Three Key Risk Assessments: ERM, IT, and Internal Controls ICBA – Community Banker University® December 4, 2018 Marci Malzahn President & Founder


Three Key Risk Assessments: ERM, IT, and Internal Controls

ICBA – Community Banker University®

December 4, 2018

Marci Malzahn

President & Founder

Marci Malzahn – Malzahn Strategic

• Professional Highlights:

• 23 years in banking: from teller to EVP/CFO/COO and CRO

• Started a bank in 2005 – Bank grew to $325MM in 10 years, now $750MM

• 5 years in nonprofit:

• CFO overseeing Finance, IT and HR

• Managed a $32MM budget, 28 employees

• 4 years with Malzahn Strategic consulting

• Professional Awards:

• 25 On The Rise – Hispanic Chamber of Commerce

• Forty Under 40 – Minneapolis/St. Paul Business Journal

• Top Women in Finance – Finance and Commerce Newspaper

• Outstanding Women in Banking – North Western Financial Review magazine

• Education:

• B.A. Business Management, Bethel University

• Graduate School of Banking, Madison, Wisconsin

Copyright 2018 Malzahn Strategic

Marci Malzahn – What I Do Now

Consulting and Coaching:

• Strategic Planning

• Enterprise Risk Management

• Talent Management

Speaking:

• Banking/Business

• Inspirational/Motivational

• Faith based

Writing:

• Devotions for Working Women – A Daily Inspiration to Live a Successful and Balanced Life

• The Fire Within – Connect Your Gifts with Your Calling

• The Friendship Book – Because You Matter to Me


Webinar Overview Part I – ERM

• ERM Quick Overview of Key Definitions

• Three Key Phases of ERM and How Risk Assessments Fit In

• The Risk Assessment Process

• ERM Risk Assessment – Complete Example


Webinar Overview Part II – IT

• Information Technology Risk Assessment

• Definitions

• Areas Assessed

• Categories Included

• IT Risk Assessment – Complete Example


Webinar Overview Part III – Internal Controls

• Internal Controls Risk Assessment

• Definitions

• Areas Assessed

• Categories Included

• Internal Controls Risk Assessment – Complete Example

Webinar Overview Part I – ERM

• ERM Quick Overview of Key Definitions

• Three Key Phases of ERM and How Risk Assessments Fit In

• The Risk Assessment Process

• ERM Risk Assessment – Complete Example


Quick Overview of ERM – Strategic Plan Components

Strategic Plan

• ERM

• Marketing

• Business Plan

• Financials

• Talent

• Capital

My Definition of ERM

“An enterprise-wide continuous process to protect all your organization’s assets while allowing you to fulfill your vision.”

Marci Malzahn


Three Ongoing Phases of ERM

• Identifying and Assessing Risk

• Mitigating or Eliminating Risk

• Monitoring and Reporting Risk

ERM Key Components

ERM

• IT Security Program

• Compliance Program

• Succession Plan

• Capital Plan

• Liquidity Contingency Plan

• Internal Audit

IT Security Program Key Components

IT Security Program

• DRP

• Cyber Security

• Vendor Mgmt.

• Security Controls

• Social Engineering

• BCP

The Risk Assessment Process

Risk assessments follow event identification and precede risk response.

1. Identify Risks First

2. Develop Assessment Criteria

3. Assess Risks

4. Assess Risk Interactions

5. Prioritize Risks

6. Respond to Risks

1. Identify Risks

• List ALL the potential risks of the organization

• Organize risks by category (strategic, operational, technology, etc.) and sub-category where appropriate

• Prioritize all risks so senior management and board’s attention is on the key risks

• The prioritization is accomplished by performing a risk assessment


2. Develop Assessment Criteria

• Develop a common set of assessment criteria (scale) to be used across all functional areas of the organization (simple yet comprehensive).

• Scales should help in ranking and in prioritizing risks (i.e., 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme).

• Risks as well as opportunities are usually assessed in terms of impact (how it will affect the entire enterprise) or likelihood (i.e., 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Frequent).

• Ask the questions of vulnerability (how susceptible?) and speed of onset (how fast could the risk arise? 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High; How fast could you respond or recover?)


3. Assess Risks

• Consists of assigning values to each risk and opportunity using the defined criteria.

• The values should be the same in all areas across the organization.

• Use qualitative questions/criteria (descriptive assessment scales).

• Perform a quantitative analysis of the most important risks (using numerical values for impact and likelihood).


4. Assess Risk Interactions

• Risks in one area interact with other areas in the organization.

• Need to recognize how risks interact with each other – Reputation Risk

• Take the integrated approach and view all risks from the holistic perspective – thus Enterprise Risk Management.

