About Us | Contact Us
View Cart

The OCC’s Risk Analysis Executive Summary

By Dan Hadaway | Wednesday, June 25, 2014 - Leave a Comment

Top Six Risks Defined by OCC

(And the top six reasons to read the report, defined by Dans New Leaf!)


Another  one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . 

So right in the middle of requiring banks to roll out enterprise risk assessments, the OCC expresses the top six risks facing their banks, as follows:

  1. Competition for limited lending opportunities is intensifying, resulting in loosening underwriting standards, particularly in indirect auto and leveraged lending. Easing in underwriting and increased risk layering is also occurring in commercial loans.
  2. The prolonged low interest rate environment continues to lay the foundation for future vulnerability. Banks that extend asset maturities to pick up yield, especially if relying on the stability of non-maturity deposit funding in a rising rate environment, could face significant earnings pressure and potential capital erosion depending on the severity and timing of  interest rate moves.
  3. Many banks continue to re-evaluate their business models and risk appetites to generate returns against the backdrop of slow economic growth and low interest rates. OCC examiners will focus on banks’ strategic business and new product planning to ensure appropriate risk management processes are established.
  4. Cyber-threats continue to evolve, requiring heightened awareness and appropriate resources to identify and mitigate the associated risks.
  5. Financial asset prices have experienced very low volatility for an extended period. As a result, measures of price risk, such as value-at-risk, are at very low levels. The reduced willingness of dealers to hold securities in inventory, due to capital and other concerns such as a change in monetary policy, could contribute to greater price swings going forward and increased price risk.
  6. Bank Secrecy Act and Anti-Money Laundering risks remain prevalent as money-laundering methods evolve, and electronic bank fraud increases in volume and sophistication. Banks work to incorporate appropriate controls to oversee higher risk customers and new products and services.

This is from a report published by the OCC yesterday, located here.  (for quick reference, try m.infotex.com\occ062414).

The report presents data in five main areas: the operating environment; the condition and performance of the banking system; key risk issues; elevated risk metrics; and regulatory actions. It focuses on issues that pose threats to the safety and soundness of those financial institutions regulated by the OCC and is intended as a resource to the industry, examiners, and the public. The report reflects data as of December 31, 2013.

Six Reasons To Read the Report!
I believe studying this report can help a community-based bank in several ways:

  1. Question #1:  Do these risks apply to our bank?  Be sure that each of the above-expressed risks are somehow addressed in your next enterprise risk assessment.  Most auditors will use this as a guide to assure the mile-wide part of the inch deep assessment.  The risks expressed above may not apply to your bank, but you should at least be asking yourself if they do.
  2. Notice the format, tone, organization, and general expression of the report.  This is a risk analysis.  It is presented to you, the public, the way the OCC would like you to educate your team on the risk it faces.  It has an executive summary that, when read, gives high-level people a high-level summary of the entire report.  Risks are expressed in narrative form.  When it includes tables and pictures, they are to support the statements being made, rather than express the risks being accepted.
  3. Of course, understand and analyze the risks inherent in the above summary. especially if the answer to Question #1 is “yes, we’re seeing this.”  #1 seems to be related to #2, but they’re all inter-related in many ways, which is one of the Big Deliverables we’re finding in enterprise risk assessments.  And, you IT guys, you CAN understand the risks expressed in the five items without the word “cyber.”  And doing so will inspire others in the organization to understand the risk expressed in item #4!
  4. Regarding paragraph #4 though, notice that the words “heightened awareness” are the first to come after “requiring” when discussing cyber-risk.
  5. The second set of words in the cyber-risk paragraph:  appropriate resources.
  6. To me, a discussion about this report could be a good way to launch your next Enterprise Risk Assessment, if the kickoff meeting starts in the next six months or so, and especially if your organization is governed by the OCC.

 

Original article by Dan Hadaway CRISC CISA CISM.
Founder and Managing Partner, infotex

Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

 

Latest News
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    President Biden recently signed a bill tasking the agency with evaluating the unique risks that schools face… An article review. Taking note of the unique challenges educational institutions face in securing their networks, President Biden has signed a bill into law directing the Cybersecurity and Infrastructure Security Agency (CISA) to look into ways that they can […]
    Thanks for being interested in our Technology Planning Webinars! This year‘s annual update to our annual Technology Planning webinar will include a panel discussion, a review of the previous years’ movies that are already available, and a discussion about alternative tactics that have arisen from recent conferences as well as the impact of the AIO […]
    Welcome Cybersecurity Conference Attendees! Thanks for joining us for the Cybersecurity Conference today! We have created this page for you to have access to the deliverables from Dan’s talk.  
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Why It Rhymes With SEEM (And its Not the I Before E Rule) Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . It’s the Gestalt. The idea that the whole is greater than the sum of it’s parts. That’s not something that is often brought […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office. Interested in one of ours […]
    Questions about China’s new disclosure laws only highlight the uncertainty about disclosure in general… An article review. China recently made waves in the security world by announcing a new set of data security laws, one of which has added new fuel to a long running debate: how and when should security vulnerabilities be disclosed…and to […]
    Four Conditions … …For Why a Network Can be Anything But a Network! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . I have to admit that infotex is being called into engineering meetings with larger organizations these days that are NOT community based banks.  We […]