2016 Annual Risk Management Seminar


*The views and opinions presented in this presentation are the speakers' and are not official guidance from the Federal Deposit Insurance Corporation (FDIC).

Andrew (Andy) Ferrell
- FDIC Columbia, SC Field Office - Charlotte Territory / Atlanta Region
- 10 years / Senior Risk Management Examiner
- Subject Matter Expert (SME)
  - Accounting: Allowance for Loan & Lease Losses (ALLL) / Acquisition Accounting
  - Specialized Lending: Subprime / Indirect Lending
  - Trust: Trust & Wealth Management

Identify outstanding regulatory guidelines and discuss best practices:
- FDIC Rules and Regulations: Appendix A to Part 364, Interagency Guidelines Establishing Standards for Safety and Soundness
- Interagency Policy Statement on the Internal Audit Function and its Outsourcing
- Elements of an effective internal audit program
- BoPMI?!?!?!

Discuss common practices / findings for institutions with total assets:
- $500 million or less
- $500 million to $1 billion
- $1 billion and above

An institution should have an internal audit system that is appropriate to the size of the institution and the nature and scope of its activities and that provides for:
1) Adequate monitoring of the system of internal controls;
2) Independence and objectivity;
3) Qualified persons;
4) Adequate testing and review of information systems;
5) Adequate documentation of tests and findings and any corrective actions;
6) Verification and review of management actions; and
7) Review by the institution's Audit Committee or Board of its effectiveness.

Effective internal control is the foundation for the safe and sound operation of a financial institution. Reiteration of Appendix A to Part 364, but also addresses:
- Board and Senior Management Responsibilities
- Small Institutions
- Internal Audit Outsourcing Arrangements

The board of directors and senior management are responsible for having an effective system of internal control and an effective internal audit function in place at their institution.
- Ensure control systems are understood throughout the institution;
- Ensure the internal audit function (scope, personnel, and quality) is commensurate with the complexities of the bank;
- Ensure confidence that the internal audit function is impartial and not influenced by day-to-day operations (Audit Committee); and
- Ensure continuity and contingency planning.

An effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution's size.
- Ensure adequate testing and an internal audit function commensurate with the size and complexity of the institution.
- Cost savings vs. effectiveness.
- Self-Assessment vs. Director's Examination

Applicable to banks of all sizes. Partial outsource vs. fully-outsourced.
- Consideration should be given to internal capabilities, resources, and experience / expertise.
Other considerations include:
- Commensurate with risks of the bank;
- Define expectations / responsibilities for both parties;
- Set scope, frequency, lines of communication, etc.; and
- Vendor competence (due diligence).

- Depth, skill-level, and continuity of personnel
- Risk-focused, multi-year audit plan
- Due diligence of third-party / outsourced audits
- Validation of third-party audit scope
- Independent reporting channels
- Validation of audit findings / responses

- Board oversight
- Policy & limits
- Management information systems (MIS)
- Internal Controls

Effectiveness of the Board-established program considering:
Individuals involved in the process:
- Role
- Individual
- Function / responsibilities / authority
- Identify gaps / overlaps
- Third-party outsourcing (due diligence)
Board-established risk limits:
- Appropriateness (risk assessments)
- Implementation of goals / objectives commensurate with risk
- Appropriateness of monitoring systems

Effectiveness of the Board-established policies and procedures:
- Document lines of authority and responsibilities.
- Establish reporting standards and types.
- Specify risk limits and/or measurable performance / red flag indicators.
- Define internal controls and risk mitigation strategies.

Effectiveness of the Board-established reports and information flow:
- Data reports are meaningful and measure Board-established risk tolerances.
- Identification of key sources of data / individuals involved.
- Determine how reports / data move and change amongst various levels of management.
- Assess whether the information received at each management level is appropriate / lacking.

Effectiveness of the Board-established policies and procedures as implemented:
- Individuals / functions / responsibilities are defined and duties are segregated in practice.
- Assess the integrity of data / reports to ensure factual information.
- Ensure written policies and procedures are being followed.

Institutions with total assets of $500 million or less:
- Typically the function consists of one person.
- Limited number of internal reviews, focusing on branch / operational controls.
- More complex areas (i.e. loans, IRR, ALLL, etc.) are outsourced.
- Experience difficulties in true independence (multiple hats).
- Audit Committees typically consist of more inside directors than outside.

Institutions with total assets of $500 million to $1 billion:
- 1 to 3 individuals within the internal audit function.
- Less outsourcing of complex areas; however, scope / depth depends on internal knowledge.
- Two-year plans.
- Experience difficulties in timing / frequency of audits (delays / roll-over).
- Audit Committees consist of all outside directors.

Institutions with total assets of $1 billion and above:
- Internal audit staff (5 or more).
- Development of ERM and an Audit Universe.
- Multi-year plans.
- More granular reviews / outsourcing of specific areas.
- Experience difficulty in validating findings / outsourced scope. Contained vs. bank-wide.
- Audit Committee works closely with a Risk Committee to ensure risks are properly identified.

Questions / Comments?

Contact Information:
Andrew (Andy) Ferrell
FDIC Columbia, SC Field Office
aferrell@fdic.gov
x 4307