• Group related risks into broad risk areas

• Use risk interaction maps


How Risks Interrelate – Reputational Risk

Reputational

Technology

Liquidity

Operational

Credit

Legal

Strategic


5. Prioritize Risks

• Determine which risks require immediate attention of senior management and board of directors.

• Prioritize by comparing the level of risk against agreed upon target risk levels and tolerance thresholds.

• Impact and likelihood or impact and vulnerability

• Develop the Board’s Risk Appetite and Tolerance Statement after risk assessments are done.

• There is a qualitative piece and a quantitative piece of the statement.


6. Respond to Risks

• After conducting the risk assessments, input how to respond to each risk

• Decide to either accept, reduce, share, avoid, or eliminate each risk

• Perform cost-benefit analysis (i.e., is the cost to prevent or reduce a certain risk higher than the risk itself?)

• Formulate a response strategy and develop plans


Enterprise Risk Management Risk Assessment Matrix

Types of Risks

ERM

• Technology

• Transaction/Operational

• Strategic

• Reputational

• Compliance/Regulatory

• Liquidity

• Interest Rate Risk

• Credit Administration

• Legal

• Human Resources

• Earnings/Profitability

• Capital

ERM Risk Assessment Matrix – Definitions

• Risks: Identify each type of risk

• Inherent Risk: Level of Risk of an activity with no controls in place (low, moderate, high)

• Consequences: If the risk occurs, identify damage (list)

• Risk Mitigating Factors: Activities that can control the risk and consequences of it happening

• Monitoring Tool(s): Tools used to monitor risks


ERM Risk Assessment Matrix – Definitions

• Plans for Improvement: If current mitigating factors are insufficient, describe plan to improve

• Status: Tracking mechanism to track progress on plans for improvement (person accountable for each action)

• Residual Risk: The risk that remains after controls are taken into account

• Trend of Risk: Increasing, stable, decreasing – provides a baseline for future assessments of this risk


ERM Risk Assessment Matrix – Sample Template

Columns (Risks): Technology, Operational/Transaction, Strategic, Reputation

Rows:

• Inherent Risk

• Consequences

• Risk Mitigators

• Monitoring Tool(s)

• Plans for Improvement

• Status

• Residual Risk

• Trend of Risk

• Priority Scale = 1-5

• Impact = 1-5

• Likelihood = 1-5

• Vulnerability = 1-5

• Speed of Onset = 1-5

ERM RA Matrix – Example #1 Operational

Title / Definition / Example

• Risks
  Definition: Identify each type of Risk or "Risk Categories"
  Example: Example Risk #1: Operational/Transaction

• Inherent Risk
  Definition: Risk of an activity with NO CONTROLS in place. Scale = Low, Moderate, High
  Example: Moderate/High

• Consequences
  Definition: If this risk occurs, identify damage with NO CONTROLS in place (list everything that could potentially go wrong)
  Example: *Risk to earnings (operational losses), capital, and reputation from problems with service or product delivery *Internal fraud *Reputation Risk *External Fraud *Lost opportunities due to lack of products or inability to service customers (Earnings risk) *Staff turnover *Business disruption due to systems failures *Low quality of due diligence

• Risk Mitigators
  Definition: List ALL the activities your bank does in order to control (or mitigate) this risk and its consequences from happening
  Example: *On-going education for staff *Policies and procedures *Internal and external audits *On-going maintenance of systems and equipment *Dual Control in place *Segregation of Duties *Bond Insurance *Annual core system DRP testing

• Monitoring Tool(s)
  Definition: List ALL the tools your bank uses and ALL the monitoring activities already in place in order to monitor this risk
  Example: *Internal and external audits (which include surprise cash audits) *Review daily reporting *Vendor communications *Review of policies and procedures *ATM Anti-Skimming devices

• Plans for Improvement
  Definition: List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your bank plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk
  Example: *Product enhancements *Policy & Procedure enhancements *Continue to improve efficiencies

• Status
  Definition: This is your tracking mechanism to track progress on Plans for Improvement. There should be a person accountable for each item.
  Example: Ongoing

• Residual Risk
  Definition: Risk of an activity that remains for the bank AFTER ALL controls and mitigating tools are in place. The risk that the Board is willing to "tolerate."
  Example: Moderate

• Trend of Risk
  Definition: Based on current market conditions. Provides a baseline for future assessments of this risk. Scale = Increasing, Stable or Decreasing
  Example: Stable to Increasing

• Priority Scale = 1-5
  Definition: What is the priority ranking of this particular risk in YOUR bank based on Criticality (can you run your bank without it?) AND Confidentiality (how sensitive is the data)? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 5

