About Us | Contact Us
View Cart

The OCC’s Risk Analysis Executive Summary

By Dan Hadaway | Wednesday, June 25, 2014 - Leave a Comment

Top Six Risks Defined by OCC

(And the top six reasons to read the report, defined by Dans New Leaf!)

Another  one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . 

So right in the middle of requiring banks to roll out enterprise risk assessments, the OCC expresses the top six risks facing their banks, as follows:

  1. Competition for limited lending opportunities is intensifying, resulting in loosening underwriting standards, particularly in indirect auto and leveraged lending. Easing in underwriting and increased risk layering is also occurring in commercial loans.
  2. The prolonged low interest rate environment continues to lay the foundation for future vulnerability. Banks that extend asset maturities to pick up yield, especially if relying on the stability of non-maturity deposit funding in a rising rate environment, could face significant earnings pressure and potential capital erosion depending on the severity and timing of  interest rate moves.
  3. Many banks continue to re-evaluate their business models and risk appetites to generate returns against the backdrop of slow economic growth and low interest rates. OCC examiners will focus on banks’ strategic business and new product planning to ensure appropriate risk management processes are established.
  4. Cyber-threats continue to evolve, requiring heightened awareness and appropriate resources to identify and mitigate the associated risks.
  5. Financial asset prices have experienced very low volatility for an extended period. As a result, measures of price risk, such as value-at-risk, are at very low levels. The reduced willingness of dealers to hold securities in inventory, due to capital and other concerns such as a change in monetary policy, could contribute to greater price swings going forward and increased price risk.
  6. Bank Secrecy Act and Anti-Money Laundering risks remain prevalent as money-laundering methods evolve, and electronic bank fraud increases in volume and sophistication. Banks work to incorporate appropriate controls to oversee higher risk customers and new products and services.

This is from a report published by the OCC yesterday, located here.  (for quick reference, try m.infotex.com\occ062414).

The report presents data in five main areas: the operating environment; the condition and performance of the banking system; key risk issues; elevated risk metrics; and regulatory actions. It focuses on issues that pose threats to the safety and soundness of those financial institutions regulated by the OCC and is intended as a resource to the industry, examiners, and the public. The report reflects data as of December 31, 2013.

Six Reasons To Read the Report!
I believe studying this report can help a community-based bank in several ways:

  1. Question #1:  Do these risks apply to our bank?  Be sure that each of the above-expressed risks are somehow addressed in your next enterprise risk assessment.  Most auditors will use this as a guide to assure the mile-wide part of the inch deep assessment.  The risks expressed above may not apply to your bank, but you should at least be asking yourself if they do.
  2. Notice the format, tone, organization, and general expression of the report.  This is a risk analysis.  It is presented to you, the public, the way the OCC would like you to educate your team on the risk it faces.  It has an executive summary that, when read, gives high-level people a high-level summary of the entire report.  Risks are expressed in narrative form.  When it includes tables and pictures, they are to support the statements being made, rather than express the risks being accepted.
  3. Of course, understand and analyze the risks inherent in the above summary. especially if the answer to Question #1 is “yes, we’re seeing this.”  #1 seems to be related to #2, but they’re all inter-related in many ways, which is one of the Big Deliverables we’re finding in enterprise risk assessments.  And, you IT guys, you CAN understand the risks expressed in the five items without the word “cyber.”  And doing so will inspire others in the organization to understand the risk expressed in item #4!
  4. Regarding paragraph #4 though, notice that the words “heightened awareness” are the first to come after “requiring” when discussing cyber-risk.
  5. The second set of words in the cyber-risk paragraph:  appropriate resources.
  6. To me, a discussion about this report could be a good way to launch your next Enterprise Risk Assessment, if the kickoff meeting starts in the next six months or so, and especially if your organization is governed by the OCC.


Original article by Dan Hadaway CRISC CISA CISM.
Founder and Managing Partner, infotex

Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


Latest News
    Artificial intelligence carries risk, but so does organic ignorance … Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . At a recent conference, I noticed two camps emerging in the debate over artificial intelligence. Some people embrace AI as a tool, while others support Elon […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX We are pleased to announce the appointment of Nathan Taylor as our new Network Administrator at infotex.  “We are very excited to have Nathan join our team as a Network Administrator and look forward to his contributions to maintaining and improving our infrastructure!” […]
    about artificial intelligence . . . And who will protect us from it . . .  Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Just watched some press on the the Senate hearings over regulating AI. The normal senator faces, Sam Altman of OpenAI, […]
    The Evolution of an Inside Term Used in our Vendor Risk Report Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Those who audit infotex know that our vendor risk report refers to a couple of our providers as “ransomware companies.” This reference started evolving […]
    Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your […]
    New tools could allow unskilled attackers to launch increasingly sophisticated attacks… An article review. Imagine a world where you receive a call from your boss asking you to assist them with something… only it’s not your boss, but an AI being used by an attacker.  This isn’t science fiction, it’s an actual attack that has […]
    Unavailability Strikes Where it doesn’t matter anyway Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . So, I’m writing today’s article from a resort in the middle of Wisconsin.  I want to make sure I’m staying on top of my New Leaf, which is to […]
    . . . and the importance of segregated response. The latest edition of Executive Vice President, Michael Hartke’s article series! In 2007 when I first joined infotex, coming from small to medium sized business general IT support into the world of cybersecurity, the one thing that was very hard for me to internally rectify was […]
    How concerts can help us understand APTs . . . Especially if you use your imagination! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . My daughter reminded me of a concert Stacey and I attended way back in 2013, in Chicago.  It was one […]
    Mutiny! The Malicious Insider Threat Webinar Registration A Webinar-Video It is often awkward to bring up the one attack vector most of us have not addressed. The malicious insider threat. Even if we can flaunt all statistics and claim that the likelihood of an insider attack is low in our bank, the impact is still […]