Has your financial institution reassessed risk since the COVID-19 pandemic began? If not, it’s way overdue.
That’s my takeaway after reading the OCC’s Semiannual Risk Perspective Spring 2020 released late last month. The agency notes that credit and operational risks, including vendor management and cyber risks, have skyrocketed over the past four months. From high unemployment to implementing new programs and operational approaches with record speed, FIs have coped with a huge volume of changes over a short period of time, creating elevated risk.
The good news is that banks entered the pandemic in a strong position thanks to a healthy economy and sound risk management practices, the OCC says. Yet FIs can’t coast on past risk management efforts. It’s unclear how long the economic downturn will last or how new government efforts and other events will further change the banking environment.
The OCC has identified the following heightened risks:
Credit risk. The OCC says credit risk management practices need to be “flexible and proactive” to meet challenges going forward.
Operational risk. FIs had to change operational processes in a stressful environment. They’ve adjusted to a more remote workforce—and the cybersecurity risks that it poses—along with increased absenteeism as staff fell ill or needed to care for family members.
Bank systems, processes, and controls have been impacted by higher transaction volumes related to customers receiving stimulus payments, increased loan demand, and changes to regulatory requirements (e.g., changes in accounting rules).
The OCC warns this can introduce risks like:
Third-party risk. Third-party vendors, including fintech firms, have helped some FIs keep pace with change, but that comes with risks of its own. The OCC notes that third-party vendor management is essential due to increased risk.
“Bank risk management programs should maintain effective controls for third-party due diligence monitoring,” the OCC says. The agency also wants risk management to address “other oversight processes, operational errors, heightened cybersecurity risks, and potential fraud related to stimulus programs.”
Cyber risk. The OCC says cyberattacks are going to continue increasing in volume. Risk management should address system and operational resilience, including backups that can protect the FI against cyber risks like malware or ransomware.
Compliance risk is also elevated and may become a “key risk,” the OCC notes.
Many of the issues that have increased operational risk have also put pressure on compliance. Compliance has had to draft and update policies and procedures due to operational and regulatory changes plus the introduction of new government programs. These include the Paycheck Protection Program (PPP) and forbearance and payment modification programs. High transaction volume has increased BSA/AML concerns as well as consumer compliance and Fair Lending risk.
These areas need to be reviewed and monitored to ensure compliance controls are effective and that policies and procedures are performing as expected. Complaints should be monitored.
Risk management is an active and ongoing process. The pandemic has created a situation marked by rapid change. Here are four ways to improve risk management when risks are elevated.