CMS Flashcards
(33 cards)
What are the “three lines of defense” for managing risk on an enterprise-wide basis?
1) business unit
2) governance oversight
3) internal or external audit
What lines of defense collaboratively manage regulatory compliance risk?
1) business unit
2) governance oversight
What is the purpose of the Compliance Management System (CMS)?
* manage regulatory compliance responsibilities
* help the bank make risk-based decisions
* help the bank correlate risk across the enterprise
What is the high-level purpose of an effective CMS framework?
Ensure management understands the bank’s level of compliance risks and any steps to mitigate them.
Name the 6 primary risk management roles compliance professionals fill.
* provide regulatory advice to help business units mitigate risks
* regulatory change management
* compliance monitoring
* coordinate regulatory exams
* oversee compliance training
* review policies, procedures, and marketing materials
How can compliance professionals formalize their risk mitigation system?
Risk Assessments
Explain the responsibilities of a compliance professional.
* understand operating environment and risk tolerance
* perform risk assessments (including recommendations for mitigants)
* elevate unmitigated risk areas
* provide reporting
* review and revise policies and procedures
* assist in correcting errors and providing training
What are the basic elements of a CMS?
written program that addresses
- structure
- change management
- monitoring (testing)
- regulatory examinations
- compliance training
- reviews
- risk assessment
Outline the structure elements of the CMS.
* mission statement
* roles and responsibilities
* compliance policies and procedures
Outline the change management elements of the CMS.
* consultation
* regulatory proposal impact
* change implementation
Outline the monitoring elements of the CMS.
* compliance testing
* remediation
Outline the regulatory examination elements of the CMS.
* exam liaison
* review findings
* exam responses
* remediation
Outline the compliance training elements of the CMS.
* needs
* timing
* applicability
Outline the review elements of the CMS.
* marketing materials
* policies and procedures
* disclosures
* products and services
* third party relationships
Outline the risk assessment element of the CMS.
* risk review areas
* risk ratings
* key risk indicators
* controls
* key performance indicators
What are the two types of controls?
1) preventative controls
2) detective controls
What are the elements of risk identification?
* Inherent Risk (before controls)
- exposure
- likelihood
* Residual Risk (after controls)
What is risk exposure?
the extent of potential damage (severity)
What is risk likelihood?
the probability that an event will occur
What are risk dependencies?
dependencies on other areas of the bank or third parties for controls
When evaluating a regulatory proposal, what are the first 3 steps?
1) analyze the proposal’s effect on the bank
2) provide a summary to the affected business unit
3) establish a task force to study the proposal
Once a regulatory proposal becomes final, what is the first step to implement the rule?
establish a task force (Note: the question askes about ‘implementing’ the rule, not ‘analyzing’ the final rule)
Once an exam finding is validated, what is the next step?
review policies and procedures to determine where failure occurred (root cause)
Once an exam finding root cause is determined, what is the next step?
determine the extent of the problem (scope)
