Showing posts with label enterprise-wide risk management.

Wednesday, March 12, 2014

Your Brother’s Keeper: the OCC & Third-Party Mortgage Vendor Relationships

Background

National banks and federal savings associations are subject to the prudential regulation of the Office of the Comptroller of the Currency (the “OCC”). National banks may engage in activities that are part of, or incidental to, the business of banking, or are otherwise authorized for a national bank. The business of banking is an evolving concept, and the permissible activities of national banks similarly evolve over time.1 But when your bank’s senior management decides to outsource a critical function, especially a consumer-facing function like mortgage loan origination or servicing, you truly become your “brother’s keeper.” No Chief Executive Officer or Chief Compliance Officer wishes to be targeted by the OCC for failure to conduct adequate third-party vendor due diligence or ongoing monitoring.

It has long been understood that when senior management and boards of directors employ third-party entities to conduct all or part of a critical banking function without fully understanding the nature of the risks being introduced to the bank, and without ensuring appropriate risk controls, they breach their most fundamental fiduciary responsibility to depositors and shareholders.2 The Federal Financial Institutions Examination Council (the “FFIEC”) aptly notes that although the technology needed to support business objectives is often a critical factor in the decision to outsource, managing such relationships is more than a technology issue; it is an enterprise-wide corporate management issue.3

Long-standing OCC guidance

A national bank and its operating subsidiaries may make, purchase, sell, service, or warehouse loans or other extensions of credit for its own or another’s account, including residential mortgage loans.4 A bank may conduct its mortgage operations in conjunction with a third party not owned by the bank or bank holding company. Vendors, brokers, dealers, and agents can offer banks a variety of legitimate and safe opportunities to enhance product offerings, improve earnings, diversify assets and revenues, or reduce costs. In most instances the fundamental risks associated with activities introduced by third parties are no greater or less than the bank would have incurred had it performed the activity on its own.5

Historically, the OCC had very explicitly decreed that bank management cannot rely solely on third-party assertions, representations, or warranties when entering such relationships.6 Specifically, the OCC has long required that:

  • Before entering into a major relationship with a third party, a bank should establish a comprehensive program for managing the relationship.
  • Such programs should be documented and include front-end management planning, appropriate due diligence selecting a vendor, and performance monitoring.7

The requirements above were not merely satisfied by a bank relying solely upon its own internal Vendor Management Policy. The OCC expressly contemplated that the bank’s negotiators and signatories to the vendor contract would tailor the program to the specific vendor, and that the documentation would reflect the criteria and validation specific to that vendor with regard to the services for which the bank sought to contract.

OCC activity in the wake of Bulletin 2013-29

OCC treatment of third-party vendor risk management was further clarified when the agency issued Bulletin 2013-29: Third-Party Relationships - Risk Management Guidance on October 30, 2013.8 Among the OCC’s explicit guidance, the Agency deemed that an effective risk management process throughout the life cycle of the relationship includes:

  • plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party;
  • proper due diligence in selecting a third party;
  • written contracts that outline the rights and responsibilities of all parties;
  • ongoing monitoring of the third party’s activities and performance;
  • contingency plans for terminating the relationship in an effective manner;
  • clear roles and responsibilities for overseeing and managing the relationship and risk management process;
  • documentation and reporting that facilitates oversight, accountability, monitoring, and risk management; and
  • independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.

The OCC has wasted no time applying those third-party risk management principles, both immediately before and since the issuance of Bulletin 2013-29. On September 19, 2013, the OCC assessed a $60 million penalty against JPMorgan Chase and ordered the bank to reimburse consumers for unfair billing practices.9 In the JPMorgan Chase matter, the OCC order also requires the bank to take a number of corrective measures that include:

  • ensuring compliance with the FTC Act;
  • improving governance of third-party vendors associated with certain consumer products;
  • developing an enterprise-wide risk management program for such consumer products marketed or sold by the bank or its vendors; and
  • improving its consumer compliance internal audit program.

American Express Bank received an early Christmas present when the OCC announced on December 24, 2013 that it would assess a $3 million penalty against the bank and order restitution to customers for unfair billing and deceptive marketing practices.10 The OCC order, whose restitution payments also satisfied related Consumer Financial Protection Bureau (CFPB) obligations, requires the bank to:

  • improve governance of third-party vendors associated with “add-on” consumer products;
  • develop a risk management program for “add-on” consumer products marketed or sold by the bank or its vendors; and
  • conduct an “add-on” product review to, among other things, identify and remediate consumer harm and any program weaknesses.

