Advanced Enterprise Risk Management
The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA
Advanced Enterprise Risk Management
July 22, 2019, 12:45 pm – 2:45 pm
Beth Cronenweth, AAP, CCM, Huntington Bank, Group Product Manager
Risk Management
The International Organization for Standardization (ISO) identifies the following principles of risk management*:
Risk management should:
• create value – resources expended to mitigate risk should be less than the consequence of inaction
• be an integral part of organizational processes
• be part of the decision making process
• explicitly address uncertainty and assumptions
• be a systematic and structured process
• be based on the best available information
• be tailorable
• take human factors into account
• be transparent and inclusive
• be dynamic, iterative and responsive to change
• be capable of continual improvement and enhancement
• be continually or periodically re-assessed
* "Committee Draft of ISO 31000 Risk management", International Organization for Standardization, 2007-06-15.
Enterprise Risk Management (ERM) Program
American Bankers Association: “Demystifying Enterprise Risk Management”
Elements of the ERM program cycle (from the slide diagram):
• Identify inherent risks
• Identify changing risks
• Understand your current risk control vulnerabilities
• Assess risk in new products, services
• Identify business processes & improvement opportunities
• Establish risk philosophy, culture and attitude
• Risk appetite
Inherent Risk
The probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances.
Inherent Risks in Payments
• Wire Transfer
• ACH
• Remote Deposit Capture
Controls
A device for regulating and guiding.
Internal Controls
• Internal Controls are operating practices or activities that are established to provide reasonable assurance that specific objectives will be achieved:
– Compliance with applicable policies, procedures, laws, regulations and contracts;
– Reliability and integrity of information;
– Economic and efficient use of resources; and
– Safeguarding of assets.
• Preventative, Detective
• Why are they important?
Directive Controls
• Policies and procedures
• Laws and regulations
• Training seminars
• Job descriptions
• Meetings
Designed to establish desired outcomes.
Preventative Controls
• Locking office door
• Physical control over assets
• Using passwords
• Policies and procedures
• Segregation of duties
Designed to keep errors or irregularities from occurring.
Detective Controls
• Reconciliations
• Exception reports
• Physical counts of inventories
• Testing & monitoring
• Reviews and comparisons
Designed to detect errors or irregularities that may have occurred.
Residual Risk
Residual risk is the threat that remains after all efforts to identify and eliminate risk have been made.
Residual Risk in Payments
• Wire Transfer
• ACH
• Remote Deposit Capture
Three Lines of Defense - Why?
• In 2013, the Institute of Internal Auditors (IIA) released a position paper stating that the “Three Lines of Defense” model provides a simple and effective way to enhance communications on risk management and control by clarifying roles and duties.*
• Easier to handle significant risk events
• Financial institutions are receiving higher scrutiny from regulators.
* IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013
Pillars of Risk
• Credit
• Compliance
• Legal
• Liquidity
• Market
• Operational
• Reputational
• Strategic
Credit Risk
Credit risk is the risk of loss of principal or loss of a financial reward stemming from a borrower's failure to repay a loan or otherwise meet a contractual obligation.
Source: http://www.investopedia.com
Compliance Risk
Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
Source: http://searchcompliance.techtarget.com
Legal Risk
Legal risk is the risk of loss because of the unexpected application of a law or regulation or because a contract or other right cannot be enforced.
Source: http://www.assetman.net
Liquidity Risk
Liquidity risk is the risk that a company or bank may be unable to meet short-term financial demands.
Source: www.investinganswers.com/financial-dictionary
Market Risk
Market risk is the risk that the value of an investment will decrease due to moves in market factors.
Source: www.hedgefund-index.com
Operational Risk
Operational risk is the prospect of loss resulting from inadequate or failed procedures, systems or policies.
Source: http://searchcompliance.techtarget.com
Reputational Risk
Reputational risk is the risk that a company will lose potential business because its character or quality has been called into question.
Source: www.businessdictionary.com
Strategic Risk
Strategic risk is the possible source of loss that might arise from the pursuit of an unsuccessful business plan.
Source: www.businessdictionary.com
RCSA – Risk and Control Self-Assessment
• One of the most effective tools in the Risk Management arsenal.
• When applied effectively it will add value to your entire organization and improve the way it does business.
• Typically done on a quarterly basis.
Source: Global Risk Consult
RCSA – Assessing Risks
Inherent Risks as well as Residual Risks need to be assessed and rated as High, Moderate or Low.
• Inherent Risk is the risk that exists in the process.
– Effectiveness of controls is not taken into consideration for arriving at Inherent Risks.
• Residual Risk is the risk that still exists after having business controls in place.
RCSA – Control Effectiveness
• What risks do we have?
• What controls do we have to mitigate these risks?
• Have the controls been implemented?
• If implemented, have the controls been effective?
• If not effective or not implemented, decide the response action.
