©2016 Crowe Horwath LLP
ACUIA Region 6
IA & ERM Risk Assessment
September 21, 2016
Agenda
Transitioning to Risk Based Auditing
Internal Audit Risk Assessment
Internal Audit’s Role in Enterprise Risk Management
COSO ERM Framework
Transitioning to Enterprise Risk Management
Transitioning to Risk Based Auditing
Traditional Internal Auditor
Position established in response to regulatory oversight
“Available” employee
Internal training
Operationally focused
NOT ANYMORE!
Traditional Internal Audit vs. Risk-Based Internal Audit
Traditional
•“Canned” audit programs
•Detail (picky) testing
•Operational auditing
•Boring, easy work
•Only point out problems
Risk Based
•Tailored audit programs customized to the institution
•High-level, risk-based testing
•Business risk auditing
•Partner with institution management
•“Best Practices”, efficiency, value added services
Traditional Internal Audit vs. Risk-Based Internal Audit (continued)
Traditional
•Reactive
•After the fact
•Discontinuous
•Observers of strategic planning initiatives
Risk Based
•Coactive
•Real-time
•Continuous monitoring
•Participants in strategic planning
Traditional vs. Risk Based Internal Audit Paradigms
Traditional
•Important controls
•Emphasis on completeness of detail control testing
•Recommendations on internal control
  •Strengthened
  •Cost Benefit
  •Efficient/Effective
•Addressing functional controls
•Independent appraisal function
Risk Based
•Important risks
•Emphasis on significance of broad business risks covered
•Recommendations on risk management
  •Avoid/diversify risk
  •Share/transfer risk
  •Control/accept risk
•Addressing process risks
•Integrated risk management and corporate governance
Seven Step Process to Risk Based Auditing
Step One: Understanding Your Credit Union
Strategic analysis (strategic plans, minutes, marketing materials, web site, etc.)
Financial analysis (financial statements, call reports, peer group comparisons, management reports, etc.)
Regulatory analysis (regulatory reports, recent developments, etc.)
Management and Supervisory Committee inquiry (prior issues, staff turnover, future plans, current concerns, legal issues, etc.)
Step Two: Preliminary Risk Assessment Process
From Step 1, work with management to assess risk in key areas
Factors considered for each area include:
- Business Profile
- Business Changes
- Business Management
- Specific Risks/Concerns
Considers the various types of risk inherent in financial institutions: Credit, Interest Rate, Market, Strategic, Operational, Reputational, Liquidity and Legal
Considers the perceived direction of each risk (increasing, stable, decreasing)
Step Three: Develop a Three-Year Internal Audit Plan
Follows a risk-based approach: “High” risk areas are audited annually, “Moderate” risk areas every two years, and “Low” risk areas every three years
Includes a three-year rotational audit schedule and a detailed audit schedule for the upcoming year
Satisfies regulatory requirements
Continually updated with management and Supervisory Committee input (i.e., a “living document”)
Step Four: Secondary Risk Assessment Process
Assesses risks within each key area or line of business to focus detail testing on the highest-risk activities within that area
Addresses risk control objectives and essential internal control points for each activity or process
Assesses risk in relation to how well the Credit Union’s policies and procedures meet the control objectives
Defines the internal audit program steps to be completed in relation to the assessed level of risk
Step Five: Execution of the Internal Audit Program
Linked directly to the risk assessments and tailored to specific Credit Union issues
Ensure that experienced internal auditors perform the more complex audits
Scope is adjusted continually based upon actual findings during fieldwork
As a best practice, conducted using automated work papers and audit tools
Step Six: Conduct Exit Meetings
Conducted at the end of fieldwork for each segment
Active participation and interaction with key management and department leaders
Review of coverage and findings
Timely reporting of issues and clarification of facts
Recommendations/best practices customized to your Credit Union’s unique situation
On-going performance improvement feedback
Step Seven: Reporting and Communication
Report structure
- Findings by level of priority: high, moderate and low
- Management responses: responsible party and due date
Follow-up process and reporting
- High priority findings from internal audits
- Significant regulatory findings
Continual communication with the Supervisory Committee and Management
- Scheduled meetings, including executive sessions
- Status reports, hot topics, etc.
Risk Based Approach
• All significant “lines of business” deserve some audit attention
• Riskier areas deserve more attention
  • More frequent review
  • More detailed audit procedures
  • More time and resources
  • Specialty resources
Internal Audit Risk Assessment
Risk Assessment and Audit Plan Process
The Risk Assessment and Audit Plan includes the following sections:
I. Internal Audit Approach
II. Risk Assessment Matrix
III. Business Process Risk Assessments
IV. Internal Audit Coverage Matrix
V. Internal Audit Plan
VI. Qualifications of Internal Audit Department
Internal Audit Approach
•The Internal Audit Approach includes Establishing Scope, Planning, and Fieldwork & Reporting.
•The Risk Assessment Process includes the following risk categories:
  Financial Risk
    Credit Risk
    Market Risk
    Interest Rate Risk
    Liquidity Risk
  Business Risk
    Strategic Risk
    Reputational Risk
    Legal/Compliance Risk
  Operational Risk
•Each business area is then rated for Aggregate Inherent Risk, Internal Controls Assessment, Residual Risk and Risk Direction.
Risk Assessment Matrix
Columns: Business Area | Financial Risk | Business Risk | Operational Risk | Aggregate Risk | Internal Controls | Residual Risk | Risk Direction
LENDING
  Mortgage Loans
  Consumer Loans
  Indirect Loans
MEMBER BUSINESS SERVICES
  Member Business Lending
  Member Business Deposits (Commercial)
Business Process Risk Assessments
Lending Business Area
Columns: Financial Risk | Business Risk | Operational Risk | Aggregate Risk | Internal Controls | Residual Risk | Risk Direction
  Mortgage Loans
  Consumer Loans
  Indirect Loans
Overview of Business Area: Lending authority is granted and established by the Credit Union’s Board of Directors through its approved Loan Policy. XX…….
Internal Audit Coverage Matrix
Columns: Business Area | Residual Risk from Risk Assessment Matrix | Audit Frequency (1, 2, or 3 year rotation) | Audited in the years ending December 31, 2016 / 2017 / 2018
Lending
  Mortgage Loans | frequency 1 | X X X
  Consumer Loans | frequency 2 | X X
  Indirect Loans | frequency 2 | X
Member Business Services
  Member Business Lending | frequency 2 | X
  Member Business Deposits (Commercial) | frequency 2 | X
Internal Audit Plan
Business Area / Audit Dates
LENDING
  Mortgage Loans: July 18, 2016
  Consumer Loans: May 9, 2016
MARKETING
  Marketing: February 3, 2016
ACCOUNTING & FINANCIAL REPORTING
  Wire Transfer: October 10, 2016
  Financial and Regulatory Reporting: June 30, 2016
  General Accounting: October 10, 2016
Qualifications of Internal Audit Department
Mike Thomas, Director of Audit
Professional Experience: Over thirty years of broad-based experience, specializing in the financial services industry, including over ten years with the Credit Union. Prior to joining the Credit Union, Mike was a Partner with Crowe Horwath and served as Vice President & Audit Group Manager for SunTrust Banks, Inc.
Areas of Expertise: Consumer Lending/Leasing; Commercial Lending/Leasing; Loan Operations; Retail Branch Operations; Electronic Funds Transfer; Risk Management; Financial Reporting; Due Diligence/Acquisitions; Deposit Operations; Trust; Fraud Prevention/Detection
Internal Audit’s Role in Enterprise Risk Management
Internal Audit’s Role in ERM
IIA Statement of Position: The Role of Internal Audit in Enterprise-wide Risk Management
COSO ERM Framework
Focus of Discussion (the eight COSO ERM components)
Monitoring
Information and Communication
Control Activities
Risk Response
Risk Assessment
Event Identification
Objective Setting
Internal Environment
Internal Environment
•How does the company’s culture affect its approach to managing the business?
  •Integrity and ethical values
  •Commitment to competence
  •Organizational structure
  •Authority and responsibility
  •Human resource standards
•What are the board’s and/or management’s risk-taking philosophy and risk appetite?
Objective Setting
•What are the key business objectives for the company/division/business unit/subsidiary?
•How do the division/business unit/subsidiary objectives align with the company objectives?
•What is the risk appetite relative to these objectives?
•What is the range of acceptable variability (i.e., risk tolerance) relative to these objectives?
Key Definitions
•Risk Management Philosophy - “… set of shared beliefs and attitudes characterizing how the organization considers risk in everything it does, from strategy development and implementation to its day-to-day activities.”
•Risk Appetite - “… the amount of risk, on a broad level, an organization is willing to accept in pursuit of value … a guidepost in strategy setting.”
•Risk Tolerance - “… acceptable levels of variation relative to the achievement of objectives … aligns with risk appetite.”
Event Identification
•What types of events may prevent us from achieving our objectives (think risk scenarios)?
•What else can go wrong?
•Are there similarities and/or interdependencies between these events?
•How should we summarize and define these events (i.e., create a risk universe)?
Risk Assessment
• What are the various outcomes/range of possible risk impacts?
• What is the likelihood of each impact occurring?
• What’s our tolerance relative to that risk occurrence?
• What are the interrelationships between the various risks?
• How will we be able to measure the various risk occurrences?
Key Definitions
•Inherent Risk - “… risk to an organization in the absence of any actions management might take to alter either the risk’s likelihood or impact.”
  •Risk assessment is applied first to inherent risks.
•Residual Risk - “… risk that remains after management’s response to the risk.”
  •Once risk responses have been developed, management then considers residual risk.
•Tolerable Risk - Acceptable variability around expected business risk outcomes (i.e., how much residual risk a company can live with).
Risk Response
• How can we best deal with the key risks?
  • Avoid
  • Reduce
  • Share
  • Accept
• Are there ways to aggregate risk responses (i.e., deal with them on a portfolio basis)?
• Are there ways to exploit certain risks to create a competitive advantage (i.e., risk opportunities)?
Control Activities
• How are we going to execute the various risk strategies/risk responses?
• Do we have the capabilities to execute those strategies/risk responses consistently?
  • People
  • Processes
  • Technology
• Are those capabilities mature enough to achieve our business objectives?
Information and Communication
• How do we identify risk occurrences in a timely manner?
• Have we established appropriate risk indicators so we can anticipate risk occurrences?
• How do we ensure risk owners get the necessary information (internal and external) to manage their risks effectively?
• How is risk information communicated up and down the organization (including the board)?
Monitoring
•How do we ensure that our ERM program is operating effectively?
•How do we continuously improve our ERM program?
•What is the ongoing role of internal audit in ERM?
•How do we ensure that ERM becomes the mindset of every employee?
Summary
•The COSO ERM Framework encompasses much more than the Internal Control Framework.
•To understand the bigger, broader COSO ERM Framework, one only needs to ask a few simple questions about each of the components.
•However, the journey to fully implementing ERM is a long one; be prepared.
Transitioning to Enterprise Risk Management
A Practical Approach
•ERM is a worthy goal for all businesses, regardless of size
•Risk-management activities need to be tied to strategy and ultimately built into everyday business processes
•The following five-step project plan enables organizations to identify and coordinate activities they already have begun, identify risks that are not adequately managed, and close gaps and move forward:
  Organizing your team
  Establishing a framework
  Assessing risks
  Inventorying current risk-response activities
  Closing the gaps
A Practical Approach (continued)
Leveraging existing knowledge and programs will go a long way to help reduce the effort in getting started.
• Who
  • Internal Audit
  • The Compliance Officer
  • IT Security and Privacy or the Insurance Group
  • Chief Risk Officer
  • Safety
• What
  • Internal Audit Risk Assessment
  • Anti-Fraud Risk Assessment
  • Enterprise-Wide Compliance Risk Assessment
  • Insurance Risk Assessment
  • GLBA/IT Risk Assessment
Step 1: Organize the Effort
Assemble:
•Steering Committee
•Project Team
•Project Charter
Step 2: Establish a Framework Around Risk
An ERM framework provides the context to develop specific ERM processes. For example, the framework may contain these five components:
• Analyze risks
• Develop risk strategies
• Implement risk strategies
• Audit risk strategies
• Communicate results
[Figure: ERM cycle diagram with the elements Analyze, Develop Strategy, Implement, Audit and Communication around a central ERM element]
Risk Assessment Process (SM)
The “Analyze” Element of ERM
During the “Analyze” phase of ERM, risks are identified, sourced to a process or area (where the risks reside) and measured (based on impact and likelihood of risk).
Analyze Risks: 1. Identify; 2. Source; 3. Measure
[Figure: the ERM cycle (Analyze, Develop Strategy, Implement, Audit, Communication) with the Analyze phase expanded into the steps: Discussions with Management; Customize Risk Assessment Approach; Perform Risk Assessment; Communicate & Provide Materials to Participants; Analyze Results; Develop Output]
Step 3: Risk Assessment – The Top 10 – 15 Risks
•Identify key risks
•Identify where they reside
•Significance
•Where to draw the line
Likelihood Risk Ranking Table
Level | Descriptor | Likelihood of Occurrence
1 | Rare | Very Low
2 | Unlikely | Low
3 | Possible | Moderate
4 | Likely | High
5 | Almost Certain | Very High
Impact Risk Ranking Table
Level | Descriptor | Impact of Occurrence
1 | Insignificant | Minimal loss of revenue; no regulatory or reporting impact
2 | Minor | 1-2 reportable incidents which may impact processing requirements
3 | Moderate | Several incidents which may impact processing or reporting requirements
4 | Major | Major reportable events to shareholders or regulators
5 | Catastrophic | Multiple major reportable events to shareholders or regulators
Impact + Likelihood = Aggregate Risk
Rows are Impact (level 5 at the top), columns are Likelihood (level 1 at the left). Each cell holds the aggregate score; note that on this grid the score is impact level + likelihood level - 1, so scores run from 1 to 9 rather than 2 to 10.
Impact \ Likelihood | 1. Rare | 2. Unlikely | 3. Possible | 4. Likely | 5. Almost Certain
5. Catastrophic | 5 | 6 | 7 | 8 | 9
4. Major | 4 | 5 | 6 | 7 | 8
3. Moderate | 3 | 4 | 5 | 6 | 7
2. Minor | 2 | 3 | 4 | 5 | 6
1. Insignificant | 1 | 2 | 3 | 4 | 5
Colour legend (share of the 25 cells): 3 Green = 12% and 3 Gold = 12% (24% together); 9 Yellow = 36% and 4 Purple = 16% (52% together); 6 Red = 24%.
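The following Python is an added worked example, not code from the Crowe deck. It reproduces the 5x5 grid above, checks that the legend's cell counts (3 Green, 3 Gold, 9 Yellow, 4 Purple, 6 Red) follow from the scoring rule, and ranks a constructed list of risks onto the grid. The colour bands are an assumption: the slide only gives cell counts per colour, and the contiguous score bands 1-2, 3, 4-5, 6 and 7-9 are the only ones that yield those counts on this grid. The risk names are taken from the risk-inventory worksheet later in the deck; their impact and likelihood levels are illustrative.

```python
"""Worked example: scoring and banding a 5x5 Impact x Likelihood heat map."""
from collections import Counter
from itertools import product

# Descriptors from the likelihood and impact ranking tables (levels 1..5).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Assumed colour bands (name, lowest score, highest score). The slide's legend
# gives only cell counts (3 Green, 3 Gold, 9 Yellow, 4 Purple, 6 Red); these
# are the only contiguous score bands that produce those counts on this grid.
BANDS = (
    ("Green", 1, 2),
    ("Gold", 3, 3),
    ("Yellow", 4, 5),
    ("Purple", 6, 6),
    ("Red", 7, 9),
)
GRID_CELLS = 25


def aggregate_score(impact: int, likelihood: int) -> int:
    """Cell value as printed on the slide: impact + likelihood - 1 (range 1..9)."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must be integer levels 1..5")
    return impact + likelihood - 1


def band(score: int) -> str:
    """Map an aggregate score to its colour band."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the grid")


def band_distribution() -> dict:
    """Cells per band and their share of the 25-cell grid, as in the legend."""
    counts = Counter(
        band(aggregate_score(i, l)) for i, l in product(range(1, 6), repeat=2)
    )
    return {name: (counts[name], 100 * counts[name] // GRID_CELLS) for name, _, _ in BANDS}


def render_grid() -> str:
    """Plain-text grid, catastrophic row at the top, rare column at the left."""
    header = "Impact \\ Likelihood | " + " | ".join(f"{l}. {LIKELIHOOD[l]}" for l in range(1, 6))
    rows = [header]
    for i in range(5, 0, -1):
        cells = " | ".join(str(aggregate_score(i, l)) for l in range(1, 6))
        rows.append(f"{i}. {IMPACT[i]} | {cells}")
    return "\n".join(rows)


def rank_risks(risks):
    """Return (name, score, band) for each (name, impact, likelihood), highest first.

    Ties are broken by impact, so a high-impact/rare event outranks a
    low-impact/frequent one with the same score. That tie-break is a design
    choice of this example; the slide does not specify one.
    """
    scored = [(name, aggregate_score(i, l), band(aggregate_score(i, l)), i) for name, i, l in risks]
    scored.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return [(name, score, colour) for name, score, colour, _ in scored]


# Constructed sample: KRI names from the risk-inventory worksheet in this deck;
# the impact/likelihood levels are illustrative assumptions, not the deck's.
SAMPLE_RISKS = [
    ("Info tech security breach", 4, 3),
    ("Systemic mortgage fraud", 5, 2),
    ("HMDA data error reports", 2, 4),
    ("Turnover rate", 3, 3),
    ("Downturn of economic conditions", 4, 4),
]

if __name__ == "__main__":
    print(render_grid())
    for name, (count, pct) in band_distribution().items():
        print(f"{count} {name} = {pct}%")
    for name, score, colour in rank_risks(SAMPLE_RISKS):
        print(f"{score} {colour:6} {name}")
```

Running the module prints the grid, the legend counts (3 Green = 12%, 3 Gold = 12%, 9 Yellow = 36%, 4 Purple = 16%, 6 Red = 24%) and the sample risks ordered from Red down to Yellow. A practical check this enables: if your organisation redraws the bands (for example, treating every score of 7 or more as requiring an annual audit under the Step Three rotation), `band_distribution()` shows what fraction of the grid that decision moves into the top tier.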
Risk Profiles Result from Risk Assessment
A risk profile summarizes key risks and allows organizations to focus risk management efforts.
Managing these risks will reduce the likelihood and significance over time, thus improving the organization's overall risk profile.
What is Your Organization's Risk Profile? Which risks belong in the top-right quadrant?
[Figure: risk profile plot with Likelihood on the horizontal axis (Low to High) and Impact on the vertical axis (Low to High), an arrow labelled “Reduce Likelihood”, and a numbered list of risks (1. ___, 2. ___, 3. ___, 4. ___, 5. ___, etc.) to be plotted]
Step 4: Inventory Current Risk-Response Activities
•How do you think about risk?
•When someone says "risk," what do you think?
•Which risks are you responsible for responding to?
•How do you coordinate your risk mitigation or compliance activities with others in the organization?
Step 5: Identify Gaps and Prioritize
•Recommendations
•Guiding the organization to improve ongoing risk management processes
•Decisions on how to best manage risks and where they should be managed
Crowe Horwath’s ERM Risk Model for Financial Institutions
[Figure: risk model diagram with the outer groupings External, Operational and Legal and the risk categories listed below]
Strategic
• Corporate Governance
• Leadership
• Alignment
• Planning
• Communication
Market
• Valuation (on and off balance sheet)
• Foreign Exchange
Interest Rate Risk
• Re-Pricing
• Yield Curve
• Basis
• Options
Reputation
• Fraud
• Ethics
• Privacy
Credit
• Domestic
• Foreign
Liquidity
Legal
• Compliance
• Litigation
• Contractual/Obligations
• Fiduciary
Operational
• Accounting
• Technology
• Customer Loyalty/Retention
• Performance Measurement
• Budgeting and Planning
• Financial Reporting
• Product Development and Pricing
• Human Resources
• Third-Party Relationships
• Business Interruption
• Policy/Procedure Compliance
External
• Regulatory/Legal
• Investor Relations
• Competitor
• Financial Markets
• Catastrophic Loss
• Sovereign/Political
Transformation to Enterprise Risk Management
A Collaborative Effort to Take Risk Management to the Next Level
[Figure: seven-phase roadmap (phases 1-7): Preparation; Building ERM Framework; Pilot; Transform Existing Resources; Continuous Change Management; Risk Assessment and Planning; Execution. The existing internal audit activities (Risk Assessment and Internal Audit Plan; Internal Audit Plan Execution) are shown alongside the corresponding ERM phases.]
Transformation to Enterprise Risk Management (continued): Preparation
• Educate and get buy-in
• Review existing RM processes
• Understand stakeholders' expectations
• Understand the uniqueness of your business
Transformation to Enterprise Risk Management (continued): Building ERM Framework
• Establish formal risk management process
  • Based on COSO Framework
  • Built on key risk categories customized to meet the needs of the organization
  • Based on an understanding of business and stakeholders' needs
• Develop a common risk language
• Define end state for stronger risk management processes corporate-wide
• Identify gaps
• Develop strategies for closing gaps
Transformation to Enterprise Risk Management (continued): Transform Existing Resources
• Perform training on ERM methodology
• Assess resource/expertise needs
• Perform training on manual/electronic tools
• Team building activities
Transformation to Enterprise Risk Management (continued): Pilot
• Roll out to one line of business
• Get direct assistance and coaching from ERM champion
• Assess results
• Make needed modifications
Transformation to Enterprise Risk Management (continued): Risk Assessment and Planning
• Conduct risk assessment
  • Interviews
  • Surveys
  • Facilitated sessions
• Assessment will be used for ERM and to develop the risk management plan
• Evaluate results
Transformation to Enterprise Risk Management (continued): Continuous Change Management
• Obtain feedback on pilot and risk assessment from risk owners and management
• Adjust approach as needed
• Reassess training needs
• Adjust ERM frameworks and approaches as needed
• Establish ongoing evaluation process
Transformation to Enterprise Risk Management (continued): Execution
• Structured approach incorporates the following elements:
  • Link to strategy
  • Portfolio view of risks
  • Continual monitoring and assessment
  • Risk mitigation consistent with organizational risk appetite
  • High level of organizational buy-in
Characteristics of an Effective ERM Process
• Infrastructure to support ERM process, including:
  • Policy
  • Common risk language (customized risk model)
  • Defined roles and responsibilities
  • Tools to facilitate monitoring, updating, and reporting
• Framework to organize ERM activities
• Linkage to other management activities, e.g., strategic planning
ERM: Keys to Success
•Clearly articulated risk management goals that provide a foundation for ERM and for related training and communication
•Common risk language to enable individuals throughout the organization to conduct meaningful cross-functional discussions about risk
•Individuals clearly understand their roles in the assessment and risk management framework
ERM - Risk Owners
Business Process | Senior Executive
1 Accounting | XXXX
2 Funds Management (includes ALM, Cash Mgt., Securities, Borrowings & Repurchase Agreements) | XXXX
3 Bank Secrecy Act | XXXX
4 Branch Operations | XXXX
5 Lending (Credit Administration and Loan Operations) | XXXX
6 Special Assets/ALLL/Collections/Recovery | XXXX
7 Deposit Operations (includes Automated Clearing House, Remote Deposit Capture and Wire Transfer) | XXXX
8 Entity Level/Corporate Governance | XXXX
9 Human Resources and Payroll | XXXX
10 Information Technology | XXXX
11 Regulatory Compliance | XXXX
Risk Inventory
XYX Bank
Risk Assessment Summary (Working Draft)
Date:
Line of Business:
Risk Owner:
Objectives - Document three to five key operational, reporting and/or compliance objectives of the line of business. (1)*
O1.
O2.
O3.
O4.
O5.
Document the 1-3 most significant risks/risk events that could impact the line of business' ability to achieve each stated objective (2)*
Columns of the risk table (footnote numbers refer to the worksheet instructions; (1)-(12) are on the following slides, (13)-(19) below):
Inherent Risk Assessment: Objective # (3)* | Risk/Event Description (4)* | Risk Category (5) | Likelihood (6) | Impact (7) | Aggregate (8)
Risk Response (9) | Effectiveness of Risk Response (10)
Residual Risk Assessment: Residual Risk (11) | Direction (12) | SOX 404 (13) | Auditable (14) | Refer to Audit (15)
Sample ratings from the worksheet (Likelihood | Impact | Aggregate | Effectiveness of Risk Response | Residual Risk | Direction):
Moderate | High | High | Effective | M | S
Low | High | Moderate | Effective | L | S
Moderate | Moderate | Moderate | Effective | M | I
Low | High | Moderate | Effective | L | S
Moderate | High | High | Effective | M | I
Moderate | High | Moderate | Effective | M | S
Low | High | Moderate | Effective | L | I
Low | High | Moderate | Effective | L | S
Moderate | High | High | Effective | M | I
Overall Risk Assessment (16):
Risk Category | Credit | Market | Liquidity | Operational | Legal | Reputational
Inherent risk | M | M | H | H | M | M
Residual risk | M | L | M/H | M | L | M
Direction of Risk | I | I | S | I | S | I
Overall Risk Assessment Rationale (17):
Discuss Mechanisms to Monitor Key Risk and Risk Responses (18):
KRIs (grouped in the worksheet under Credit, Market, Liquidity, Operational, Legal and Reputational):
Int rate risk -
Turnover rate -
Compensation -
Building internal employee relations -
Competition in market -
Bank relationships -
Systemic mortgage fraud -
Downturn of economic conditions -
Info tech security breach -
HMDA data error reports -
Monitoring mechanisms recorded against these KRIs:
- Industry periodicals. External and internal QC loan review reports.
- Industry and economic data provided by the MBA and various economists.
- Government statistics and daily volume and production against the plan, and information provided from the market.
- No reports or KRIs. Intuitive.
- A formal salary survey was performed 2 years ago. Accordingly, management made compensation adjustments 2 years ago. Employees freely discuss market compensation with management.
- Management conducts an open forum meeting with staff to solicit feedback.
- Pricing survey periodically. Compare rates with the competition. Also, call competitors. Brokers will also tell the mortgage company about pricing and service. Daily, the secondary market determines wholesale pricing.
- Analyze referrals from the Bank. Have meetings with Bank personnel and sales people.
- An invalid login attempt report is reviewed monthly. Also, system diagnostic software creates exception reports that are reviewed daily.
- The Mortgage Company creates a file for HMDA reporting. Any exceptions identified by the software are researched and corrected. Also, management reviews external and internal QC loan review reports and internal audit reports.
Discuss Information Considered (19):
From the most recent regulatory examination report, the OCC has not reported any issues regarding the mortgage company.
Internal documents and reports: Management subscribes to the Mortgage Bankers Association and receives weekly survey and forecast information, etc.
* - Indicates this is a required field. Other fields may be completed if possible.
Worksheet instructions (13)-(19):
(5) In this worksheet the risk categories are those defined by the Federal Reserve: Credit, Market, Liquidity, Operational, Legal, and Reputational.
(13) Document whether the specific risk is subject to testing as part of the SOX 404 process.
(14) Document whether the risk response is auditable.
(15) If the risk response is auditable, assess whether it should be referred to IA for inclusion as part of the annual audit process.
(16) For all risk areas identified by the Federal Reserve, assess the overall inherent risk, residual risk and direction of risk facing the line of business.
(17) Document the rationale for each assessment, including a discussion of the significant risk factors contributing to the assessment.
(18) For each one of the significant risks identified above, document the mechanisms used by management to monitor the risk on a periodic and ongoing basis. Also document any other mechanisms used to monitor risk.
(19) Document any significant internal or external data reviewed as part of the risk assessment process.
Risk Inventory (cont.)
(1) Document three to five key operational, reporting and/or compliance objectives of the line of business.
(2) Document the 1-3 most significant risks/risk events that could impact the line of business' ability to achieve each stated objective.
(3) Document the specific objective or objectives to which the individual risk relates.
(4) Describe the nature of the risk or event that may impact the achievement of the objective(s).
(5) Document the specific category(s) of risk using the defined risk categories.
(6) Assess the likelihood that the risk/event will occur.
(7) Assess the impact on the organization/line of business should the risk/event occur using the scale on the attached schedule.
(8) Giving consideration to both likelihood and impact, assess the aggregate inherent risk using the scale on the attached schedule. Inherent risk is defined as the risk to an organization in the absence of any actions management might take to alter the risk’s likelihood or impact.
(9) Describe the risk response(s) taken to address the identified risk/event. Risk responses may be controls in place or other actions taken to avoid, share or reduce the risk.
(10) Assess the effectiveness of the risk response in reducing the risk to a level that is within the organization's risk tolerance.
(11) Assess the residual risk. Residual risk is defined as the remaining risk after management has taken action to alter the risk’s likelihood or impact.
(12) Assess the direction of risk as either (I)ncreasing, (S)table or (D)ecreasing.
Questions?
Crowe Horwath LLP, Member Crowe Horwath International
E. Michael Thomas, CPA, CIA, CBA, CFE, CRP, CFF, CRMA
3399 Peachtree Rd NE, Suite 700
Atlanta, GA 30326-2832
404-442-1607 (Atlanta Office)
404-442-1616 (Atlanta Fax)
404-550-3492 (cell)