How to Achieve Regulatory Exam Readiness

This blog shares actions proven to prepare for regulatory exams by adopting a proactive and informed approach. At a high level, to prepare for regulatory examinations, organizations should adopt a proactive and informed approach. Staying abreast of regulatory changes and updates is crucial, and the bank should establish a robust Compliance Management System (CMS) that encompasses policies, procedures and controls aligned with current regulatory requirements. Regular internal audits and risk assessments must be conducted to identify and rectify compliance gaps, with a commitment to promptly address any deficiencies discovered.

Start Exam Readiness Planning by Identifying High Risk Functions and Performing Risk Assessments

Clients often ask, “We have an upcoming exam and are not sure where to start – what do we do? There are certainly some common standards, but our answer often varies by client, based on many factors that must be considered before planning readiness activities. These factors include:

• Who is the examiner (e.g., CFPB, OCC, FRB, FDIC, NCUA, State)?
• What functions (if known) are being reviewed during the exam?
• What is the context for the exam (is it the first exam conducted by a particular regulatory agency or the fourth exam?)
• What is the maturity of the individual client’s risk and control infrastructure?

We ask these questions before we begin to construct a readiness plan. While the most logical starting point always varies, there are several steps that can be taken to prepare. Start with identifying high-risk functions that are likely to be the focus areas of the exam. Then, compare the current state against known regulatory expectations for compliance/control. Identification of high-risk functions will help streamline readiness efforts and result in a prioritized list of impacted processes.

Identifying High-Risk Functions to be Exam Ready

Identifying high-risk functions will guide all readiness activities. Typically, once you’re aware of an upcoming exam, there isn’t time to check, double-check and triple-check every process. So, prioritization is a must. These steps can get you ready:

1. Determine Regulatory Applicability and Compare Expectations to What You Currently Do

You must first understand the applicability of all regulations to job functions, as well as regulators’ expectations for compliance and control to compare to current operations.

2. Analyze Complaints to Identify Potential Root Cause Weakness

Important in advance of any exam—but especially so for CFPB exams. This should not be limited to “highest volume” complaint types, as we’ve seen a small handful of complaints be signs of significant errors.

3. Review Recent Enforcement Actions

Review public enforcement actions to gain insights into regulatory expectations and identify where other organizations have been most impacted. This helps pinpoint areas for greater reputational risk.

4. Re-Examine Past Internal Audits of Regulatory Exam Findings

Repeat exam findings must be avoided as should un-addressed internal audit findings. Any function with recent findings should be automatically flagged as a higher risk and prioritized.

How to Perform a Risk Assessment

We recommend performing risk assessments on any impacted processes. The risk assessment finds gaps and helps determine how to address gaps prior to the exam.

Effective risk assessments for exam readiness must meet the following three criteria:

1. They are initiated quickly to give you more time. But, also, it increases the likelihood that results from changes will be evidenced within the examination period. You’ll have a powerful narrative to show a regulator that you were proactive.

2. They are completed independently to be sure that you don’t sacrifice rigor. You don’t need to hire third-party consultants to conduct each assessment. However, ensure that people conducting the assessment have distance from the business line. While subconscious, those close to the operation are more likely to have bias that all is well, which can create residual risk.

3. They are done thoroughly with full knowledge of the regulatory applicability and expectations. Many assessments fall short here. Risk assessments need to be deep—and go to the regulatory element level (i.e., testable elements) to ensure full compliance is addressed through policies, procedures, process maps, and monitoring and validation.

Typically, a risk assessment is completed in a format that allows for easy identification of gaps against a predefined expected state. Using a matrix with some well-defined fields to allow for a consistent prioritization methodology is encouraged. Regardless of approach, what is important is that the gaps identified during the risk assessment are prioritized, acted upon, and implemented in a way that tells a clear story.

Factors for prioritization may include the risk of customer or member harm, financial risk, implementation effort, implementation cost, time required for implementation, and process frequency.  The resulting prioritization document should be designed for handoff to any stakeholder, whether internal or external, seeking clarification on why an identified gap may have remained unaddressed.

Demonstrating a thoughtful approach to prioritization can go a long way with a regulatory body.

Execute the Regulatory Exam Readiness Plan and Establish Corrective Action and Project Structure

Once prioritization is complete, it is time to develop the readiness plan. This activity should ensure that items to be executed prior to the exam are completed. The plan also provides a roadmap sharing when open gaps will be addressed in the future.

The most important components of the exam readiness plan are related to the project management that surrounds its execution.

Effective components of an exam readiness plan include the following:

• Owners at the task and work stream level (one owner per line item)
• Documented due dates and task statuses
• Regularly scheduled working team update meetings
• Regular Steering Committee meetings for key decisions and accountability
• Formal change control processes to govern enhancement implementation
• Dedicated project manager(s) and a central repository

While these items alone are not enough to ensure exam success, they do contribute to the creation of a highly structured, consistent narrative.  It establishes the groundwork for clear likes of accountability, regular communication, and prompt identification of emerging risks.