New Product Risk Assessments
The OCC expects bank management and the board to oversee all new, expanded, or modified products and services through an effective risk management process.
Source: OCC Bulletin 2004-20
New Product Risk Assessment
• A tool to assess how the risks associated with the new, expanded, or modified product or service fit with the bank's business strategy and risk profile.
• Before deciding to introduce a new, expanded, or modified product or service, banks must perform due diligence so that management understands the impact.
New Product Risk Assessment
The due diligence process should include:
• Assessing how the risks associated with the new, expanded, or modified product or service fit with the bank's business strategy and risk profile.
• Consulting with relevant functional areas, such as credit, compliance, accounting, audit, risk management, legal, operations, information technology, and marketing to determine risks, concerns, and necessary controls.
• Determining requirements for complying with laws, regulations, and regulatory guidance.
• Determining the expertise needed to effectively manage the product or service, including the possible need to acquire additional expertise.
• Researching the background, experience, and reliability of relevant third parties.
• Developing a business and financial plan for the product or service that assesses the bank's competitive position and establishes objectives and strategies for how the product or service will be brought to market.
• Developing viable alternatives, including an exit strategy in the event the product or service fails to perform as expected.
Source: OCC Bulletin 2004-20
Third Party Payment Processors
• Third party payment processors (TPPP) introduce a unique level of risk to banks.
• Third party payment processors are bank customers that provide payment processing services to merchants and other business entities.¹
¹ http://www.ffiec.gov
Third Party Payment Processors
Risk Factors
• TPPPs generally are not subject to BSA/AML regulatory requirements. As a result, some processors may be vulnerable to money laundering, identity theft, fraud schemes, or other illicit transactions, including those prohibited by OFAC.
• BSA/AML risks are similar to risks from other activities in which the bank’s customer conducts transactions through the bank on behalf of the customer’s clients. When the bank is unable to identify and understand the nature and source of the transactions processed through an account, the risks to the bank and the likelihood of suspicious activity can increase.
• While TPPPs generally effect legitimate payment transactions for reputable merchants, the risk profile of such entities can vary significantly depending on the make-up of their customer base.
Source: http://www.ffiec.gov
Third Party Payment Processors
Risks
• Heightened risk of returns
• Use of services by higher-risk merchants
• Money laundering
• Fraud
• Inadequate due diligence processes by TPPP
Third Party Risk Management
Banks offering services to TPPPs should develop a comprehensive risk management program to address the unique attributes of Third Party Payment Processors, including evaluation of the TPPP’s clients (KYCC).
ALWAYS monitor periodically for changes!
Third Party Risk Management
A bank may assess the risks associated with payment processors by considering the following:
• Implementing a policy that requires an initial background check of the processor (using, for example, the Federal Trade Commission Web site, Better Business Bureau, Nationwide Multi-State Licensing System & Registry (NMLS), NACHA, state incorporation departments, Internet searches, and other investigative processes), its principal owners, and of the processor's underlying merchants, on a risk-adjusted basis in order to verify their creditworthiness and general business practices.
• Reviewing the processor's promotional materials, including its Web site, to determine the target clientele. A bank may develop policies, procedures, and processes that restrict the types of entities for which it allows processing services. These restrictions should be clearly communicated to the processor at account opening.
Source: http://www.ffiec.gov
Third Party Risk Management (cont.)
• Determining whether the processor re-sells its services to a third party who may be referred to as an "agent or provider of Independent Sales Organization (ISO) opportunities" or "gateway" arrangements.*
• Reviewing the processor’s policies, procedures, and processes to determine the adequacy of its due diligence standards for new merchants.
• Requiring the processor to identify its major customers by providing information such as the merchant's name, principal business activity, geographic location, and transaction volume.
* Gateway arrangements are similar to an Internet service provider with excess computer storage capacity that sells its capacity to a third party that would then distribute computer services to various other individuals unknown to the provider. The third party would be making decisions about who would be receiving the service, although the provider would be providing the ultimate storage capacity. Thus, the provider bears all of the risks while receiving a smaller profit.
Source: http://www.ffiec.gov
Third Party Risk Management (cont.)
• Verifying directly, or through the processor, that the merchant is operating a legitimate business by comparing the merchant's identifying information against public record databases, and fraud and bank check databases.
• Reviewing corporate documentation including independent reporting services and, if applicable, documentation on principal owners.
• Visiting the processor’s business operations center.
• Reviewing appropriate databases to ensure that the processor and its principal owners and operators have not been subject to law enforcement actions.
Source: http://www.ffiec.gov
Activities/Discussion
• Focusing on one payment product, analyze inherent risk, controls, and residual risk utilizing the risk pillars discussed.
• Where do you see the greatest challenges for your institution in managing risk?
The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA
Beth Cronenweth, AAP, CCM, SVP, Group Product Manager
Questions?