• Impact = 1-5
  Definition: HOW will this particular risk impact YOUR entire bank? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 5

ERM RA Matrix – Example #2 Credit

Title / Definition / Example

• Risks
  Definition: Identify each type of Risk or "Risk Categories"
  Example: Example Risk #2: Credit

• Inherent Risk
  Definition: Risk of an activity with NO CONTROLS in place. Scale = Low, Moderate, High
  Example: High

• Consequences
  Definition: If this risk occurs, identify damage with NO CONTROLS in place (list everything that could potentially go wrong)
  Example: *Loan Losses *Regulatory action *Personnel costs *Erosion of capital (Capital risk) *Lost Opportunities/Lost Income (Earnings risk) *Reputation risk *Relationship concentration *Loan type concentration (i.e. CRE) *Aggregate risk (i.e. risk from various types of credit at the same time) *Liquidity risk

• Risk Mitigators
  Definition: List ALL the activities your bank does in order to control (or mitigate) this risk and its consequences from happening
  Example: *Loan Policy *Underwriting standards *Staff knowledge and experience *Approval Process *Quality of client base *Ongoing monitoring *Detailed analysis, experienced workout person and file review *We know our customers well *Stress testing at both the loan level and by portfolio level *Sale of mortgage loans in secondary market (if applicable)

• Monitoring Tool(s)
  Definition: List ALL the tools your bank uses and ALL the monitoring activities already in place in order to monitor this risk
  Example: *Credit presentations *Rating system *Watch reports *Loan review *Examination *Daily past due reports *Ticklers report review *Monitor stress testing results *Loan document tracking system *Annual financial tracking of commercial customers *Pre-funding quality controls check

• Plans for Improvement
  Definition: List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your bank plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk
  Example: *Improve presentation on Watch Reports *Review after CR&M Audit *Continue staff training

• Status
  Definition: This is your tracking mechanism to track progress on Plans for Improvement. There should be a person accountable for each item.
  Example: Ongoing

• Residual Risk
  Definition: Risk of an activity that remains for the bank AFTER ALL controls and mitigating tools are in place. The risk that the Board is willing to "tolerate."
  Example: Moderate

• Trend of Risk
  Definition: Based on current market conditions. Provides a baseline for future assessments of this risk. Scale = Increasing, Stable or Decreasing
  Example: Stable

• Priority Scale = 1-5
  Definition: What is the priority ranking of this particular risk in YOUR bank based on Criticality (can you run your bank without it?) AND Confidentiality (how sensitive is the data)? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 5

• Impact = 1-5
  Definition: HOW will this particular risk impact YOUR entire bank? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 5

ERM RA Matrix – Example #3 Model

• Risk Mitigators
  Definition: List ALL the activities your bank does in order to control (or mitigate) this risk and its consequences from happening
  Example: *Receive validation reports from critical vendors who develop the Bank's key models (i.e. ALLL methodology model, A/L Model) *Bank creates internal testing models to validate vendor produced models *Bank creates various ways to validate internally developed models

• Monitoring Tool(s)
  Definition: List ALL the tools your bank uses and ALL the monitoring activities already in place in order to monitor this risk
  Example: *Board oversight of current models used by the Bank *New Initiatives Risk Assessment (to approve any new models used in the bank) *Incorporated into Vendor Management Program

• Plans for Improvement
  Definition: List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your bank plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk
  Example: *Implement Model Risk Management Program *Write Model Risk Management Policy *Establish Model Validation processes *Obtain Validation Reports from vendors' audits *Ask vendors to provide developmental evidence *Request vendors to conduct ongoing performance monitoring and outcomes analysis *Establish inventory of all models used *Conduct Model Stress Testing *Establish Monitoring Tools and processes that confirm the model is appropriately implemented, that it is being used, and is performing as intended

• Status
  Definition: This is your tracking mechanism to track progress on Plans for Improvement. There should be a person accountable for each item.
  Example: Not started or In Progress

• Residual Risk
  Definition: Risk of an activity that remains for the bank AFTER ALL controls and mitigating tools are in place. The risk that the Board is willing to "tolerate."
  Example: High if not started, Moderate if in progress, Moderate to Low if Model Risk Management Program is in place

• Trend of Risk
  Definition: Based on current market conditions. Provides a baseline for future assessments of this risk. Scale = Increasing, Stable or Decreasing
  Example: Increasing

• Priority Scale = 1-5
  Definition: What is the priority ranking of this particular risk in YOUR bank based on Criticality (can you run your bank without it?) AND Confidentiality (how sensitive is the data)? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 4-5

