Trust but verify: Controlling processes
One of the key steps in implementing policy is to make sure what’s required by the policy is actually done. A “trust but verify” approach both ensures that processes are being followed and gives audit functions and external parties evidence that strong controls are in place.
There are two basic ways a process can be controlled: (1) stopping action before a step happens through process control points and (2) review after the fact using reporting. Each has benefits and drawbacks.
Process Control Points
Part of the benefit of creating process maps is that they allow the process owner to see key steps in the process. For example, a manager’s approval for a risk rating that differs from the scorecard is a process control point. The salient feature of process control points is that they stop the action flow until the control is met. Therefore, they should be used carefully and reserved for situations where the risk of failure at a step outweighs potential delays.
These controls are even stronger when they can be systematized. For example, if the system that is being used for risk rating is configured to require the manager’s approval when it sees a risk rating being assigned that does not match the scorecard, then it becomes nearly impossible to forget this step.
Regular Monitoring Reports
Reporting by definition takes place after the fact, so this method for controlling a process should be focused on those elements that individually do not have a high risk factor, but that combined and over time could pose an issue to the financial institution.
Let’s take risk rating as our example again. The risk inherent in assigning a rating that differs from the scorecard is mitigated on the individual loan by the requirement of a manager’s approval. However, there is still a risk that the scorecard becomes outdated because of changing market conditions. Over time, the number of final ratings that differ from the scorecard would increase. This shift would be difficult to see one by one. Regular reporting would provide insight into whether there is a systemic change.
At the time the control is established, management should also determine what level of deviation from expectations causes concern and what corrective actions will be taken if a trigger is breached. Some processes will have enough data to support statistically-based triggers, such as at a certain standard deviation from the norm. More likely for credit policy implementation, triggers will be set based on expert judgment and supported by data. The litmus test is to catch the issues before the deviation from expectation causes risk to the entire process.