The OCC has clearly communicated that it intends to aggressively protect consumers from harmful activities resulting from a bank’s use of third-party vendors, and that it will hold a bank fully responsible for that third party’s missteps.

Critical Attention to Pre-Contractual Due Diligence

Every activity undertaken by bank management and its agents should accord with OCC requirements, and support subsequent examination by the OCC, the internal audit function, and external auditors. The contemplation of a significant third-party business relationship that contributes directly to a bank’s growth plan should be disclosed in sufficient detail by bank management to the bank’s board of directors to facilitate the board’s fiduciary responsibility. Negotiators of a third-party business relationship (inclusive of bank management, holding company management, and legal counsel) are in the best position to review, inquire, and edit contract provisions accordingly prior to execution to ensure that all contract provisions directly address OCC compliance requirements, including those relating directly to third-party risk and due diligence.

Because bank management and its agents engage directly in the planning, negotiation, and execution of the third-party agreement, one should reasonably be able to conclude that those parties have conducted their activities in accordance with OCC Bulletin 2013-29.11 Before executing an agreement, bank management and its agents would have engaged in and fully documented both management planning and due diligence in selecting a vendor. The agreement itself would document the ongoing performance monitoring required to evaluate the vendor’s risk management posture over time. To fail to adhere faithfully to the details of the Bulletin by relying simply upon professional relationships or contractual representations and warranties would be both imprudent and discordant with explicit OCC guidance.

Ongoing Risk Assessment and Improved Governance

If a CEO or CCO had not been involved in contract negotiations with a third-party vendor, then that leader may not be able to independently confirm whether or not bank management and its agents adhered to OCC requirements during the pre-contractual due diligence period. Once that leader becomes aware that such a gap may have occurred, it becomes incumbent upon that leader to undertake an independent risk assessment of the third-party vendor relationship. This obligation becomes critically important when the third-party vendor is providing consumer mortgage loan services.

The auditors assigned to conduct the independent third-party risk management review should be able to request, obtain, and evaluate pre-contractual documentation, and supplement their initial conclusions with interviews of the individuals directly engaged in the planning, negotiation, and execution of the third-party vendor agreement. As with any audit, should the auditors identify exceptions to the OCC’s third-party risk management guidelines that present a material risk of non-compliance or future financial loss, the Chief Audit Executive should ensure that bank management and the bank’s board are so advised, so that remedial measures can be undertaken.

Conclusion

It is evident that the OCC expects governance, risk management, and controls (GRC) to be in place prior to and at the inception of third-party mortgage vendor relationships. Even as bank management remediates the existing relationship with a consumer mortgage vendor, all stakeholders should take note of the lessons learned from a less-than-thorough due diligence; explicit contractual role definition; and contractual provisions for detailed oversight, accountability, and monitoring. Future third-party vendor relationships must incorporate those onboarding elements as standard requirements of a larger enterprise-wide risk management process, lest the OCC surmise that your bank’s governance practices are insufficient to take heed of Bulletin 2013-29.


References

5      Third-Party Risk, August 29, 2000. (Subsequently rescinded by OCC Bulletin 2013-29)

6      Ibid.


Sunday, January 26, 2014

Starving for Compliance? Bring your Risk Appetite

“If it's your job to eat a frog, it's best to do it first thing in the morning. And if it's your job to eat two frogs, it's best to eat the biggest one first.”  ~Mark Twain

As Audit, Compliance & Ethics professionals, it is often our job to “eat a frog” and you likely find yourself sitting down to a banquet of frogs when crisis strikes your organization. Some of us consciously chose to enter the AC&E profession, while others with whom I’ve spoken tell me how their roles morphed into compliance functions. Either way, once we’ve accepted the responsibility to safeguard our organization’s enterprise risk management program, we must faithfully deploy an appropriate compliance framework.
One cannot simply purchase a compliance program at an online retailer, download it to your tablet, and check that task off your list. There is no one-size-fits-all compliance program that is going to align perfectly with every organization’s ERM model. The design of the compliance program begins with a studied understanding of the organization’s risk appetite. Delivering an off-the-shelf or generic compliance program to an organization without factoring in its risk appetite is like delivering a freeze-dried meal to a guest’s table without inquiring of her culinary preferences.

