1. Country CBORC Governance & Line-of-Sight
- Maintain front-to-back line-of-sight on risks and controls across all country Consumer business processes (e.g. Cards, Loans, Mortgages, Wealth Management, Branches, etc) and functions (Consumer Operations).
- Identify in-unit risk and control staff in conjunction with the country Consumer business owners, and establish a direct reporting line from these staff to the Country CBORC Head with a matrix reporting line to the respective Consumer Unit Heads for staff spending more than 50% of their time on risk and control (the reverse should apply to staff spending less than 50% of their time on risk and control).
  - As far as viable, in-unit risk and control activities should be consolidated into individual staff (“full bodies”), rather than being performed fractionally by a range of staff that have both control and line responsibilities.
  - This approach may be adjusted for Consumer businesses and functions with a small footprint where a dedicated in-product risk and control resource may not be viable.
  - Resources may also be pooled across products and functions (e.g. a dedicated in-product risk and control staff covering products across business units) where this does not negatively impact the effectiveness of product- and function-level risk and control management.
- Represent the Country Consumer Bank on risk and control matters to support the CBM, and maintain oversight over emerging and existing key risks, issues, control weaknesses, control processes, corrective actions, control validations, and control enhancement initiatives front-to-back for the Consumer Bank.
- Participate in relevant risk and control committees, management meetings, and forums (e.g. Country Business Risk, Compliance, and Control (BRCC) committee, Legal Vehicle Governance Committee, etc) to represent the risk and control aspects of the country Consumer business.
- Perform oversight of specific Consumer business functions:
  - Branch Oversight Function (BOF): The BOF function performs branch control oversight including the validation of the design and proper execution of branch controls.
  - Investment and Insurance Sales Surveillance (IISS) Function: The IISS function is a control function that performs surveillance on investment and insurance sales practices.
  - Consumer Business Support Unit (CBSU): The CBSU function performs all customer due diligence related Periodic Review, Client Refresh, HRAC and Overlay (both manned and unmanned accounts) in accordance with the Global KYC operating model and standards.
- As part of the end-to-end line of sight into Consumer Bank processes, the Country CBORC Head also stays closely connected with the Account Review Committee (ARC) process hosted by Finance in order to be fully aware of, escalate and analyze material risks and issues with regard to proofing and reconciliation across the Consumer Bank front-to-back.
- For country Consumer functions and processes that are outsourced internally to a CSC (Citi Service Centre) or to an external third party: the Country CBORC function should work with the Consumer business and function owners to ensure that the process owners are tightly managing the processes and controls end-to-end up to and including third parties, establish and maintain strong linkage with the CSC’s Risk and Control function, perform risk assessment, analysis and trending, and escalate control breaks.
2. End-to-end Process Mapping (Including Third Parties and Inter-affiliate)
- Work with the country Consumer businesses to map and document processes including those that tie into third parties (external and internal).
- Use the process maps to support the Consumer business and function owners in identifying risks and incorporating appropriate controls (as outlined in #3 below) to ensure compliance with process and control requirements as laid down by local regulations as well as internal Citi policies and procedures.
3. Risk Identification, Analysis, and Management
- Work with country Business and Function Heads and the Regional CBORC function to identify, quantify, prioritize, and report key risks and vulnerabilities within the country Consumer Bank, document lessons learned, and propagate these across other Consumer businesses and functions as relevant. This also links in with the MCA Process, Risk and Control (PRC) process. The coverage of risk identification and analysis also covers the 22 Front-to-Back Global Consumer Bank Risk Domains listed in Section A.
- Provide specialist risk and control advice and guidance to the Consumer business and functions.
- Lead or support as appropriate the root cause analysis of material risk events and control breaks, and establish an effective feedback loop to country and regional business and control management. Support the business in drafting appropriate corrective and preventive actions plans.
- Assess, evaluate, and validate controls through processes and tools such as the MCA, KRIs, and the AsPac electronic Departmental Control Functional Checklist (eDCFC) process, and work with the process owners to develop action plans that remediate the weaknesses. Establish reasonable thresholds for KRIs, and supplement KRIs to cater for local regulatory requirements.
- Support the business in reviewing, maintaining, and enhancing Permanent Control Readiness.
4. Standards and Procedures Coordination
- Support the country Consumer business and functions on gap analysis and the implementation of global policy requirements and regional standards, and on the assessment of legal and regulatory requirements with Country Legal and Compliance as well as the development of local procedures.
- Coordinate and support the review of country Consumer processes and controls, both at the inception of new processes and controls, and when these undergo material change, including appropriate linkage with the MCA.
- Track and review deviations and risk acceptances when raised and at the time of renewal to assess the need for deviations, and ascertain that Consumer business and function owners have implemented and documented effective compensating controls.
- Specifically, in conjunction with the Consumer business and functions, perform gap analysis of local processes and procedures vis-a-vis the Regional Consumer Control Procedure Manual (RCCPM) and the associated electronic Departmental Control Functional Checklist (eDCFC) and incorporate local processes and legal and regulatory requirements; coordinate with the Consumer business and functions to remediate gaps and supplement local procedures and checks.
