Challenges: Expansive size & autonomous business operations hinder rapid enterprise-wide compliance
U.S. bank holding companies must comply with strict industry regulations and are subject to federal and state oversight.
Two of the most critical regulations are the Federal Reserve Bank’s Comprehensive Capital Analysis and Review (CCAR) process and the Dodd-Frank Act’s Annual Stress Test (DFAST). The CCAR process also requires companies to perform a yearly Risk and Control Self Assessment (RCSA).
The company operates various product lines with each business group operating autonomously with individual Finance Risk Management Offices. Although the Risk Management Offices drive compliance efforts, a unified reorganization of the compliance program was needed.
Further, achieving full compliance with any new mandates was a daunting task for this 41,000-employee company. The company required quick-strike actions toward regulatory compliance. Specifically, they needed guidance on:
- What is required by the mandates (CCAR and DFAST)
- How to structure and organize the compliance effort
- What resources and staffing are required to support the effort
- How to document CCAR and DFAST requirements via the Risk and Control Self Assessment process consistently across the company
- How to approach and execute the Stress Testing effort
Solution: Mobilizing for Action through People, Processes & Tools
The Infinitive Insight team was engaged by the company’s Risk Office to advise and assist in the regulatory compliance effort. Infinitive Insight provided the following solutions to enable rapid implementation and adoption of a fully compliant CCAR/DFAST Stress Test program across the company:
Mobilize through People:
- Engaged C-level sponsorship to drive compliance at all levels and in all business areas. The executives received weekly updates of program statuses
- Formed a Program Management Office (PMO) with resources from all Risk Offices to operate the program. Bringing the resources from the various groups facilitated teamwork, collaboration and adherence to compliance standards.
- Required daily participation of subject-matter experts from the business operations.
- Defined communication methods within teams, across teams and up management levels. Status reporting, Issues and Risk Reporting methods were defined, documented and communicated on a daily basis.
- Trained team members on CCAR/DFAST requirements and how risk management concepts, methodologies and internal controls testing would enable compliance with regulatory mandates
Mobilize through Processes:
- Defined the methodology and approach for documenting processes
- Defined the process for documenting the Risk and Control Self Assessments (RCSA)
- Defined testing process and documentation of results
Mobilize through Tools & Technology:
- Developed questionnaires and flow charting templates for process engineers to use while documenting processes
- Developed RCSA templates for risk analysts to use to document key controls and conduct self assessments
- Developed testing documentation/work paper templates for testers to document results of findings
- Implemented SharePoint site and folder structure with strict naming conventions to store project artifacts and results
- Implemented change control methods for managing documentation updates
Results: Rapid Mobilization & Sustainability of a Compliance Program
As a result of the immediate actions, the company is now meeting its objective of gaining compliance with federally mandated rules and regulations. Furthermore, the project has provided the following value-added outcomes:
- The business units now have a consistent baseline, approach and toolset.
- Each group now understands expectations and is able to perform the RCSA to ensure they are fully compliant with the CCAR and Dodd-Frank Act on a semi-annual and annual basis.
- Communications throughout the teams have been simplified with a consistent understanding of requirements.
- Establishing the organization structure, processes and tools has enabled on-going adoption and sustainability of this regulatory compliance effort.