• Impact = 1-5
  Definition: HOW will this particular risk impact YOUR entire bank? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 4

ERM RA Matrix – Example #4 IRR

Title / Definition / Example

• Risks
  Definition: Identify each type of Risk or "Risk Categories"
  Example: Example Risk #4: Interest Rate Risk (IRR)

• Inherent Risk
  Definition: Risk of an activity with NO CONTROLS in place. Scale = Low, Moderate, High
  Example: Moderate/High

• Consequences
  Definition: If this risk occurs, identify damage with NO CONTROLS in place (list everything that could potentially go wrong)
  Example: *Risk of losing future earnings due to volatile rate movements (Earnings risk) *Potential regulatory action (Regulatory risk) *Additional liquidity risk through capital deterioration (losing access to liquidity sources thus Capital risk) *Reputation risk (paying too low on deposits or charging too high on loans) *Margin Compression

• Risk Mitigators
  Definition: List ALL the activities your bank does in order to control (or mitigate) this risk and its consequences from happening
  Example: *Policy risk parameters *Experienced ALCO committee *Outside portfolio analysis tools (ALMedge, Wells Fargo analysis) *Internal calculations / risk management *Internal back testing procedures *Internal pricing models for loans and deposits

• Monitoring Tool(s)
  Definition: List ALL the tools your bank uses and ALL the monitoring activities already in place in order to monitor this risk
  Example: *ALCO committee *Portfolio analysis tools (ALMedge, Wells Fargo analysis) *Internal calculations / risk management *Budget vs actual earnings - reviewed continuously *Non-core liquidity measurements *Internal & External Audits

• Plans for Improvement
  Definition: List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your bank plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk
  Example: *Adding ProfitStars IRR module

• Status
  Definition: This is your tracking mechanism to track progress on Plans for Improvement. There should be a person accountable for each item.
  Example: Profitstars in place; Ongoing

• Residual Risk
  Definition: Risk of an activity that remains for the bank AFTER ALL controls and mitigating tools are in place. The risk that the Board is willing to "tolerate."
  Example: Moderate

• Trend of Risk
  Definition: Based on current market conditions. Provides a baseline for future assessments of this risk. Scale = Increasing, Stable or Decreasing
  Example: Increasing

• Priority Scale = 1-5
  Definition: What is the priority ranking of this particular risk in YOUR bank based on Criticality (can you run your bank without it?) AND Confidentiality (how sensitive is the data)? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 4

• Impact = 1-5
  Definition: HOW will this particular risk impact YOUR entire bank? Scale = 1-5: 1=Incidental, 2=Minor, 3=Moderate, 4=Major, 5=Extreme
  Example: 4

Questions about ERM Risk Assessment?

Webinar Overview Part II – IT

• Information Technology Risk Assessment

• Definitions

• Areas Assessed

• Categories Included

• IT Risk Assessment – Complete Example


IT Areas Assessed in IT Risk Assessment

• Information Technology Security

• Information Technology: All Systems, All Hardware and Software Inventory

• Disaster Recovery Plan

• Threat Analysis

• Vendor Management Program

• Asset Inventory

• Internal Physical Bank Security: System, Policies, Training

• Cybersecurity:

• Website: Security, Compliance, Backup

• All Electronic Banking Products: mobile, remote deposit, wire transfers, ACH


Categories Included in IT Risk Assessment #1

• Asset Type: Application/Software, Process, System

• Asset Medium: Paper or Electronic

• Vendor Name

• Controls/Procedures in Place

• Description of Risks Associated with Asset

• Risk Mitigation: Description for Mitigation of Risks

• Risk Rating: Low, Medium, High

• Criticality to Institution: Levels 1 to 5 with 5 being the most critical


Categories Included in IT Risk Assessment #2

• Residual Risk: Low, Medium, High

• Information Classification: Public, Non-Public, Confidential

• Threats/Vulnerabilities: Level of Damage, Type of Vulnerability

• Threat/Vulnerability Likelihood: Low, Medium, High

• Vital Resources: Description of Vital Resources to the Institution’s Operations

• Recovery Point Objective: Description of How the Information or Asset Will be Recovered

• Recovery Time Objective: Approximate Time of Recovery

Information Technology Risk Assessment Template

IT Risk Assessment – Sample Template

Each column of the template is listed with the value from the sample row.

• ASSET NAME (EXAMPLES): Core System: Fiserv/ITI

• Asset Type (Application/Software, Process, or System): S

• Asset Medium (Paper or Electronic): E

• Vendor Name: Fiserv

• Controls/Procedures in Place? (Y or N): Y

• Description of Risks Associated with Asset: Core system is critical to the operations of the institution. We have no inhouse backup.