Risk appetite is the level of risk that an organization is prepared to willingly accept before mitigating actions are required to reduce it. Formulating the risk appetite requires the Board of Directors to consciously identify its consensus balance between the anticipated benefits of a chosen course of action and the threats that an uncertain future inevitably brings. Each area of risk may carry a different risk appetite. For instance, a well-capitalized organization bearing a trusted brand may be more averse to reputation and litigation risks, but more inclined to accept a moderate degree of financial and strategic risk. The same variation is found in compliance risk appetites.
A compliance purist, if such a person exists, would trend strongly toward risk aversion. A Gordon Gekko of Oliver Stone’s “Wall Street” would trend strongly toward risk hunger. Since compliance is not generally viewed as a profit center, a typical organization’s Board of Directors will formulate a compliance risk appetite that represents its view of an appropriate balance (i.e., it expects ethical business conduct that achieves its mission). A publicly-traded company may seek to maximize shareholder value and profit, but will likely seek to avoid criminal and civil prosecution. A non-profit organization may seek to maximize its impact by serving the largest number of people in a community, but will likely seek to minimize its administrative cost ratio and avoid excessive CEO compensation.

Organizations that design, employ, and monitor compliance programs that align with the Board of Directors’ risk appetite will encounter fewer compliance failures over the long-term. I am careful to point out that all organizations, no matter how well-run, will experience a compliance failure at some time. A risk appetite acknowledges that while risk may be mitigated, it generally cannot be entirely eliminated. To eliminate all risk is to forgo meaningful opportunities that competing organizations would be willing to accept, thus neutralizing your organization’s effectiveness in the space in which it competes. This fact does not apply only to for-profit companies, because non-profit organizations also compete for scarce resources and relevancy. Risk must always be recognized as a factor to be managed.
Whether you are designing a new program or enhancing an existing compliance program, you will want to ascertain your organization’s defined compliance risk appetite. Your compliance program, including training, monitoring, and Board-level reporting, must align to that risk appetite to provide appropriate risk management tools to support your organization. Finally, periodically revisit the relationship between the stated risk appetite and your program elements to ensure that you are making appropriate adjustments.

Don’t starve your compliance program. Embrace the risk appetite. Be prepared to one day confidently defend your compliance risk management program to your external auditors and prudential regulators…and enjoy that frog sooner than later.

Tuesday, November 5, 2013

Regulatory Compliance: Tear Down That Ivory Tower!

I recently ran into a Compliance colleague, “Jill”, whom I hadn’t seen in a while. As we exchanged pleasantries, Jill explained how busy she has been at her organization, to a point where she “couldn’t even get out of her office for lunch most days.” I understood her sentiment, but I challenged Jill’s premise that her most effective oversight of her Compliance Management Program was being accomplished sitting at her desk with her nose to the proverbial grindstone.

“What do you mean?”, Jill inquired.

“For starters, how are you assessing the compliance culture within and across your organization?”, I responded. I waited for the predictable response.

“I receive reports from each department head on a quarterly basis. I meet with those same department heads at least annually as we update our risk assessment.” And then she punctuated her response, “I always know what is going on from a Compliance perspective.”

We visited for a few more minutes before continuing on our respective journeys. I have the utmost respect for Jill, and the many colleagues with whom I’ve engaged in similar conversations over the years. But I was reminded again that day that differing viewpoints pervade our Compliance Management profession.

I liken the practice of our craft to that of a world traveler. In fact, given the international nature of Regulatory Compliance, many of us have become world travelers from time to time. But one cannot truly experience traveling the world by reading other people’s written accounts of foreign lands. Similarly, Compliance professionals cannot simply read stacks of reports, formally engage department heads once or twice annually, and conclude that they have traveled the organizational “globe”.

We’ve got to come down out of our ivory towers. In fact, we’ve got to tear down our ivory towers in the Compliance Department and never return to our old ways. Instead, let’s engage leaders at all levels across our organizations as often as possible. Informal dialogue that may occur within the context of a scheduled project meeting, or a chance meeting in the hallway, can often generate useful information that lends itself well to a holistic risk assessment.

Leaders want to tell you what concerns they are facing, and when those concerns signal regulatory compliance exposure, you have an opportunity to collaborate further toward a resolution. Internal Audit provides another natural source of regulatory compliance risk data gleaned from its expansive reach throughout your organization. Regulatory Compliance also finds a natural ally in the Information Technology Department, where governance, risk management and compliance looms large over an ever-evolving landscape. Compliance professionals grow to become trusted confederates with leaders of lines of business, Internal Audit and Information Technology.

