Three Key Risk Assessments: ERM, IT, and Internal Controls
ICBA – Community Banker University®
December 4, 2018
Marci Malzahn
President & Founder
Marci Malzahn – Malzahn Strategic
Professional Highlights:
• 23 years in banking: from teller to EVP/CFO/COO and CRO
• Started a bank in 2005 – Bank grew to $325MM in 10 years, now $750MM
• 5 years in nonprofit:
  • CFO overseeing Finance, IT and HR
  • Managed a $32MM budget, 28 employees
• 4 years with Malzahn Strategic consulting
Professional Awards:
• 25 On The Rise – Hispanic Chamber of Commerce
• Forty Under 40 – Minneapolis/St. Paul Business Journal
• Top Women in Finance – Finance and Commerce Newspaper
• Outstanding Women in Banking – North Western Financial Review magazine
Education:
• B.A. Business Management, Bethel University
• Graduate School of Banking, Madison, Wisconsin
Copyright 2018 Malzahn Strategic
Marci Malzahn – What I Do Now
Consulting and Coaching:
• Strategic Planning
• Enterprise Risk Management
• Talent Management
Speaking:
• Banking/Business
• Inspirational/Motivational
• Faith based
Writing:
• Devotions for Working Women – A Daily Inspiration to Live a Successful and Balanced Life
• The Fire Within – Connect Your Gifts with Your Calling
• The Friendship Book – Because You Matter to Me
Webinar Overview Part I – ERM
• ERM Quick Overview of Key Definitions
• Three Key Phases of ERM and How Risk Assessments Fit In
• The Risk Assessment Process
• ERM Risk Assessment – Complete Example
Webinar Overview Part II – IT
• Information Technology Risk Assessment
• Definitions
• Areas Assessed
• Categories Included
• IT Risk Assessment – Complete Example
Webinar Overview Part III – Internal Controls
• Internal Controls Risk Assessment
• Definitions
• Areas Assessed
• Categories Included
• Internal Controls Risk Assessment – Complete Example
Part I – ERM
Quick Overview of ERM – Strategic Plan Components
Strategic Plan components: ERM, Marketing, Business Plan, Financials, Talent, Capital
My Definition of ERM
“An enterprise-wide continuous process to protect all your organization’s assets while allowing you to fulfill your vision.”
Marci Malzahn
Three Ongoing Phases of ERM
• Identifying and Assessing Risk
• Mitigating or Eliminating Risk
• Monitoring and Reporting Risk
ERM Key Components
• IT Security Program
• Compliance Program
• Succession Plan
• Capital Plan
• Liquidity Contingency Plan
• Internal Audit
IT Security Program Key Components
• DRP
• Cyber Security
• Vendor Mgmt.
• Security Controls
• Social Engineering
• BCP
The Risk Assessment Process
1. Identify Risks First (risk assessments follow event identification and precede risk response)
2. Develop Assessment Criteria
3. Assess Risks
4. Assess Risk Interactions
5. Prioritize Risks
6. Respond to Risks
1. Identify Risks
• List ALL the potential risks of the organization
• Organize risks by category (strategic, operational, technology, etc.) and sub-category where appropriate
• Prioritize all risks so senior management and board’s attention is on the key risks
• The prioritization is accomplished by performing a risk assessment
2. Develop Assessment Criteria
• Develop a common set of assessment criteria (scale) to be used across all functional areas of the organization (simple yet comprehensive).
• Scales should help in ranking and in prioritizing risks (i.e., 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme).
• Risks as well as opportunities are usually assessed in terms of impact (how it will affect the entire enterprise) or likelihood (i.e., 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Frequent)
• Ask the questions of vulnerability (how susceptible?) and speed of onset (how fast could the risk arise? 1 = Very Low, 2 = Low, 3 = Medium, 4 = High, 5 = Very High; How fast could you respond or recover?)
3. Assess Risks
• Consists of assigning values to each risk and opportunity using the defined criteria.
• The values should be the same in all areas across the organization.
• Use qualitative questions/criteria (descriptive assessment scales).
• Perform a quantitative analysis of the most important risks (using numerical values for impact and likelihood).
4. Assess Risk Interactions
• Risks in one area interact with other areas in the organization.
• Need to recognize how risks interact with each other – Reputation Risk
• Take the integrated approach and view all risks from the holistic perspective – thus Enterprise Risk Management.
• Group related risks into broad risk areas
• Use risk interaction maps
How Risks Interrelate – Reputational Risk
Reputational risk is connected to Technology, Liquidity, Operational, Credit, Legal and Strategic risk.
5. Prioritize Risks
• Determine which risks require immediate attention of senior management and board of directors.
• Prioritize by comparing the level of risk against agreed upon target risk levels and tolerance thresholds.
• Impact and likelihood or impact and vulnerability
• Develop the Board’s Risk Appetite and Tolerance Statement after risk assessments are done.
• There is a qualitative piece and a quantitative piece of the statement.
6. Respond to Risks
• After conducting the risk assessments, input how to respond to each risk
• Decide to either accept, reduce, share, avoid, or eliminate each risk
• Perform cost-benefit analysis (i.e., is the cost to prevent or reduce a certain risk higher than the risk itself?)
• Formulate a response strategy and develop plans
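The scoring steps above (common 1-5 criteria, assessment, prioritization against a tolerance threshold, and a recorded response) carried through in code. This is an added example, not code from the webinar or from Malzahn Strategic. The sample register values, the impact x likelihood combination rule and the tolerance threshold of 12 are assumptions: the deck names the impact/likelihood and impact/vulnerability pairings but leaves the combination rule and the thresholds to each bank's board.

```python
"""ERM risk-assessment scoring with the deck's 1-5 scales (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Scales as the deck defines them in step 2 (Develop Assessment Criteria).
IMPACT = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Frequent"}
ONSET = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
# Response options from step 6 (Respond to Risks).
RESPONSES = ("accept", "reduce", "share", "avoid", "eliminate")


def on_scale(value: int) -> bool:
    """True when a value is a whole number on the common 1-5 scale."""
    return isinstance(value, int) and 1 <= value <= 5


@dataclass
class Risk:
    name: str
    category: str
    impact: int
    likelihood: int
    vulnerability: int
    speed_of_onset: int
    response: str = "accept"

    def __post_init__(self) -> None:
        # Step 3: the same scale must be used in every area, so reject anything off it.
        for attr in ("impact", "likelihood", "vulnerability", "speed_of_onset"):
            if not on_scale(getattr(self, attr)):
                raise ValueError(f"{attr} must be 1-5, got {getattr(self, attr)!r}")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")


def risk_score(risk: Risk) -> int:
    """Impact x likelihood (assumed combination rule; range 1-25)."""
    return risk.impact * risk.likelihood


def exposure_score(risk: Risk) -> int:
    """The deck's alternative pairing for step 5: impact x vulnerability."""
    return risk.impact * risk.vulnerability


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 5: highest score first; faster speed of onset breaks ties."""
    return sorted(risks, key=lambda r: (risk_score(r), r.speed_of_onset), reverse=True)


def needs_board_attention(risks: list[Risk], tolerance: int) -> list[str]:
    """Names of risks whose score exceeds the agreed tolerance threshold, in priority order."""
    return [r.name for r in prioritize(risks) if risk_score(r) > tolerance]


def describe(risk: Risk) -> str:
    """One readable line per risk using the deck's scale labels."""
    return (f"{risk.name} [{risk.category}]: impact {IMPACT[risk.impact]}, "
            f"likelihood {LIKELIHOOD[risk.likelihood]}, onset {ONSET[risk.speed_of_onset]}, "
            f"score {risk_score(risk)}, response {risk.response}")


# Constructed sample register; the numbers are illustrative, not from the deck.
SAMPLE_REGISTER = [
    Risk("Operational/Transaction", "Operational", impact=5, likelihood=3,
         vulnerability=3, speed_of_onset=4, response="reduce"),
    Risk("Credit", "Credit", impact=5, likelihood=4,
         vulnerability=4, speed_of_onset=2, response="reduce"),
    Risk("Model", "Operational", impact=4, likelihood=2,
         vulnerability=3, speed_of_onset=2, response="accept"),
    Risk("Interest Rate Risk", "Interest Rate", impact=4, likelihood=4,
         vulnerability=3, speed_of_onset=3, response="share"),
]
TOLERANCE = 12  # assumed board tolerance threshold on the 1-25 score range

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(describe(r))
    print("Board attention:", needs_board_attention(SAMPLE_REGISTER, TOLERANCE))
```

The validation in `__post_init__` is the practical point: a register where one department scores on 1-3 and another on 1-5 cannot be prioritized across the enterprise, which is why step 2 insists on one common scale.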
Types of Risks (ERM)
• Technology
• Transaction/Operational
• Strategic
• Reputational
• Compliance/Regulatory
• Liquidity
• Interest Rate Risk
• Credit Administration
• Legal
• Human Resources
• Earnings/Profitability
• Capital
ERM Risk Assessment Matrix – Definitions
• Risks: Identify each type of risk
• Inherent Risk: Level of Risk of an activity with no controls in place (low, moderate, high)
• Consequences: If the risk occurs, identify damage (list)
• Risk Mitigating Factors: Activities that can control the risk and consequences of it happening
• Monitoring Tool(s): Tools used to monitor risks
• Plans for Improvement: If current mitigating factors are insufficient, describe plan to improve
• Status: Tracking mechanism to track progress on plans for improvement (person accountable for each action)
• Residual Risk: The risk that remains after controls are taken into account
• Trend of Risk: Increasing, stable, decreasing – provides a baseline for future assessments of this risk
ERM Risk Assessment Matrix – Sample Template
Rows (the Risks column lists each risk category): Technology, Operational/Transaction, Strategic, Reputation
Columns:
• Risks
• Inherent Risk
• Consequences
• Risk Mitigators
• Monitoring Tool(s)
• Plans for Improvement
• Status
• Residual Risk
• Trend of Risk
• Priority Scale = 1-5
• Impact = 1-5
• Likelihood = 1-5
• Vulnerability = 1-5
• Speed of Onset = 1-5
ERM RA Matrix – Example #1 Operational
Risks
  Definition: Identify each type of Risk or "Risk Categories"
  Example: Example Risk #1: Operational/Transaction
Inherent Risk
  Definition: Risk of an activity with NO CONTROLS in place. Scale = Low, Moderate, High
  Example: Moderate/High
Consequences
  Definition: If this risk occurs, identify damage with NO CONTROLS in place (list everything that could potentially go wrong)
  Example: Risk to earnings (operational losses), capital, and reputation from problems with service or product delivery; Internal fraud; Reputation risk; External fraud; Lost opportunities due to lack of products or inability to service customers (Earnings risk); Staff turnover; Business disruption due to systems failures; Low quality of due diligence
Risk Mitigators
  Definition: List ALL the activities your bank does in order to control (or mitigate) this risk and its consequences from happening
  Example: On-going education for staff; Policies and procedures; Internal and external audits; On-going maintenance of systems and equipment; Dual control in place; Segregation of duties; Bond insurance; Annual core system DRP testing
Monitoring Tool(s)
  Definition: List ALL the tools your bank uses and ALL the monitoring activities already in place in order to monitor this risk
  Example: Internal and external audits (which include surprise cash audits); Review daily reporting; Vendor communications; Review of policies and procedures; ATM anti-skimming devices
Plans for Improvement
  Definition: List the tasks, systems, new procedures, new processes, new talent to be hired, etc. that your bank plans to implement in the next 12 months to reduce/minimize, improve or eliminate this risk
  Example: Product enhancements; Policy & procedure enhancements; Continue to improve efficiencies
Status
  Definition: This is your tracking mechanism to track progress on Plans for Improvement. There should be a person accountable for each item.
  Example: Ongoing
Residual Risk
  Definition: Risk of an activity that remains for the bank AFTER ALL controls and mitigating tools are in place. The risk that the Board is willing to "tolerate."
  Example: Moderate
Trend of Risk
  Definition: Based on current market conditions. Provides a baseline for future assessments of this risk. Scale = Increasing, Stable or Decreasing
  Example: Stable to Increasing
Priority Scale = 1-5
  Definition: What is the priority ranking of this particular risk in YOUR bank based on Criticality (can you run your bank without it?) AND Confidentiality (how sensitive is the data)? Scale = 1-5: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme
  Example: 5
Impact = 1-5
  Definition: HOW will this particular risk impact YOUR entire bank? Scale = 1-5: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme
  Example: 5
ERM RA Matrix – Example #2 Credit
(Column definitions as in Example #1.)
Risks: Example Risk #2: Credit
Inherent Risk: High
Consequences: Loan losses; Regulatory action; Personnel costs; Erosion of capital (Capital risk); Lost opportunities/lost income (Earnings risk); Reputation risk; Relationship concentration; Loan type concentration (i.e. CRE); Aggregate risk (i.e. risk from various types of credit at the same time); Liquidity risk
Risk Mitigators: Loan policy; Underwriting standards; Staff knowledge and experience; Approval process; Quality of client base; Ongoing monitoring; Detailed analysis, experienced workout person and file review; We know our customers well; Stress testing at both the loan level and by portfolio level; Sale of mortgage loans in secondary market (if applicable)
Monitoring Tool(s): Credit presentations; Rating system; Watch reports; Loan review; Examination; Daily past due reports; Ticklers report review; Monitor stress testing results; Loan document tracking system; Annual financial tracking of commercial customers; Pre-funding quality controls check
Plans for Improvement: Improve presentation on Watch Reports; Review after CR&M Audit; Continue staff training
Status: Ongoing
Residual Risk: Moderate
Trend of Risk: Stable
Priority (Scale 1-5): 5
Impact (1-5): 5
ERM RA Matrix – Example #3 Model
(Column definitions as in Example #1.)
Risk Mitigators: Receive validation reports from critical vendors who develop the Bank's key models (i.e. ALLL methodology model, A/L model); Bank creates internal testing models to validate vendor-produced models; Bank creates various ways to validate internally developed models
Monitoring Tool(s): Board oversight of current models used by the Bank; New Initiatives Risk Assessment (to approve any new models used in the bank); Incorporated into Vendor Management Program
Plans for Improvement: Implement Model Risk Management Program; Write Model Risk Management Policy; Establish model validation processes; Obtain validation reports from vendors' audits; Ask vendors to provide developmental evidence; Request vendors to conduct ongoing performance monitoring and outcomes analysis; Establish inventory of all models used; Conduct model stress testing; Establish monitoring tools and processes that confirm the model is appropriately implemented, that it is being used, and is performing as intended
Status: Not started or In Progress
Residual Risk: High if not started, Moderate if in progress, Moderate to Low if Model Risk Management Program is in place
Trend of Risk: Increasing
Priority (Scale 1-5): 4-5
Impact (1-5): 4
ERM RA Matrix – Example #4 IRR
(Column definitions as in Example #1.)
Risks: Example Risk #4: Interest Rate Risk (IRR)
Inherent Risk: Moderate/High
Consequences: Risk of losing future earnings due to volatile rate movements (Earnings risk); Potential regulatory action (Regulatory risk); Additional liquidity risk through capital deterioration (losing access to liquidity sources, thus Capital risk); Reputation risk (paying too low on deposits or charging too high on loans); Margin compression
Risk Mitigators: Policy risk parameters; Experienced ALCO committee; Outside portfolio analysis tools (ALMedge, Wells Fargo analysis); Internal calculations/risk management; Internal back testing procedures; Internal pricing models for loans and deposits
Monitoring Tool(s): ALCO committee; Portfolio analysis tools (ALMedge, Wells Fargo analysis); Internal calculations/risk management; Budget vs. actual earnings, reviewed continuously; Non-core liquidity measurements; Internal & external audits
Plans for Improvement: Adding ProfitStars IRR module
Status: ProfitStars in place; Ongoing
Residual Risk: Moderate
Trend of Risk: Increasing
Priority (Scale 1-5): 4
Impact (1-5): 4
Part II – IT
IT Areas Assessed in IT Risk Assessment
• Information Technology Security
• Information Technology: All Systems, All Hardware and Software Inventory
• Disaster Recovery Plan
• Threat Analysis
• Vendor Management Program
• Asset Inventory
• Internal Physical Bank Security: System, Policies, Training
• Cybersecurity:
  • Website: Security, Compliance, Backup
  • All Electronic Banking Products: mobile, remote deposit, wire transfers, ACH
Categories Included in IT Risk Assessment #1
• Asset Type: Application/Software, Process, System
• Asset Medium: Paper or Electronic
• Vendor Name
• Controls/Procedures in Place
• Description of Risks Associated with Asset
• Risk Mitigation: Description for Mitigation of Risks
• Risk Rating: Low, Medium, High
• Criticality to Institution: Levels 1 to 5 with 5 being the most critical
Categories Included in IT Risk Assessment #2
• Residual Risk: Low, Medium, High
• Information Classification: Public, Non-Public, Confidential
• Threats/Vulnerabilities: Level of Damage, Type of Vulnerability
• Threat/Vulnerability Likelihood: Low, Medium, High
• Vital Resources: Description of Vital Resources to the Institution’s Operations
• Recovery Point Objective: Description of How the Information or Asset Will be Recovered
• Recovery Time Objective: Approximate Time of Recovery
IT Risk Assessment – Sample Template
Columns:
• Asset Name
• Asset Type: Application/Software, Process, or System
• Asset Medium: Paper or Electronic
• Vendor Name
• Controls/Procedures in Place? Y or N
• Description of Risks Associated with Asset
• Risk Mitigation: Description of Mitigation of Risks
• Risk Rating: Low, Medium, High
• Criticality to Institution: Levels 1 = lowest to 5 = highest
• Residual Risk: Low, Medium, High
• Information Classification: Public, Non-Public, Confidential
• Threats/Vulnerabilities: Level of Damage, Type of Vulnerability
• Threat/Vulnerability Likelihood: Low, Medium, High
• Vital Resources: Description of Vital Resources to the Institution's Operations
• Recovery Point Objective (RPO): Description of How the Information or Asset will be recovered
• Recovery Time Objective (RTO): Approximate Time of Recovery (hours, days or weeks)
IT RA Template – Example #1 Core System
Asset Name: Core System: Fiserv/ITI
Asset Type: S (System)
Asset Medium: E (Electronic)
Vendor Name: Fiserv
Controls/Procedures in Place? Y
Description of Risks Associated with Asset: Core system is critical to the operations of the institution. Bank has no in-house backup.
Risk Mitigation: Fiserv has backup sites.
Risk Rating: H
Criticality to Institution: 5
Residual Risk: L
Information Classification: NP, C
Threats/Vulnerabilities: Confidential information, potential fraud
Threat/Vulnerability Likelihood: M
Vital Resources: Client information, daily operation of institution depends on core system
Recovery Point Objective (RPO): Will use backup site and remote DRP location from Fiserv
Recovery Time Objective (RTO): 2 days
IT RA Template – Example #2 Bill Payment
Asset Name: Bill Payment System
Asset Type: A (Application)
Asset Medium: E (Electronic)
Vendor Name: ABC Co
Controls/Procedures in Place? Y
Description of Risks Associated with Asset: Bank uses this system to pay all company bills, employee reimbursements, and credit card transactions. Bank has no backup vendor.
Risk Mitigation: AP vendor has no DRP in place. Bank has no software backup at this time. Internal controls and segregation of duties in place.
Risk Rating: M
Criticality to Institution: 3
Residual Risk: M
Information Classification: NP, C
Threats/Vulnerabilities: Company bills and vendor information
Threat/Vulnerability Likelihood: L
Vital Resources: Vendor's Fed Tax ID numbers, employees' names and bank account numbers used for reimbursements
Recovery Point Objective (RPO): Will need to look for another AP vendor immediately.
Recovery Time Objective (RTO): 15 days to establish new AP vendor and all vendors in system
IT RA Template – Example #3 Firewall Software
Asset Name: Firewall Software
Asset Type: S (System)
Asset Medium: E (Electronic)
Vendor Name: XYZ Co
Controls/Procedures in Place? Y
Description of Risks Associated with Asset: Firewall controls all external access into Bank's network. If the firewall is penetrated, intruders would gain access to sensitive information and could also do a ransom attack on the Bank.
Risk Mitigation: Outsourced firewall management to vetted IT vendors through Vendor Management Program. External IT audits include annual penetration testing. IT Director gives special access to vendor as requested only. Best practices for firewall management followed, such as redundant and layered firewalls.
Risk Rating: H
Criticality to Institution: 5
Residual Risk: M
Information Classification: NP, C
Threats/Vulnerabilities: If intruders penetrate the firewalls in place, they would gain access to confidential and sensitive customer data in the network and potentially gain access to core system data.
Threat/Vulnerability Likelihood: L
Vital Resources: Customer and employee sensitive data.
Recovery Point Objective (RPO): If ransomware is installed, Bank has backups off-site that are not logically connected to the internal network. In case of denial of service attack (DSA), Bank would recover from redundant servers in place.
Recovery Time Objective (RTO): 1-2 days
IT RA Template – Example #4 Mobile Banking
Asset Name: Mobile Banking System
Asset Type: A, S (Application, System)
Asset Medium: E (Electronic)
Vendor Name: Fiserv
Controls/Procedures in Place? N (new)
Part III – Internal Controls
Internal Control Areas Assessed #1
• Accounts Payable
• Allowance for Loans and Lease Losses (ALLL)
• Asset/Liability Management
• Bank Protection
• Branch Capture
• Call Report Preparation
• Capital
• Cash Controls
Internal Control Areas Assessed #2
• Collateral Safekeeping
• Correspondent Lending
• Deposit Processing/New Deposit Account Opening Procedures
• Director, Officer, and Employee Accounts
• Dormant Accounts (if applicable)
• Due From Accounts (Correspondent Banks)
• Fixed Assets
• Human Resources: Hiring and Termination Practices, Payroll, Personnel Files, Performance Evaluations, Retirement Plans
Internal Control Areas Assessed #3
• Income and Expense
• Internal DDAs
• Internet Banking
• Investments
• Loan Processing/New Loan Account Opening Procedures
• Mortgage Loans in Transit (MLIT)
• Official Checks
• Online Entries: General Ledger, Loan, and Deposit Processes
Internal Control Areas Assessed #4
• Other Real Estate Owned (OREO)
• Other Liabilities
• Overdrafts
• Payroll
• Prepaid Expenses and Other Assets
• Remote Deposit Capture
• Secondary Market
• Wire Transfers
Categories Included in Internal Controls Risk Assessment #1
• Growth/New Activities – since the last Risk Assessment?
• Policies and Procedures – policies updated, written procedures?
• Regulation and Compliance – new regulations?
• IT System Changes – any new systems in place?
• Staff Turnover – new staff, more potential errors?
• Quality of Management – involved in daily activities?
Categories Included in Internal Controls Risk Assessment #2
• Training – tracked all training done?
• Date of Last Audit – done internally or outsourced?
• Previous Exceptions – fixed previous findings?
• Risk of Monetary Loss – in this area?
• Nature of Items – any changes?
• Nature of Operations – what does this area do?
Internal Controls RA – Summary Report
INTERNAL CONTROLS RISK ASSESSMENT AREAS
Columns: # | Area/Department/General Ledger Account | Score | Conduct audit every: Year / 2 Years / 3 Years (marked X)
1  Accounts Payable  34  X
2  Allowance for Loans and Lease Losses (ALLL)  30  X
3  Asset/Liability Management  15  X
4  Bank Protection  15  X
5  Branch Capture  20  X
6  Call Report Preparation  31  X
7  Capital  25  X
8  Cash Controls  20  X
9  Collateral Safekeeping  15  X
10  Correspondent Lending  13  X
11  Deposit Processing/New Deposit Account Opening Procedures  35  X
12  Director, Officer and Employee Accounts  25  X
13  Dormant Accounts (if applicable)  20  X
14  Due from Accounts (Correspondent Banks)  20  X
15  Fixed Assets  15  X
16  Human Resources: Hiring and Termination Practices, Payroll, Personnel Files, Performance Evaluations, Retirement Plans  26  X
17  Income and Expense  14  X
18  Internal DDA's  18  X
19  Internet Banking  28  X
20  Investments  22  X
21  Loan Processing/New Loan Account Opening Procedures  25  X
22  Mortgage Loans in Transit (MLIT)  30  X
23  Official Checks  19  X
24  Online Entries: General Ledger, Loan and Deposit Processes  20  X
25  Other Real Estate Owned (OREO)  21  X
26  Other Liabilities  25  X
27  Overdrafts  20  X
28  Payroll  28  X
29  Prepaid Expenses and Other Assets  14  X
30  Remote Deposit Capture  18  X
31  Secondary Market  20  X
32  Wire Transfers  40  X
Internal Controls RA – Accounts Payable
AREA BEING ASSESSED: Accounts Payable
SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 4 | Has there been any growth in this area/department? New activities performed? | Changed vendors. Previous vendor went out of business. |
| Policies and Procedures | 4 | Have policies been updated within the last 12 months? Are there written procedures in place? | Need to write new procedures based on new vendor system. |
| Regulation and Compliance | 1 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | No change. |
| IT System Changes | 5 | Were there any system changes within the last 12 months or since the last assessment? | New AP external vendor system. |
| Staff Turnover | 3 | Has there been any staff turnover which may result in more potential errors? | One new staff member. |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | No change. |
| Training Performed | 3 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | In progress. |
| Date of Last Audit | 3 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | 1/31/2016 |
| Previous Exceptions | 1 | Did you have previous exceptions noted either in an audit or regulatory exam? | None. |
| Risk of Monetary Loss | 3 | Does this area present any risk of monetary loss to your institution? | Potential for internal fraud if authorities are not set up correctly in new system. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | A/P - payable of all bank's invoices, directors, and employee reimbursements. |
| Nature of Operations | 3 | What is the nature of operations in this area/department? | Finance |
| TOTAL SCORE | 34 | Add up all the individual scores and transfer to the Summary Report. | |
Internal Controls RA – Example #2 Call Report
AREA BEING ASSESSED: Call Report
SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 3 | Has there been any growth in this area/department? New activities performed? | New employee completing Call Report. |
| Policies and Procedures | 2 | Have policies been updated within the last 12 months? Are there written procedures in place? | Policies and procedures are up to date. |
| Regulation and Compliance | 2 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | New regulation affected Schedule RC-R. No compliance issues. |
| IT System Changes | 4 | Were there any system changes within the last 12 months or since the last assessment? | Bank's core system vendor made major upgrade to Call Report module. |
| Staff Turnover | 4 | Has there been any staff turnover which may result in more potential errors? | Brand new employee being trained to complete Call Report. |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | CFO is involved in the training and oversees entire Call Report preparation. |
| Training Performed | 2 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | New employee being trained. |
| Date of Last Audit | 4 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | May 2015 |
| Previous Exceptions | 1 | Did you have previous exceptions noted either in an audit or regulatory exam? | Last audit had two minor findings. |
| Risk of Monetary Loss | 3 | Does this area present any risk of monetary loss to your institution? | If Call Report is misrepresented, could potentially get written up by regulators and may get monetary penalties. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | New/upgraded Call Report system and new employee. |
| Nature of Operations | 2 | What is the nature of operations in this area/department? | Finance oversees the Call Report preparation. |
| TOTAL SCORE | 31 | Add up all the individual scores and transfer to the Summary Report. | |
Internal Controls RA – Example #3 HR
AREA BEING ASSESSED: Human Resources
SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 4 | Has there been any growth in this area/department? New activities performed? | New payroll vendor and new HR Director hired at beginning of 2017. Hired 8 new employees in the last six months due to planned growth. |
| Policies and Procedures | 1 | Have policies been updated within the last 12 months? Are there written procedures in place? | All HR policies and procedures are in place. HR Manual is up to date. |
| Regulation and Compliance | 1 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | No policy or law violations in last audit. |
| IT System Changes | 2 | Were there any system changes within the last 12 months or since the last assessment? | Only new outsourced payroll vendor system. |
| Staff Turnover | 3 | Has there been any staff turnover which may result in more potential errors? | New HR Director. |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | HR Director reports directly to Bank President. |
| Training Performed | 2 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | All HR staff attend regular HR-related training. See training schedule. All staff also receive Sexual Harassment training. |
| Date of Last Audit | 3 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | May 2015 |
| Previous Exceptions | 3 | Did you have previous exceptions noted either in an audit or regulatory exam? | Performance Reviews for several employees were 6 to 12 months behind. |
| Risk of Monetary Loss | 2 | Does this area present any risk of monetary loss to your institution? | Only if any lawsuits were to happen. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | New personnel and vendor. |
| Nature of Operations | 1 | What is the nature of operations in this area/department? | Human Resources |
| TOTAL SCORE | 26 | Add up all the individual scores and transfer to the Summary Report. | |
Internal Controls RA – Example #4 Internet Bkg
AREA BEING ASSESSED: Internet Banking
SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 3 | Has there been any growth in this area/department? New activities performed? | No changes in systems, but cybersecurity issues globally continue to be a high risk. |
| Policies and Procedures | 1 | Have policies been updated within the last 12 months? Are there written procedures in place? | All policies and procedures are up to date. |
| Regulation and Compliance | 1 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | Policies comply with all applicable Internet Banking laws. |
| IT System Changes | 2 | Were there any system changes within the last 12 months or since the last assessment? | Just normal vendor upgrades to system. |
| Staff Turnover | 1 | Has there been any staff turnover which may result in more potential errors? | No new staff. |
| Quality of Management | 2 | Is management involved in the daily operations of this activity? | Operations manager oversees all daily activity. |
| Training Performed | 2 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | All Operations staff in charge of this product have attended training in the last 12 months. |
| Date of Last Audit | 1 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | Annually - Jan. 2017 |
| Previous Exceptions | 3 | Did you have previous exceptions noted either in an audit or regulatory exam? | Only one minor exception, and it was remediated. |
| Risk of Monetary Loss | 5 | Does this area present any risk of monetary loss to your institution? | Internet Banking includes all monetary transactions customers can process on the Bank's Internet Banking system. Therefore, the risk for identity theft is high. |
| Nature of Items | 3 | What is the nature of the new or changed items in this area? | No changes in systems, but cybersecurity issues globally continue to be a high risk. |
| Nature of Operations | 4 | What is the nature of operations in this area/department? | IT and Operations |
| TOTAL SCORE | 28 | Add up all the individual scores and transfer to the Summary Report. | |
Internal Controls RA – Example #5 Remote Dep
AREA BEING ASSESSED: Remote Deposit
SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 1 | Has there been any growth in this area/department? New activities performed? | Normal growth with new customers using the product. |
| Policies and Procedures | 1 | Have policies been updated within the last 12 months? Are there written procedures in place? | All policies and procedures are in place. Customer Agreements are up to date. |
| Regulation and Compliance | 2 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | Policies comply with regulation. Only one minor compliance issue from the last audit. |
| IT System Changes | 1 | Were there any system changes within the last 12 months or since the last assessment? | No system changes. |
| Staff Turnover | 2 | Has there been any staff turnover which may result in more potential errors? | No staff changes. |
| Quality of Management | 1 | Is management involved in the daily operations of this activity? | Operations manager oversees this product along with Cash Management Officer. Dual controls are in place for all product implementation. |
| Training Performed | 1 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | Annual training attended and special core system training. |
| Date of Last Audit | 1 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | Annual audit - Jan. 2017 |
| Previous Exceptions | 1 | Did you have previous exceptions noted either in an audit or regulatory exam? | No previous exceptions noted. |
| Risk of Monetary Loss | 4 | Does this area present any risk of monetary loss to your institution? | Monetary loss can occur if Bank accepts deposited items more than once. Systems and procedures are in place to avoid these incidents. |
| Nature of Items | 1 | What is the nature of the new or changed items in this area? | No changes. |
| Nature of Operations | 2 | What is the nature of operations in this area/department? | Operations, Cash Management |
| TOTAL SCORE | 18 | Add up all the individual scores and transfer to the Summary Report. | |
Internal Controls RA – Example #6 Wire Tfrs
AREA BEING ASSESSED: Wire Transfers
SCALE USED: 1 = Incidental, 2 = Minor, 3 = Moderate, 4 = Major, 5 = Extreme

| CATEGORY | SCORE | EXPLANATION OF CATEGORY | REASON FOR SCORE |
|---|---|---|---|
| Growth/New Activities | 5 | Has there been any growth in this area/department? New activities performed? | New client tripled the wire transfer activity, including International Wires. |
| Policies and Procedures | 3 | Have policies been updated within the last 12 months? Are there written procedures in place? | Need to update procedures with new customer and with new department volumes. |
| Regulation and Compliance | 2 | Does your policy comply with appropriate regulation? Did you fall out of compliance during the last 12 months for any reason? | Policy complies with all applicable regulations. No compliance issues from last audit. |
| IT System Changes | 2 | Were there any system changes within the last 12 months or since the last assessment? | Only normal vendor software upgrades, and they were completed. |
| Staff Turnover | 3 | Has there been any staff turnover which may result in more potential errors? | No new staff, but Bank just lost one team member. Looking to replace position. |
| Quality of Management | 3 | Is management involved in the daily operations of this activity? | Operations Manager oversees the Wires department. |
| Training Performed | 4 | Has the staff attended training on any new regulations, policies, or procedures in the last 12 months or since the last assessment? | Due to increased volume, staff has not had the time for training in the last 12 months. |
| Date of Last Audit | 2 | What was the date of this area/department's last audit conducted either by your internal or external auditor? | Annually - January 2017 |
| Previous Exceptions | 2 | Did you have previous exceptions noted either in an audit or regulatory exam? | No previous exceptions, but Bank monitors this area consistently. |
| Risk of Monetary Loss | 5 | Does this area present any risk of monetary loss to your institution? | Wire transfer area is one of the highest risk areas for both internal and external fraud. Therefore, it's monitored continually. |
| Nature of Items | 4 | What is the nature of the new or changed items in this area? | Increased wire volume can lead to more errors and internal fraud if not watched. |
| Nature of Operations | 5 | What is the nature of operations in this area/department? | Finance and Operations |
| TOTAL SCORE | 40 | Add up all the individual scores and transfer to the Summary Report. | |
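As an added example (not part of the webinar material), the following Python encodes the worksheet used in the six examples above: the twelve categories, the 1 to 5 scale, a check that every category is scored exactly once, the TOTAL SCORE, and the Summary Report ranking of areas by total. The six areas' scores are transcribed from the page; treating scores of 4 or 5 as the categories to act on is an editor's assumption, not part of the author's method.

```python
"""Scorer for the Internal Controls Risk Assessment worksheets on this page.
Added example (not from the webinar): encodes the 12 categories and the 1-5
scale, validates an area's scores, sums the TOTAL SCORE and ranks the areas."""
from dataclasses import dataclass

CATEGORIES = (
    "Growth/New Activities", "Policies and Procedures",
    "Regulation and Compliance", "IT System Changes", "Staff Turnover",
    "Quality of Management", "Training Performed", "Date of Last Audit",
    "Previous Exceptions", "Risk of Monetary Loss", "Nature of Items",
    "Nature of Operations",
)
SCALE = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}


@dataclass
class AreaAssessment:
    area: str
    scores: dict  # category -> score on the 1-5 scale

    def validate(self) -> None:
        """Each of the 12 categories must be scored exactly once, on 1-5."""
        missing = set(CATEGORIES) - set(self.scores)
        unknown = set(self.scores) - set(CATEGORIES)
        if missing or unknown:
            raise ValueError(f"{self.area}: missing={missing} unknown={unknown}")
        bad = {c: s for c, s in self.scores.items() if s not in SCALE}
        if bad:
            raise ValueError(f"{self.area}: scores outside 1-5: {bad}")

    def total(self) -> int:
        """The worksheet's TOTAL SCORE: the sum of the 12 category scores."""
        self.validate()
        return sum(self.scores.values())

    def high_risk_categories(self) -> list:
        """Categories scored Major (4) or Extreme (5); editor's cut-off, not the author's."""
        return [c for c in CATEGORIES if self.scores[c] >= 4]


def summary_report(assessments) -> list:
    """Summary Report rows (area, total score), highest risk first."""
    rows = [(a.area, a.total()) for a in assessments]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Scores transcribed from the six worksheets on this page, in category order.
PAGE_EXAMPLES = [
    AreaAssessment(area, dict(zip(CATEGORIES, s))) for area, s in (
        ("Accounts Payable", (4, 4, 1, 5, 3, 1, 3, 3, 1, 3, 3, 3)),
        ("Call Report", (3, 2, 2, 4, 4, 1, 2, 4, 1, 3, 3, 2)),
        ("Human Resources", (4, 1, 1, 2, 3, 1, 2, 3, 3, 2, 3, 1)),
        ("Internet Banking", (3, 1, 1, 2, 1, 2, 2, 1, 3, 5, 3, 4)),
        ("Remote Deposit", (1, 1, 2, 1, 2, 1, 1, 1, 1, 4, 1, 2)),
        ("Wire Transfers", (5, 3, 2, 2, 3, 3, 4, 2, 2, 5, 4, 5)),
    )
]
```

Running `summary_report(PAGE_EXAMPLES)` reproduces the totals shown on the worksheets (40, 34, 31, 28, 26, 18), which is a quick consistency check before the totals are copied to the Summary Report.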
Bringing It All Together
• Always start with your Strategic Plan and integrate ERM
• Establish an ERM Program at your bank and complete the 3 phases:
  • Identify and Assess Risks – our focus today
  • Mitigate and Eliminate Risks
  • Monitor and Report Risks
• Start with the ERM Risk Assessment
• Then complete Risk Assessments enterprise-wide for all areas
• Track ALL Risk Assessments enterprise-wide and complete them annually
• Resolve all findings and implement recommendations and best practices
Sources
• FDIC Risk-Based Assessment System – Financial Institution Letters (FILs): https://www.fdic.gov/deposit/insurance/risk/FILS.html
• OCC Bulletin 2015-48, Updated Guidance on Risk Assessment System: https://www.occ.gov/news-issuances/bulletins/2015/bulletin-2015-48.html
• OCC Comptroller's Handbook: Community Bank Supervision: https://www.occ.gov/publications/publications-by-type/comptrollers-handbook/pub-ch-ep-cbs.pdf
• COSO (The Committee of Sponsoring Organizations of the Treadway Commission): www.coso.org
• OCC Supervisory Guidance on Model Risk Management: https://www.occ.treas.gov/news-issuances/bulletins/2011/bulletin-2011-12a.pdf
Marci Malzahn, President & Founder
Consulting: www.malzahnstrategic.com
Free Resource: 30 Minute ERM Strategic Session with Marci
LinkedIn: https://www.linkedin.com/pub/marcia-marci-malzahn/1/6/729
Speaking & Books: www.marciamalzahn.com
@marcimalzahn
612-242-4021