• Risk Mitigation (Description of Mitigation of Risks): Fiserv has backup sites.

• Risk Rating (Low, Medium, High): H

• Criticality to Institution (Levels 1 = lowest to 5 = highest): 5

• Residual Risk (Low, Medium, High): L

• Information Classification (Public, Non-Public, Confidential): NP, C

• Threats/Vulnerabilities (Level of Damage, Type of Vulnerability): Confidential information, potential fraud

• Threat/Vulnerability Likelihood (Low, Medium, High): M

• Vital Resources (Description of Vital Resources to the Institution's Operations): Client information, daily operation of institution depends on core system

• Recovery Point Objective (RPO) (Description of How the Information or Asset will be recovered): Will use backup site and remote DRP location from Fiserv

• Recovery Time Objective (Approximate Time of Recovery in hours, days or weeks): 2 days

IT RA Template – Example #1 Core System

• Asset Name: Core System: Fiserv/ITI

• Asset Type: S

• Asset Medium: E

• Vendor Name: Fiserv

• Controls/Procedures in Place?: Y

• Description of Risks Associated with Asset: Core system is critical to the operations of the institution. Bank has no inhouse backup.

• Risk Mitigation: Fiserv has backup sites.

• Risk Rating: H

• Criticality to Institution: 5

• Residual Risk: L

• Information Classification: NP, C

• Threats/Vulnerabilities: Confidential information, potential fraud

• Threat/Vulnerability Likelihood: M

• Vital Resources: Client information, daily operation of institution depends on core system

• Recovery Point Objective (RPO): Will use backup site and remote DRP location from Fiserv

• Recovery Time Objective: 2 days

IT RA Template – Example #2 Bill Payment

• Asset Name: Bill Payment System

• Asset Type: A

• Asset Medium: E

• Vendor Name: ABC Co

• Controls/Procedures in Place?: Y

• Description of Risks Associated with Asset: Bank uses this system to pay all company bills, employee reimbursements, and credit card transactions. Bank has no backup vendor.

• Risk Mitigation: AP Vendor has no DRP in place. Bank has no software backup at this time. Internal controls and segregation of duties in place.

• Risk Rating: M

• Criticality to Institution: 3

• Residual Risk: M

• Information Classification: NP, C

• Threats/Vulnerabilities: Company bills and vendor information

• Threat/Vulnerability Likelihood: L

• Vital Resources: Vendor's Fed Tax ID numbers, employees' names and bank account numbers used for reimbursements

• Recovery Point Objective (RPO): Will need to look for another AP vendor immediately.

• Recovery Time Objective: 15 days to establish new AP vendor and all vendors in system

IT RA Template – Example #3 Firewall Software

• Asset Name: Firewall Software

• Asset Type: S

• Asset Medium: E

• Vendor Name: XYZ Co

• Controls/Procedures in Place?: Y

• Description of Risks Associated with Asset: Firewall controls all external access into Bank's network. If Firewall is penetrated, intruders would gain access to sensitive information and could also do a ransom attack on the Bank.

• Risk Mitigation: Outsourced Firewall management to vetted IT vendors through Vendor Management Program. External IT audits include annual penetration testing. IT Director gives special access to vendor as requested only. Best practices for firewall management followed such as redundant and layered firewalls.

• Risk Rating: H

• Criticality to Institution: 5

• Residual Risk: M

• Information Classification: NP, C

• Threats/Vulnerabilities: If intruders penetrate the firewalls in place, would gain access to confidential and sensitive customer data in network and potentially gain access to core system data.

• Threat/Vulnerability Likelihood: L

• Vital Resources: Customer and employee sensitive data.

• Recovery Point Objective (RPO): If ransomware is installed, Bank has backups off-site that are not logically connected to the internal network. In case of denial of service attack (DSA), Bank would recover from redundant servers in place.

• Recovery Time Objective: 1-2 days

IT RA Template – Example #4 Mobile Banking

• Asset Name: Mobile Banking System

• Asset Type: A, S

• Asset Medium: E

• Vendor Name: Fiserv

• Controls/Procedures in Place?: N (new)

Questions about IT Risk Assessment?