5. Issue Escalation and Socialization
- Establish an effective process to escalate and socialize material risk events and issues with country and regional management in line with the Asia Issue Escalation and Notification Guideline issued.
- Escalate material risk events and issues to appropriate levels of country and regional management.
- Maintain an escalations register, and lead and support root cause analysis, trending, and lessons learned.
6. New Product and Business Practice Reviews
- Participate in the appropriate design of controls for new Consumer Bank products, perform new product risk and control reviews, and provide concurrence or approvals through appropriate forums (e.g. New Product Approval Committee). Analyze new product issues and draft lessons learned to prevent recurrence.
- Support the Consumer business in the rollout of global, regional and local business practice requirements such as Treating Customers Fairly (TCF), and perform exception and trend analysis on customer complaints and TCF transgressions including recommended corrective actions.
7. End-to-end Regulatory Compliance Process Review
- Review the robustness of the end-to-end regulatory compliance process in partnership with Country Compliance including the receipt and interpretation of rules and regulations, their documentation in the Compliance Regulatory Control Matrix (RCM), the mapping from the Compliance RCM to the MCA, and the testing of rules and regulations.
- Review the regulatory engagement model jointly with Compliance to ensure appropriate representation and communication with regulatory bodies.
8. Risk and Control Governance over “Digital”
- Enhance the focus on controls over Digital Channels (MBOL, CBOL, and other digital channels and technologies interfacing with customers) to ensure that controls are keeping pace with the evolution of the digital landscape.
- Ensure that processes are in place to track and monitor digital initiatives and associated approvals, as well as control checkpoints to ensure the processes are working as designed and to detect exceptions prior to implementation.
- Participate in business risk review meetings and work with regional counterparts (Digital Channels/AML/Compliance/Fraud/Legal/Information Security) to ensure that all digital initiatives are approved in line with the risk governance framework before go-live.
9. Manager’s Control Assessment (MCA) Coordination
- Coordinate the overall MCA and Annual Risk Assessment (ARA) processes for the country Consumer businesses and functions, track their status, ensure timely completion, and escalate exceptions.
- Support the business in performing its ARA based on the analysis of internally raised risks and issues (management-raised issues, Compliance review issues, Internal Audit review issues etc) and externally raised risks and issues (regulatory issues, KPMG observations, etc). Perform a review of the business’ PRCs (Processes, Risks, and Controls) for quality assurance and completeness.
- Perform periodic gap analysis between the Regulatory Control Matrix (RCM) and MCA to ensure that all key RCM controls are captured in the MCA.
- Perform sampling-based quality assurance on MCA results and corrective actions arising from identified exceptions.
- Analyze MCA issues and trends, work with the business on implementing appropriate corrective actions, and share best practices.
- Coordinate and track the appropriate training of MCA testers based on the regional MCA training program and escalate exceptions.
10. Issue and Corrective Action Plan (CAP) Process Oversight, Coordination and Validation
- Track issue and CAP status and progress, and escalate to the CBM and to the Regional CBORC Head issues and CAPs that are at risk of missing their target dates at least 30 days ahead of the targeted closure date. Support the business on ‘at-risk’ issues and CAPs.
- Act as ‘gate keeper’ and ensure data quality by centrally reviewing and documenting Management-Raised Issues (MRIs) and associated CAPs along with compensating controls and IBAM (Issues Being Addressed by Management) checklists in the global iCAPs system for issues and CAPs that have been drafted by the Consumer business and function owners. Ownership for issues and for developing and implementing CAPs remains with the respective Consumer business and function heads.
- Perform quality assurance on completed CAPs in the iCAPs system prior to formal validation by other control and assessment functions such as Internal Audit.
11. Audits, Franchise Reviews and Regulatory Examination Management
- Support the Consumer business and functions on Consumer-related reviews and audits. Support the business on reviewing and responding to findings issued by reviewers.
- Notify the CBM and the Regional CBORC Head of ‘at-risk’ audits.
- Proactively drive the analysis of root causes of “failed” audits, audit issues that were not recognized as IBAM, and PRCM (processes, risks, controls or monitoring) that were not included in the MCA, and implement measures to remediate the issues.
12. Risk and Control Project Management
- Coordinate and support the country Consumer business and functions in the implementation of global, regional and local risk and control projects.
- Support the implementation of process enhancements, control improvements, and best practices from key control projects or business strategies such as AML, FATCA, CRS, branch recalibration and process centralization etc that may have a significant impact on country risks and controls.
13. ‘Deep Dive’ Reviews
- Perform and coordinate in-country process deep dives and analysis, and report on issues and recommendations.
- Participate in peer reviews on other countries’ Consumer businesses and functions, which are coordinated by the Regional CBORC office.
- Perform gap analysis of the material issues and breaks detected from Peer Reviews vis-a-vis the country and regional MCA and support the implementation of process enhancements, control improvements, and best practices to remediate the issues and breaks.
14. Training and Awareness
- Perform training for country Consumer business staff on risk and control concepts, processes, tools, and on effective issue self-identification and testing. Customize global and regional training programs to cater for local requirements and nuances.
- Create Permanent Control Readiness awareness across all country Consumer businesses.