Developing an Enterprise-Wide Risk Assessment


Transcript of Developing an Enterprise-Wide Risk Assessment

Page 1: Developing an Enterprise-Wide Risk Assessment

Developing an Enterprise-Wide Risk Assessment

Marci Malzahn, President & Founder

[email protected]

February 2017

Page 2: Developing an Enterprise-Wide Risk Assessment

Disclaimer

This presentation is designed to provide accurate and authoritative information in regard to the subject matter covered. The handouts, visuals, and verbal information provided are current as of the webinar date. However, due to an evolving regulatory environment, Financial Education & Development, Inc. does not guarantee that this is the most-current information on this subject after that time.

Webinar content is provided with the understanding that the publisher is not rendering legal, accounting, or other professional services. Before relying on the material in any important matter, users should carefully evaluate its accuracy, currency, completeness, and relevance for their purposes, and should obtain any appropriate professional advice. The content does not necessarily reflect the views of the publisher or indicate a commitment to a particular course of action. Links to other websites are inserted for convenience and do not constitute endorsement of material at those sites, or any associated organization, product, or service.

2 Copyright 2017 Malzahn Strategic

Page 3: Developing an Enterprise-Wide Risk Assessment

Sponsors

• Alabama Bankers Association • Arkansas Community Bankers • California Community Banking Network • Independent Bankers of Colorado • Florida Bankers Association • Community Bankers Association of Georgia • Community Banker Association of Illinois • Indiana Bankers Association • Community Bankers of Iowa • Community Bankers Association of Kansas • Kentucky Bankers Association • Maine Bankers Association • Community Bankers of Michigan • Independent Community Bankers of Minnesota • Missouri Independent Bankers Association • Montana Independent Bankers Association • Nebraska Independent Community Bankers • Independent Comm. Bankers Assoc. of New Mexico

• Independent Bankers Assoc. of New York State • Independent Community Banks of North Dakota • Community Bankers Association of Ohio • Community Bankers Association of Oklahoma • Pennsylvania Association of Comm. Bankers • Independent Banks of South Carolina • Independent Comm. Bankers of South Dakota • Tennessee Bankers Association • Independent Bankers Association of Texas • Vermont Bankers Association • Virginia Association of Community Banks • Community Bankers of Washington • Community Bankers of West Virginia • Wisconsin Bankers Association

Directed by

The Community Bankers Webinar Network


Page 4: Developing an Enterprise-Wide Risk Assessment

Marci Malzahn – Malzahn Strategic

• Professional Highlights:

• 23 years in banking: from teller to EVP/CFO/COO and CRO

• Started a bank in 2005 – Bank grew to $325MM in 10 years, now $530MM

• 5 years in nonprofit:

• CFO overseeing Finance, IT and HR

• Managed a $32MM budget, 28 employees

• 2 years with Malzahn Strategic consulting

• Professional Awards:

• 25 On The Rise – Hispanic Chamber of Commerce

• Forty Under 40 – Minneapolis/St. Paul Business Journal

• Top Women in Finance – Finance and Commerce Newspaper

• Outstanding Women in Banking – North Western Financial Review magazine

• Education:

• B.A. Business Management, Bethel University

• Graduate School of Banking, Madison, Wisconsin


Page 5: Developing an Enterprise-Wide Risk Assessment

Webinar Overview

• The Big Picture (foundational knowledge):

• Strategic Planning

• Enterprise Risk Management

• Integrating your ERM into your Strategic Plan

• The Risk Assessment Process

• Identify Risks Using Risk Assessments

• Develop Assessment Criteria

• Assess Risks

• Assess Risk Interactions

• Prioritize Risks

• Respond to Risks


Page 6: Developing an Enterprise-Wide Risk Assessment

Webinar Overview Cont.

• Risk Assessment System (RAS)

• CAMELS Rating and How They Relate to Risk Assessments

• Top 8 Risks and Other Important Risks to Assess

• ERM Risk Assessment Matrix – How to Complete One

• Annual Risk Assessments Recommended and Areas Assessed

• IT Risk Assessment – How to Complete One

• Ongoing Monitoring and Reporting Tools

• Bringing It All Together


Page 7: Developing an Enterprise-Wide Risk Assessment

Strategic Plan Components

Strategic Plan components (diagram): ERM, Marketing, Business Plan, Financials, Talent, Capital

Page 8: Developing an Enterprise-Wide Risk Assessment

What is ERM?

ERM cycle (diagram): Identifying and Assessing Risk; Mitigating or Eliminating Risk; Monitoring and Reporting Risk

Page 9: Developing an Enterprise-Wide Risk Assessment

Identifying and Assessing Risk

• Use risk assessments enterprise-wide to identify risks and assess the types of risks

• Also identify unique and specific risks to your organization

• (i.e., succession planning, relationship concentration, industry concentration)

• Categorizing each risk across the organization by:

• Criticality and confidentiality

• Rate risks by:

• Impact and probability/likelihood

• Vulnerability and speed of onset

Page 10: Developing an Enterprise-Wide Risk Assessment

Mitigating and Eliminating Risk

• Determine the steps your institution will take to mitigate some of the inherent risks

• Determine how your institution can eliminate certain risks

• Ensure your institution is comfortable with the residual risk

• Establish policies, processes, and procedures to mitigate and eliminate risks


Page 11: Developing an Enterprise-Wide Risk Assessment

Monitoring and Reporting Risk

• Ongoing monitoring of risks identified

• Establish accountability across the organization

• Ensure policies, procedures, and systems in place are being followed AND are working (measuring)

• Ongoing reporting of risks and status to board of directors

• Provide results from monitoring efforts

• Directors learn about risks, get updates, understand their liability

• Use tools such as “heat maps”


Page 12: Developing an Enterprise-Wide Risk Assessment

Integrate Enterprise Risk Management into Your Strategic Plan

• As you conduct the ERM Risk Assessment – what are your strategies to mitigate and avoid certain risks?

• Know regulations – know your industry

• Establish policies to comply with regulations

• Establish procedures and processes

• Establish an organizational and operational infrastructure to support current size and scalable for future growth

• Establish key performance indicators (KPI) and key risk indicators (KRI) and reporting


Page 13: Developing an Enterprise-Wide Risk Assessment

Key Performance Indicators (KPI) – Examples

• Total Assets

• Total Liabilities

• Net Income

• ROE

• ROA

• Efficiency Ratio

• ALLL

• OREO

• Texas Ratio

Page 14: Developing an Enterprise-Wide Risk Assessment

Key Risk Indicators (KRI) – Examples

Global/general:

• From global economy to your state to your city

• Unemployment rate nationwide and in your state

• GDP

Local/unique to your institution:

• Lack of risk awareness at the board level in your institution

• High employee turnover

• Loosening of credit standards


Page 15: Developing an Enterprise-Wide Risk Assessment

Integrate Other Key Components into ERM

• IT Security Program

• Compliance Program (Compliance Management System)

• Internal Audit Program

• Liquidity Contingency Funding Plan (CFP) – Includes Liquidity Stress Testing

• Succession Planning

• Capital Planning

• Credit Stress Testing

IT Security Program components (diagram): Disaster Recovery Plan (DRP), Business Continuity Plan, Cyber Security Program, Vendor Management, Social Engineering, Controls & Policies

Page 16: Developing an Enterprise-Wide Risk Assessment

ERM Key Components

ERM key components (diagram): IT Security Program, Compliance, Succession Planning, Capital, DRP, Liquidity Contingency Plan, Internal Audit

Page 17: Developing an Enterprise-Wide Risk Assessment

IT Security Program Key Components

IT Security Program components (diagram): DRP, Cyber Security, Vendor Mgmt., Security Controls, Social Engineering, BCP

Page 18: Developing an Enterprise-Wide Risk Assessment

The Risk Assessment Process

• Identify Risks First – risk assessments follow event identification and precede risk response

• Develop Assessment Criteria

• Assess Risks

• Assess Risk Interactions

• Prioritize Risks

• Respond to Risks


Page 19: Developing an Enterprise-Wide Risk Assessment

Risk Assessments

• Should be practical, sustainable, and easy to understand.

• Process should be done in a structured and disciplined way.

• Should be standardized across the organization.

• Should be customized to your institution’s size, complexity, and geographic area.

• Risk assessments should be a useful tool in the decision-making process and strategic planning of the organization.


Page 20: Developing an Enterprise-Wide Risk Assessment

Identify Risks

• List ALL the potential risks of the organization

• Organize risks by category (financial, operational, strategic, etc.) and sub-category where appropriate

• Prioritize all risks so senior management and board’s attention is on the key risks

• The prioritization is accomplished by performing a risk assessment


Page 21: Developing an Enterprise-Wide Risk Assessment

Develop Assessment Criteria

• Develop a common set of assessment criteria (scale) to be used across all functional areas of the organization (simple yet comprehensive).

• Scales should help in ranking and in prioritizing risks (i.e., 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme).

• Risks as well as opportunities are usually assessed in terms of impact (how it will affect the entire enterprise) or likelihood (i.e., 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Frequent)

• Ask the questions of vulnerability (how susceptible?) and speed of onset (how fast could the risk arise? 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High; How fast could you respond or recover?)


Page 22: Developing an Enterprise-Wide Risk Assessment

Assess Risks

• Consists of assigning values to each risk and opportunity using the defined criteria.

• The values should be the same in all areas across the organization.

• Use qualitative questions/criteria (descriptive assessment scales).

• Perform a quantitative analysis of the most important risks (using numerical values for impact and likelihood).


Page 23: Developing an Enterprise-Wide Risk Assessment

Assess Risk Interactions

• Risks in one area interact with other areas in the organization.

• Need to recognize how risks interact with each other.

• Take the integrated approach and view all risks from the holistic perspective – thus Enterprise Risk Management.

• Group related risks into broad risk areas

• Use risk interaction maps


Page 24: Developing an Enterprise-Wide Risk Assessment

Prioritize Risks

• Determine which risks require immediate attention of senior management and board of directors.

• Prioritize by comparing the level of risk against agreed upon target risk levels and tolerance thresholds.

• Impact and likelihood or impact and vulnerability

• Consider developing the Board’s Risk Appetite and Tolerance Statement after risk assessments are done.

• There is a qualitative piece and a quantitative piece of the statement.


Page 25: Developing an Enterprise-Wide Risk Assessment

Respond to Risks

• After conducting the risk assessments you should have the first input as to how to respond to each risk.

• Decide to either accept, reduce, share, avoid, or eliminate each risk.

• Perform cost-benefit analysis (i.e., is the cost to prevent or reduce a certain risk higher than the risk itself?)

• Formulate a response strategy and develop plans.
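The criteria, assessment, interaction, prioritization and response steps above, worked through in code. This is an added example, not material from the presentation: it scores constructed sample risks on the slide's 1–5 scales, treats risks in the same broad area as interacting, places each risk on a heat-map cell and maps scores to accept/reduce/escalate. The scoring formula (impact × likelihood), the tolerance thresholds and the sample ratings are assumptions chosen to illustrate the method.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assessment scales as given in the webinar (slide 21).
IMPACT = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Frequent"}
LEVEL = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}  # vulnerability, speed of onset

# Tolerance thresholds on the 1..25 impact x likelihood score. Assumed values:
# the deck says to compare against board-agreed thresholds but does not give any.
ACCEPT_MAX = 6   # score <= 6: accept
REDUCE_MAX = 15  # 7..15: reduce; above 15: escalate to senior management / board


@dataclass(frozen=True)
class Risk:
    name: str
    area: str            # broad risk area, used to assess interactions
    impact: int
    likelihood: int
    vulnerability: int
    speed_of_onset: int

    def __post_init__(self) -> None:
        # Reject ratings outside the common 1..5 scale so every area scores alike.
        for field, scale in (("impact", IMPACT), ("likelihood", LIKELIHOOD),
                             ("vulnerability", LEVEL), ("speed_of_onset", LEVEL)):
            if getattr(self, field) not in scale:
                raise ValueError(f"{self.name}: {field} must be an integer 1..5")


def score(r: Risk) -> int:
    """Impact x likelihood, the first pairing the deck lists (1..25)."""
    return r.impact * r.likelihood


def exposure(r: Risk) -> int:
    """Impact x vulnerability, the alternative pairing the deck mentions (1..25)."""
    return r.impact * r.vulnerability


def response(r: Risk) -> str:
    """Map the score to an initial response using the agreed thresholds."""
    s = score(r)
    if s <= ACCEPT_MAX:
        return "accept"
    if s <= REDUCE_MAX:
        return "reduce"
    return "escalate"  # candidate for share / avoid / eliminate; a board-level decision


def prioritize(risks: list[Risk]) -> list[str]:
    """Highest score first; faster onset breaks ties (less time to respond)."""
    ordered = sorted(risks, key=lambda r: (score(r), r.speed_of_onset), reverse=True)
    return [r.name for r in ordered]


def area_profile(risks: list[Risk]) -> dict[str, tuple[int, int]]:
    """Per broad area: (highest score, number of risks above the accept line).
    Risks in one area are treated as interacting: the area is as hot as its worst risk."""
    profile: dict[str, tuple[int, int]] = {}
    for area in sorted({r.area for r in risks}):
        members = [r for r in risks if r.area == area]
        profile[area] = (max(score(r) for r in members),
                         sum(1 for r in members if score(r) > ACCEPT_MAX))
    return profile


def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Cells keyed (likelihood, impact), the layout of a COSO-style heat map."""
    cells: dict[tuple[int, int], list[str]] = defaultdict(list)
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return dict(cells)


# Constructed sample register for a small institution (illustrative ratings only).
SAMPLE = [
    Risk("Capital", "Financial", impact=5, likelihood=2, vulnerability=3, speed_of_onset=3),
    Risk("Earnings", "Financial", impact=4, likelihood=3, vulnerability=3, speed_of_onset=2),
    Risk("Liquidity", "Financial", impact=5, likelihood=3, vulnerability=4, speed_of_onset=5),
    Risk("Cybersecurity", "Operational", impact=4, likelihood=4, vulnerability=4, speed_of_onset=5),
    Risk("Employee turnover", "Operational", impact=2, likelihood=4, vulnerability=3, speed_of_onset=2),
    Risk("Vendor outage", "Operational", impact=3, likelihood=2, vulnerability=3, speed_of_onset=4),
]

if __name__ == "__main__":
    by_name = {r.name: r for r in SAMPLE}
    for name in prioritize(SAMPLE):
        r = by_name[name]
        print(f"{name:18} score={score(r):2}  {IMPACT[r.impact]}/{LIKELIHOOD[r.likelihood]}  -> {response(r)}")
    print(area_profile(SAMPLE))
```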


Page 26: Developing an Enterprise-Wide Risk Assessment

Risk Assessment System (RAS)

• What is “supervision by risk”?

• Evaluating risk

• Identifying existing and emerging problems

• Ensuring that institution’s management takes corrective action before problems compromise the institution’s safety and soundness

• RAS provides framework to measure, document, and communicate:

• Quantity of risk

• Quality of risk management

• Aggregate risk

• Direction of risk for the eight risk categories

• Updated guidance expands the assessment of strategic and reputation risks


Page 27: Developing an Enterprise-Wide Risk Assessment

Risk Assessment System (RAS) Structure

• Evaluate separately:

• Quantity of risk – reflects level of risk assumed in the course of doing business (low, moderate, or high)

• Quality of risk management – assesses whether the institution’s risk management systems are capable of identifying, measuring, monitoring and controlling that amount of risk (strong, satisfactory, insufficient, or weak)

• Identify and take action on emerging risks in a timely manner

• Provides both:

• Current (aggregate risk) – combined quantitative and qualitative risks (low, moderate, or high)

• Prospective (direction of risk) view of an institution’s risk profile – assessment of movement of the aggregate risk in 12 months (decreasing, stable, or increasing)


Page 28: Developing an Enterprise-Wide Risk Assessment

What Is the CAMELS Rating System?

• Examiners use results from RAS to incorporate in CAMELS rating

• Primary risk categories that examiners consider within each component area

• Quality of risk management practices

• When RAS and CAMELS rating systems are used together:

• Provide a holistic view of the institution’s condition

• Support planned activities and supervisory findings


Page 29: Developing an Enterprise-Wide Risk Assessment

CAMELS Rating System Categories

• Capital

• Assets

• Management

• Earnings

• Liquidity

• Sensitivity to Market Risk

• Technology


Page 30: Developing an Enterprise-Wide Risk Assessment

New Definition of Banking Risk

The potential that events will have an adverse effect on an institution’s current or projected financial condition and resilience

• Financial Condition: Includes impacts from diminished capital (impact from losses, reduced earnings, and market value of equity) and liquidity

• Resilience: Recognizes the institution’s ability to withstand periods of stress (based on stress testing)


Page 31: Developing an Enterprise-Wide Risk Assessment

Top 8 Risk Categories

1. Credit – Person/entity’s failure to meet the terms of any contract with the institution

2. Interest Rate – Movements in interest rates (repricing, basis, yield curve, and options risk)

3. Liquidity – The institution’s inability to meet obligations when they come due (contingency funding plan)

4. Price – Changes in the value of either trading portfolios or other obligations that are entered into as part of distributing risk


Page 32: Developing an Enterprise-Wide Risk Assessment

Top 8 Risk Categories

5. Operational – Inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events

6. Compliance – Violations of laws or regulations, or nonconforming to prescribed practices, internal policies, and procedures, or ethical standards.

7. Strategic – Adverse business decisions, poor implementation of business decisions, or lack of responsiveness to changes in the banking industry and operating environment.

8. Reputation – Negative public opinion. Inherent to all activities.


Page 33: Developing an Enterprise-Wide Risk Assessment

Plus a Few Other Risks

9. Technology – Risk in all technologies used across the organization

10. Customer – Risk from dealing with fraudulent entities

11. Human Resources Management – Violations to HR laws and HR-related areas

12. Earnings/Profitability – Losses in investments and earnings other than credit

13. Legal – Failure to comply with statutory or regulatory obligations

14. Capital – Direct losses to capital due to all risks being interrelated

15. Model – The OCC is now focusing on Model Risk Management


Page 34: Developing an Enterprise-Wide Risk Assessment

Model Risk Management – Quick Overview

• “Model” – Quantitative method, system, or approach

• Applies – Statistical, economical, financial, or mathematical theories, techniques, and assumptions

• Process – input data into quantitative estimates

• Three components:

• Information input

• Processing

• Reporting

• Model Risk – Potential for adverse consequences from decisions based on incorrect or misused model outputs and reports


Page 35: Developing an Enterprise-Wide Risk Assessment

ERM Risk Assessment Matrix – Definitions

• Risks: Identify each department

• Inherent Risk: Risk of an activity with no controls in place (low, moderate, high)

• Consequences: If the risk occurs, identify damage

• Risk Mitigating Factors: Activities that can control the risk and consequences of it happening

• Monitoring Tool(s): Tools used to monitor risks


Page 36: Developing an Enterprise-Wide Risk Assessment

ERM Risk Assessment Matrix – Definitions

• Plans for Improvement: If current mitigating factors are insufficient, describe plan to improve

• Status: Tracking mechanism to track progress on plans for improvement (person accountable for each action)

• Residual Risk: The risk that remains after controls are taken into account

• Trend of Risk: Increasing, stable, decreasing – provides a baseline for future assessments of this risk


Page 37: Developing an Enterprise-Wide Risk Assessment

Types of Risks

Types of risks surrounding ERM (diagram): Technology, Transaction/Operational, Strategic, Reputational, Compliance/Regulatory, Liquidity, Interest Rate Risk, Credit Administration, Legal, Human Resources, Earnings/Profitability, Capital

Page 38: Developing an Enterprise-Wide Risk Assessment

ERM Risk Assessment Matrix

Columns: Risks; Inherent Risk; Consequences; Risk Mitigators; Monitoring Tool(s); Plans for Improvement; Status; Residual Risk; Trend of Risk

Rows (risk categories): Credit; Interest Rate; Liquidity; Price

Page 39: Developing an Enterprise-Wide Risk Assessment

ERM Risk Assessment Matrix Cont.

Columns: Risks; Inherent Risk; Consequences; Risk Mitigators; Monitoring Tool(s); Plans for Improvement; Status; Residual Risk; Trend of Risk

Rows (risk categories): Operational/Transaction; Compliance/Regulatory; Strategic; Reputational

Page 40: Developing an Enterprise-Wide Risk Assessment

ERM Risk Assessment Matrix Cont.

Columns: Risks; Inherent Risk; Consequences; Risk Mitigators; Monitoring Tool(s); Plans for Improvement; Status; Residual Risk; Trend of Risk

Rows (risk categories): Technology; Customers; Human Resources Management; Earnings/Profitability

Page 41: Developing an Enterprise-Wide Risk Assessment

ERM Risk Assessment Matrix Cont.

Columns: Risks; Inherent Risk; Consequences; Risk Mitigators; Monitoring Tool(s); Plans for Improvement; Status; Residual Risk; Trend of Risk

Rows (risk categories): Legal; Capital; Model – NEW Risk; Other

Page 42: Developing an Enterprise-Wide Risk Assessment

Annual Risk Assessments Recommended

• ERM

• Information Technology

• Bank Secrecy Act

• Internal Controls

• Bank Policies

• Bank Insurance

• ACH

• Fraud

• Fair Lending

• Mobile Banking


Page 43: Developing an Enterprise-Wide Risk Assessment

IT Areas Assessed

• Information Technology Security

• Information Technology: All Systems

• Information Technology: All Hardware and Software Inventory

• Disaster Recovery Plan

• Threat Analysis

• Vendor Management Program

• Asset Inventory

• Internal Physical Bank Security: System, Policies, Training

• Cybersecurity:

• Website: Security, Compliance, Backup

• All Online Banking Products: mobile, remote deposit, wire transfers, ACH


Page 44: Developing an Enterprise-Wide Risk Assessment

BSA Areas Assessed

• Wire Transfer Program: System, Controls, Agreements

• ACH Program: System, Controls, Agreement

• Office of the Foreign Assets Controls (OFAC)

• Anti-Money Laundering (AML)


Page 45: Developing an Enterprise-Wide Risk Assessment

Internal Control Areas Assessed #1

• Accounts Payable

• Allowance for Loans and Lease Losses (ALLL)

• Asset/Liability Management

• Bank Protection

• Branch Capture

• Call Report Preparation

• Capital

• Cash Controls


Page 46: Developing an Enterprise-Wide Risk Assessment

Internal Control Areas Assessed #2

• Collateral Safekeeping

• Correspondent Lending

• Deposit Processing/New Deposit Account Opening Procedures

• Director, Officer, and Employee Accounts

• Dormant Accounts (if applicable)

• Due From Accounts (Correspondent Banks)

• Fixed Assets

• Human Resources: Hiring and Termination Practices, Payroll, Personnel Files, Performance Evaluations, Retirement Plans


Page 47: Developing an Enterprise-Wide Risk Assessment

Internal Control Areas Assessed #3

• Income and Expense

• Internal DDAs

• Internet Banking

• Investments

• Loan Processing/New Loan Account Opening Procedures

• Mortgage Loans in Transit (MLIT)

• Official Checks

• Online Entries: General Ledger, Loan, and Deposit Processes

Page 48: Developing an Enterprise-Wide Risk Assessment

Internal Control Areas Assessed #4

• Other Real Estate Owned (OREO)

• Other Liabilities

• Overdrafts

• Payroll

• Prepaid Expenses and Other Assets

• Remote Deposit Capture

• Secondary Market

• Wire Transfers


Page 49: Developing an Enterprise-Wide Risk Assessment

Categories Included in IT Risk Assessment #1

• Asset Type: Application/Software, Process, System

• Asset Medium: Paper or Electronic

• Vendor Name

• Controls/Procedures in Place

• Description of Risks Associated with Asset

• Risk Mitigation: Description for Mitigation of Risks

• Risk Rating: Low, Medium, High

• Criticality to Institution: Levels 1 to 5 with 5 being the most critical


Page 50: Developing an Enterprise-Wide Risk Assessment

Categories Included in IT Risk Assessment #2

• Residual Risk: Low, Medium, High

• Information Classification: Public, Non-Public, Confidential

• Threats/Vulnerabilities: Level of Damage, Type of Vulnerability

• Threat/Vulnerability Likelihood: Low, Medium, High

• Vital Resources: Description of Vital Resources to the Institution’s Operations

• Recovery Point Objective: Description of How the Information or Asset Will be Recovered

• Recovery Time Objective: Approximate Time of Recovery

Page 51: Developing an Enterprise-Wide Risk Assessment

IT Risk Assessment Template

IT RISK ASSESSMENT

INSTITUTION NAME

DATE OF ASSESSMENT

Template columns:

• Asset Name

• Asset Type: Application/Software, Process, or System

• Asset Medium: Paper or Electronic

• Vendor Name

• Controls/Procedures in Place? Y or N

• Description of Risks Associated with Asset

• Risk Mitigation: Description of Mitigation of Risks

• Risk Rating: Low, Medium, High

• Criticality to Institution: Levels 1 = lowest to 5 = highest

• Residual Risk: Low, Medium, High

• Information Classification: Public, Non-Public, Confidential

• Threats/Vulnerabilities: Level of Damage, Type of Vulnerability

• Threat/Vulnerability Likelihood: Low, Medium, High

• Vital Resources: Description of Vital Resources to the Institution's Operations

• Recovery Point Objective (RPO): Description of How the Information or Asset will be recovered

• Recovery Time Objective: Approximate Time of Recovery (hours, days or weeks)

Example row from the slide (values in column order):

• Asset Name: Core System: Fiserv/ITI

• Asset Type: S

• Asset Medium: E

• Vendor Name: Fiserv

• Controls/Procedures in Place? Y

• Description of Risks / Risk Mitigation: Core system is critical to the operations of the institution. We have no inhouse backup. Fiserv has backup sites.

• Risk Rating: H

• Criticality to Institution: 5

• Residual Risk: L

• Information Classification: NP, C

• Threats/Vulnerabilities: Confidential information, potential fraud

• Threat/Vulnerability Likelihood: M

• Vital Resources: Client information, daily operation of institution depends on core system

• Recovery Point Objective: Will use backup site and remote DRP location from Fiserv

• Recovery Time Objective: 2 days
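The template above as a row validator, an added example that is not the presenter's material: it checks a record against the slide's allowed values and then applies consistency rules a reviewer would want (assumed rules, e.g. residual risk may not exceed the inherent rating, a row with no controls may not claim a lower residual risk, and a high-criticality asset needs a parseable RTO and a recovery description). The one-letter codes follow the slide's example row; splitting that row's risk description from its mitigation sentence, and the second, deliberately defective row, are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Allowed values follow the template columns on slide 51; the one-letter codes
# (S/E/Y/H/L/NP/C) are the ones the slide's example row uses.
ASSET_TYPES = {"A": "Application/Software", "P": "Process", "S": "System"}
MEDIA = {"P": "Paper", "E": "Electronic"}
LEVELS = {"L": 1, "M": 2, "H": 3}                 # Low / Medium / High
CLASSIFICATIONS = {"P", "NP", "C"}                # Public, Non-Public, Confidential
RTO_UNITS = {"hour": 1, "day": 24, "week": 168}   # template: hours, days or weeks


@dataclass
class ITAsset:
    name: str
    asset_type: str
    medium: str
    vendor: str
    controls_in_place: str            # Y or N
    risks: str
    mitigation: str
    risk_rating: str                  # L/M/H
    criticality: int                  # 1 = lowest .. 5 = highest
    residual_risk: str                # L/M/H
    classification: tuple[str, ...]   # one or more of P, NP, C
    threats: str
    likelihood: str                   # L/M/H
    vital_resources: str
    rpo: str
    rto: str                          # e.g. "2 days"


def rto_hours(text: str) -> Optional[int]:
    """Parse '4 hours' / '2 days' / '1 week' into hours; None if not parseable."""
    m = re.fullmatch(r"\s*(\d+)\s*(hour|day|week)s?\s*", text, re.IGNORECASE)
    return int(m.group(1)) * RTO_UNITS[m.group(2).lower()] if m else None


def validate(a: ITAsset) -> list[str]:
    """Return findings for one row; an empty list means complete and consistent."""
    f: list[str] = []
    # Field-level checks against the template's allowed values.
    if a.asset_type not in ASSET_TYPES:
        f.append("asset type must be A, P or S")
    if a.medium not in MEDIA:
        f.append("asset medium must be P or E")
    if a.controls_in_place not in ("Y", "N"):
        f.append("controls in place must be Y or N")
    for label, value in (("risk rating", a.risk_rating), ("residual risk", a.residual_risk),
                         ("likelihood", a.likelihood)):
        if value not in LEVELS:
            f.append(f"{label} must be L, M or H")
    if not 1 <= a.criticality <= 5:
        f.append("criticality must be 1..5")
    if not a.classification or not set(a.classification) <= CLASSIFICATIONS:
        f.append("classification must be one or more of P, NP, C")
    if f:
        return f  # the consistency checks below assume valid codes
    # Consistency checks (assumed reviewer rules, not from the template itself).
    if LEVELS[a.residual_risk] > LEVELS[a.risk_rating]:
        f.append("residual risk cannot exceed the inherent risk rating")
    if a.controls_in_place == "N" and a.residual_risk != a.risk_rating:
        f.append("no controls in place, yet residual risk differs from risk rating")
    if a.controls_in_place == "Y" and not a.mitigation.strip():
        f.append("controls claimed but no risk mitigation described")
    if "C" in a.classification and a.controls_in_place != "Y":
        f.append("confidential asset without controls in place")
    hours = rto_hours(a.rto)
    if hours is None:
        f.append("RTO must be given in hours, days or weeks")
    elif a.criticality >= 4 and hours > 7 * 24:
        f.append("high-criticality asset with RTO over one week")
    if a.criticality >= 4 and not a.rpo.strip():
        f.append("high-criticality asset without a recovery description")
    return f


# The slide's example row (risk description and mitigation split by sentence: assumed).
CORE_SYSTEM = ITAsset(
    name="Core System: Fiserv/ITI", asset_type="S", medium="E", vendor="Fiserv",
    controls_in_place="Y",
    risks="Core system is critical to the operations of the institution. We have no inhouse backup.",
    mitigation="Fiserv has backup sites.",
    risk_rating="H", criticality=5, residual_risk="L", classification=("NP", "C"),
    threats="Confidential information, potential fraud", likelihood="M",
    vital_resources="Client information, daily operation of institution depends on core system",
    rpo="Will use backup site and remote DRP location from Fiserv", rto="2 days",
)

# Constructed second row with several defects, to show what the checks catch.
ONLINE_BANKING = ITAsset(
    name="Online Banking (hypothetical)", asset_type="A", medium="E", vendor="ExampleVendor",
    controls_in_place="N", risks="Account takeover, wire fraud", mitigation="",
    risk_rating="H", criticality=5, residual_risk="L", classification=("C",),
    threats="Credential theft", likelihood="H", vital_resources="Customer access to accounts",
    rpo="", rto="TBD",
)

if __name__ == "__main__":
    for row in (CORE_SYSTEM, ONLINE_BANKING):
        print(row.name, validate(row) or ["OK"])
```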


Page 52: Developing an Enterprise-Wide Risk Assessment

Categories Included in Internal Controls Risk Assessment #1

• Growth/New Activities

• Policies and Procedures

• Regulation and Compliance

• MIS/IT System Changes

• Turnover

• Quality of Management


Page 53: Developing an Enterprise-Wide Risk Assessment

Categories Included in Internal Controls Risk Assessment #2

• Training

• Date of Last Audit

• Previous Exceptions

• Risk of Monetary Loss

• Nature of Items

• Nature of Operations


Page 54: Developing an Enterprise-Wide Risk Assessment

Bank Insurance Policies Review

• Property and Casualty

• Liability

• Directors and Officers

• Auto

• Cybersecurity

• Umbrella

• Electronic


Page 55: Developing an Enterprise-Wide Risk Assessment

On-Going Monitoring: Opportunity & Risk Maps

COMBINED RISK AND OPPORTUNITY MAP EXAMPLE (figure): horizontal axis Impact – Opportunities side: Extreme, Major, Moderate, Minor, Incidental; Risks side: Incidental, Minor, Moderate, Major, Extreme. Vertical axis Likelihood: Frequent, Likely, Possible, Unlikely, Rare.

Source: Risk Assessment in Practice by COSO


Page 56: Developing an Enterprise-Wide Risk Assessment

On-Going Monitoring: Heat Maps

HEAT MAP SAMPLE (figure): risks plotted by Likelihood against Impact; ID/Risk legend: 1 Capital, 2 Earnings, 3 Liquidity

Source: Risk Assessment in Practice by COSO


Page 57: Developing an Enterprise-Wide Risk Assessment

Bringing It All Together

• Start with your Strategic Plan

• Complete an ERM Program

• Identify and Assess Risks

• Mitigate and Eliminate Risks

• Monitor and Report Risks

• Start with ERM Risk Assessment

• Complete Risk Assessments enterprise-wide

• Be proactive and stay the course


Page 58: Developing an Enterprise-Wide Risk Assessment

Sources

• FDIC Risk-Based Assessment System – Financial Institution Letters (FILs) https://www.fdic.gov/deposit/insurance/risk/FILS.html

• OCC Bulletin 2015-48 Updated Guidance on Risk Assessment System (https://www.occ.gov/news-issuances/bulletins/2015/bulletin-2015-48.html#)

• OCC Comptroller’s Handbook: Community Bank Supervision https://www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-cbs.pdf

• COSO (The Committee of Sponsoring Organizations of the Treadway Commission) www.coso.org

• Credit Union Act https://www.ncua.gov/Legal/Documents/fcu_act.pdf

• NCUA (National Credit Union Administration) https://www.ncua.gov/regulation-supervision/Pages/default.aspx

• Credit Union National Association www.cuna.org