Webinar Overview Part III – Internal Controls

• Internal Controls Risk Assessment

• Definitions

• Areas Assessed

• Categories Included

• Internal Controls Risk Assessment – Complete Example

Internal Control Areas Assessed #1

• Accounts Payable

• Allowance for Loans and Lease Losses (ALLL)

• Asset/Liability Management

• Bank Protection

• Branch Capture

• Call Report Preparation

• Capital

• Cash Controls

Internal Control Areas Assessed #2

• Collateral Safekeeping

• Correspondent Lending

• Deposit Processing/New Deposit Account Opening Procedures

• Director, Officer, and Employee Accounts

• Dormant Accounts (if applicable)

• Due From Accounts (Correspondent Banks)

• Fixed Assets

• Human Resources: Hiring and Termination Practices, Payroll, Personnel Files, Performance Evaluations, Retirement Plans


Internal Control Areas Assessed #3

• Income and Expense

• Internal DDAs

• Internet Banking

• Investments

• Loan Processing/New Loan Account Opening Procedures

• Mortgage Loans in Transit (MLIT)

• Official Checks

• Online Entries: General Ledger, Loan, and Deposit Processes

Internal Control Areas Assessed #4

• Other Real Estate Owned (OREO)

• Other Liabilities

• Overdrafts

• Payroll

• Prepaid Expenses and Other Assets

• Remote Deposit Capture

• Secondary Market

• Wire Transfers


Categories Included in Internal Controls Risk Assessment #1

• Growth/New Activities – since the last Risk Assessment?

• Policies and Procedures – policies updated, written procedures?

• Regulation and Compliance – new regulations?

• IT System Changes – any new systems in place?

• Staff Turnover – new staff, more potential errors?

• Quality of Management – involved in daily activities?


Categories Included in Internal Controls Risk Assessment #2

• Training – tracked all training done?

• Date of Last Audit – done internally or outsourced?

• Previous Exceptions – fixed previous findings?

• Risk of Monetary Loss – in this area?

• Nature of Items – any changes?

• Nature of Operations – what does this area do?


Internal Controls Risk Assessment Template

Internal Controls RA – Summary Report

INTERNAL CONTROLS RISK ASSESSMENT AREAS

# | AREA/DEPARTMENT/GENERAL LEDGER ACCOUNT | SCORE | CONDUCT AUDIT EVERY: YEAR / 2 YEARS / 3 YEARS
1 | Accounts Payable | 34 | X
2 | Allowance for Loans and Lease Losses (ALLL) | 30 | X
3 | Asset/Liability Management | 15 | X
4 | Bank Protection | 15 | X
5 | Branch Capture | 20 | X
6 | Call Report Preparation | 31 | X
7 | Capital | 25 | X
8 | Cash Controls | 20 | X
9 | Collateral Safekeeping | 15 | X
10 | Correspondent Lending | 13 | X
11 | Deposit Processing/New Deposit Account Opening Procedures | 35 | X
12 | Director, Officer and Employee Accounts | 25 | X
13 | Dormant Accounts (if applicable) | 20 | X
14 | Due from Accounts (Correspondent Banks) | 20 | X
15 | Fixed Assets | 15 | X
16 | Human Resources: Hiring and Termination Practices, Payroll, Personnel Files, Performance Evaluations, Retirement Plans | 26 | X
17 | Income and Expense | 14 | X
18 | Internal DDA's | 18 | X
19 | Internet Banking | 28 | X
20 | Investments | 22 | X
21 | Loan Processing/New Loan Account Opening Procedures | 25 | X
22 | Mortgage Loans in Transit (MLIT) | 30 | X
23 | Official Checks | 19 | X
24 | Online Entries: General Ledger, Loan and Deposit Processes | 20 | X
25 | Other Real Estate Owned (OREO) | 21 | X
26 | Other Liabilities | 25 | X
27 | Overdrafts | 20 | X
28 | Payroll | 28 | X
29 | Prepaid Expenses and Other Assets | 14 | X
30 | Remote Deposit Capture | 18 | X
31 | Secondary Market | 20 | X
32 | Wire Transfers | 40 | X

Internal Controls RA – Example #1 A/P

INTERNAL CONTROLS RISK ASSESSMENT

AREA BEING ASSESSED: Accounts Payable

SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 4 | Has there been any growth in this area/department? New activities performed? | Changed vendors. Previous vendor went out of business. |
| Policies and Procedures | 4 | Have policies been updated within the last 12 months? Are there written procedures in place? | Need to write new procedures based on new vendor system. |
| Regulation and Compliance | 1 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | No change. |
| IT System Changes | 5 | Were there any system changes within the last 12 months or since the last assessment? | New AP external vendor system. |
| Staff Turnover | 3 | Has there been any staff turnover which may result in more potential errors? | One new staff member. |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | No change. |
| Training Performed | 3 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | In progress. |
| Date of Last Audit | 3 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | 1/31/2016 |
| Previous Exceptions | 1 | Did you have previous exceptions noted either in an audit or regulatory exam? | None. |
| Risk of Monetary Loss | 3 | Does this area present any risk of monetary loss to your institution? | Potential for internal fraud if authorities are not set up correctly in new system. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | A/P - payable of all bank's invoices, directors, and employee reimbursements. |
| Nature of Operations | 3 | What is the nature of operations in this area/department? | Finance |

