OCC Spring 2022 Risk Report Highlights Risks Facing BFS Companies



The Office of the Comptroller of the Currency (OCC) has published the OCC Spring 2022 Risk Report that highlights risks faced by banks and financial services organizations. The National Risk Committee (NRC) of the OCC plays a key role in monitoring the U.S. federal banking system, identifying key risks facing banks, and highlighting those risks in its semiannual publications. The latest edition of its guidance has observed that the financial condition of banks remains strong and well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates, and increased inflation” and has warned banks and financial organizations to prepare for elevated operational risks and heightened compliance risk.

The report attributes these risks to current geopolitical tensions, a heightened compliance risk environment (driven by regulatory changes, policy initiatives, and difficulty hiring qualified compliance professionals), and an observed increase in cyberattacks on the financial services industry.

Here is a closer look at the key risk themes highlighted in the report.

Elevated Operational Risk Due to an Increasingly Complex Operating Environment

The OCC report attributes the elevated operational risk to cyber threats which “continue to evolve, with an observed increase in attacks on the financial services industry.” This has been further accelerated by the ongoing geopolitical situation. Additionally, “banks’ increasing reliance on third-party relationships, along with the development and adoption of innovative products, services, and technologies, and ongoing changes to banks’ staffing and the operating environment” have all led to an increase in operational risk.

Also, the OCC has observed that banks are finding it challenging “to maintain comprehensive operational resilience frameworks commensurate with the complexity of products, services, and operations being supported in this environment.” It has further advised that some of the risk exposure may manifest in the coming quarter, making it vital for “the industry to remain vigilant and fully assess its risk exposure.”

Given the increased operational risks, the OCC’s recommendations include:

  • Lowering reporting thresholds for information-sharing activities, testing organizational response plans, and continuing to focus on business continuity and resilience (as recommended by the Cybersecurity and Infrastructure Security Agency (CISA))
  • Maintaining robust threat and vulnerability monitoring processes and implementing more stringent cybersecurity measures
  • Applying sound fraud risk management practices to help prevent losses when implementing new technology and innovative products and services
  • Following appropriate due diligence, change management, and risk management processes in accordance with the bank’s size, complexity, and risk profile, while accounting for and keeping pace with any new, modified, or expanded activity and the complexity that comes with it
  • Developing robust planning and risk management processes to manage, partner, or compete with new fintech entrants as needed

Heightened Compliance Risk, Driven by Regulatory Changes and Policy Initiatives

The OCC has highlighted that compliance risk remains heightened. This is primarily because banks are now required to navigate the complexity of sanctions imposed in response to the Russian invasion of Ukraine. At the same time, banks have also been required to “continue to manage the impact of forbearance programs and the elevated volume of customers on deferred payment and loss mitigation programs.”

The OCC has further observed challenges in the industry in retaining and replacing staff in compliance functions. A lack of access to subject matter expertise, or the use of third-party relationships to support or fill such critical roles, may increase compliance and operational risks.

The OCC offers the following recommendations for banks and financial institutions:

  • Navigate the “complex and evolving” sanctions by accurately assessing “the applicability and impact of sanctions on their institutions and customers, including the impact of sanctions imposed by both the U.S. and other countries on foreign branches, overseas offices, and subsidiaries.”
  • Institute effective change management and compliance risk management processes “to identify, measure, monitor, and control the evolving and emerging risks related to consumer products and services.”

Thrive on Risk with a Connected GRC Approach

As banks and financial institutions work to address key risk areas, it is important that they view and recognize the interconnectedness of risk. As highlighted in the OCC report, the scale and scope of the interconnectedness of risk are rapidly expanding. This requires a connected approach to manage and mitigate risk.

MetricStream’s ConnectedGRC empowers banks and financial institutions with a connected and streamlined governance, risk management, and compliance approach that enables firms to better identify, assess, manage, and mitigate risk across the enterprise—including strategic, operational, IT and cyber, third and fourth-party, compliance, and ESG risks.

  • Gain a holistic approach to risk, compliance, audit, and third-party management with MetricStream’s BusinessGRC. Leverage the comprehensive set of capabilities of Operational Risk Management to strengthen operational resilience and gain forward-looking risk visibility with predictive risk metrics and indicators. Reduce losses and avoid adverse risk events through proactive control structures and analytics. Navigate the complex web of regulatory obligations with Regulatory Compliance Management and sustain compliance by easily implementing measures, processes, and policies.
  • Actively manage IT and cyber risk and build cyber resilience with MetricStream’s CyberGRC that enables a streamlined, proactive, and business-driven approach to IT and cyber risk management and mitigation. Utilize best practices, insightful reporting, and cyber risk quantification to build cyber resilience.
  • Streamline management of various ESG requirements with MetricStream’s ESGRC. Define and manage ESG standards, frameworks, and disclosure requirements including GRI, SASB, TCFD, and others, automate the collection and aggregation of data, and report through real-time analytics and dashboards.

Interested in learning how MetricStream can help you take a connected approach to risk management? Write to me at sumith.sagar@metricstream.com to learn more. You can also request a personalized demo of our products.


Sumith Sagar, Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC), Commodity Trading & Risk Management (CTRM) and cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.