One question I frequently encounter when I meet compliance officers around the country is: "How can I help my Board understand, or at least appreciate, our compliance risks and our current compliance posture?"
Perhaps a brief movie reference would be beneficial here (as a long-time movie aficionado, I find a brief movie reference is almost always beneficial). In "The Pink Panther Strikes Again," Inspector Clouseau, having just checked into a hotel, approaches a dog and asks the hotelier, "Does your dog bite?" The hotelier replies with a simple "No." With that assurance, Clouseau goes to pet the dog, which savagely bites him. The shocked and bitten Clouseau indignantly exclaims, "I thought you said that your dog doesn't bite," which evokes the classic response, "That is not my dog."
Context is everything.
Oftentimes in the world of compliance, our understanding falls short because the context is inadequate. If I say that my fair lending risk is a "5," what does that mean? Nothing, really; a "5" without context makes little sense. Does it mean you are likely to be bitten in an examination, or does it mean that the examination will be a breeze?
When it comes to a Board's understanding of its institution's compliance risk(s), it is worthwhile to take the time to provide both context and trend. In the world of risk assessments, the magnitude of exposure must be explained as both a level and a trend. It is easy to say, for example, that Fair Lending is a rising risk for the industry in general, but what is it relative to your institution, its products, services, personnel, regulatory factors, and so on? The importance of presenting this context cannot be overstated. But context alone is not sufficient. After all, Clouseau's question was sound and valid, but incomplete. The second factor must be the Quality of Risk Management: part of managing the magnitude of risk exposure is deciding which risks we must address and which risks we are willing to accept.
To illustrate, I recently spent some time at a financial institution that had decided to disconnect the CIP/CDD/EDD (Customer Identification Program / Customer Due Diligence / Enhanced Due Diligence) module of its AML system because it considered the module a duplication of effort. Which BSA/AML automated surveillance system the institution uses is secondary, and to some extent so is the decision itself. The real question is whether the Board understands and accepts the aggregate risk created by that decision.
My sense, in this case, was that it was unlikely. Sometimes, despite our best efforts to the contrary, the full consequences of an "uncontexted" decision are not appreciated until we, like Clouseau, feel those teeth sinking into our flesh. At that point, the question for the Chief Risk Officer or the Compliance Officer becomes: did they do their job?