The National Credit Union Administration (NCUA) by mandate has added Enterprise Risk Management (ERM) and Sarbanes-Oxley (SOX) like financial reporting attestation compliance to the list of required activities for credit unions. Why has the NCUA put SOX, or financial reporting attestation, and ERM in the same ruling?
The NCUA has recognized that all regulatory compliance guidelines have required a risk assessment component, so it is only natural to require an Enterprise Risk Management (ERM) program to standardize all these different risk assessments to make it easier for them to supervise these institutions. What is good for the goose is good for the gander. It is no surprise that 91% of banks and credit unions in a recent survey plan to restructure, reorganize, and reprioritize their organization's approach to risk management to standardize and consolidate compliance risk assessment activities.
1. Standardize your risk assessment templates: The key is to standardize a root-cause based risk library, or risk register, which will allow you to assess once and meet your multiple regulatory requirements. Nearly all regulations require a risk assessment so regulators, and therefore auditors, ERM committees and shareholder disclosures, are now checking up on the performance of these. Currently risk assessments are often not being done formally, meaning in a standardized manner, resulting in inconsistent quality and subjectivity.
2. Consolidate risk and control self assessments (RCSAs): Next is to create a risk taxonomy that records or stores the linkage between any compliance risk assessment information to any commonly identified root cause risk, so you can see which risks meet multiple regulatory requirements. Different areas across the organization are collecting the same information for resources, they just don't know it and they are not connected to each other or the requirements as a whole for the corporation. Different areas across the organization are collecting the same information for multiple regulations.
3. Structure reporting for flexibility and efficiency: Since everything is in one place, standardized and connected through a risk taxonomy, you can serve a variety of stakeholders by re-grouping the subsets of risks and their connected controls in different ways to meet the requirements of different stakeholders without repeating the work. This approach will also reveal systemic risks by tracking the number of times the same risk is independently assessed and where these risks occur to see their cumulative strategic impact and monitor risk and compliance over time.
4. Verify links between the controls to the regulations they serve: There are so many regulations with seemingly overlapping guidelines, but it is hard to understand specifically how they are connected. The key to find that connection is to identify the underlying risks that the regulation is trying to address There is no linkage between a control and a regulation - the risk provides this linkage, and risks are mitigated by a control. Since everything is in one place, standardized and connected through a risk taxonomy, you can easily determine the completeness of your control activities. This tells you exactly where you are vulnerable and provides a game plan with a priority to do something about it.
5. Link resources to controls: All compliance requirements involve resources such as vendors, technology, physical assets or people. Business impact cannot be determined in isolation of the business process that relies upon them. Therefore the key is prioritizing and linking these resources to the compliance controls for each business area. The result is the connection of these key supply chain and infrastructure dependencies to the mitigation and control activities organized within the business processes in which they operate so you can allocate resources to most important areas.
Using governance risk and compliance (GRC) software helps you standardize all your risk assessments across all your regulatory, operational and strategic needs. When regulations change, you can even automate notifications to appropriate areas that are involved or affected by this change. So stop spending all your time chasing and reminding people to get their compliance requirements done and spend the time instead on saving 60-80% of time enterprise-wide resources currently waste on unnecessarily redundant compliance risk assessments with a Consolidated Compliance Risk Assessment framework.
Download a detailed white paper with examples that will show you how to consolidate compliance risk assessments.