About Us | Contact Us
View Cart

The OCC’s Risk Analysis Executive Summary

By Dan Hadaway | Wednesday, June 25, 2014 - Leave a Comment

Top Six Risks Defined by OCC

(And the top six reasons to read the report, defined by Dans New Leaf!)

Another  one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . 

So right in the middle of requiring banks to roll out enterprise risk assessments, the OCC expresses the top six risks facing their banks, as follows:

  1. Competition for limited lending opportunities is intensifying, resulting in loosening underwriting standards, particularly in indirect auto and leveraged lending. Easing in underwriting and increased risk layering is also occurring in commercial loans.
  2. The prolonged low interest rate environment continues to lay the foundation for future vulnerability. Banks that extend asset maturities to pick up yield, especially if relying on the stability of non-maturity deposit funding in a rising rate environment, could face significant earnings pressure and potential capital erosion depending on the severity and timing of  interest rate moves.
  3. Many banks continue to re-evaluate their business models and risk appetites to generate returns against the backdrop of slow economic growth and low interest rates. OCC examiners will focus on banks’ strategic business and new product planning to ensure appropriate risk management processes are established.
  4. Cyber-threats continue to evolve, requiring heightened awareness and appropriate resources to identify and mitigate the associated risks.
  5. Financial asset prices have experienced very low volatility for an extended period. As a result, measures of price risk, such as value-at-risk, are at very low levels. The reduced willingness of dealers to hold securities in inventory, due to capital and other concerns such as a change in monetary policy, could contribute to greater price swings going forward and increased price risk.
  6. Bank Secrecy Act and Anti-Money Laundering risks remain prevalent as money-laundering methods evolve, and electronic bank fraud increases in volume and sophistication. Banks work to incorporate appropriate controls to oversee higher risk customers and new products and services.

This is from a report published by the OCC yesterday, located here.  (for quick reference, try m.infotex.com\occ062414).

The report presents data in five main areas: the operating environment; the condition and performance of the banking system; key risk issues; elevated risk metrics; and regulatory actions. It focuses on issues that pose threats to the safety and soundness of those financial institutions regulated by the OCC and is intended as a resource to the industry, examiners, and the public. The report reflects data as of December 31, 2013.

Six Reasons To Read the Report!
I believe studying this report can help a community-based bank in several ways:

  1. Question #1:  Do these risks apply to our bank?  Be sure that each of the above-expressed risks are somehow addressed in your next enterprise risk assessment.  Most auditors will use this as a guide to assure the mile-wide part of the inch deep assessment.  The risks expressed above may not apply to your bank, but you should at least be asking yourself if they do.
  2. Notice the format, tone, organization, and general expression of the report.  This is a risk analysis.  It is presented to you, the public, the way the OCC would like you to educate your team on the risk it faces.  It has an executive summary that, when read, gives high-level people a high-level summary of the entire report.  Risks are expressed in narrative form.  When it includes tables and pictures, they are to support the statements being made, rather than express the risks being accepted.
  3. Of course, understand and analyze the risks inherent in the above summary. especially if the answer to Question #1 is “yes, we’re seeing this.”  #1 seems to be related to #2, but they’re all inter-related in many ways, which is one of the Big Deliverables we’re finding in enterprise risk assessments.  And, you IT guys, you CAN understand the risks expressed in the five items without the word “cyber.”  And doing so will inspire others in the organization to understand the risk expressed in item #4!
  4. Regarding paragraph #4 though, notice that the words “heightened awareness” are the first to come after “requiring” when discussing cyber-risk.
  5. The second set of words in the cyber-risk paragraph:  appropriate resources.
  6. To me, a discussion about this report could be a good way to launch your next Enterprise Risk Assessment, if the kickoff meeting starts in the next six months or so, and especially if your organization is governed by the OCC.


Original article by Dan Hadaway CRISC CISA CISM.
Founder and Managing Partner, infotex

Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”


Latest News
    You’ve heard it from every MSSP you’ve met: the definition of a SIEM is in the eye of the beholder. But at infotex, we are not talking about the database – an asset whose definition is continuously evolving. We’re talking about the way three teams collaborate in an overall Technology Risk Monitoring process. And whether […]
    A new study shows organizations are responding to cyber attacks faster than ever, so why is that bad news? An article review. When it comes to cyber attacks, the sooner an organization can begin to respond to an attack the better, so the results of a new study showing a drop in the amount of […]
    …a Crash Course of Security Measures The first article by Sara Fultz, Creative Assistant of infotex! Introduction: As the managing partner of infotex, I am proud to introduce the “debut article” for Sara Fultz.  I told Sara “write an article showing us what you’ve learned that the technical staff will appreciate.” As I read her […]
    infotex Programming Coordinator, Michael Hartke, introduces a high level overview of the upcoming update to the infotex SIEM. Look for more movies in the coming months informing our Clients, and those just now learning about us, about the SIEM and its features and functions.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    As the investigation of the SolarWinds Hack was ongoing, another hack stole some of the limelight… This is the final update on the SolarWinds hack unless a major development comes to light. You can see the previous article here: “Autopsy of the SolarWinds Hack Update“. One of the largest cyber-espionage campaigns in the history of […]
    Employees working from home may find it more difficult to follow security policies… An article review. The surge in employees working from home during the pandemic created many headaches for IT departments around the world, many of whom had no telecommuting policies or procedures before the start… but what about the employees who had to […]
    A Webinar-Movie infotex presents the 2021 update of a previously released webinar presented by our Lead Non-Technical Auditor, Adam Reynolds. This movie-short is intended for those who are planning to participate in an infotex Incident Response Test. Not sure about the importance of an Incident Response Test? Check out onetest.infotex.com for more information! Please let […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS INFOTEX PROMOTES BRYAN BONNELL TO DIGITAL MEDIA MANAGER infotex, the Managed Security Service Provider, announced Bryan Bonnell’s promotion from Senior Data Security Analyst to Digital Media Manager.  “He will continue his normal DSA duties on a limited basis, because we want everybody to stay in touch with […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS RYAN HENSLER OF INFOTEX, EARNS CISSP CERTIFICATE Ryan Hensler, Senior NOC Associate of infotex, Inc., recently received the CISSP certification. “Ryan has proven himself to be a seasoned security professional both in his work for infotex and now through achieving this certification.” said Sean Waugh, Information Security Officer. […]