Ahead of the 3rd Edition: Operational Risk Management & Organizational Transformation for Financial Institutions Conference, we spoke with Suzie Powers, SVP Enterprise Risk Testing at Regions Financial Corp., about where she finds common challenges within the operational risk governance framework, how she has overcome them, and how an integrated and streamlined approach to operational risk affects control testing.
Suzie, you will be participating as a panelist on the “Integrating Regulatory Compliance Goals” interactive discussion. What are some adopted strategies and practices that you have seen implemented for policy, governance, oversight, reporting and/or testing?
From a policy perspective, one of the strategies and practices we implemented several years ago was the establishment of a standard policy template with key components identified, so enterprise policies would have a similar look and feel but, more importantly, cover key components of what should go into a policy (e.g. scope, purpose, key requirements, definitions, roles and responsibilities, implementation mandate, etc.).
This helped to ensure policy writers had a roadmap for policy creation and ensure key components of a policy would not be missed. Annual review and approval of policies by oversight committees is also a key practice.
From a governance perspective, in addition to the traditional second line governance committees in place to oversee risk taking activities (e.g. Credit Committee, Operational Risk Committee, etc.), Regions established a framework for business units to create, lead and execute activities of Business Risk Committees a few years ago. As these BRCs have matured, there has been a much more focused understanding, ownership and awareness of risks by the first line of defense as they review and monitor KRIs and other emerging risks within their businesses. Most recently, Regions is undergoing a major initiative to “Simplify and Grow” the bank through streamlined processes, flattened organizational structures, and leveraging of shared services, one of which is the centralization of all compliance and operational risk testing. Our objective is to bring key resources together to create a more streamlined risk-based testing program, leveraging data analytics and automation. We are also moving away from an annual testing calendar and instead, moving to a quarterly cadence for more real-time testing priorities to be established, driven by KRI threshold breaches, new regulations or emerging risks that surface.
Where do you find common challenges within the operational risk governance framework, and how (if at all) have you overcome them?
A common challenge within the operational risk governance framework is the lack of a risk taxonomy that is used enterprise-wide. When different groups across the lines of defense use different rating scales and ratings, it makes it difficult not only to understand what the differences might be, but also prevents the institution from having an aggregate view of the risks. Having a consistent taxonomy and leveraging a GRC system is how we are overcoming this challenge. It will give us a clearer picture, with a consistent rating and scale, and give us the ability to see similar risks across the enterprise in a more cohesive fashion, as well as enhance and streamline reporting. Another common challenge is data and data quality. I am certain this is a challenge across our industry, given the number of legacy systems, as well as integration of other technologies and systems over time, due to acquisitions. We have established a Chief Data Officer and Data Officer to oversee data at our organization and this is a continued and ongoing effort. Good data is critical in order to leverage technology automation effectively.
How does an integrated and streamlined approach to operational risk affect control testing?
As I mentioned earlier, centralization of our compliance and operational risk testing is still in the very early stages of program development. However, we believe that the integrated and streamlined approach will allow us to deliver our testing reports more consistently, due to standardized processes across our risk testing teams, with a standard report format to deliver our report of control breakpoints to our key stakeholders. These testing results will be fact-based and enable us to provide an objective view of controls effectiveness. It will also allow us to align the appropriate skill sets internally and leverage the analytical talent and subject matter experts within our institution.
What are some strategies for mapping the risks, assigning the controls and/or testing the controls? What GRC tools/resources have you found to be helpful?
Operational risks are mapped through our RCSA process. Process walkthroughs are facilitated by our operational risk management team with the business and support groups. These are leveraged for identifying the key risks and controls within a process. We use Archer for our RCSA program. [Note: I have not been involved in this process, so don’t have first-hand experience to add to this question].
You will also be participating as a panelist on the “Innovation GRC Management Efforts” discussion. What are some key takeaways or insights that we can expect to hear from you during this session?
In the panel discussion around Innovation GRC Management Efforts, I will be sharing how we plan to leverage a combined compliance and operational risk testing program to minimize duplicative testing efforts by looking at key processes, identifying where both compliance controls and operational risk controls are embedded, and potentially killing two birds with one stone by testing attributes that will meet the objectives of both tests. I also plan to share how we will be leveraging our data analytics team, which is embedded in our risk testing group, to help expand our sample sizes, use technology and analytics to compare data elements, and allow our testers to focus their expertise on reviewing anomalies, which we hope will provide a more thorough and holistic approach to our testing.
Key Speakers Include:

Scott Gyllensten
SVP, Chief Operational Risk Officer
People's United Bank

Benoit SAINT-JEVIN
Head of OPC & TAC Coordination, Global Markets Americas
BNP Paribas

Gus Ortega
Head of Corporate Operational Risk Management, ERM
AIG

Adeline Cheng
Vice President, Compliance P&C Banking, Insurance, Caribbean Banking, & Privacy
RBC

Crystal Humphreys
SVP, Enterprise Risk Management
Zions Bancorporation

Key Topics Include:
Creating & Measuring the Risk Appetite for Operational Risk through an Improved Risk & Control Self-Assessment (RCSA) Program with BNP Paribas
Identifying & Mitigating Operational Risk, Reputation Risk, Conduct Risk, & Other Emerging Risks in Modern Banking Operations with People's United Bank and AIG
Advancing Model Governance & ERM Practices to Fully Align with Regulatory Expectations & Drive Business Efficiency with Zions Bancorporation
Developing Predictive Key Risk Indicators to Fit Within the ORM Framework with Bank of the West
Dedicating & Aligning Resources Across the Three Lines of Defense with RBC and CIBC Atlantic Trust Private Wealth Management
For More Information Contact:
Amanda Pink
Digital Marketing Coordinator
marcus evans Group
(312) 894-6310
amandap@marcusevansch.com
About the Conference
At the 3rd Edition: Operational Risk Management & Organizational Transformation for Financial Institutions Conference you will discuss strategies and best practices in adapting business models, transforming technology & operating processes, and responding to increasing cyber threats to attain flawless execution of policies & controls.
About the Speaker:
Suzie Powers currently serves as the Senior Vice President, Compliance and Operational Risk Testing Manager for the Enterprise Risk Testing Group at Regions Bank. She is an 8-year veteran with Regions, a top U.S. bank-holding company headquartered in Birmingham, Alabama, with $123 billion in assets, operating approximately 1,500 banking offices in 15 states. Prior to joining Regions, Powers served as Director of Mortgage Administration for BBVA Compass. Other positions held during her 10 years at Compass Bank included Chief Operations Officer and National Operations Manager for Compass Mortgage Financial Services. She has served in various roles throughout her 37-year banking career in Strategic Planning, Treasury, Finance, Mortgage Banking and Risk Management in California, Texas and Alabama. Powers earned a Master of Business Administration degree from the Notre Dame de Namur University and a Bachelor of Science Degree in Business Management from the Ateneo University.
An interview with:
Suzie Powers
SVP Enterprise Risk Testing
Regions Financial Corp.
Speaker at the:
3rd Edition: Operational Risk Management & Organizational Transformation for Financial Institutions
September 12-13, 2018 | New York, NY
Register today and SAVE $200 by using the code, SuziePowers, at checkout!
Copyright © 2018 Marcus Evans, Inc. All rights reserved.