So join me! Grab your water bottle or coffee cup, and explore your organization more freely. Engage others daily and take a more genuine interest in the regulatory compliance challenges facing your fellow leaders. Collaborate with them to develop lasting compliance solutions. Your risk assessments and resultant regulatory compliance program will flourish, producing more meaningful results for the entire organization. You won’t want to return to the ivory tower.

Friday, October 11, 2013

WHEN ETHICS AND EXPEDIENCY COLLIDE

“It is the mark of an educated mind to be able to entertain a thought without accepting it.” ~Aristotle

“There are no easy answers, but there are simple answers. We must have the courage to do what we know is morally right.” ~Ronald Reagan


As Compliance and Ethics Professionals, we are daily reminded that violations of law and dignity are no less common now than they were in ancient civilizations. We report upon and read about corporate, government, and personal scandals that boggle the mind. Acts and omissions that defy common sense are nonetheless undertaken out of expediency, greed and ignorance, only to eventually expose the perpetrators in the public square.

Why?

Why--with all the failed historical examples, complex laws, regulatory bodies, education and training—do some organizations continue to succumb to poor judgment and wrongdoing, while other organizations rise above?

While we speak often about the ‘tone at the top’, we must also acknowledge that ideas and actions emanate at all levels of our organizations. Driven by deadlines, profits, corporate goals, marketplace competition, etc., individuals contemplate ideas and execute upon those ideas. But not all ideas for generating revenue, decreasing expenses, or streamlining processes merit the same consideration.

An organization’s culture, modeled by its leaders at all levels, must unambiguously communicate that execution must meet its values. A healthy exchange of ideas should always be weighed sufficiently and transparently by knowledgeable stakeholders, so as to expose potential ethical, legal and financial pitfalls. Though we are charged with educating our operational and administrative colleagues about our Code of Conduct and our Legal and Regulatory obligations, we have the additional obligation to actively counsel them as well.

Leveraging our Anonymous Reporting Hotlines, Internal Audit Departments, and industry and regulatory trends, we ourselves must be prepared to actively engage our colleagues across our organizations to probe for prospective lapses. In a highly-charged competitive environment, we cannot idly sit by and fail to question if expediency is trumping ethical decision-making. Let’s not forget that we are the protagonists—not the villains—in this story.

Wednesday, August 21, 2013

YOUR DREAM TEAM: Where Everyone is a Compliance Leader

"In looking for people to hire, you look for three qualities: integrity, intelligence, and energy. And if they don't have the first, the other two will kill you." ~ Warren Buffett

“The supreme quality for leadership is unquestionably integrity. Without it, no real success is possible, no matter whether it is on a section gang, a football field, in an army, or in an office.” ~Dwight D. Eisenhower

Who leads legal and regulatory compliance at your organization?

How many of your employees are in a compliance role?

Before you respond, consider this…every employee in my organization is in a compliance role...and is charged with being a compliance leader. We only hire compliance leaders to fill each open position throughout the organization. Sales. Operations. Human Resources. Accounting. Facilities Maintenance.

You may be wondering why an organization would engage in such a hare-brained staffing strategy. (You may also be wondering how much longer such an organization could remain in business.) But hearkening back to the words of Warren Buffett and President Eisenhower above, how else could you possibly select talent?

In today’s increasingly complex international regulatory topography, no function within your organization escapes the need to develop policies, processes and training that will address compliance requirements at all employee levels. A CEO cannot simply rely upon an Internal Audit function, a Legal Department, or a Regulatory Compliance team to identify and mitigate all enterprise-wide risks.

Further, day-to-day compliance and risk management responsibility cannot fall solely upon the shoulders of department heads or supervisors. As leaders, each of you knows that far more events occur of which you are unaware than rise to your attention. Each of our employees, from the most senior to the newly-hired, must understand his/her vital role in preventing, identifying, reporting, and resolving the compliance issues that affect his/her respective role and department.

We must hire individuals that bring the added skill of compliance awareness. I want:

• a talented facilities maintenance employee who also appreciates the impact the EPA and OSHA have at our organization;
• a certified public accountant who also appreciates the impact that the SEC and PCAOB can have;
• a customer-focused call center agent who also appreciates the impact that the FTC and FCC can have; and so forth.

I’d rather have thousands of sets of eyes mitigating risk globally than rely only upon my own comparatively limited viewpoint. So, let me ask those questions a different way now…

Who doesn’t lead legal and regulatory compliance at your organization, and why not?

How many of your employees aren’t in a compliance role, and why not?

