A Quick Guide to Risk and Gap Assessments for Complete Compliance Oversight
Industry compliance demands more from collection agencies with the rollout of new rules, new regulations, and new technology. Not keeping up with the industry dynamics can lead to more gaps and more risk. A gap and risk assessment (GRA), as a control assessment tool, can help you identify gaps in your policies, procedures, or compliance controls and evaluate what remediation your agency will need to mitigate new internal and external risks. Recently, Provana sponsored a webinar from Research Assistant and insideARM that covered the do's and don'ts of risk and gap assessments. Here are the key takeaways from the webinar that will help you break a risk assessment into manageable chunks, assign responsibilities, win support from operations, and optimize ongoing audits.
Follow a natural risk assessment cycle
For risk assessments, start with broader-scope questions on consumer welfare, data security, and operational risk (technology, client, and financial). Creating a list of these questions will not only help you identify key risks but also guide you to the areas where you will need a deeper audit (or audits) to mitigate compliance risks. To compile the list, ask as many "why" questions as possible. Understand why things are happening a particular way in one of the areas mentioned above. Question why the workflows are set up a certain way. These questions will, later on, help you simplify normal operational issues and point out common operational waste.
As the next step, sketch out a remediation plan for each risk. The plan should specifically guide you through the steps you need to complete once you identify a new risk. Remediation should then be followed by audits performed at short intervals to examine and document the effectiveness of the risk responses set out in the remediation plan. All data evaluated during the audit should then be recorded and reported so it can be used in the next gap and risk assessment.
Split the assessment into manageable pieces
Given that it is always beneficial to keep the GRA going throughout the year, it is important to split the overall exercise into manageable segments and timelines. To organize the assessment process, assign responsibilities for the risk identification and remediation processes. This will help you document all aspects of the GRA, identify data sources and key stakeholders, and visualize the remediation process.
To break the GRA into manageable segments: in step one, organize your policies and procedures, even if that means bringing them all together physically. As a second step, gather the legal requirements concerning the CFPB, FDCPA, FCRA, TCPA, and other landmark cases. Finally, cross-reference the two to take stock of your inventory, identify gaps, and assign responsibilities for closing those gaps.
Build a business case for the assessment
If you're a chief compliance officer, one of your top priorities should be keeping your team focused on gap and risk assessment all year round. However, making the rest of leadership understand the importance of the exercise can be a challenge, especially when you have few resources to maintain compliance oversight within your agency. To help management understand how a GRA can solve many compliance problems at once, put a price on each compliance risk that could go unnoticed in the absence of a GRA. This means you simply have to connect your assessments to revenue and risk exposure. Document how the areas of improvement (which are always uncovered after each GRA) can convert into a business opportunity and income.
Bonus Tip: A natural follow-up question that arises from the instructions mentioned above is: "At what time should you start your GRA?" All agencies are required to ensure CFPB compliance audits are happening within the organization at least once a year. Since a GRA can help your compliance team identify the nature, extent, and timing of these audits, it is best to have a risk assessment done during the planning phase of any compliance audit.