Practice makes perfect: How to prepare for bank regulatory exams

Mock exams have long been a useful tool in preparing for and ultimately passing real-life regulatory inquiries. Today, amid macroeconomic, geopolitical, and technological upheaval—and increased regulation—preparation for inquiries and exams has become an essential component in navigating heightened supervision.

Led by the United States, banks around the globe are seeing enhanced oversight after the collapse—or rescue—of high-profile banks in early 2023. The regulatory gaze is especially strong on banks that haven’t traditionally had the same level of scrutiny as global systemically important banks.

This increased regulatory vigor varies by region, but broadly, there’s a renewed focus on horizontal exams by regulators. In these exams, a bank’s practices are compared against those of its peers. Regulators are seeking much greater detail and speaking to many more bank employees and stakeholders than in past regulatory exams. As conditions and the critical sources of risk have changed, regulators’ focus has shifted.

For instance, in the United States, the Office of the Comptroller of the Currency’s Fiscal Year 2024 Bank Supervision Operating Plan provides guidance on key areas of regulatory focus and objectives for the year. While many priorities are consistent with those of prior years, asset liability management and credit are notably higher on the list than seen in the 2023 plan. In Europe, the UK Financial Conduct Authority’s Business Plan and European Central Bank’s stress tests have been enhanced.

In light of these changes, banks should consider a proactive approach to preparing for regulatory exams. Using mock exams can help banks identify weaknesses that have flown under risk managers’ radar. The exams can also help banks prioritize improvements that both meet increased regulatory requirements and strengthen their resilience to future risks (see sidebar, “Mock exam approach”).

Preparation is crucial

Before undertaking a mock exam, banks should first review if their fundamental risk processes have adapted to the shifts in the current macroeconomic, geopolitical, and technological environment. A first step: evaluate if current risk identification processes sufficiently account for the environment, such as a prolonged period of high interest rates. To do this, banks should look at both the actual processes, comparing them against industry practices, and the outputs, such as recently logged issues and control weaknesses. Both approaches should indicate which processes aren’t surfacing problematic issues.

A look at internal systems and controls should also be part of the plan. Fraud screening, cybersecurity, risk analytics to measure and predict risk outcomes, and data risk management need to keep pace with changes in a bank’s risk profile. They also need to be consistent with industry standards and regulatory expectations that may be changing quickly.

Banks should review their issue management logs and regulatory findings to make sure they’re addressing known issues. For example, if a bank is struggling to resolve audit findings related to third-party risk management, there may be underlying problems. These issues could include a lack of resources, capabilities, attention from management, tools, and data. In short, problems need to be fixed and processes need to be in place before conducting a mock exam or other internal test.

To be clear, the need for and use of mock exams differ by regulatory jurisdiction. In the United States, they’re critical. In Europe, we recommend that banks and other financial institutions use them for high-stakes events. In some regions, exams can be add-ons to address specific areas. Mock exams aren’t self-standing solutions but preparatory tools used to test an institution’s risk assessment and monitoring functions—the cornerstone of risk management. Mock exams can also form part of the tool kit that compliance and other second-line oversight functions use as part of their quality assurance activities.

Leading financial institutions will undertake mock exams three to six months before an upcoming horizontal or topical exam. This provides enough lead time to act on the feedback before the “main event.” Banks that focus on proactive risk management will undertake two or three mock exams in a year. They will prioritize testing areas with known upcoming exams, known problems, and new leadership. In some instances, we’ve seen banks use the mock-exam approach as an annual health checkup, even when a real regulatory exam isn’t scheduled or expected.

Ideally, banks should be setting aside the time and resources to review whether their current processes and outcomes are still fit for purpose. The reality of day-to-day responsibilities means that few banks systematically do so. This is why mock exams can act as a timely catalyst for needed change. In preparation for real exams, banks can simulate exam conditions to uncover blind spots in risk management.

Creating an effective mock exam requires expertise, accountability, and engagement from leadership. A well-built exam should be conducted by an independent team or party with relevant expertise both in the subject matter of the mock exam and in regulatory practices. It should simulate real exam conditions, such as robust preparation; formal presentations; realistic, live question-and-answer (Q&A) sessions; and a 48-hour response time for offline questions. There should be clear definitions of accountability for the mock exam. Typically, these come from the head of regulatory affairs and owners of the business and risk programs, depending on what is under assessment. Ultimately, banks should treat mock exams with the same level of preparation and candor as they do regulatory exams.

Benefits beyond compliance

Mock exams can lead to measurable improvements, allowing the organizations conducting them to have full insight into potential gaps and mitigation strategies. The benefits are far reaching. For one, a bank using mock exams inherently builds a risk culture and record of proactively identifying issues, emerging with a new set of self-identified issues.

For example, one bank’s mock exam found an overall disconnect in the integration of its US operations and its holding company. Identifying this vulnerability allowed the bank to ensure that the application of its standards and policies was consistent and to make adjustments as needed. The mock exam aligned the team by forcing members to articulate priorities, detail a target state and road map, and confirm clear-eyed understanding of the risk management standards applied across entities.

Another obvious benefit of using mock exams is the opportunity to address weaknesses prior to them showing up in regulatory findings. This will help banks align with regulators and limit potential penalties, including fewer matters that require immediate attention. For example, a mock exam helped senior executives at a bank identify that their risk and control self-assessments fell short in identifying risks and influencing decisions. As a result, the bank immediately formed a team to revamp its core risk identification processes.

A mock exam also tests abilities relating to documentation production under tight timelines, preparedness quality, presentations, and Q&A sessions. For instance, by engaging leaders of first-line business and control functions in mock exam interviews, one bank found great variability in their preparedness and effectiveness. Some of the leaders were engaging with regulators for the first time. By identifying these issues in a low-stakes setting, the regulatory affairs team could offer extra support and prep sessions to get those leaders prepared for the real thing.

Not just about passing

Mock exams have proved to benefit leaders by raising awareness of risk management strengths and weaknesses for high-stakes topics. For example, the results of a mock exam led one bank to identify gaps in its board engagement strategy. This prompted it to commit to a higher level of documentation and reporting ahead of a critical regulatory inspection.


Amid a turbulent environment, proactive risk management will only become more critical for banks, and the bar for ongoing risk assessment and monitoring will only go higher. Mock exams are useful tools to boost risk management processes for critical topics. They help financial institutions manage their risk and regulatory exposures more appropriately to support their business objectives. Put another way, banks that use mock exams become not only more aligned with regulation but more self-aware and confident in their mission and growth plans.