# The Friday I Signed Off on a Risk Framework I Knew Was Broken
There’s a particular kind of exhaustion that sets in on a Friday afternoon in Q3 when an OCC examination cycle looms. It’s not the clean tiredness of hard work finished. It’s the grubby, low-grade fatigue of a problem you’ve been managing rather than solving for the better part of a year. Everything on your desk is a version of the same question: how long can we hold this position?
In Q3 2021, I found out exactly how long. The answer was four months.
We had an open MRA—a Matter Requiring Attention—that had been sitting on the books for eleven months. For anyone outside the OCC’s regulatory world: an MRA isn’t a fine, it isn’t a public censure, but it’s a formal signal that the examiner has found something structurally wrong with your risk management practices and expects you to fix it. It’s the regulator telling you, in careful institutional language, that they’re watching. What we submitted that Friday addressed every word of the finding. It didn’t address the condition that had produced it. I knew this when I signed.
---
## The Decision I Made in That Room
The framework we built was technically responsive. That’s the exact right phrase. It answered the question as written rather than the question being asked. We’d brought in outside counsel, run it through the risk committee, and produced something that looked, on paper, like a serious institutional response. It had the right headings. It cited the right regulations. It mapped to the MRA’s specific language with the kind of precision that signals effort.
What it didn’t do was account for the direction our risk environment was moving. The original finding had been written against conditions from early 2020. By the time we submitted the remediation framework in 2021, those conditions had shifted materially: vendor concentration had increased, a key operational process had been restructured, and two of the control owners named in the original framework had left the organisation. The framework we submitted was already ageing before the ink dried. I knew this. The head of my risk team knew this. We submitted it anyway, because the examination window was closing and an open MRA going into the next cycle felt like a worse outcome.
That’s the calculation that leads you to the wrong decision in a very calm and rational way.
The examiner accepted the framework. For approximately four months. Then the follow-up review arrived, and what had been an MRA became an MRA with a deadline. In OCC language, that’s the last door before formal enforcement action. We had to rebuild the entire framework under significant pressure, on a compressed timeline, with an examiner who now had a documented record of our previous submission sitting in the file. We hadn’t bought ourselves time. We’d borrowed it at an interest rate nobody quoted us at closing.
---
## What Regulatory Time-Buying Actually Costs
The first thing to understand is that OCC examiners have institutional memory that outlasts personnel changes on both sides of the table. Examination files follow an institution. When you resolve an MRA with a framework that’s already structurally compromised, that’s noted—not always in the formal finding, but in the examiner’s working papers, in the tone of the next examination, in the questions that surface two cycles later about the same underlying risk area. Regulators track patterns, not just incidents. A technically compliant response followed by a material lapse reads, to an experienced examiner, as a pattern.
The second thing is that the goodwill cost is real and hard to recover. Regulated institutions often underestimate how much of the OCC examination relationship runs on examiner judgement—judgement about whether management genuinely understands its risk environment, whether leadership takes findings seriously, whether the organisation has a credible culture of risk management or a credible performance of one. That judgement is formed over multiple examination cycles. When you trade a substantive response for a timely one, you’re spending a currency you don’t get back by submitting the next framework on schedule.
The third insight, and the one that cost me the most to learn: the MRA itself isn’t the problem. It’s a signal about the condition underneath. This sounds obvious until you’re the person sitting across the table from a Friday afternoon examination deadline with an open finding, at which point it stops being obvious and starts being inconvenient. Most MRA remediation work I’ve reviewed—and I’ve reviewed a substantial amount, at enough institutions to recognise the pattern—is designed around closing the finding rather than resolving the condition. Those aren’t the same activity. The finding is a description of a symptom at a point in time. The condition is a structural feature of how risk is identified, escalated, and owned inside the organisation. You can resolve the former without touching the latter. Banks do it regularly. The examiners know.
This same dynamic appears in how organisations manage third-party risk. A vendor who fails a due diligence review is a finding. The governance gap that allowed the vendor relationship to become operationally critical before due diligence was completed is the condition. I’ve written separately about how third-party risk frameworks often suffer from exactly this confusion—treating relationship incidents as the unit of analysis when the control environment is the actual problem.
---
## What This Means for Your Organisation
If you’re managing an open MRA right now, the practical implication is this: build the remediation framework for where your risk environment will be in eighteen months, not where it was when the finding was written. That means the control owners named in the framework need to be current. The risk scenarios need to reflect your actual operational configuration, not the one that existed at examination time. The governance structure underpinning the framework needs to have real teeth—real escalation paths, real accountability, real testing cycles—because an OCC examiner doing a follow-up review will ask to see the evidence of operation, not just the document. A framework that exists primarily as a document is a liability dressed as a remediation.
The examination cycle will come back. It always does. The question is whether you’re presenting an organisation that learned something or one that bought four months.
---
## The Last Thing
Borrowing time from a regulator is always possible. The terms are just worse than they appear on a Friday afternoon when you’re tired and the deadline is real.
What you sign in that moment isn’t the framework. It’s your starting position for the next conversation.
Make sure it’s one you can defend.