COSO introduces updated Internal Control Framework

Many in the Internal Audit Community would be aware that COSO (the Committee of Sponsoring Organizations of the Treadway Commission) released an updated Internal Control Framework on May 14, 2013.

The COSO Framework, initially introduced in 1992 and possibly the most widely accepted internal control framework, has been enhanced by expanding the financial reporting category of objectives to include other important forms of reporting, such as non-financial and internal reporting.
The business environment has witnessed significant changes since the original framework was released, and the Board felt it was time to align the framework to the emerging landscape and stakeholder expectations, including:

  • Expectations for governance oversight
  • Globalization of markets and operations
  • Changes and greater complexities of business
  • Demands and complexities in laws, rules, regulations, and standards
  • Expectations for competencies and accountabilities
  • Use of, and reliance on, evolving technologies
  • Expectations relating to preventing and detecting fraud

The framework solidifies some of the concepts mentioned in previous versions as specific principles to assist management in implementing a sound internal control framework.

What should companies do?

Senior Management should work closely with their internal audit groups to:

  • Review the updated COSO Framework and evaluate how it impacts their internal control structures and procedures for each of the COSO components and principles. If the company had adopted the original framework, management would need to focus their attention on the key changes.
  • Apprise their Audit Committee of any impact on their organizations and how the internal controls will be changed or enhanced as a result of the new guidance.
  • Consider adopting the changes within their internal control system as soon as feasible.

May 24, 2013 at 8:39 pm

An Effective Risk Identification Approach

LinkedIn groups feature many interesting discussions on risk management practices. In the Enterprise Risk Management (ERM) group on LinkedIn, I came across an interesting question posed by a member.

“In terms of operational risk in the financial environment, what would be the best approach to follow to “teach” someone how to identify risks in their environment? Thinking about an effective risk identification approach, instead of the “top-of-mind” approach to identifying “top 10” risks.”

There were a couple of other interesting responses, but my own view is that “top of the mind” risks are not necessarily a bad place to start. An effective risk identification approach would include the following steps:

1. Start with the “Top of Mind Risks”

Top of the mind items are usually there, occupying center stage in people’s minds, because they are usually the most critical issues facing the industry, the organization or the function.

2. Develop a more comprehensive risk universe

Obviously it’s not enough to stop at just those top of the mind items; we should supplement them with other items, both from within the organization and from external factors. Sources of this risk information could be current issues facing the business or the industry, past trends, known loss events, emerging risk scenarios, potential black swans, etc. A more comprehensive universe of potential risks would be the result of this exercise.

3. Identify the critical risks facing the business

It’s also crucial to get organization-wide views on which of these risks are most critical to your business and have the highest potential impact and probability of occurrence. Consolidating the views of the C-suite and the business functions can help create a shared view of the risks facing the organization and develop appropriate response strategies.

February 10, 2013 at 7:34 pm

Components of an Effective AML Monitoring Program

AML – A Critical Component of an Institution’s Risk and Compliance

Combating money laundering and fraud has become an area of increasing focus for governments and regulators across the world. Financial Institutions (FIs) play a key role in the war against money laundering and terrorist financing by developing strong Anti-Money Laundering (AML) monitoring capabilities. Obviously, investments in AML monitoring systems and processes have to be balanced with other priorities and demands placed on FIs by an economy weakened by recession and by a slew of regulatory changes being introduced by the Dodd-Frank Act and similar legislation globally.

However, since AML and sanctions violations continue to attract stiff regulatory fines and penalties, this remains an area of high priority for Boards and senior management at FIs.

AML Integrated into Enterprise Risk Management (ERM)

In an era of constrained budgets, leading FIs should consider creating an integrated Enterprise Risk Management model of which AML risk and compliance monitoring remains a critical component. The institution’s time and resources should consequently be invested commensurate with its AML risk profile, taking into account the likelihood and impact of AML risks vis-à-vis the other significant risks the institution faces. An integrated risk management effort leverages good internal control practices implemented in other areas of the business, such as customer identification and onboarding controls.

Elements of an Effective Monitoring Program

Based on our experience with a number of FIs, we share below the key elements of an effective AML program:

AML /OFAC Risk Assessment

Every FI has different products and a different customer base, operates in different geographies, and has to consider the AML/OFAC Risk Assessment in light of this. Some of the factors that the FI will need to consider include the quality and type of customers, the industries these customers represent, the geographies in which the FI has banking or correspondent operations, and whether these locations include High Risk jurisdictions, High Intensity Drug Trafficking Areas (HIDTA) or High Intensity Financial Crime Areas (HIFCA).

Risk-Intelligent Policies and Procedures

Based on the risk assessment, the FI will need to develop and implement suitable policies and procedures, which will provide the first layer of defense. These would need to be approved by the FI’s Board of Directors or a Risk Committee of the Board. Such approval will demonstrate the Board’s commitment to implementation and ensure that AML receives the level of attention and resources that it deserves. The policies and procedures should be comprehensive and cover areas such as the establishment of customer identification and onboarding procedures, training of personnel tasked with fulfilling various AML monitoring responsibilities, ongoing customer due diligence and transaction monitoring, record keeping and custody, suspicious activity identification and reporting, management reporting and escalation processes, internal controls, segregation of duties, information technology controls such as access restrictions, and business continuity plans. Some aspects of these policies and procedures are discussed below:

Training

A key component in ensuring the success of the AML program is the training of personnel. FIs should implement an ongoing training and education program that will ensure staff knowledge and skills are current with the latest regulatory changes, new money laundering and fraud schemes, the consequent changes to the organization’s policies and procedures, and their own roles and responsibilities in maintaining a full state of compliance. FIs would also need to maintain records of training conducted, as this has increasingly been the subject of recent regulatory reviews.

Customer Identification and Onboarding Processes

Generally known as the Know Your Customer (KYC) process, most FIs have in place processes for understanding and verifying the customer’s identity, demographic information, risk profile, etc. FIs typically also filter the customer name against published watch lists such as the one from the Office of Foreign Assets Control (OFAC). Creating a customer profile based on the initial transactions aids in monitoring activities by flagging abnormal patterns or significant variations in subsequent customer transactions.

Beyond the KYC process, it is critical for the FI to ensure that customer data is regularly refreshed, as customers’ circumstances change. Another important consideration for FIs is to account for regulatory changes that might impact customer identification and monitoring, such as the Foreign Account Tax Compliance Act (FATCA). FIs’ ability to fulfill the requirements of this legislation, including identifying relevant US persons for reporting purposes, will depend on enhanced KYC systems and processes.

Ongoing Transaction Monitoring and Suspicious Activity Reporting

It is critical to perform ongoing due diligence of all customer transactional activity against risk levels and profiles. This allows FIs to detect potential suspicious activities that may require further investigation and also the filing of a Suspicious Activity Report (SAR) with the regulators within prescribed time limits.

The FI should have the systems and processes that will allow the monitoring of all customer transactions to assess whether such activity falls within the expected activity patterns of the customer. Most AML monitoring systems contain algorithms that are applied to the customer information files and historical transactional data to generate the expected activity profile for each customer. Additional rule-based monitoring is usually set up to flag transactions that may require further scrutiny, for example transactions originating from or sent to high-risk jurisdictions. Our experience during independent AML assessments conducted at several institutions has shown that organizations that fail to maintain their data quality often see a marked deterioration in their AML monitoring effectiveness over time. Also, in large and global FIs, it is often a challenge to integrate information from various source systems across different geographies in order to effectively monitor cross-border transaction flows.

Managing Sanctions Lists

Another key challenge is ensuring the latest OFAC and other sanctioned-party lists are updated and current. Many organizations do not have a process in place to maintain, within a reasonable time frame, the updated sanction lists issued by the various regulators. This leaves them open to the potential risk of not detecting transactions where the originator or beneficiary might be a newly listed sanctioned party. While the likelihood of such a risk may be small, the potential negative consequences of regulatory actions, should such a lapse occur, give organizations plenty of incentive to implement a process to proactively reconcile the sanction lists and keep them regularly updated.
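The following is an added illustration, not code from the original post or from any institution’s monitoring system, of the logic described in the two preceding sections: an expected-activity profile per customer built from historical amounts, a rule-based flag for high-risk jurisdictions, and sanctions-list screening of the counterparty, including what a stale list fails to catch. Customer ids, amounts, country codes and list entries are constructed placeholders, and the 3-standard-deviation threshold is an assumption for the example.

```python
import re
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Constructed sample data: historical transaction amounts per customer id.
# (Placeholders for illustration, not data from any institution.)
HISTORY: Dict[str, List[float]] = {
    "C001": [1200, 950, 1100, 1300, 1000, 1250],  # established commercial customer
    "C002": [50, 75, 60, 55, 80, 65],             # small retail customer
}

# Placeholder country codes standing in for high-risk jurisdictions.
HIGH_RISK_JURISDICTIONS: Set[str] = {"XX", "YY"}

# Two versions of a sanctions list: the stale copy an institution might still
# be screening against, and the current one containing a newly listed party.
SANCTIONS_LIST_STALE: Set[str] = {"ACME TRADING LTD"}
SANCTIONS_LIST_CURRENT: Set[str] = SANCTIONS_LIST_STALE | {"NEWLY LISTED CORP"}


def build_profiles(history: Dict[str, List[float]]) -> Dict[str, Tuple[float, float]]:
    """Expected-activity profile per customer: mean and population std dev of past amounts."""
    return {cid: (mean(amts), pstdev(amts)) for cid, amts in history.items() if amts}


def normalize_name(name: str) -> str:
    """Uppercase, drop punctuation and collapse whitespace so that trivial
    formatting differences do not defeat a list match."""
    cleaned = re.sub(r"[^A-Z0-9 ]", " ", name.upper())
    return " ".join(cleaned.split())


def screen_name(name: str, sanctions: Set[str]) -> bool:
    """Exact match after normalization (production systems add fuzzy matching on top)."""
    return normalize_name(name) in {normalize_name(s) for s in sanctions}


def evaluate(txn: dict, profiles: Dict[str, Tuple[float, float]],
             sanctions: Set[str], high_risk: Set[str], k: float = 3.0) -> List[str]:
    """Return the alert reasons for one transaction; an empty list means no alert.

    txn is a dict with keys customer, amount, counterparty and country."""
    reasons: List[str] = []
    profile = profiles.get(txn["customer"])
    if profile is None:
        # No history yet: nothing to compare against, so surface it for review.
        reasons.append("no activity profile for customer")
    else:
        avg, sd = profile
        # Assumption: when history is perfectly uniform (sd == 0) use 10% of the
        # mean as the spread so a tiny increase does not trigger an alert.
        spread = sd if sd > 0 else 0.1 * avg
        threshold = avg + k * spread
        if txn["amount"] > threshold:
            reasons.append(f"amount {txn['amount']:.2f} exceeds profile threshold {threshold:.2f}")
    if txn["country"] in high_risk:
        reasons.append(f"counterparty in high-risk jurisdiction {txn['country']}")
    if screen_name(txn["counterparty"], sanctions):
        reasons.append(f"counterparty matches sanctions list: {txn['counterparty']}")
    return reasons


def main() -> None:
    profiles = build_profiles(HISTORY)
    # Constructed incoming transactions to screen.
    incoming = [
        {"customer": "C001", "amount": 1400, "counterparty": "Local Grocer", "country": "US"},
        {"customer": "C001", "amount": 9000, "counterparty": "Newly Listed Corp.", "country": "XX"},
        {"customer": "C999", "amount": 10, "counterparty": "Local Grocer", "country": "US"},
    ]
    # Screening the same transactions against the stale and the current list
    # shows the newly listed party slipping through when the list is out of date.
    for list_name, sanctions in (("stale list", SANCTIONS_LIST_STALE),
                                 ("current list", SANCTIONS_LIST_CURRENT)):
        print(f"--- screening against {list_name} ---")
        for txn in incoming:
            reasons = evaluate(txn, profiles, sanctions, HIGH_RISK_JURISDICTIONS)
            print(txn["customer"], txn["amount"], reasons or "no alert")


if __name__ == "__main__":
    main()
```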

Periodic Management Review of Monitoring Program

Management review of the effectiveness of AML monitoring is the second layer of defense. Typically, senior management is not involved with day-to-day compliance responsibilities but should provide periodic review and oversight. Management reporting and analysis of trends will provide them with insights into high-risk areas and opportunities for improvement. We have often seen improvement programs emerge as a result of this management review, where, for example, management may want to optimize their AML/OFAC match levels by reducing false positive matches and increasing true matches.

Independent Review and Testing

The third layer of defense is provided by the independent assessment and testing of the AML program. This would need to be performed by an independent third party that has no role in either the implementation or oversight of the AML program, which are typically staff and management functions. FIs may use internal audit groups or may bring in an external independent assessment firm. Conducted annually, the independent assessment becomes a means to provide assurance to the Board and senior management about the effectiveness of the design and operation of the AML program. External firms also bring additional benefits from the knowledge and best practices they have gleaned from working with other FIs, and this can be a valuable source of benchmarking information as part of a continuous improvement cycle.

April 7, 2012 at 4:50 pm

Top Cloud Computing Risks – Have you planned your mitigation strategies?

Cloud computing seems to be the flavor of the season for Chief Information Officers (CIOs). Several surveys have indicated that a majority of CIOs rank cloud computing as one of their top technology priorities in 2012. The allure of “moving to the cloud” is obvious: cloud computing combines the benefits of flexibility, scalability and cost effectiveness, as organizations typically pay only for what they use and do not have to maintain costly technology infrastructure in house.

However, before your institution moves operations to the cloud, it is worthwhile to keep in mind and plan for the following potential risk considerations:

Return on Investment (ROI): Though cloud computing offers the benefits mentioned above, it is important that you have a clear understanding of the potential ROI. How do the current technology processing costs of your organization measure against the anticipated total “cost of ownership” of a cloud-based solution? Does the service provider have adequate scale, responsiveness and quality control measures to provide for a seamless transition of your current business processes to the provider’s platform? This will determine to a large extent whether your organization will realize the promised benefits and ROI.

Data and Intellectual Property Loss: Before moving your IT infrastructure to a cloud service provider, your organization must perform the due diligence necessary to understand the provider’s internal controls, hiring practices (background checks, etc.) and access controls that protect your confidential data and intellectual property. Ask your provider for a copy of its Statement on Standards for Attestation Engagements No. 16 (SSAE 16) report. This report will typically contain an assessment of the provider’s internal controls, physical and logical access protections, intrusion prevention and detection, firewall configurations, etc.

Non-Compliance with Regulations: If your institution is subject to regulations such as the Sarbanes-Oxley Act (SOX), Payment Card Industry (PCI) security standards, and the Gramm-Leach-Bliley Act (GLB Act), you will need to ensure that the service provider’s systems and processes are able to support your efforts to maintain compliance. Even though a portion of your information processing will be performed outside your firm, your organization remains responsible for maintaining compliance for all processes, including those performed outside your firm. If the provider or its hosted technology platform and applications reside in a different geography, it is critical that they maintain internal and technology controls equivalent to those required by the laws and regulations your institution is subject to.

Systems and information availability: This is especially critical for organizations that provide electronic banking and other web-based services. Your provider should guarantee service levels that support 24x7x365 access for your bank’s customers to perform transactions and access account information. A key safeguard here will be to obtain an ironclad Service Level Agreement (SLA) that guarantees real-time systems and data availability. Thorough due diligence to check the reputation and reliability of your service provider in this regard is a must.

Business continuity planning: Assess whether your provider has a sound and fully tested Business Continuity Plan to provide continuity of operations in the event of a disaster. The plan should cover recovery of information, impact assessment, communication protocols and business resumption strategies. It is a good idea to conduct Disaster Recovery / Business Continuity simulations with your provider periodically to test whether the plan works as intended.

March 22, 2012 at 3:52 pm

Risk assessing your business plans

Given the level of complexity in the business environment today, businesses need greater flexibility in planning and implementing their business strategies. Business planning processes should consider various detailed scenarios in the business environment, such as competitors’ moves, shifts in customers’ needs, government regulations, technology changes, etc.

The best prepared companies risk-assess their business plans and strategies to see how their business will cope with the likely scenarios as they emerge.

Here are a few things to consider as you risk assess your business plan for 2011 and beyond:

  1. A Risk Assessment exercise is most effective when performed as part of your strategic planning exercise, rather than as a separate project.
  2. Involve your top management team to visualize the various scenarios likely to play out in the economy, within your industry and markets.
  3. Identify, as best possible, the likelihood of these various scenarios occurring and their likely impact on your business plan, e.g. how will increased regulatory scrutiny or rising healthcare costs impact your company?
  4. Be prepared with alternative strategies and plans based on the more likely scenarios that you and your team have identified.
  5. While maintaining higher levels of preparedness for the most likely events, identify contingency plans for less likely but high impact events.
  6. Gather intelligence from industry sources, customers, and suppliers to identify emerging developments.
  7. Identify milestones to track progress against the plan regularly, making course corrections as necessary.

November 3, 2010 at 8:30 pm

Six Secrets to Creating a Culture of Innovation – HBR Blog

When IBM recently polled 1500 CEOs across 60 countries, they rated creativity as the most important leadership competency.

Eighty percent of the CEOs said the business environment is growing so complex that it literally demands new ways of thinking. Less than 50 percent said they believed their organizations were equipped to deal effectively with this rising complexity.

But are CEOs and senior leaders really willing to make the transformational moves necessary to foster cultures of real creativity and innovation?

Read: Six Secrets to Creating a Culture of Innovation, HBR Blog post by Tony Schwartz

August 13, 2010 at 8:26 pm

7 questions to assess your customer management risks

Effective management of customer relationships is at the heart of every business. Customer satisfaction and retention are at the top of the mind for every CEO and business manager. Failure to appropriately manage the customer relationship is among the biggest risks facing a business.

However, I believe that management of customer relationship risk has not been given its due importance, commensurate with the criticality of the process. Managers need to recognize this is not an empty theoretical risk management exercise, but that there are real dollars at risk here. Not managing the risks of the customer management process could potentially lead to lost sales, customer attrition, declining revenues and margins, loss of reputation, etc.

A cornerstone of managing customer relationships is maintaining a transparent flow of information and communications with your customers. Withholding critical information about your products from your clients and customers can lead to severe impairment of corporate reputation, as has been seen in the recent troubles of well known companies in the financial services and automobile industries.

In an intensely competitive business environment, exacerbated by the deep and severe economic recession, every customer interaction has to be managed to perfection. Today we are in an “experience economy.” Customer satisfaction depends not just on the quality of the product or service, but on the total experience around it, including the quality and depth of information about the product or service, the functional and pricing options available, the process of purchase itself, the knowledge and friendliness of the staff, and the level of utility of the product or service in fulfilling the need.

Key moments of interaction with customers, known as “Moments of Truth,” need to be managed effectively, as they can have a disproportionately large impact on customer satisfaction. Automation of customer relationship management processes through Interactive Voice Response Systems (IVRS) and Customer Relationship Management (CRM) tools has led to increased efficiencies and cost savings for many organizations. However, implementing technologies should not come at the cost of quality of service. Many marketing organizations have ceded control of their CRM implementations to their IT groups and consequently are unable to realize the desired returns on investment and improved customer service levels.

Companies can address these risks by subjecting their customer management process to a rigorous risk assessment which would seek answers to critical, probing questions. Ask yourself the following 7 questions:

  • Do we have processes to assess the needs and feedback of customers about the quality of our products and services, the delivery experience, and the product ownership or usage experience?
  • Do we have practices to identify and resolve potential or actual quality problems with the products or services, along with effective communication policies and damage containment measures?
  • Do we have a common view of our customer relationships across all transactions and all interactions the customer has with the organization?
  • Is our technology enabling us to enhance the quality of interactions with customers cost effectively?
  • Do we have clear measures to monitor and track customer satisfaction and incorporate the insights into the design of products and services?
  • Do we have measures to stem the risk of lost sales from customers that defect to competitors?
  • Do we analyze why customers were lost, to identify the underlying reasons?

Organizations that focus on customer relationship risk management will find that their investments in enhancing this capability flow straight to the bottom line.

May 9, 2010 at 5:31 pm

How Leadership and Culture shape Risk Management

Management guru and noted author Charles Handy, in his review of the best business books on leadership for 2009 for Strategy & Business magazine, says the financial crisis “did not need to happen. There were warnings enough from observers about troubles ahead but those in power in organizations did not pay heed until it was too late.”

Wisdom gained from hindsight indicates that many companies did not possess the robust culture and leadership conviction to stay true to their own long term goals. Leaders were swayed by the lure of short term profit taking in what ultimately proved to be an illusory “pot of gold.”

The CFO of a company recently mentioned that organizational culture in his organization is viewed as a “soft” issue, one that does not have an immediate tangible impact on his company’s performance. This view is unfortunate. While quality of leadership and culture does not fit in a neat little box that an auditor or risk manager can check off, its impact on specific areas such as fraud prevention and corporate reputation, as well as on the general long term health and success of an organization, has been proven during this crisis.

Leadership and culture of an organization have always had a profound impact on risk management by:

  • Shaping the behavior of people on a daily basis
  • Informing the decisions made by managers
  • Defining the kind of risks that an organization will accept and the opportunities that it will pursue
  • Determining if a company is willing to swim against the tide when everyone else in the industry is out there making outsized profits in what might potentially be an unsustainable bubble.

Culture in turn is shaped by the attitudes, experiences and mental models of the top leaders of an organization. Do leaders promote an open culture where information flows freely rather than being hoarded? Are people in your organization afraid to share bad news for fear that “the messenger will be shot?” These are essential questions that need to be addressed to determine the cultural health of an organization.

The last couple of years have been especially challenging for companies faced with the worst economic crisis in decades. Organizational culture comes under great pressure during times of intense change, including downsizing, M&A, layoffs, etc. A manager at a company going through severe turmoil and layoffs recently likened the experience of going to work every day to going into a battlefield. He said “you do not know whose turn it was to get fired, and every day could well be your last at the company.” Not managing the crisis’s “moments of truth” with sensitivity and honesty can expose organizations to the risk of depleted employee morale and weakened corporate performance.

Leaders can shine and guide their organizations effectively even in these trying times by articulating clearly, respectfully and transparently the need for the changes and how the organization plans to emerge stronger as a result. Ultimately the key to building a healthy organizational culture rests with the leaders and the tone they set for the company. It is therefore essential for leaders to get personally involved in building an ethical, transparent organization where a free flow of ideas and a focus on excellence are a way of life.

November 27, 2009 at 11:19 pm

IIA GAIN Report on Top Ten Risk Management Imperatives for Internal Audit

The Institute of Internal Auditors (IIA) published a report on the 10 Risk Management Imperatives for Internal Auditing.

The timely and insightful report, based on a recent IIA Global Audit Information Network (GAIN) survey, highlights the evolving role of the Internal Audit profession in light of the heightened expectations of their organizations and their key stakeholders. The IIA GAIN report provides a useful guide for Chief Audit Executives to proactively transform their internal audit functions to meet these expectations and deliver increasing value.

The report emphasizes how today’s business environment is characterized by mounting pressures for stronger, more effective risk management. It also states that there is a sharp focus on risk oversight, considered by many observers to be the top governance issue facing corporate boards in a post-meltdown world, since audit committees are pushing for holistic risk management, stepped-up risk mitigation, and enterprise-wide risk assessments.

The cornerstone of the increased focus on risk management is the need to rebuild trust in our corporate society. Since the economic crisis, many companies have gone into intense soul-searching mode to identify what went wrong, what they could have done differently and, more importantly, what they can improve in future. Companies are trying to better balance risks and rewards and are taking a hard look at compensation practices and their corporate governance and oversight functions. In addition, Standard & Poor’s assessment of the Enterprise Risk Management function of companies is expected to bring greater scrutiny on the company’s risk management and oversight functions.

Many internal audit groups are stepping up to the plate and taking on the role of integrating various governance, risk and compliance initiatives, including SOX 404, Information Technology, financial reporting and compliance, to provide deeper visibility to senior management and the Board on key risk indicators and the organization’s performance metrics in those areas.

It’s important to focus on the key strategic risks that can “put a company out of business” as well as reputational risks that can lead to negative public, investor and regulator perceptions. Risk Management groups must look beyond past events as a guide and focus on an aggregated picture of “what could go wrong” across the enterprise. Leading companies now use scenario planning and leading indicator analysis to identify potential risks and opportunities and the likelihood and impact of such events on the organization’s business goals.

Studies have shown that companies with robust risk management and governance are perceived as quality organizations and attract greater valuations over the long term than companies that are not so perceived. Therefore effective risk management should permeate the entire organization and involve a collaborative effort, with senior management in a risk management implementation and ownership role, Internal Audit as a value-added independent assessment function, and the Board in an oversight and monitoring role.

November 4, 2009 at 4:05 pm

Risk Management Challenges for Asset Managers

By Uday Gulvadi

Parkview Risk Advisors, www.parkviewconsult.com

The proposed financial sector regulatory reforms, such as the Hedge Fund Transparency Act and the Treasury Department’s Financial Regulatory Reform proposals, resulting from the acute crisis in the financial sector are expected to have a deep and widespread impact on the health of the financial sector.

Asset management firms and hedge funds in particular are widely expected to come under the regulatory ambit. Due to recent scandals such as the Madoff and other Ponzi schemes and investment frauds, there has been increased anxiety in the investment community over the management of assets. Any organizational structure that separates asset management from asset ownership is likely to experience greater scrutiny and require heightened assessment of risk management practices.

It is widely anticipated that larger hedge funds, above a certain size of assets under management and representing a systemic risk, will come under the regulatory ambit. There is still uncertainty as to what the final shape of such regulations will be. Certain basic provisions requiring registration of hedge funds with the SEC, establishment of Anti-Money Laundering procedures and an enhanced level of disclosures are widely expected. There is some concern over the potential for increased operating costs for asset managers due to the burden of these new regulatory compliance procedures. This concern is somewhat justified based on the initial experience of public companies’ implementation of the Sarbanes-Oxley Act, where a broad-brush approach increased the costs of compliance.

Over the last several quarters, hedge funds have been subject to greater redemption pressures given the economic uncertainty, and therefore effective liquidity management has become critical. However, this is a great time for proactive asset managers to put their house in order and gain the trust of investors and regulators alike. Investors in hedge funds have become increasingly sophisticated with the entry of pension funds and other institutions. Investors and regulators are looking for tangible evidence of propriety and adequate oversight in the management of funds. Investors are looking to gain comfort about the asset manager’s risk management capabilities across the entire value chain, including investment management, execution, and management of counterparty risk, operational risks, and vendor / third party risks. It is therefore imperative for asset managers to establish a comprehensive framework of policies for risk management and risk reporting. For those that already have these policies in place, it would be advisable to conduct a “fresh look” assessment, especially in light of the market turmoil that may necessitate a change in risk postures.

During a time of crisis, companies are pressured to cut costs and reduce staff. This leaves companies especially vulnerable to operational risks. The workload gets redistributed among fewer employees, leading to increased work pressure and stress levels, and also exposes the organization to fraud risks due to the weakening of natural process-level checks and balances and segregation of duties controls, and the potential for management override. A good place to start would be to establish a clear and effective Corporate Governance and Risk Management Structure, including a Board or Risk Oversight Committee. Establishment of a Code of Ethics and comprehensive policies and procedure guidelines, and periodic independent assessment and monitoring of the design and operation of internal controls including fraud controls, would help asset managers rebuild trust.

Other aspects to review include the integration of information systems to ensure aggregated views of risk from all sources, and a timely reporting mechanism that enables prompt attention to potential and actual risk exposures. Leading firms are using tools such as stress testing and scenario analysis to enhance their preparedness to respond to potential opportunities and upheavals in the markets. They are also increasingly using third party administrators to provide an independent fund administration, accounting and valuation function.

Regular and transparent communication with the investor community is also key, especially since most hedge funds and alternative investment funds deal in a complex variety of products and derivative instruments that make it tough to accurately measure and quantify risk and to disclose the true carrying value of these investments. The need for greater disclosures will obviously have to be balanced with the need to protect proprietary information related to investment strategies. A huge challenge for regulators would be to introduce alignment and consistency of regulatory and compliance practices across countries, as regulatory inconsistency among different countries tends to create arbitrage opportunities. From a broader long term view, the US market is looking at a return to increased savings rates, which will in turn lead to increased investments in traditional as well as alternative savings avenues.

In conclusion, asset managers that take proactive measures to strengthen corporate governance, risk management and disclosure practices, and seek to understand and address investor and client concerns and needs, will emerge stronger in the new landscape.

September 25, 2009 at 5:37 pm

