One of the key components of a compliance risk management program is the inherent risk assessment. The assessment identifies where the institution is most exposed to regulatory risk and allows the institution to direct compliance resources and investment to the areas that pose the greatest risk.
A classic inherent risk assessment attempts to measure both the likelihood of a breach and the impact that the breach would have on the organization. The areas of greatest risk are found where there is both a significant risk of a breach and a significant impact on the institution if the breach were to occur.
Under this classic analysis, when either the likelihood of a breach or the size of its impact is considered to be small, the inherent risk assigned to the regulatory requirement is often considered to be low or nominal. As a consequence, the area receives less attention than other areas that might be rated high or even medium risk. However, recent experience may have demonstrated a fundamental flaw in this approach. In particular, recent examples of low probability, high impact events have raised questions about how institutions manage this “tail risk”.
What is tail risk? In classic investment terms, “tail risk” is the risk of the price of an investment moving more than three standard deviations from its current price. In other words, it is the risk of a very big price swing. More generally, tail risk can be described as the risk of a low probability, high cost event. In compliance risk management terms, the term could be used to refer to the risk of a breach that, while very unlikely to occur, would, if it were to occur, have a catastrophic impact on the institution.
Recently, we have seen some very dramatic examples of what might be termed a tail risk event. Earlier this month, Barclays Bank was fined almost £300 million for manipulating the LIBOR rate, and its three most senior executives, including its CEO, resigned in response to the scandal. Last February, five U.S. banks agreed to pay $25 billion in relation to the “robo-signing scandal”. The amount was paid to settle allegations made by federal and state regulators that the banks had routinely violated mortgage foreclosure laws.
Surely, contributing information for the LIBOR rate or foreclosing on a mortgage was not new for these banks. They were probably considered to be routine processes. However, in both cases, the environment presented highly unusual circumstances. The 2008 economic crisis and the threat of nationalization created an incentive for Barclays to misrepresent its funding costs. The same economic crisis led to an unprecedented volume of foreclosures being handled by third-party mortgage processors. In both cases, prior to 2008, the likelihood of these types of changes in the environment would have seemed remote and, from a compliance perspective, the processes likely garnered little attention. Unfortunately, by the time the breaches were discovered, it was too late to avoid catastrophic losses for the banks.
In the case of the U.S. scandal, even the Office of the Comptroller of the Currency (OCC) considered mortgage foreclosure laws to be an area of low risk. An investigation conducted by the inspector general of the OCC found that the OCC did not identify foreclosure documentation and processing as "an area of significant risk" and, consequently, had not updated the Mortgage Banking Comptroller's Handbook to make it an area of focus for bank supervisors.
So, how can you deal with tail risk? One obvious answer is to make sure that your risk assessments are up-to-date. Arguably, when the issues arose at Barclays and the U.S. banks, the regulatory requirements were no longer tail risks. Surely, the compliance departments at Barclays and at the U.S. banks had enough notice that the environment had changed and, had they updated their risk assessments, they would have identified the requirements as areas of significant risk. Looked at from this perspective, the problem was not that they were tail risks, the problem was that they were no longer tail risks.
What these recent examples also suggest is that we need to pay particular attention to the tails and to the factors that trigger risk assessment updates. In particular, we need to carefully monitor the risks that fall at the low-likelihood, high-impact end of the curve. Given the potential impact at this end of the curve, even minor changes in the environment should trigger new inherent risk assessments.
One of the features of the OSFI Corporate Governance Guideline is an expectation that directors will seek out both internal and external education opportunities. With almost 30 years' experience with bank and insurance company regulation, we have the knowledge and background to help directors understand current regulatory issues and developments, OSFI expectations for directors, and the regulatory framework within which the company operates, all essential information for directors.
We can assist your directors with a quick, cost-effective training program that will give them the comfort of knowing that they are fully meeting their responsibilities and the regulator's expectations.
Call us to discuss your director training needs.
CCG and Resolver join forces
We are extremely excited to have partnered with Resolver to build a powerful turn-key solution for compliance risk management for the Canadian banking and financial services sector. Resolver's integrated platform supports application areas including Risk Assessment, Internal Control, Internal Audit, Compliance Management, Enterprise Risk Management and Incident Management. Resolver's team is comprised of security, risk, and compliance experts supporting customers across 100 countries, with offices in North America, the United Kingdom, the Middle East, and Australia.