange. Are you prepared to demonstrate to an examiner how you manage all of your compliance initiatives? If not, you’d better get busy, because it’s something you’re likely going to need to do in the near future. At least two clients my practice works with have recently shared with us that their examiners have been slicing off time to review what’s being called “compliance management.” Simply put, it’s the overall approach an institution takes to tracking the various regulations and ensuring that it complies where applicable.
What that means to you is that it’s no longer enough to present the various program artifacts upon request to the examiner; you now have to demonstrate how you track each of those elements and determine their status. It also means that you have to demonstrate an awareness of new and changing requirements and maintain some measure of program change management. Gone are the days of pulling a new program together in the days leading up to the exam just so you have something to show for it. Gone too are the days of scrambling to bring everything up to date via herculean efforts, logging long nights and weekends in the weeks leading up to the kick-off meeting.
I remember how, when Red Flags was about to go live back in 2008, I asked an audience I was presenting to how many had their programs board-approved and in place, with only a few hands going up. I asked how many expected to have their program at least finalized by the go-live date, and again only a few hands went up. But when I asked how many planned to wait until two weeks before their next exam to get around to designing something, almost the entire room laughed and then, sadly, raised their hands. Those days are about to come to an end.
Ultimately, what I think is going to happen is that this important shift in oversight strategy is going to accelerate the adoption of the principles of GRC. I’ve been beating that drum quite a bit lately (even more than usual) and am all the more confident that my thinking is right. An important element of GRC is the ongoing monitoring (governance) of the various risk and compliance activities, and that’s what your examiners are going to be looking for. My best guess is that we’re about a decade away from widespread acceptance and that GRC will follow a growth curve similar to the one recently charted by ERM. Right now GRC seems a bit exotic to senior management and more theoretical than practical, but that will continue to change. As more practitioners incorporate elements of the methodology into how they meet the various challenges, it will become increasingly commonplace. And when the economy finally starts to rebound and funding isn’t as hard to come by, institutions will accelerate the pace and GRC will become part of the everyday vernacular for compliance professionals and their management.
For now, though, practitioners like me will simply have to keep introducing elements of GRC into the solutions we develop for our clients without identifying it as such. For those of us fortunate enough to know there’s a better way, there’s no reason to wait, and it’s a win-win for the institutions we work with. As I recently advised a client with regard to an upcoming exam: have a plan, collect evidence that the plan is being followed, and prove that there’s a process to periodically assess the plan for accuracy, viability and relevance. That they liked, but had I introduced it as a component of GRC, I wonder whether it would have appealed to them as much.
How else can you keep pace with compliance?