Wednesday, July 3, 2013

EXPOSING MY DIRTY LAUNDRY: Responding to Ethical Incidents in Advance

“Ethics is knowing the difference between what you have a right to do and what is right to do.”
~Potter Stewart, former U.S. Supreme Court Justice

“The time is always right to do what is right.”
~Martin Luther King, Jr., U.S. civil rights leader


Today’s revelation that former Olympus Corporation Chairman Tsuyoshi Kikukawa had received a suspended sentence for his role in a $1.7 billion accounting fraud is a reminder that neither business ethics courses nor prior real-world examples have stemmed the tide of high-profile executive wrongdoing.  In addition to former Olympus Executive Vice President Hisashi Mori, Hideo Yamada, the former auditing officer, also received a suspended sentence, debunking any myths that corporate audit and compliance professionals are above temptation.

Sufficient ink has been dedicated to detailing the corporate, government, and NGO ethical downfalls throughout the modern age. Fraud observes no geographical, political or industry boundaries. Ethical lapses remain pervasive and persistent, but I believe they are preventable.

What are you doing within your organization currently to acknowledge and mitigate the risks posed by executive ethical lapses?

Tone at the top is more than an email, a poster, or even a video distributed by your chief executive officer expounding the importance and benefits of maintaining an ethical culture. Real ethical leadership takes root within an organization when the board of directors and senior leadership infuse the culture with relevant actions.

  • Strategic planning conferences and periodic governance meetings should include ethics discussions on the agenda.
  • Tabletop exercises should be built around current ethical lapse events in your industry.
  • Internal metrics should be tracked and benchmarked against other like organizations.
  • Employees at all levels must be encouraged to ask questions and report observed ethical lapses in good faith without fear of retaliation.

What are you doing when a significant ethical lapse strikes from within your own organization?

At one time or another nearly every organization, be it for-profit, government agency, faith-based, etc., will need to address an ethical incident that emanates from within its own walls. More than just the fear of negative publicity or criminal prosecution should drive the organization’s response. Many a relatively minor ethical incident has morphed into fodder for bloggers and 24/7 cable news outlets simply due to senior level fumbling and obfuscation amidst embarrassing revelations.

In fact, the best time to publicly address ethical lapses within your organization is before one has emerged.

  • Plan, document and test your organization’s Ethical Incident Response Plan (E-IRP).
  • Educate senior leadership regarding effective and transparent communication strategy, obtaining communication training in advance where needs dictate.
  • Communicate in a coordinated, transparent and timely manner both internally and externally to your organization, erring on the side of humility and candor.

Organizations are governed and led by human beings. Men and women, regardless of demographic variables across cultures, shun the humiliation and ridicule that scandal generates. Applying an objective E-IRP model in advance of ethical lapses will mitigate the risk that my dirty laundry—or yours—will hang too long on the proverbial corporate clothesline.

Tuesday, April 23, 2013

COMPLIANCE & ETHICS: STAND YOUR GROUND OR STAND DOWN?

“When restraint and courtesy are added to strength, the latter becomes irresistible.”  --Mahatma Gandhi

Building upon the topic of my last article, I want to explore how you respond when called upon for your compliance or ethics perspective.
On the one hand, as the cliché goes, to him whose only tool is a hammer, every issue is a nail. At some phase of our own careers we may have found ourselves expounding first and asking critical questions later. At the very least we have encountered compliance professionals who may have operated from this viewpoint. As I recall one individual saying to me years ago, “If he didn’t want my honest opinion, then he shouldn’t have come to me for compliance advice!” At this end of the spectrum, every situation that arises, every request that is received, is met with an oft-detailed compliance laundry list that can bog down many a promising business initiative.
At the other end of the spectrum is the laissez-faire attitude toward compliance and ethics. In such an environment the duty of care is subjugated to the operational imperatives of running the business. Time is money. Rules were made to be broken. What they don’t know won’t hurt them. And so forth. Where compliance has become a reactionary repair mechanism and ethics don’t weigh into substantive decision-making, an organization will eventually find itself on a collision course with the U.S. Federal Sentencing Guidelines and other civil and criminal laws. The wise compliance and ethics professional attempts to improve this culture, but if unsuccessful may best be advised to exit amidst a noisy withdrawal.
Between the Compliance Overlord and the Compliance Pushover models described above lies the middle ground upon which the majority of us practice our profession. As we often must confess, the black-and-white scenarios aren’t the ones we’re generally called in to decide; management can make those clear-cut calls on its own with ease.
When management encounters the Overlord too frequently, then management will avoid consulting compliance and ethics professionals. A resulting pattern of inconsistent and self-serving decision-making increases in this environment, exposing the organization to decreased morale, employee confusion, and potential litigation.
When management encounters the Pushover too frequently, then management will only seek out compliance and ethics professionals to rubber-stamp otherwise questionable or insubstantial decisions. A resulting pattern of patchwork compliance counsel that largely misses the breadth of business line decision-making spreads in this environment, exposing the organization to rogue players, overly-confident self-assessments, and potential litigation or criminal prosecution.
In short, know when to stand your ground and know when to stand down and let management carry on.
When our organization’s compliance & ethics culture is strong, visible, and active, then management and employees know that they can rely upon us to exercise good judgment in the face of ambiguity. Your good judgment is best understood within and across your organization when exercised judiciously. When you get to know your management colleagues, truly understand their business strategies and objectives, and defer to their expertise when compliance and ethical standards are being substantially met, you will earn that reputation for wise and judicious counsel.
When you weigh in on matters sparingly and appropriately, your organization will prosper ethically in your stead.

