About Us | Contact Us
View Cart

The OCC’s Risk Analysis Executive Summary

By Dan Hadaway | Wednesday, June 25, 2014 - Leave a Comment

Top Six Risks Defined by OCC

(And the top six reasons to read the report, defined by Dans New Leaf!)


Another  one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . 

So right in the middle of requiring banks to roll out enterprise risk assessments, the OCC expresses the top six risks facing their banks, as follows:

  1. Competition for limited lending opportunities is intensifying, resulting in loosening underwriting standards, particularly in indirect auto and leveraged lending. Easing in underwriting and increased risk layering is also occurring in commercial loans.
  2. The prolonged low interest rate environment continues to lay the foundation for future vulnerability. Banks that extend asset maturities to pick up yield, especially if relying on the stability of non-maturity deposit funding in a rising rate environment, could face significant earnings pressure and potential capital erosion depending on the severity and timing of  interest rate moves.
  3. Many banks continue to re-evaluate their business models and risk appetites to generate returns against the backdrop of slow economic growth and low interest rates. OCC examiners will focus on banks’ strategic business and new product planning to ensure appropriate risk management processes are established.
  4. Cyber-threats continue to evolve, requiring heightened awareness and appropriate resources to identify and mitigate the associated risks.
  5. Financial asset prices have experienced very low volatility for an extended period. As a result, measures of price risk, such as value-at-risk, are at very low levels. The reduced willingness of dealers to hold securities in inventory, due to capital and other concerns such as a change in monetary policy, could contribute to greater price swings going forward and increased price risk.
  6. Bank Secrecy Act and Anti-Money Laundering risks remain prevalent as money-laundering methods evolve, and electronic bank fraud increases in volume and sophistication. Banks work to incorporate appropriate controls to oversee higher risk customers and new products and services.

This is from a report published by the OCC yesterday, located here.  (for quick reference, try m.infotex.com\occ062414).

The report presents data in five main areas: the operating environment; the condition and performance of the banking system; key risk issues; elevated risk metrics; and regulatory actions. It focuses on issues that pose threats to the safety and soundness of those financial institutions regulated by the OCC and is intended as a resource to the industry, examiners, and the public. The report reflects data as of December 31, 2013.

Six Reasons To Read the Report!
I believe studying this report can help a community-based bank in several ways:

  1. Question #1:  Do these risks apply to our bank?  Be sure that each of the above-expressed risks are somehow addressed in your next enterprise risk assessment.  Most auditors will use this as a guide to assure the mile-wide part of the inch deep assessment.  The risks expressed above may not apply to your bank, but you should at least be asking yourself if they do.
  2. Notice the format, tone, organization, and general expression of the report.  This is a risk analysis.  It is presented to you, the public, the way the OCC would like you to educate your team on the risk it faces.  It has an executive summary that, when read, gives high-level people a high-level summary of the entire report.  Risks are expressed in narrative form.  When it includes tables and pictures, they are to support the statements being made, rather than express the risks being accepted.
  3. Of course, understand and analyze the risks inherent in the above summary. especially if the answer to Question #1 is “yes, we’re seeing this.”  #1 seems to be related to #2, but they’re all inter-related in many ways, which is one of the Big Deliverables we’re finding in enterprise risk assessments.  And, you IT guys, you CAN understand the risks expressed in the five items without the word “cyber.”  And doing so will inspire others in the organization to understand the risk expressed in item #4!
  4. Regarding paragraph #4 though, notice that the words “heightened awareness” are the first to come after “requiring” when discussing cyber-risk.
  5. The second set of words in the cyber-risk paragraph:  appropriate resources.
  6. To me, a discussion about this report could be a good way to launch your next Enterprise Risk Assessment, if the kickoff meeting starts in the next six months or so, and especially if your organization is governed by the OCC.

 

Original article by Dan Hadaway CRISC CISA CISM.
Founder and Managing Partner, infotex

Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

 

Latest News
    Today we present a special BONUS awareness poster for YOUR customers (and users).  This update to the April 2022 Awareness Poster takes some cues from the Dan’s New Leaf article: Why Local? Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the […]
    Awareness is 9/11’s of the battle, if we use it! Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . One of my old college buddies hates banks.  He was turned down for a loan a long time ago and just can’t let go.  I actually […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE SERVICE NEWS Dateline: Dayton, IN, June 22, 2022 We are proud to announce that infotex will now be supporting Endpoint Detection and Response (XDR/MDR)! We can manage/monitor solutions you already have or offer one as part of our service while still maintaining a segregated response posture. In recent years […]
    Over 85 percent of surveyed companies report having no  centralized monitoring of networked industrial devices… An article review. If you are involved in IT within your organization, you’re probably aware of the importance of being able to monitor relevant activity from your networked devices, especially if your organization is involved in healthcare, finance, or government.  […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    We always strive to bring you the best content that we possibly can. Your opinion on any content, presentation, service, or anything else you have received from us is important! Please click the button below to let us know how we are doing!  
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]