Thursday, September 3, 2020

Management Oversight: Evaluation Methods

Our Board of Directors has asked our internal audit group to provide an evaluation of our management. Some members of our management are resisting, saying that they do not need to be bothered with oversight.

We decided to retain an independent internal audit for this purpose, and your firm’s name was mentioned. We are contacting you to discuss this matter. In the meantime, I wonder if you would share with all of us some insight into how financial institutions should evaluate management oversight from a self-assessment point of view.

We have two questions.

First, what should evaluation of management oversight consider?

And second, what questions should we ask as part of a self-assessment?

Quis custodiet ipsos custodes?[i]

Who will guard the guards themselves?

This Latin phrase comes from the Satires, a collection of satirical poems by the 2nd-century Roman poet Decimus Junius Juvenalis, better known as Juvenal. 

In Plato’s Republic, there is a considerable disquisition on how to control persons in positions of power whose actions may lead to abuse of authority.[ii] 

Juvenal was referring to the notion that wives cannot be trusted, so keeping them under guard would be a good way to monitor them. Pessimistically, however, he suggests that guarding them is no solution, because the guards themselves cannot be trusted.

Plato was more optimistic about human nature. He thought that people in power could be trusted to behave properly and that it was "absurd" that they should require oversight. Indeed, Glaucon, Socrates’ interlocutor, states: “Yes, it would be ridiculous that a guardian should need a guard.”[iii]

There is nothing absurd about management oversight in a financial institution. Whether the initiative is undertaken as a self-assessment or an internal audit, management should receive a great deal of oversight. 

An evaluation is needed, but will it be effective? It would seem that Juvenal’s view – “who will guard the guards themselves” – leads to evaluation, while Plato’s view – it is “ridiculous that a guardian should need a guard” – leads to resistance.

Management oversight is how a financial institution determines that strategic policies and objectives are being met through an evaluation of policies, plans, programs, and projects carried out by people charged with the authority to achieve expected results. These results should be accomplished in compliance with applicable policies, laws, regulations, and ethical standards. A Board stands “over” management hierarchically, and, as such, focuses its “sight” on management actions.

When Lenders Compliance Group conducts an independent internal audit, we include a review of many factors involved in management oversight. Our philosophy is that our evaluation of oversight functions is meant to look at a process, program, or project “from above,” as an independent agent (as it were) for the Board’s governance role. The Board generally is not involved in day-to-day management, but an oversight evaluation can provide mission-critical information about whether the Board’s many obligations are being duly implemented.

I am going to provide a set of factors that my firm takes into consideration when we are retained for an internal audit, which necessarily includes management oversight. 

If you only need an evaluation of management oversight, keep your costs down and use our Management Tune-up®, which is a targeted, cost-effective, mini-audit that provides an extensive report and risk rating. 

If interested, click HERE and we’ll send you information about it.

Concerning your first question about evaluating management oversight, we consider a host of factors and conditions. The following list provides a few important considerations.

- Extent of Board oversight and involvement in assuring compliance with consumer protection and fair lending laws and regulations.

- Training of directors and senior management regarding compliance and fair lending issues.

- Rationale for implementing new policies or procedures or modifying existing ones.

- Any negative comments on rejected loan applications during loan committee or any other meeting (such records must be traced to the specific loan file to assure that no unlawful disparate treatment or discrimination was involved in the denial).

- Consideration of new loan or deposit products and strategies for their implementation.

- Consideration of new software or software vendors.

- Consideration of third parties for compliance audits.

- Approval of, and rationale for, branch openings and closings.

- Whether the Board documented its review of the prior report, including, as applicable, a discussion of recommendations for policy changes, the adoption of those revisions, and a report on corrective action and subsequent testing for identified violations.

Your second question involves the questions you want to ask when conducting a self-assessment for management oversight. I am glad you want this information because asking the right questions is the key to getting useful answers. Keep in mind that your review should use collected materials as well as discussions with management. 

I will put these questions in the context of compliance because that is (and should be) the cornerstone of this review. Be sure you have the remit to determine if management oversight is strong, adequate, or weak. I think you should consider the following questions.

- What is the business strategy, and what are the compliance implications of that strategy (for example, elevated risk due to rapidly growing subprime lending, cutting-edge e-banking activities, and so forth)?

- What particular compliance-related area(s) does management feel are weak or in need of review?

- Have the Board and senior management worked to foster a positive climate for compliance?

- Has management allocated the appropriate level of resources to compliance?

- Does the institution have a designated compliance officer and/or compliance committee? (If not, is the absence of an officer or committee significant in light of the institution’s resources and risk profile?)

- Has management ensured that the compliance officer(s) and/or compliance committee have the level of authority and accountability needed to administer the institution’s compliance management program effectively?

- Has management responded correctly and promptly to consumer complaints?

- Has management responded deliberatively to deficiencies noted and suggestions made at previous examinations and audits?

- How does management stay abreast of changes in regulatory requirements and other compliance issues? (Is this method effective in light of the institution’s resources and risk profile?)

- How does management ensure that the institution’s staff stays abreast of changes?

- How does management ensure that compliance is considered part of new product and service development, marketing, and advertising? 

- How does management ensure that due diligence is performed before changing software or software vendors or third-party audit providers?

- What is the level of management’s knowledge of compliance issues?

- Does a review of the Board and/or compliance committee minutes indicate a reasonable level of Board involvement?

- Is the Board aware that it is ultimately responsible for the institution’s compliance management program? 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
[i] Juvenal, Satires, Liber secundus, Satura VI, in D. Junii Juvenalis Saturarum Libri V.
[ii] Plato, The Republic, Book III, XII.
[iii] Ibid., my translation.