Thursday, March 28, 2013

Enterprise Risk Management: Captain Kirk Confronts the Final Frontier

When faced with the regulatory mandate to incorporate or improve your organization's enterprise (or enterprise-wide) risk management (ERM) process, we can sometimes feel like a Klingon confronting Tribbles. To succeed with ERM within our organization, we must instead adopt the attitude expressed by Captain James Kirk in the 'Day of the Dove' episode: "There's another way to survive. Mutual trust...and help."
Several years ago, the federal banking regulators set off on a mission to bring Enterprise Risk Management (ERM) to the forefront of financial institution governance expectations. In the ensuing years, state insurance regulators have joined the mission through the National Association of Insurance Commissioners (NAIC) Own Risk and Solvency Assessment (ORSA) model act. The topic continues to get considerable attention in recent regulatory guidance, including Federal Reserve Board (FRB) supervisory letters 12-7 and 08-8. The Federal Reserve Bank of Chicago (FRB-C) devoted considerable attention to the topic at its 2011 conference.

What appeared to be a distant risk management galaxy in the late 1990s has certainly become an oft-discovered governance imperative for financial institutions. As a financial industry executive, you know that you have been charged with the responsibility “to boldly go where no man has gone before.” Much like the voyage of the storied U.S.S. Enterprise, your voyage has taken you to strange new worlds as you have sought to develop or improve your ERM model.

When you have set out to build a robust risk management infrastructure to integrate, coordinate and facilitate forward-looking risk management throughout the enterprise, you invariably have encountered (or will encounter) skeptics. Captain Kirk addressed this challenge in the 'A Private Little War' episode: "The only solution is...a balance of power. We arm our side with exactly that much more. A balance of power...the trickiest, most difficult, dirtiest game of them all. But the only one that preserves both sides."
But make no mistake about it: ERM is not optional and is here to stay. Thus, we often will find ourselves educating senior leadership colleagues and independent directors about ERM, in parallel with obtaining the necessary data to build, enhance, and report upon our ERM model. ERM cannot simply become a once-and-done exercise that ends up in a binder on your credenza.

Building a culture around ERM involves acclimating leadership throughout the organization to a continuous reporting system that identifies and addresses emerging risks. Strategic initiatives and ongoing business planning are evaluated in light of current and emerging risks, and that analysis is incorporated into leadership and board decision-making. ERM becomes a discussion item at least weekly within the leadership team, and a standing agenda item for your board, often through an ERM committee. Reports are designed to be condensed, accurate and meaningful for decision-making.

Internal Audit and Compliance play key roles in the ERM process. The periodic review and validation of the model through targeted risk assessments must be conducted under the direction of the organization’s senior leadership to support the organization’s risk appetite.

Occasionally, Captain Kirk and his officers would find themselves enmeshed in a scene from Earth's pre-space travel history, yet the episode always ended with our beloved travelers safely back aboard the U.S.S. Enterprise. As your ERM model and methodology evolve, it is likely that the organization will also never return by the way that it arrived, because external variables will continually infiltrate the ERM model. Most notably, your organization’s ERM will remain under the scrutiny and be subject to the recommendations of your prudential regulator. There simply is no going back.

Continue to be the evangelist for sound enterprise risk management in your organization, devoting yourself to encouraging, educating and embracing your colleagues as you faithfully fulfill the ERM governance role entrusted to you. Much like Kirk, may you live long and prosper in your role.