National Supervisors Forum

WE LOOK AT THINGS DIFFERENTLY

Conducting an Operational Risk Audit

Kevin Loughnane, ILCU Training Department

National Supervisors Forum, Westport, Co. Mayo, 5th November 2011



Purpose of Presentation

To provide supervisors with practical knowledge to assist in conducting an operational risk audit in their credit union.


Overview

Topic Introduction

Concept of internal control & operational risk

Step 1: Identifying risks

Step 2: Analysing risks

Step 3: Determining residual risk

Step 4: Reporting findings to the board

Closing comments


Categories of Financial Risk

Operational

Liquidity

Market

Credit

Reputational


Risk Management

ISO, Defined Risk Management Process

Role of Internal Audit (Supervisors)

1. Identify the risks

2. Analyse Risks

3. Create response to risk

4. Monitor & Review


What are Internal Controls?

• Any deliberate measure or plan put in place by the credit union to minimise and/or manage risk

• Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.


Discussion

Credit Union Operational Structures | Example of an Internal Control?

1. The loan application form

2. A fire evacuation procedure

3. An employee’s contract of employment

4. Holding a data protection training session for the board

5. Having in place a cash handling procedure for all staff

6. The auditor verifying the annual accounts of the credit union

7. Directors being obliged to declare a conflict of interest

8. Virus protection software

9. A smoke alarm in the kitchen of the credit union


Discussion

Credit Union Operational Structures | Example of an Internal Control?

1. The loan application form | Yes

2. A fire evacuation procedure | Yes

3. An employee’s contract of employment | Yes

4. Holding a data protection training session for the board | Yes

5. Having in place a cash handling procedure for all staff | Yes

6. The auditor verifying the annual accounts of the credit union | Yes

7. Directors being obliged to declare a conflict of interest | Yes

8. Virus protection software | Yes

9. A smoke alarm in the kitchen of the credit union | Yes


Why Conduct an Audit?

Rule: A credit union must establish, maintain and implement a fully documented system of control.

Guidance:

(i) It should be comprehensive

(ii) …the system should be cross referred so that the system can be viewed as a whole.

(iii) It should identify risks, and the controls established to manage those risks.

(v) It should state how the operation of the control is evidenced.

Extract from Section 4.3 of “CRED”, FSA guidelines for UK credit unions


Benefit of Conducting an Audit

Micro Macro


Conducting an Audit of Operational Risk

• Step 1: Identify operational risk

• Step 2: Analyse risks

• Step 3: Determine “residual risk”

• Step 4: Report findings to board


Step 1: Identifying Risks

• Must identify operational risks which could impact upon the credit union

• Use the six categories of operational risk as a guide

• No need to analyse at this stage

• Wording of each risk is important


Categories of Operational Risk

1. Internal and external fraud - (embezzlement)

2. Employment practices and workplace safety - (sued by employee for breach of contract)

3. Damage to physical assets - (office damaged due to fire)

4. IT systems and software failures - (loss of records due to database corruption)

5. Business practices & service delivery - (misinforming members on insurance products)

6. Organisational processes - (incomplete documentation relating to a member’s loan resulting in invalid loan contract)


Example: Identifying Risks

1. Internal and External Fraud

An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.

An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.

An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.

An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.

A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss.


Step 2: Analysing Risks

• This step will highlight the risks which pose the biggest risk to the credit union.

• The impact of each risk is scored from 1 to 5

• The prevalence (likelihood of occurrence) is scored from 1 to 4.

• Both scores are multiplied for each risk to get the risk ranking score.

• Some lower scoring risks may be excluded from the audit at this point.


Risk | Prevalence | Impact | Risk Ranking

1. Internal and External Fraud

1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.

1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.

1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.

1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.

1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss.


Risk | Prevalence | Impact | Risk Ranking

1. Internal and External Fraud

1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members. | 2 | 2 | 4

1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union. | 3 | 4 | 12

1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union. | 2 | 2 | 4

1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account. | 2 | 4 | 8

1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss. | 4 | 3 | 12


Risk Ranking – Fraud

Risk | Score

1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union. | 12

1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss. | 12

1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account. | 8

1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members. | 4

1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union. | 4


Step 3: Determining Residual Risk

• This step will determine the threat posed by a risk once internal controls have been considered.

• Must identify all internal controls which correspond to each risk.

• Determine how effective these internal controls are – very poor to excellent.

• Risk ranking score is multiplied by the controls’ effectiveness to determine the residual risk.


Mapping Internal Controls

Paperwork

Practices

People

Policy / Plan


1. Internal & external fraud

Risk code: 1.2

Risk ranking score: 12

Corresponding internal controls: Section in lending policy dealing with loans to friends / family members. Last year 3 staff members attended training on loan assessment. Loan approval procedure which requires one officer to sign off application and issue loan.

Findings of supervisory committee: No specific section of lending policy dealing with connected loans. Lending policy not updated since 2009. No monitoring of approved loans for connected loans / connected individuals. Loan approval procedure only requires one signature of manager or treasurer for loans up to €30,000.

Effectiveness of internal controls: Weak (0.8)

Residual risk: 9.6
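The scoring in Steps 2 and 3 as a small risk register, added here as an example that is not part of the original slides. The `Risk` class, the function names, the cut-off of 8 and the (0, 1] bound on the multiplier are assumptions; the scores and the Weak = 0.8 multiplier come from the fraud worksheet.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    code: str
    prevalence: int          # likelihood of occurrence, scored 1 to 4
    impact: int              # scored 1 to 5
    # Control-effectiveness multiplier set by the committee in Step 3;
    # None means the controls for this risk have not been assessed yet.
    multiplier: Optional[float] = None

    def __post_init__(self):
        if self.prevalence not in range(1, 5):
            raise ValueError(f"{self.code}: prevalence must be 1 to 4")
        if self.impact not in range(1, 6):
            raise ValueError(f"{self.code}: impact must be 1 to 5")
        # Assumption: multipliers lie in (0, 1]; the slides give only Weak = 0.8.
        if self.multiplier is not None and not 0 < self.multiplier <= 1:
            raise ValueError(f"{self.code}: multiplier must be in (0, 1]")

    @property
    def ranking(self) -> int:
        return self.prevalence * self.impact

    @property
    def residual(self) -> Optional[float]:
        if self.multiplier is None:
            return None
        return round(self.ranking * self.multiplier, 2)


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest risk ranking first; equal scores stay in risk-code order."""
    return sorted(risks, key=lambda r: (-r.ranking, r.code))


def audit_scope(risks: List[Risk], min_ranking: int) -> List[Risk]:
    """Step 2 exclusion: keep only risks scoring at least min_ranking."""
    return [r for r in rank(risks) if r.ranking >= min_ranking]


def unassessed(risks: List[Risk]) -> List[str]:
    """Codes of risks whose controls still need a Step 3 assessment."""
    return [r.code for r in risks if r.residual is None]


# Scores copied from the fraud worksheet above; only 1.2 has a Step 3 result.
FRAUD_RISKS = [
    Risk("1.1", 2, 2), Risk("1.2", 3, 4, multiplier=0.8), Risk("1.3", 2, 2),
    Risk("1.4", 2, 4), Risk("1.5", 4, 3),
]

if __name__ == "__main__":
    scope = audit_scope(FRAUD_RISKS, min_ranking=8)  # threshold is hypothetical
    for r in scope:
        print(r.code, r.ranking, r.residual)
    print("still to assess:", unassessed(scope))
```

Risks in scope that still show no residual value are the ones whose controls the committee has yet to map and rate.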


Step 4: Reporting findings to the board

• Crucial that findings are clearly communicated to the board.

• Committee should include risk analysis, evaluation of internal controls and residual risk.

• Not the responsibility of the committee to make the changes – responsibility of the board.

• Encourage the board / risk management committee to maintain the documented system of control.


Summary of Key Points

• Must have understanding of prevailing risks before internal controls can be assessed

• An operational risk audit is a key tool for the credit union

• Use checklists to identify gaps and weaknesses against prevailing risks

• An evidence-based written report to the board should be compiled

• Encourage CU to maintain a documented system of control


Part II: Developments in the Regulatory Supervision and Auditing of Credit Unions


Evidence of movement towards a risk-based approach in credit unions

“Our risk-based supervision model will mean that our level of engagement will vary depending on the size and impact of each credit union…. The biggest credit unions can expect more engagement from us as a result. Our risk-based approach also means that you can “earn” a less intense level of supervisory engagement by having a well governed and well run credit union that scores low in terms of risk.”

Matthew Elderfield, Financial Regulator Extract from Speech at ILCU AGM 2010.


Evidence of movement towards a risk-based approach in credit unions

“The Monitoring Department scores credit unions on various risk areas (e.g. PEARLS ratios, financials) and these scores are used as part of a risk-based approach to monitoring credit unions, and assigning Monitoring resources (e.g. scheduling of visits by Field Officers and Business Unit Managers).”

Dave Hewson, ILCU Monitoring Department


Role of Supervisory Committee in Monitoring Internal Controls

Principle 5: (Credit Unions) should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

Sound Practices for the Management and Supervision of Operational Risk, 2003, BIS