Governance & Controls

  1. Controls
  2. Data
  3. Issues Management
  4. Change Management
  5. Actions

Companies will need to continue to act on prior regulatory findings in the area of heightened risk management and governance amidst changing levels of regulatory intensity. Companies will continue to be held to high expectations to enhance risk controls in areas such as cybersecurity, information protection, AI, and financial crime. However, investigations and enforcement actions related to corporate compliance, voluntary self-disclosures of misconduct, risk management programs, and individual accountability, though important, are anticipated to decrease in 2025.

1. Controls

As the complexity of the business operating environment increases, regulators expect a company’s governance and controls frameworks to fully incorporate policies and procedures that provide reasonable assurance of effective risk mitigation, efficient operations, reliable financial reporting, and compliance with laws and regulations.

Governance

The governance framework comprises the rules and practices by which the board ensures transparency, fairness, and accountability in how a company operates and communicates with its stakeholders. Regulators will assess the:

  • Clarity of roles, responsibilities, ownership, and accountability across all lines of business, Compliance, and Audit (i.e., three lines of defense).
  • Appropriateness of talent management, including skills development, recruitment, succession planning, and training (e.g., staffing to develop/deploy AI and other systems).
  • Stature afforded to risk functions (e.g., autonomy, empowerment, visibility).
  • Evidence of credible challenge and dynamic risk assessment in support of the design, effectiveness, and sustainability of risk controls.

Coverage & Quality

Key areas of regulatory interest include the:

  • Alignment of controls with the risk assessment results.
  • Content and quality of the controls inventory (e.g., right controls).
  • Adequacy, coverage, and effectiveness of controls testing, and timeliness in remediating identified gaps.
  • Efforts to converge testing functions and/or streamline redundancies and overlaps while preserving risk and compliance critical challenge.
  • Integration of controls with risk assessments and the ability to demonstrate actions taken (e.g., enhancements) based on assessment insights or events and/or failures.
  • Demonstrable efforts to guard against overconfidence and “risk complacency”.

2. Data

Regulators are intensifying their scrutiny of companies’ data management and data governance practices over risk management data, from aggregation capabilities to internal risk reporting practices. This focus on RDARR (risk data aggregation and risk reporting) is part of the regulators’ increasing supervisory and enforcement activities in areas of both financial and non-financial risk. Areas of heightened supervisory focus, where companies are expected to demonstrate both existing and sustainable control elements, include the following aspects of data:

Governance & Management

Expectations around data governance and management will include:

  • Clearly defined and formalized documentation of the governance model (i.e., roles, responsibilities, and accountabilities for the board, management, and across the business, Compliance, and Audit; policies, standards, and procedures), including mapping, ownership, and ongoing testing and monitoring of controls.
  • Assessment of data risks associated with RDARR, with associated data risk taxonomy and minimum control requirements.
  • Processes and controls for understanding data sources, and for governing data access, authorization, use, privacy, security, and sharing.
  • Identification and remediation of deficiencies in data, data outputs, or reporting (e.g., data quality, timeliness, accuracy, traceability, metrics, models).
  • Data management, including access controls; practices related to collection, retention, and disposal; third-party governance/agreements; and reporting capabilities at the lines of business and enterprise levels.
  • Companies’ ability to train, recruit, and retain skilled talent to identify, measure, and manage data risk.
  • Model risk management and third-party risk management (TPRM) with regard to advanced technologies/AI.

Universe & Tiering

An assessment of the adequacy of the scope and breadth of the “data universe” including:

  • The types of data and reports covered by the RDARR standard, including metrics, models and reporting (e.g., risk, regulatory, compliance).
  • Whether data classification, tiering, and risk ratings reflect the sensitivity, integrity, availability, and criticality of the data to the company.

Lineage

Companies are expected to have robust data lineage controls in order to demonstrate their ability to trace and report on the relationship between data outputs and business processes, sources, and systems of record and origin. Regulators will evaluate the level of process automation and coverage of the entire data flow (e.g., consolidating data from different business units/subsidiaries), compensating controls where automation is unavailable, and the accuracy and granularity of the data.

3. Issues Management

In 2023, financial services regulators noted that supervisory findings were increasing, and that the vast majority of outstanding issues were related to governance and controls. Accordingly, going into 2025, governance and controls are a supervisory priority for individual companies and across the sector, including issues related to operational resilience, cybersecurity, and TPRM.

Heightened Standards

Through effective governance and control processes, regulators expect companies to be able to proactively identify potential issues prior to regulatory, Compliance and/or Internal Audit findings, and to minimize their impact to the company. Heightened expectations are focused on the:

  • Completeness and quality of the issues inventory with a focus on root cause identification and analysis, and inclusive of issues associated with third-/nth-party arrangements.
  • Demonstrable “risk reduction” across the open-issues life cycle, and governance throughout the issues management life cycle (e.g., planning, implementation, validation, closure).
  • Identification and resolution of issues across business functions and across risk tiering, in addition to associated testing, critical challenge, and validation of sizing, mitigation, and resolution.
  • Demonstration and validation of sustainability.

4. Change Management

Organizations must not only comply with evolving risk management standards but must also maintain resiliency and adaptability through effective change management, a critical feature in continuous process enhancement and strategic risk framework adjustments.

Processes

Anticipate intensifying regulatory pressure on robust change management processes.

Review & Enhancement

Regulators will look for periodic review of, and changes/enhancements to, the risk management framework to reflect industry developments and other changes to the company's risk profile due to internal or external factors (e.g., new products, M&A, negative news, systems changes, regulatory changes). Regulators will look for risk and controls functions to be a part of continued business, operational, and technology change.

5. Actions

  • Strengthen risk and control methodologies: Strengthen methodologies to ensure proactive identification of new and emerging risks, processes to capture risks within business lines, documentation of controls effectiveness throughout end-to-end business processes, first line ownership of risk assessment and controls process, role of independent review / challenge, and remediation measures to address identified deficiencies in a sustainable manner. Ensure that processes are mapped/tied to controls and regulatory and policy requirements.
  • Review testing coverage: Review the overall approach to testing governance and processes (e.g., controls testing, toll-gate testing, substantive/outcome-based testing) with an eye to ensuring a proper balance of testing routines as well as increasing/adjusting coverage commensurate with the changing risk profile. Invest in automation, analytics, and process improvements (including methodologies) to meet stakeholder expectations.
  • Be explicit on standardized data controls: Ensure that there are standardized data controls aligned to data risks. Define clear guidance and scope for the lines of businesses and functions on the application of minimum control requirements and how to operationalize controls expectations.
  • Reassess issues management: Reassess the issues management process across the issue life cycle, from definitions, intake, and severity levels through to resolution timeliness. Ensure appropriate Quality Assurance and routine/ongoing critical challenge. Build and utilize root cause analysis, data analytics, and trending of issues, with demonstrable incorporation of learnings into risk and compliance enhancements.
  • Support sustained change: Integrate methods to support change in risk and governance frameworks including critical challenge (e.g., escalation procedures, actions initiated, decisions made, and proof of altered/terminated paths based on risk determinations); document root cause analysis and remediation; automate controls where possible; conduct ongoing monitoring and testing of sustained change.
  • Position, scale, and reward risk management: Appropriately position, scale, and reward risk management and compliance; hold individuals accountable, incentivize appropriate behavior, and penalize misconduct, including through compensation clawbacks and financial sanctions.

Ten Key Regulatory Challenges of 2025

Rolling through the Shift