TOTAL SCORE: 34 (Add up all the individual scores and transfer to the Summary Report)

Internal Controls RA – Example #2 Call Report

INTERNAL CONTROLS RISK ASSESSMENT

AREA BEING ASSESSED: Call Report

SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 3 | Has there been any growth in this area/department? New activities performed? | New employee completing Call Report |
| Policies and Procedures | 2 | Have policies been updated within the last 12 months? Are there written procedures in place? | Policies and procedures are up to date. |
| Regulation and Compliance | 2 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | New regulation affected Schedule RC-R. No compliance issues. |
| IT System Changes | 4 | Were there any system changes within the last 12 months or since the last assessment? | Bank's core system vendor made major upgrade to Call Report module. |
| Staff Turnover | 4 | Has there been any staff turnover which may result in more potential errors? | Brand new employee being trained to complete Call Report |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | CFO is involved in the training and oversees entire Call Report preparation. |
| Training Performed | 2 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | New employee being trained. |
| Date of Last Audit | 4 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | May 2015 |
| Previous Exceptions | 1 | Did you have previous exceptions noted either in an audit or regulatory exam? | Last audit had two minor findings. |
| Risk of Monetary Loss | 3 | Does this area present any risk of monetary loss to your institution? | If Call Report is misrepresented, could potentially get written up by regulators and may get monetary penalties. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | New/upgraded Call Report system and new employee |
| Nature of Operations | 2 | What is the nature of operations in this area/department? | Finance oversees the Call Report preparation |

TOTAL SCORE: 31 (Add up all the individual scores and transfer to the Summary Report)

Internal Controls RA – Example #3 HR

INTERNAL CONTROLS RISK ASSESSMENT

AREA BEING ASSESSED: Human Resources

SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 4 | Has there been any growth in this area/department? New activities performed? | New payroll vendor and new HR Director hired at beginning of 2017. Hired 8 new employees in the last six months due to planned growth. |
| Policies and Procedures | 1 | Have policies been updated within the last 12 months? Are there written procedures in place? | All HR policies and procedures are in place. HR Manual is up to date |
| Regulation and Compliance | 1 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | No policy or laws violation in last audit. |
| IT System Changes | 2 | Were there any system changes within the last 12 months or since the last assessment? | Only new outsourced payroll vendor system. |
| Staff Turnover | 3 | Has there been any staff turnover which may result in more potential errors? | New HR Director. |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | HR Director reports directly to Bank President. |
| Training Performed | 2 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | All HR staff attends regular HR related training. See training schedule. All staff also receives Sexual Harassment training. |
| Date of Last Audit | 3 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | May 2015 |
| Previous Exceptions | 3 | Did you have previous exceptions noted either in an audit or regulatory exam? | Performance Reviews for several employees were 6 to 12 months behind. |
| Risk of Monetary Loss | 2 | Does this area present any risk of monetary loss to your institution? | Only if any lawsuits were to happen. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | New personnel and vendor. |
| Nature of Operations | 1 | What is the nature of operations in this area/department? | Human Resources |

TOTAL SCORE: 26 (Add up all the individual scores and transfer to the Summary Report)

Internal Controls RA – Example #4 Internet Bkg

INTERNAL CONTROLS RISK ASSESSMENT

AREA BEING ASSESSED: Internet Banking

SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 3 | Has there been any growth in this area/department? New activities performed? | No changes in systems but Cybersecurity issues globally continue to be a high risk. |
| Policies and Procedures | 1 | Have policies been updated within the last 12 months? Are there written procedures in place? | All policies and procedures are up to date. |
| Regulation and Compliance | 1 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | Policies comply with all applicable Internet Banking laws. |
| IT System Changes | 2 | Were there any system changes within the last 12 months or since the last assessment? | Just normal vendor upgrades to system. |
| Staff Turnover | 1 | Has there been any staff turnover which may result in more potential errors? | No new staff. |
| Quality of Management | 2 | Is management involved in the daily operations of this activity? | Operations manager oversees all daily activity. |
| Training Performed | 2 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | All Operations staff in charge of this product have attended training in the last 12 months. |
| Date of Last Audit | 1 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | Annually - Jan. 2017 |
| Previous Exceptions | 3 | Did you have previous exceptions noted either in an audit or regulatory exam? | One minor exception and it was remediated. |
| Risk of Monetary Loss | 5 | Does this area present any risk of monetary loss to your institution? | Internet Banking includes all monetary transactions customers can process on the Bank's Internet Banking system. Therefore, the risk for identity theft is high. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | No changes in systems but Cybersecurity issues globally continue to be a high risk. |
| Nature of Operations | 4 | What is the nature of operations in this area/department? | IT and Operations |

