Operational Risk Management
Servicers are expected to communicate and enforce an environment that supports internal control activities throughout the organization. There should be adequate managerial and supervisory controls in place to ensure compliance, to identify control deficiencies and inadequate processes, and to address control breakdowns. Servicers should test their internal controls periodically to evaluate the effectiveness of their internal control environment. Additional tests of controls may be required depending on circumstances such as the introduction of a new regulation, the amendment of an accounting standard, or a significant change in a servicer’s operations such as digital transformation. Based on the risk areas applicable to the digital initiatives, different control measures should be designed in line with leading standards and industry practices.
Well documented standardized processes, controls, policies, procedures and guidelines ensure effective risk management.
| CSF reference | Description | Enterprise Risk Management mapping |
|---|---|---|
| 6.3.3.1 Quality Assurance Control Measures | Control deficiencies are identified through preliminary walkthroughs, substantive testing, and various audit and oversight activities. | Enterprise Risk Management: Operational Risk Management: Quality Assurance Control Measures |
| 6.3.3.2 Operational Risk Management Framework | Strategy to identify and mitigate the risk resulting from inadequate or failed internal processes, people, and systems. The framework also includes a risk-based approach to managing cyber security and digital risk. | Enterprise Risk Management: Operational Risk Management: Operational Risk Management Framework Control Exceptions |
Evaluations and Recommendations
- Identify and prioritize opportunities for improvement within the framework of a continuous and repeatable process.
- Maintain a method to identify, assess and control risk factors, including but not limited to personnel, technology, cyber security, and physical security.
- Partner with internal audit and compliance teams to provide a consultative approach to designing solutions to ensure compliance and minimize other risks.
- Provide training to all employees.
- Activities related to cyber or digital risk should extend beyond the ownership of information technology and include business owners and senior leadership.
- A standard process should exist for executing changes to existing systems.
- Assign an Information Security liaison within the first line of defense.
- Top-down awareness messaging and training programs, adjusted periodically to cover the latest potential threats.
- Perform ongoing measurements against defined KPIs.
Assessment Area Evidence