Top Priorities for Internal Audit in Financial Services Organizations

Discussing the Key Financial Services Industry Results from the 2016 Internal Audit Capabilities and Needs Survey


Introduction

Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement, and help to stimulate the sharing of leading practices throughout the profession. The 2016 report that follows describes the outlook of internal audit leaders within the financial services industry. For the first time in many years, this survey reflects the views of internal audit professionals at a time when the global economy and its financial system were recovering from the global financial crisis. The risk landscape it paints therefore reflects people's risk perceptions in a newly evolving world.

Michael Thor is a Managing Director with Protiviti and leads the firm's North American Internal Audit practice.

The findings discussed in our paper are based on responses from nearly 300 chief audit executives (CAEs) and internal audit professionals in the U.S. financial services industry. In the opinion of these respondents, cybersecurity represented the greatest area for internal audit functions to address. We have devoted one entire section of this report to the increasing attention that cybersecurity continues to garner. But this is far from the only area internal audit organizations seek to improve as they look forward to the coming year. A few areas that organizations prioritized as particularly acute challenges include:

Agile Risk Management
Model Risk Management & Data Analytics
Mobile Applications

"It is a near certainty that financial institutions will suffer cyber-related outages in the next few years; the key issue is how they respond and recover."

Cybercrime Concerns Dominate

Chief among the issues identified this year is technology risk, because of growing concerns about cybercrime and the vulnerability of outdated systems to outages and attack. Escalation in the frequency and sophistication of cyberattacks, as well as increased regulatory scrutiny of whether firms have adequate cyber-risk programs in place, has driven this risk to the top of the list.[1] Exacerbating this is a growing reliance on old and overly complicated IT systems, which are more susceptible to security breaches and to unpredictable outages that can cause disruption. A major challenge is that financial services firms are playing catch-up in a technology environment that continues to evolve rapidly.

As financial institutions rely to an even greater extent on technology (see Mobile Applications Challenge on page 3), they also need to be concerned with risks arising from third-party outsourcing and off-shoring activities. Vendors' different, and possibly less stringent, security standards could create the potential for data loss or leakage. This increases the risk of a firm losing control of parts of its operations as supply chains get longer and more complex. As financial institutions grow even more reliant on digital technology, the severity of a potential cyber breach increases exponentially.

Cybersecurity has traditionally been the responsibility of the chief security officer and/or the chief information officer; however, risk management and internal audit have a key role to play in securing the organization by working closely with senior management to ensure cybersecurity is embedded into the enterprise.

Agile Risk Management: Incorporating Risk Appetite and Risk Culture into the Third Line of Defense

In the immediate aftermath of the financial crisis, financial institutions, especially banks, invested a great deal of time, energy and money in developing more robust risk management functions focused on identifying and negating emerging risks. Although the perceived threat has fallen slightly, the responses we received suggest that still more needs to be done to meet both the demands of the modern environment and the heightened expectations of regulators.

Firms have recognized that they need to become more efficient in managing risk, compliance and internal audit requirements. Dealing with the myriad regulatory demands and changes in the operating environment requires firms to have agile and effective risk management and compliance functions that operate more like business functions, providing value by being agile, responsive and more forward-looking. Equally, firms need to maintain their focus on integrating risk appetite and risk culture into their organizations to create a risk-aware environment that allows an agile risk management philosophy to flourish. Even for those firms that have embraced the concept, integrating and embedding risk culture into the entire enterprise is a constant challenge. A greater challenge for internal audit is recognizing its role within an agile risk management philosophy and how it can assist in reinforcing and independently testing both risk appetite and risk culture in the organization.

[1] The 2015 annual report by the Financial Stability Oversight Council said that although U.S. banks and financial businesses have been leaders in erecting barriers to hackers, cyberattacks still present a potential systemic danger,

"Increasing reliance on models, and their growing complexity, especially in the area of stress testing, has driven increased demand for resources with the knowledge and skills to address the risks associated with the use of these same models."

Model Risk Management

Internal auditors have ranked model risk management as one of the top areas where they need to improve their technical knowledge, and for good reason. The internal audit function is tasked with verifying that financial institutions have a comprehensive model risk management practice, which includes governance, processes, policies, adherence to policies, and documentation. Having internal audit staff with the competence and skillset to provide effective challenge to the first- and second-line functions that use and provide oversight of the models, and to overall model risk management, continues to be a challenge for financial institutions, especially those that do not have the scale to support an in-house team of model professionals within the internal audit function. As organizations continue to increase the use and complexity of models, and with increasing regulatory focus on stress testing, already scarce modelling skillsets are in even greater demand.

"Mobile is lauded for its ability to connect organizations with consumers, but it brings its own unique challenges and risks to the organization."

Mobile Applications Challenge

Continuing the earlier technology trend, the survey shows a clear focus on auditing risks related to the development, management, and use of mobile applications within financial services institutions. Mobile banking and mobile payments are exploding in popularity as financial institutions respond to demands from their customers to offer more convenience through mobile channels. The speed of change, the introduction of new third parties offering mobile services, and the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms, as well as for the internal audit functions that have to help the organization navigate the risks presented by these new channels, processes and technologies.

The Changing Internal Audit Environment

Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs Survey showed that the focus of the entire industry was mainly on regulatory compliance, from stress testing requirements to the broader concerns over compliance with the various regulations being issued under the Dodd-Frank Act. Even though internal auditors are continuing to grapple with regulatory compliance, an increasing focus is being placed on ensuring that programs that have already been implemented, such as risk appetite and risk culture, are being embedded into the organization, as well as on looking ahead to adopting a more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing on firms' cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors as an area for improving their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as an area for greater attention.

Unlocking the Power of Data to Help Manage Risk

Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle with. The industry agrees that data analysis holds great promise; however, how to effectively deploy and utilize expanding data analysis capabilities to harness the power of advanced analytics remains a challenge for most internal audit organizations. That said, the use of analytics by internal audit functions is continuing to evolve, driven by internal audit functions' desire to make informed decisions on data from key risk indicators in the various lines of business, to help them dedicate their audit hours and testing more efficiently and effectively. The more advanced firms report that they are implementing the use of aids such as visualization tools and continuous monitoring, accessing enterprisewide data, as well as running analytics, to help them better understand where the biggest risks exist.

Impacts on Internal Audit

The role of internal audit, the third line of defense, is changing. Under the U.S. Office of the Comptroller of the Currency (OCC) Heightened Standards for Large Financial Institutions,[2] the role of internal audit is to opine on the readiness and design of risk management systems and corporate governance structures, including risk culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within the topics above. Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

Internal Audit Concerns

Further areas of concern that firms need to consider in developing their 2016 audit plans include:

Development of dynamic risk assessment and audit planning
Talent management and acquisition
Reliance across the three lines of defense
Assessing effective risk management
Vendor management
Communication with stakeholders

About the Internal Audit Capabilities and Needs Survey

This year the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge, and personal skills and capabilities. Respondents from U.S. financial services companies were also asked to assess industry-specific skills. The results, based on information provided by all respondents (who numbered more than 1,300), are contained within the master report (available at ...). In addition to the overall findings, Protiviti collected and analyzed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights about the unique issues within their domains.

Cybersecurity and the Audit Process

"An organization can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed." Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti's IT Consulting practice. James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Everyone, from individuals to large businesses, is at high risk of cybercrime: identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling against cyber criminals on the frontline. Cyber risk is recognized around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology exponentially increases the risk, and the potential severity, of cyberattacks for financial services firms.

General Technical Knowledge (top 10 areas, listed in order of respondents' reported need to improve; competency on a 5-pt. scale shown where available):

Agile risk and compliance
Internet of Things
NIST Cybersecurity Framework (competency 2.3)
GTAG 16: Data Analysis Technologies (competency 2.7)
ISO (environmental management) (competency 2.1)
ISO (information security)
Mobile applications
International Financial Reporting Standards (IFRS) (competency 2.2)
Country-specific enterprise risk management framework (competency 2.9)
Assurance around outsourced service providers
COSO Internal Control Framework: Evaluation of Presence, Functioning and Operating Together

Audit Process Knowledge (top 10 areas, listed in order of respondents' reported need to improve; competency on a 5-pt. scale shown where available):

Data analysis tools: statistical analysis
Auditing IT program development
Auditing IT security
Auditing IT continuity (competency 3.2)
Quality Assurance and Improvement Program (IIA Standard 1300)
Ongoing Reviews (IIA Standard 1311)
Operational auditing: effectiveness, efficiency and economy of operations approach
Fraud: fraud detection/investigation (competency 3.2)
Assessing risk: emerging issues
Audit planning: process, location, transaction level
Operational auditing: risk-based approach

A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknowns are when an attack will happen and whether the firm is prepared for it, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework[3] as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities in auditing IT security.

"Most companies are beyond thinking that it is not a matter of if they are attacked, it's when. The executive management and boards of most organizations recognize that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organizations."

The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO standards or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organizational governance needs to be established for these frameworks to be effective when organizations adopt them. This approach will ensure the framework is integrated into the culture of the organization. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but that it needs to know when the firm has been compromised and that the firm has a robust response plan in place.

One of the most important aspects of any firm's cybersecurity plan is identifying its key assets, the proverbial crown jewels.[4] "An organization can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report: Cybersecurity Framework: Where Do We Go From Here? Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here Protiviti.pdf.

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66: Managing Cyber Threats with Confidence, US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf.

Having the right response plan in place is crucial to being able to mitigate the damage to the organization and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach. "If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organization need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team; the list goes on."

Internal audit has a key role to play in ensuring the organization has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organization. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organization's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST, but the degree of compliance varies between organizations. Firms that conduct business with the U.S. government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within, from their own employees or from their suppliers, which may not have such sophisticated defense systems. Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigor with which they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organizations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises. The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework, as well as the 2013 update to the relevant ISO standard.

"The NIST framework is U.S.-centric; global banks often prefer an internationally recognized framework. Traditionally these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.

Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by U.S. banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness.[5] This includes high-level guidance for firms to take appropriate risk mitigation steps, including: conducting ongoing information security risk assessments; performing security monitoring, prevention, and risk mitigation; protecting against unauthorized access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6] "The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organization and whether the cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a baseline level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organizations using the tool."

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards, such as the NIST Cybersecurity Framework. There are two parts to the assessment: an inherent risk profile and cybersecurity maturity. The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank's technologies and connections, delivery channels, products and services, organizational characteristics, and external threats, notwithstanding the bank's risk-mitigating controls. Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks. With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defense, the bar has definitely been raised for financial services internal audit shops.

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organization become very effective in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognize the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk; and (b) ensure that the board remains highly engaged with cybersecurity matters and is up-to-date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan based on the risk it represents to your organization.

6. Emerging Technology: Develop, and keep current, an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organization's cybersecurity program against the NIST Cybersecurity Framework, while recognizing that the framework does not go to the control level and therefore may require additional evaluations against ISO ...

8. Preventative Capabilities: Recognize that with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security: a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority; a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organizations and can hamper efforts to address cybersecurity issues.

Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies, and documentation." Shaheen Dil, Ph.D., Managing Director

Shaheen Dil, Ph.D., is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice. Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice. Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies, and documentation.

Technical Knowledge, U.S. Financial Services Industry (top 10 areas, listed in order of respondents' reported need to improve; competency on a 5-pt. scale shown where available):

Basel guidance on internal audit (competency 2.9)
Basel III
Model risk management
Volcker Rule
Dynamic risk assessment
Interest rate/market risk
CFPB examination readiness
Federal Reserve Guidance on Internal Audit (SR 13-1) (competency 3.0)
Vendor management (competency 3.4)
Regulatory Compliance: Holding Company (Reg W) (competency 2.7)
UDAAP (competency 2.8)
Reliance on 1st and 2nd line monitoring (competency 3.4)

Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately. Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for U.S. institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure. Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will continue to monopolize the attention of affected financial institutions and their internal audit functions.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and the OCC Supervisory Guidance on Model Risk Management. At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results. The Federal Reserve evaluates the stress testing and capital planning processes of U.S. banking organizations with assets greater than $10 billion through DFAST, and organizations with assets of $50 billion or more through CCAR. Note that many organizations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities. Producing such calculations is a complex undertaking, which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports. In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results. As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and the OCC Supervisory Guidance on Model Risk Management. Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis of these changes, Protiviti has published several articles, including Reducing Risk Through Model Validation, Model Governance and Effective Risk Management, and Building Confidence in ALLL Models: a Timely Practice (available at ...).

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution:

Large institutions. The 20 or so largest U.S. banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialized skills and completing large model building (or model validation) efforts in a timely manner.

Midsize institutions. These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee or the equivalent, consisting of members of risk management, modelers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel them represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

Small institutions. Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organizations. These include data quality and availability; maintaining independence between model developers and model validators; and access to specific technical (e.g., quantitative) expertise and talent. 10 By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.

10 For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article, Complying with the New Supervisory Guidance on Model Risk, in the February 2012 issue of The RMA Journal.

Internal audit teams are challenged with having the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

1. Assessing the model governance program (under SR 11-7 and the OCC Supervisory Guidance on Model Risk Management);
2. Assessing each model validation for consistency with those rules;
3. Assessing model development, implementation and use; and
4. Assessing compliance with CCAR and DFAST regulations.

The banking organizations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management. 11 As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defense, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines, all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organization's stress testing and capital planning exercise presents specific and unique challenges. The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency among all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls 12 or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to validate the complete set of models, the validation team should make the validation results (including which models remain unvalidated) transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate the resulting model risk. Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that it understands the process in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team as well as sufficient staffing levels to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

11 SR 11-7 Supervisory Guidance on Model Risk Management.
12 Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation.

Need to Improve: Audit Process Knowledge, U.S. Financial Services Industry (top 10 areas)

Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Current Expected Credit Loss (CECL) | (not recoverable from the page)
2 | Stress testing (CCAR/DFAST) | (not recoverable from the page)
3 | Derivatives and securities | (not recoverable from the page)
4 | Derivatives and hedging | (not recoverable from the page)
5 | Mergers and acquisitions due diligence | (not recoverable from the page)
6 | Wholesale products | 2.3
7 | International regulation | 2.2
8 | Capital markets planning | 2.4
9 | Other Than Temporary Impairment (OTTI) | 2.6
10 | Criticized asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge. CECL is a proposed credit impairment accounting standard that is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period. The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data, incorporating more types of information. The loss reserve estimation process would also involve multiple management judgments, each of which must be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgments, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas. For example, under the new accounting standard, it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should design audit tests to determine whether the lifetime estimation methodology conforms to the requirements and is correctly applied in the loss reserve models. Internal audit will also need to review several more areas that are not applicable under the current loss reserve accounting rule, including: the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model; the choice of the supportable forecast window; and the support for the assumed lifetime of different types of assets.

Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organization has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.
2. Review the overall MRM process governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.
3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).
4. Ensure the organization has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.
5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.
6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.
7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.
8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modeled appropriately.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualization tools and continuous monitoring, they are accessing data without a traditional request of IT, and they are running analytics to help them understand where the biggest risks exist." Barbi Goldstein, Managing Director

Shaheen Dil, Ph.D., is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice. Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice. Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

1. Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organization through better insights into risks.
2. External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organization.
3. A growing focus on data quality and data governance, driven by organizations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit.
4. Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest U.S. financial institutions. 13 The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to: perform more robust testing, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators, and meet the heightened expectations of regulators.

13 Changing Trends in Internal Audit and Advanced Analytics is available at Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf.

Need to Improve: Audit Process Knowledge (top 10 areas; the survey lists 12 entries because of tied rankings)

Areas Evaluated by Respondents | Competency (5-pt. scale)
1. Data analysis tools | (not recoverable from the page)
Statistical analysis | (not recoverable from the page)
Auditing IT: program development | (not recoverable from the page)
Auditing IT: security | (not recoverable from the page)
Auditing IT: continuity | 3.2
Quality Assurance and Improvement Program (IIA Standard 1300) | (not recoverable from the page)
Ongoing Reviews (IIA Standard 1311) | (not recoverable from the page)
Operational auditing: effectiveness, efficiency and economy of operations approach | (not recoverable from the page)
Fraud: fraud detection/investigation | 3.2
Assessing risk: emerging issues | (not recoverable from the page)
Audit planning: process, location, transaction level | (not recoverable from the page)
Operational auditing: risk-based approach | (not recoverable from the page)

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing some degree of continuous monitoring to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise; at the moment, the survey showed, firms monitor only areas where there are known risk issues. Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analyzing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualization tools and continuous monitoring, they are accessing data without a traditional request of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team. Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools in order to improve efficiency and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.

Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee, to an enabler of business performance, driving a single approach for risk management and is fully taking responsibility for improving the risk culture of the organization." Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice. Matthew Moore leads Protiviti's Risk & Compliance practice.

Organizations are realizing that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

Need to Improve: General Technical Knowledge (top 10 areas)

Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Agile risk and compliance | (not recoverable from the page)
2 | Internet of Things | (not recoverable from the page)
3 | NIST Cybersecurity Framework | 2.3
4 | GTAG 16: Data Analysis Technologies | 2.7
5 | ISO (environmental management) | 2.1
6 | ISO (information security) | (not recoverable from the page)
7 | Mobile applications | (not recoverable from the page)
8 | International Financial Reporting Standards (IFRS) | 2.2
9 | Country-specific enterprise risk management framework | 2.9
10 | Assurance around outsourced service providers | (not recoverable from the page)
11 | COSO Internal Control Framework: Evaluation of Presence, Functioning and Operating Together | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organizations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritize risk management and compliance.

As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable. "Many organizations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee, to an enabler of business performance, driving a single approach for risk management and is fully taking responsibility for improving the risk culture of the organization." Leading practices in risk management suggest creating a mantra, a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture.

[Figure: Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation]
Significant fines: large bank fines have topped $100B over the past five years.
Unsustainable costs: operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.
Growth and innovation: growth and innovation have been forced to take a back seat given risk and compliance challenges.
Inherent risk: inherent risk continues to rise given the underlying business complexity and increased pace of change.

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defense and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organization that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to the financial services results of Protiviti's 2016 Internal Audit Capabilities and Needs Survey.

What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy. Risk Management at the center, surrounded by Aligned Organization, Operational Excellence and Customer Satisfaction.]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities. Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organization, operational excellence and customer satisfaction.

An Aligned Organization of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organization. Operational Excellence is sustained by the successful execution of business strategy supported by efficient processes, optimized technology and risk agility. Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organization that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organizations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.

Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can respond to changing business strategies as well as regulatory change. Embedding agile risk management throughout the organization requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organization has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits. In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organization.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework." Internal audit has the unique perspective of being able to observe risk management activities across lines of defense and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organization and the agile risk management philosophy is operating as intended.

The time has come for proactive organizations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees, and the risk and regulatory environment.

Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm." Michael Brauneis, Managing Director

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice. Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice. Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions.

Regulators around the world have been encouraging financial institutions to articulate and formalize their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank. 14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture. 15 The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realized. The FSB recognizes that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture.

In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organizations. 16

"Through internal employee surveys, some firms are trying to analyze today how their risk culture is being embedded in the organization to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behavior looks like, such as instances where an employee raises their hand and identifies an issue early on, so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behavior (taking compensation from people who misbehave or break limits) rather than rewarding employees who are beacons of good culture. "That is a backward-looking behavior modification, more so than incentivizing proper future behavior. Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise in all locations is a major barrier to the effectiveness of risk culture in large financial services firms. Organizations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organization as it evolves, which adds to the challenge of keeping risk culture messaging consistent.

The BCBS guidelines on risk governance also recognize that compensation systems are a key component for a financial institution to convey acceptable risk-taking behavior and reinforce its operating and risk culture. They state that remuneration programs should encourage a sound risk culture in which risk-taking behavior is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013: Theory-to-Evolving-Practice.pdf.

Risk Culture is the Keystone

[Figure: Culture sits as the keystone between Performance Management (Business Strategy) and Risk Management (Risk Appetite).] Culture is the keystone that holds things together, providing a source of strength or weakness for the organization. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite. Source: Establishing and Nurturing an Effective Risk Culture: Enabling the Chief Risk Officer's Success (Fourth in a Series).

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organization's risk management framework. Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organization, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in past-due status often are indicators of a firm's risk culture).
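The two indicators described above (share of issues self-identified by the business, and the remediation status of open issues) can be pulled straight out of an issue log. The script below is an added illustration, not part of the Protiviti report: it parses a constructed sample issue log and computes both indicators per line of business, plus a count of issues that were closed late, and flags business lines that breach assumed thresholds. The CSV column names, the source labels ("Business", "Internal Audit", "Regulator", "Other Independent") and the threshold values are assumptions for illustration.

```python
"""Risk-culture indicators from an issue log (added example, not from the report).

Per line of business (LOB), compute:
  * self_identified_pct: share of all known issues first raised by the business
    process owner rather than internal audit, a regulator or another independent source;
  * past_due_pct: share of currently open issues whose agreed remediation date has passed;
  * late_closed: closed issues that were remediated after their agreed date.
The issue log, column names and source labels below are constructed for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export from a GRC / issue-tracking tool (not real data).
SAMPLE_ISSUE_LOG = """\
issue_id,lob,identified_by,status,due,closed
I-001,Retail,Business,Closed,2016-01-31,2016-01-20
I-002,Retail,Internal Audit,Open,2016-02-15,
I-003,Retail,Regulator,Open,2016-01-10,
I-004,Retail,Business,Closed,2016-03-01,2016-02-28
I-005,Markets,Internal Audit,Open,2015-12-31,
I-006,Markets,Internal Audit,Open,2016-01-05,
I-007,Markets,Other Independent,Closed,2015-11-30,2016-01-15
I-008,Markets,Business,Open,2016-04-30,
"""

# Reporting date used for the worked example (assumed).
AS_OF = date(2016, 2, 1)

# Identification sources that count as "first identified by the business" (assumed labels).
SELF_IDENTIFIED_SOURCES = {"Business"}


def parse_issues(text):
    """Parse the CSV export into dicts; ISO dates become date objects, blank 'closed' becomes None."""
    issues = []
    for row in csv.DictReader(io.StringIO(text)):
        row["due"] = date.fromisoformat(row["due"])
        row["closed"] = date.fromisoformat(row["closed"]) if row["closed"] else None
        issues.append(row)
    return issues


def risk_culture_indicators(issues, as_of):
    """Return {lob: {"self_identified_pct", "past_due_pct", "late_closed", "open"}}."""
    counts = defaultdict(lambda: {"total": 0, "self": 0, "open": 0, "past_due": 0, "late_closed": 0})
    for issue in issues:
        c = counts[issue["lob"]]
        c["total"] += 1
        if issue["identified_by"] in SELF_IDENTIFIED_SOURCES:
            c["self"] += 1
        if issue["status"] == "Open":
            c["open"] += 1
            if issue["due"] < as_of:          # remediation date already passed
                c["past_due"] += 1
        elif issue["closed"] is not None and issue["closed"] > issue["due"]:
            c["late_closed"] += 1             # closed, but later than agreed
    result = {}
    for lob, c in counts.items():
        result[lob] = {
            "self_identified_pct": round(100.0 * c["self"] / c["total"], 1),
            "past_due_pct": round(100.0 * c["past_due"] / c["open"], 1) if c["open"] else 0.0,
            "late_closed": c["late_closed"],
            "open": c["open"],
        }
    return result


def flag_lobs(indicators, min_self_pct=50.0, max_past_due_pct=25.0):
    """Return {lob: [reasons]} for LOBs outside the (assumed) tolerance thresholds."""
    flags = {}
    for lob, ind in indicators.items():
        reasons = []
        if ind["self_identified_pct"] < min_self_pct:
            reasons.append("low self-identification rate (%.1f%%)" % ind["self_identified_pct"])
        if ind["past_due_pct"] > max_past_due_pct:
            reasons.append("high past-due rate (%.1f%% of %d open)" % (ind["past_due_pct"], ind["open"]))
        if ind["late_closed"]:
            reasons.append("%d issue(s) closed after the agreed date" % ind["late_closed"])
        if reasons:
            flags[lob] = reasons
    return flags


if __name__ == "__main__":
    indicators = risk_culture_indicators(parse_issues(SAMPLE_ISSUE_LOG), AS_OF)
    for lob, ind in sorted(indicators.items()):
        print(lob, ind)
    for lob, reasons in sorted(flag_lobs(indicators).items()):
        print("FLAG", lob, "; ".join(reasons))
```

On the sample data, Retail self-identifies half of its issues but has half of its open issues past due, while Markets self-identifies only a quarter, has two thirds of its open issues past due and closed one issue late; both lines would be flagged for follow-up in the audit of that business. Thresholds are illustrative and should be set against the firm's own history and risk appetite.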

28 Internal audit certainly has a greater role to play in reinforcing risk culture within the organization. An effective internal audit department could and should have a role in reporting risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes: This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all, says Protiviti s Director Mathew Perconte. Internal audit can reinforce some of the firm s risk culture messaging through their existing audits. Under the OCC s Heightened Standards, internal audit s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries, says Timothy Long, a Managing Director with Protiviti s Risk & Compliance Solutions practice. Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organization and how seriously their recommendations are taken. When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm, says Protiviti Managing Director Michael Brauneis. The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings. Effective root cause analyses are key to this effort. 
Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organization's thinking and actions on risk culture evolve past "tone at the top" to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards and a big part of that is risk culture."

Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be." Timothy Long, Managing Director

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice. Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice. Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS) and, in turn, the RAS should inform the bank's risk culture. Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach. Many financial services regulators around the world have stated that driving a risk culture throughout an organization, resulting in a shared understanding of and compliance with the risk appetite, is as important as having a written RAS.
Especially in large organizations, consistency in understanding and realizing risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014:

"[Over] the years we found instances in which large, complex, and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organizational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."

Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014:

Need to Improve Rank: Audit Process Knowledge (top 10 areas), with Competency (5-pt. scale)

Areas Evaluated by Respondents (in the order given; rank 1 is Data analysis tools):
- Data analysis tools: statistical analysis
- Auditing IT: program development
- Auditing IT: security
- Auditing IT: continuity (3.2)
- Quality Assurance and Improvement Program (IIA Standard 1300)
- Ongoing Reviews (IIA Standard 1311)
- Operational auditing: effectiveness, efficiency and economy of operations approach
- Fraud: fraud detection/investigation (3.2)
- Assessing risk: emerging issues
- Audit planning: process, location, transaction level
- Operational auditing: risk-based approach

"Most of the focus has been around setting a risk appetite statement at the board level but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions from real estate to mortgages are completely unrelated and separate; they need their own framework, defense lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills, and capabilities. Integrating risk appetite is a difficult task for the organization as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.
According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests.

Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite. Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at

Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level. "Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organization evolves." The creation of these metrics could be one area where internal audit focuses its efforts, to ensure the risk department and the business continually update and improve risk appetite metrics.

To drive risk appetite effectively, organizations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved. Another way internal audit can test whether the RAS is being implemented properly throughout the organization is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check that the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. "Another good test is whether the organization's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework.
From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organization's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that in a stressed environment the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done and in a lot of cases they are not equipped to do it." Timothy Long, Managing Director

The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. An effective risk appetite statement is:

- Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.
- Supported: The RAS is supported by appropriate controls and stress tests.
- Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.
- Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan and employees are appropriately incented to support prudent risk taking in line with corporate goals.
- Defines Risks: The RAS clearly establishes the type and amount of risk the organization is prepared to accept in pursuit of its strategic objectives and business plan.
- Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.
- Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks and includes a reasonable number of appropriately selected risk metrics.
- Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organization is willing to operate within under normal and stressed conditions.

Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps... can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it." Ed Page, Managing Director

Ed Page leads Protiviti's U.S. Financial Services Industry IT Consulting practice. Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Mobile payment technologies are evolving as quickly as the smartphones they run on, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google, and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


More information

AML model risk management and validation

AML model risk management and validation AML model risk management and validation Who we are EY s Anti-Money Laundering (AML) and Regulatory Compliance Technology practice is a global team of client-serving, financial services professionals.

More information

Continuous Auditing - A Delicate Chemistry

Continuous Auditing - A Delicate Chemistry Continuous Auditing - A Delicate Chemistry Continuous Auditing - A Delicate Chemistry - WeiserMazars LLP s Governance, Risk and Compliance (GRC) Group WeiserMazars LLP is an independent member firm of

More information

INTEGRATED RISK BUSINESS CONTINUITY CYBER-SECURITY THE RESILIENCE FACTORS THAT DRIVE YOUR REPUTATION

INTEGRATED RISK BUSINESS CONTINUITY CYBER-SECURITY THE RESILIENCE FACTORS THAT DRIVE YOUR REPUTATION CYBER-SECURITY BUSINESS CONTINUITY INTEGRATED RISK THE RESILIENCE FACTORS THAT DRIVE YOUR REPUTATION INTRODUCTION We all work hard to build and protect our reputation, and in today s world of 24/7 news

More information

Ready for takeoff? Overcoming the practical and legal difficulties in identifying and realizing the value of data. Self-assessment guide

Ready for takeoff? Overcoming the practical and legal difficulties in identifying and realizing the value of data. Self-assessment guide Ready for takeoff? Overcoming the practical and legal difficulties in identifying and realizing the value of data Self-assessment guide Heatmap Life sciences Barriers Maturity Consumer products Barriers

More information

Transparency in the digital age: companies should talk about their cyber security

Transparency in the digital age: companies should talk about their cyber security Transparency in the digital age: companies should talk about their The cyber security of companies is an increasingly important issue for society. Nations depend on the of both public and private institutions

More information

HCCA Audit & Compliance Committee Conference. February 29-March 1, Drivers of ERM. Enterprise Risk Management in Healthcare.

HCCA Audit & Compliance Committee Conference. February 29-March 1, Drivers of ERM. Enterprise Risk Management in Healthcare. Enterprise Risk Management in Healthcare Deloitte & Touche LLP Heather Hagan, Senior Manager Nancy Perilstein, Senior Manager February 29, 2016 Discussion Items Drivers of Enterprise Risk Management (ERM)

More information

Why Hiring the Right CISO is so Hard And What You Can Do About It

Why Hiring the Right CISO is so Hard And What You Can Do About It Why Hiring the Right CISO is so Hard And What You Can Do About It AUTHORS: ERIK MATSON Managing Director, Global Head of Insurance & Cybersercurity JOHN BUDRISS Executive Director, Technology, Data Science

More information

What You Don t Know Will Eventually Hurt You The Evolving Role of Enterprise Risk Management (ERM) in Successful Organizations

What You Don t Know Will Eventually Hurt You The Evolving Role of Enterprise Risk Management (ERM) in Successful Organizations What You Don t Know Will Eventually Hurt You The Evolving Role of Enterprise Risk (ERM) in Successful Organizations Jeff Owen Senior Consultant The Rochdale Group 1 Jeff Owen, Senior Consultant 16 years

More information

SOLUTION BRIEF BUSINESS-DRIVEN, OMNI-CHANNEL FRAUD MANAGEMENT RSA FRAUD & RISK INTELLIGENCE

SOLUTION BRIEF BUSINESS-DRIVEN, OMNI-CHANNEL FRAUD MANAGEMENT RSA FRAUD & RISK INTELLIGENCE BUSINESS-DRIVEN, OMNI-CHANNEL FRAUD MANAGEMENT RSA FRAUD & RISK INTELLIGENCE RSA FRAUD & RISK INTELLIGENCE SUITE Inspire confidence without inconvenience Reduce fraud, not customers or revenue Expose risk

More information

COMPLIANCE TRUMPS RISK

COMPLIANCE TRUMPS RISK RSA ARCHER GRC Product Brief COMPLIANCE TRUMPS RISK Organizations are finding themselves buried in compliance activities and reacting to the latest laws and regulations. The ever-increasing volume, complexity

More information

Performance Management in Higher Education

Performance Management in Higher Education Performance Management in Higher Education Advisory Services and Software Solutions That Enable Colleges and Universities to Succeed in a Changing Environment Given the number and magnitude of pressures

More information

SECURITY ACCENTURE GROW DEMYSTIFYING THIRD PARTY RISK MANAGEMENT (TPRM) Sheldon Nailer, CISSP, CISA Accenture Latvia, Security Team Lead

SECURITY ACCENTURE GROW DEMYSTIFYING THIRD PARTY RISK MANAGEMENT (TPRM) Sheldon Nailer, CISSP, CISA Accenture Latvia, Security Team Lead GROW ACCENTURE SECURITY DEMYSTIFYING THIRD PARTY RISK MANAGEMENT (TPRM) October 09, 2018 Sheldon Nailer, CISSP, CISA Accenture Latvia, Security Team Lead AGENDA Background and Context Regulatory Landscape

More information

BUSINESS INTELLIGENCE: IT S TIME TO TAKE PRIVATE EQUITY TO THE NEXT LEVEL

BUSINESS INTELLIGENCE: IT S TIME TO TAKE PRIVATE EQUITY TO THE NEXT LEVEL BUSINESS INTELLIGENCE: IT S TIME TO TAKE PRIVATE EQUITY TO THE NEXT LEVEL BUSINESS CONSULTANTS DEEP TECHNOLOGISTS In a challenging economic environment, portfolio management has taken on greater importance.

More information

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL Governance Digi.Com Berhad Annual Report 2017 73 STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL IN ACCORDANCE WITH PARAGRAPH 15.26 (b) OF THE MAIN MARKET LISTING REQUIREMENTS OF BURSA MALAYSIA SECURITIES

More information

Risk Advisory Services Developing your organisation s governance for competitive advantage

Risk Advisory Services Developing your organisation s governance for competitive advantage Advisory Services Developing your organisation s governance for competitive advantage The Deloitte Advisory Platform of Services can help you to govern your strategic plan to guide your operations measure

More information

Canadian Insurance Accountants Association

Canadian Insurance Accountants Association www.pwc.com/ca Canadian Insurance Accountants Association Corporate Governance Rising Expectations Presented By: Sandeep Dhiman May 20, 2015 Agenda 1. Current Corporate Governance Environment 2. Hot Topics

More information

A Strategic Approach to Bank Fraud

A Strategic Approach to Bank Fraud Fraud Case Study A Strategic Approach to Bank Fraud How Banks Can Move From Reactive to Proactive Fraud Prevention and Detection Fraud prevention and detection remains one of the biggest and most pressing

More information

DIGITAL TRANSFORMATION HOW AUDIT ADDS VALUE

DIGITAL TRANSFORMATION HOW AUDIT ADDS VALUE DIGITAL TRANSFORMATION HOW AUDIT ADDS VALUE Lindsay Dart Derek Cummings 15 March 2018 Protiviti Perspective provided by Brandon W., Houston Internal Audit, Risk, Business & Technology Consulting TOP GLOBAL

More information

Guidance Note: Corporate Governance - Board of Directors. January Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Board of Directors. January Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Board of Directors January 2018 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance - Board of Directors (the Guidance

More information

Third Party Risk Management ( TPRM ) Transformation

Third Party Risk Management ( TPRM ) Transformation Third Party Risk Management ( TPRM ) Transformation September 20, 2017 Internal use only An introduction to TPRM What is a Third Party relationship? A Third Party relationship is any business arrangement

More information

Texas Tech University System

Texas Tech University System Texas Tech University System October 31, 2017 ERM Overview Evolution of Risk Management Risk Traditional Definition The possibility that something bad or unpleasant will happen. Merriam-Webster Minimizing

More information

CAPITAL MARKETS TRANSFORMATION. Pathways to Operations Control Value

CAPITAL MARKETS TRANSFORMATION. Pathways to Operations Control Value CAPITAL MARKETS TRANSFORMATION Pathways to Operations Control Value WHITE PAPER Reconciliation as the catalyst The continued confluence of regulatory changes, market pressures and an increased demand for

More information

White Paper Describing the BI journey

White Paper Describing the BI journey Describing the BI journey The DXC Technology Business Intelligence (BI) Maturity Model Table of contents A winning formula for BI success Stage 1: Running the business Stage 2: Measuring and monitoring

More information

Does a disrupted Internal Audit function mean a stronger strategic partner?

Does a disrupted Internal Audit function mean a stronger strategic partner? Does a disrupted Internal Audit function mean a stronger strategic partner? The future of internal audit will require significant disruption to keep pace with global change. To keep pace with digital and

More information

Control Environment Toolkit: Internal Audit Function

Control Environment Toolkit: Internal Audit Function III. MODEL DOCUMENT: INTERNAL AUDIT DEPARTMENT CHARTER ADOPTED BY THE AUDIT COMMITTEE OF THE COMPANY MEETING MINUTES NO OF 20 SIGNATURE OF THE CHAIRPERSON OF AUDIT COMMITTEE DATED THIS DAY OF, 20 Approved

More information

Manufacturing Success

Manufacturing Success www.thinkbiggrowfast.net/manufacturingsuccess Manufacturing Success August 2014 Executive summary The Manufacturing Success report is an annual review of key trends in the UK manufacturing sector. 2014

More information

IRM s Professional Standards in Risk Management PART 1 Consultation: Functional Standards

IRM s Professional Standards in Risk Management PART 1 Consultation: Functional Standards IRM s Professional Standards in Risk PART 1 Consultation: Functional Standards Setting standards Building capability Championing learning and development Raising the risk profession s profile Supporting

More information

Advanced Audit Techniques

Advanced Audit Techniques Certificate in Internal Audit 4 Advanced Audit Techniques Who should attend? Senior Auditors Audit Managers and those about to be appointed to that role Auditors that need to audit projects, contracts

More information

Risk Advisory SERVICES. A holistic approach to implementing effective governance, managing risk and maintaining compliance

Risk Advisory SERVICES. A holistic approach to implementing effective governance, managing risk and maintaining compliance Risk Advisory SERVICES A holistic approach to implementing effective governance, managing risk and maintaining compliance Contents Weaver's Risk Advisory Services 1 Enterprise Risk Management 4 Assessing

More information

Ready for GDPR? Five steps to turn compliance into your advantage

Ready for GDPR? Five steps to turn compliance into your advantage Ready for GDPR? Five steps to turn compliance into your advantage 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG

More information

4/26. Analytics Strategy

4/26. Analytics Strategy 1/26 Qlik Advisory As a part of Qlik Consulting, Qlik Advisory works with Customers to assist in shaping strategic elements related to analytics to ensure adoption and success throughout their analytics

More information

The Role of the VMO in Regulatory Compliance Planning, Due Diligence and Contract Negotiation

The Role of the VMO in Regulatory Compliance Planning, Due Diligence and Contract Negotiation : The Role of the VMO in Regulatory Compliance Planning, Due Diligence and Contract Negotiation David England, Director, ISG ISG WHITE PAPER 2017 Information Services Group, Inc. All Rights Reserved EXECUTIVE

More information

REGULATORY HOT TOPIC Third Party IT Vendor Management

REGULATORY HOT TOPIC Third Party IT Vendor Management REGULATORY HOT TOPIC Third Party IT Vendor Management 1 Todays Outsourced Technology Services Core Processing Internet Banking Mobile Banking Managed Security Services Managed Data Center Services And

More information

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation 2015 State of the Internal Audit Profession Study Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation 68% of companies have gone through or

More information

Best Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES

Best Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES Best Practices: Vendor Risk Questionnaires PROCESSUNITY WEBINAR SERIES Today s Presenters Tom Garrubba Senior Director Shared Assessments Bryan Burnhart Head of Strategic Alliances ProcessUnity Ed Thomas

More information

BUSINESS CONTINUITY AS A SERVICE

BUSINESS CONTINUITY AS A SERVICE BUSINESS CONTINUITY AS A SERVICE CONFIDENCE IN CONTINUITY From the launch of the UK s first managed online backup services over 15 years ago, to our leading Disaster Recovery as a Service (featured in

More information

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010 Catching Fraud During a Recession Through Superior Internal Controls FICPA s 25 th Annual Accounting Show J. Stephen Nouss September 29, 2010 1 Session Objectives Fraud Facts (2008 Association of Certified

More information

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee January 2018 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note

More information

Citizens Property Insurance Corporation Business Continuity Framework

Citizens Property Insurance Corporation Business Continuity Framework Citizens Property Insurance Corporation Framework Dated September 2015 Approvals: Risk Committee: September 17, 2015 (via email) Adopted by the Audit Committee: Page 1 of 12 Table of Contents 1 INTRODUCTION...

More information

Consultation Paper CP26/17 Model risk management principles for stress testing

Consultation Paper CP26/17 Model risk management principles for stress testing Consultation Paper CP26/17 Model risk management principles for stress testing December 2017 Prudential Regulation Authority 20 Moorgate London EC2R 6DA Consultation Paper CP26/17 Model risk management

More information

Internal Audit Challenges & Opportunities Speaker: Laurie Shen, Director, Grant Thornton LLP

Internal Audit Challenges & Opportunities Speaker: Laurie Shen, Director, Grant Thornton LLP Internal Audit Challenges & Opportunities Speaker: Laurie Shen, Director, Grant Thornton LLP March 28, 2012-1 - Speaker Introduction Laurie Shen is a Director at Grant Thornton's Northeast Internal Audit

More information