TOTAL SCORE: 28 (Add up all the individual scores and transfer to the Summary Report)

Internal Controls RA – Example #5 Remote Dep

INTERNAL CONTROLS RISK ASSESSMENT

AREA BEING ASSESSED: Remote Deposit

SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 1 | Has there been any growth in this area/department? New activities performed? | Normal growth with new customers using the product. |
| Policies and Procedures | 1 | Have policies been updated within the last 12 months? Are there written procedures in place? | All policies and procedures are in place. Customer Agreements are up to date. |
| Regulation and Compliance | 2 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | Policies comply with regulation. Only one minor compliance issue from the last audit. |
| IT System Changes | 1 | Were there any system changes within the last 12 months or since the last assessment? | No system changes. |
| Staff Turnover | 2 | Has there been any staff turnover which may result in more potential errors? | No staff changes. |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | Operations manager oversees this product along with Cash Management Officer. Dual controls are in place for all product implementation. |
| Training Performed | 1 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | Annual training attended and special core system training. |
| Date of Last Audit | 1 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | Annual audit - Jan. 2017 |
| Previous Exceptions | 1 | Did you have previous exceptions noted either in an audit or regulatory exam? | No previous exceptions noted. |
| Risk of Monetary Loss | 4 | Does this area present any risk of monetary loss to your institution? | Monetary loss can occur if Bank accepts deposited items more than once. Systems and procedures are in place to avoid these incidents. |
| Nature of Items | 1 | What is the nature of the new or changed items in this area? | No changes. |
| Nature of Operations | 2 | What is the nature of operations in this area/department? | Operations, Cash Management |

TOTAL SCORE: 18 (Add up all the individual scores and transfer to the Summary Report)

Internal Controls RA – Example #6 Wire Tfrs

INTERNAL CONTROLS RISK ASSESSMENT

AREA BEING ASSESSED: Wire Transfers

SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 5 | Has there been any growth in this area/department? New activities performed? | New client tripled the wire transfer activity including International Wires. |
| Policies and Procedures | 3 | Have policies been updated within the last 12 months? Are there written procedures in place? | Need to update procedures with new customer and with new department volumes. |
| Regulation and Compliance | 2 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | Policy complies with all applicable regulations. No compliance issues from last audit. |
| IT System Changes | 2 | Were there any system changes within the last 12 months or since the last assessment? | Only normal vendor software upgrades and they were completed. |
| Staff Turnover | 3 | Has there been any staff turnover which may result in more potential errors? | No new staff but Bank just lost one team member. Looking to replace position. |
| Quality of Management | 3 | Is management involved in the daily operations of this activity? | Operations Manager oversees the Wires department. |
| Training Performed | 4 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | Due to increased volume, staff has not had the time for training in the last 12 months. |
| Date of Last Audit | 2 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | Annually - January 2017 |
| Previous Exceptions | 2 | Did you have previous exceptions noted either in an audit or regulatory exam? | No previous exceptions but Bank monitors this area consistently. |
| Risk of Monetary Loss | 5 | Does this area present any risk of monetary loss to your institution? | Wire transfer area is one of the highest risk areas for both internal and external fraud. Therefore, it's monitored continually. |
| Nature of Items | 4 | What is the nature of the new or changed items in this area? | Increased wire volume can lead to more errors and internal fraud if not watched. |
| Nature of Operations | 5 | What is the nature of operations in this area/department? | Finance and Operations |

TOTAL SCORE: 40 (Add up all the individual scores and transfer to the Summary Report)

Questions about Internal Controls Risk Assessments?

Bringing It All Together

• Always start with your Strategic Plan and integrate ERM

• Establish an ERM Program at your bank and complete the 3 phases:

  • Identify and Assess Risks – our focus today

  • Mitigate and Eliminate Risks

  • Monitor and Report Risks

• Start with ERM Risk Assessment

• Then complete Risk Assessments enterprise-wide for all areas

• Track ALL Risk Assessments enterprise-wide and complete annually

• Resolve all findings and implement recommendations and best practices



Marci Malzahn, President & Founder

Consulting: www.malzahnstrategic.com

Free Resource: 30 Minute ERM Strategic Session with Marci

https://www.linkedin.com/pub/marcia-marci-malzahn/1/6/729

Speaking & Books: www.marciamalzahn.com

@marcimalzahn

612-242-4021