Every financial institution has findings. Whether it’s from a compliance review, an audit, or an examination, findings show your institution where improvements are needed.
Findings aren’t inherently bad – they are actually a good thing! Self-identified findings are a sign that your risk management system is working because you can proactively identify problems, including weaknesses in controls. (No one is perfect. If you don’t have any findings, you aren’t looking hard enough.) That gives your institution an opportunity to correct problems early on before they can grow into bigger problems – and long before they can become an issue with examiners.
Other times, findings are the result of an examiner uncovering a problem. When that happens, your institution’s risk and compliance management systems are out of sync with how examiners look at risk. It’s not ideal, but it happens.
Either way, it’s critically important that your institution effectively remediates every finding – not just to please examiners, but to keep your institution safe and sound. How do you ensure your institution has a proactive, effective findings management program that will stand up to examiner scrutiny?
Here are six practices examiners want to see:
1. Timely, documented corrective action. Examiners expect financial institutions to take prompt action to address findings — and they want to see evidence the issue was corrected. Financial institutions should have a system in place for tracking the status of corrective action and ensuring that it is completed by a specified deadline.
The best practice is to assign an individual responsibility for remediating a finding. Accountability is key.
2. Root cause analysis. A thorough root cause analysis to identify the underlying reasons for the finding is a must. This analysis should include an assessment of the processes and controls in place, as well as an evaluation of the role of human error or other contributing factors. This information is crucial for developing an effective corrective action plan that addresses the root cause of the finding.
If you don’t understand what caused the problem, you can’t truly fix it.
3. Evidence of effective implementation. Findings shouldn’t be addressed haphazardly. Examiners expect to see evidence that the corrective action plan has been effectively implemented. This may include documentation of training and communication to employees, updates to policies and procedures, and evidence of system changes to address the finding. Your institution should also demonstrate that it has ongoing monitoring processes in place to ensure that the corrective action remains effective.
4. Follow-up and monitoring. Examiners expect to see evidence that your financial institution has a system in place for following up on the effectiveness of corrective action, including the results of monitoring corrective action effectiveness. This may include regular reviews of reports, documentation of control testing, and ongoing monitoring of key indicators. It's not enough to take steps to correct a problem and then assume it’s fixed. You need to show the receipts.
5. Management involvement. Examiners expect to see evidence of strong management involvement in the findings management process. This includes senior management responsibility for ensuring that corrective action is taken, regular reporting on the status of corrective action, and effective communication with the examiner. The involvement of senior management helps to ensure that the findings management process is taken seriously and that the necessary resources and attention are given to address the findings.
6. Effective communication. Examiners want to see clear and concise documentation of the findings, the action plan, and the status of corrective action. When dealing with examination findings, your institution should be proactive in keeping the examiner informed of any updates or changes to the corrective action plan.
Examiners don’t like surprises. If you’re having trouble correcting an examiner-identified issue, it’s better to proactively talk about it with an examiner than have them find out during an exam.
Having a strong findings management program is more than a regulatory requirement. It’s a commitment to compliance and to operating in a safe and sound manner.