In the first part of this series, I outlined steps readers could take to assess their company for risk. So, how did your first risk underwrite meeting go? For many, the session was filled with discussions that created an agenda for the next meeting, yet probably ran overtime and did not complete all of the desired tasks on the agenda.
Regardless, your meeting was a success! Gathering a team of committed members to participate in the risk preparedness process is key to a thorough review. A committee of one assigned to all tasks is not a realistic approach to meeting the challenges of risk and compliance management.
Note: Most regulatory and agency reviews seek an organizational chart of compliance and risk management personnel and, in some cases, job descriptions and resumes associated with each of their responsibilities.
Your meeting was unsuccessful if the ownership and allocation of tasks resulted in the sole engagement of a third-party compliance and risk management vendor, the purchase of policies and procedures manuals, or the purchase of Web-based software designed to keep you protected and send or produce a report.
These resources are just that: resources. Third-party individuals and “primers” are a great assist for your committee members, but they do not change the fact that most regulatory bodies want to see that management owns the policy and procedure process and is in control of the daily monitoring and adjusting that’s often required.
More than likely, your initial meeting resulted in quite a number of questions and ideas for follow-up. In the meeting, it was suggested that your team review the CFPB’s “large-ticket items,” or the most essential compliance issues that must be tackled. Having team members divide ownership of these large-ticket items will allow for more focused development and review of risk and compliance issues, so the team as a whole can examine steps toward mitigation.
Internal controls result from interpreting and defining risk from your policies and procedures. By testing the effectiveness of your compliance activity, you can analyze your management efforts to protect the consumer, the investors, the community, the industry, and the safety and soundness of your company.
The second item on the agenda, which will more than likely spill over into a subsequent meeting or two, should be the creation of subcategories for each of the larger items. These subcategories are where the detail and assessment begin to take place. Don’t forget to take those ideas and questions that arose in the initial meeting and place them within a large-ticket item subcategory.
For example, under the advertising/marketing category, your policies and procedures indicate there are specific state, federal and agency advertising requirements; disclaimer requirements; licensing notations; logo use and inclusion; prohibited statements and terms; and documented claims and prohibited offers. Each of these items is a subcategory that will impact the development of internal controls and result in measurement and testing of risk mitigation. Begin to identify the subcategories of each of these large-ticket items in your meeting and continue until all have been broken down.
In the next part of this series, we will examine subcategories and internal controls in more detail.