The Rewards of Risk-Based Compliance
One of the trends I've been noticing over the last couple of years or so from the various governing bodies is the messaging regarding using a risk-based approach in designing compliance solutions. Quite frankly, I'm relieved.
As someone who is driven by common sense in just about everything I do (I prefer to work smarter, not harder), I often find myself questioning why some of my clients need to spend time and money complying with regulatory elements that don't necessarily apply to their business. Until the recent shift toward a risk-based approach, the dialogue between banks and examiners seemed something akin to the age-old quandary of "why" versus "because I said so." If the regulation said you needed a policy for, say, program change control, and your institution doesn't code any of its own applications, there was still a chance you could get dinged for not having a policy in place. For many institutions, it was easier to simply create a policy and avoid the argument. But with the recent push toward a risk-based approach, banks have the opportunity to have a dialogue with their regulatory agency's representatives.
Of course, this places greater emphasis on getting a properly executed risk assessment done at the outset of the compliance cycle. But that should have been part of the program anyway. At least now banks can focus their efforts on the areas that present the greatest risk to the institution.
I'm all for changes that result in more meaningful work being done.
What's your experience, pro or con, with the risk-based approach?