Risk Monitoring
© 2020 American Bankers Association
ABA course content is not a substitute for professional legal advice.
Version 1
Menu
Introduction
Overview
Role and Importance of Risk Monitoring
Report Metrics and Frequency
Designing Effective Reports
Key Risk Indicators
Targeting Reports to the Audience
Control Design and Effectiveness
Evaluating First Line Controls
Wrap Up
Introduction
About the Instructor
Tally Ferguson, SVP/Director of Enterprise Risk Management, BOK Financial
Bio: Tally Ferguson is currently the Director of Enterprise-wide Risk Management with BOK Financial (BOKF). As such, he works with four teams critical to the success of the company’s enterprise-wide risk management: Risk Governance, Market Risk, Model Analytics, and Operational Risk. Tally has served at BOK Financial for over 20 years, having responsibilities ranging from dealer and capital markets compliance to the corporate insurance program.
Prior to joining BOKF in 1996, Tally was a regulatory consultant for Ernst & Young and helped clients implement numerous regulatory initiatives including comprehensive risk management programs and interest rate risk initiatives. Tally got his introduction to banking as an examiner with the Federal Reserve Bank of New York, where he began in 1985 and progressed to Supervising Examiner by March of 1994.
Tally has an undergraduate degree in Economics and Mathematics from Yale University and an Executive MBA from the Wharton School. He is a CFA charterholder, CERP certified, and carries Series 7, 24, 63, 4, and 53 licenses. Tally is also an adjunct instructor of finance at the University of Tulsa.
Introduction
Course Description
Risk Monitoring explains the importance of monitoring within a risk management framework, provides you with standards for effective monitoring, and uses examples to highlight key concepts.
The following key topics are discussed in the course:
Approaches for designing and producing standardized and ad hoc reporting
Techniques for effectively summarizing and communicating risk information
Methods to assist in identifying and defining key risk indicators (KRIs)
Logical steps to analyze report output
Evaluating controls for design and operating effectiveness
Evaluating the quality of the business line monitoring performance
Introduction
Objectives
By the end of Risk Monitoring, you will be able to
Describe the importance of monitoring within an effective risk management program
Identify the role of line managers, senior executives, and the board in risk monitoring
Identify metrics to include in monitoring reports and how often metrics should be reported
Describe approaches for designing effective monitoring reports
Identify appropriate measurement techniques for types of risk
Describe the level of monitoring detail to include for each audience
Describe the process for evaluating control effectiveness
Identify the tools and documentation available for evaluating first line controls
Overview
Introduction
In this lesson, you will learn where monitoring fits within the enterprise risk management (ERM) framework.
You will also learn about characteristics of effective risk monitoring.
Note: Complete the Introduction to Enterprise Risk Management course in this Certificate Program for a deep dive into the components of an effective ERM framework.
Overview
Introduction, continued
This section discusses where monitoring fits within the ERM framework and compares effective and ineffective risk monitoring approaches.
Monitoring is not just looking at exposures and comparing to limits. Monitoring is an oversight process with many parts, a deficiency in any one of which can lead to a broken monitoring system.
Overview
Monitoring and the ERM Framework
Committee of Sponsoring Organizations (COSO): COSO highlights the role of monitoring within enterprise risk management (ERM) as follows:
“The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.”
— COSO Enterprise Risk Management – Integrated Framework, September 2004
Office of the Comptroller of the Currency (OCC): The OCC includes monitoring prominently in the following ERM expectations:
Integrated framework structured to identify, aggregate, measure, monitor, and control risks across the firm
Risk assessments and monitoring systems (e.g. actual outcomes, key performance and key risk indicators) that promote a continual and forward-looking view of risk
Risk limits and concentration limits established and monitored consistent with the appetite statement and defined risk tolerance
Business lines identify, measure, monitor and control risk in accordance with bank risk management framework and establish and maintain an effective system of internal controls
Robust, timely, accurate, and forward-looking management information systems (MIS) designed to proactively identify, measure, monitor, and control risks
— OCC ERM Program Expectations for $10-50bn banks & thrifts
Overview
Monitoring and the ERM Framework, continued
The diagram illustrates that risk monitoring fits within an ERM framework. It is not set apart like some objective, indifferent watcher; it is embedded.
Click each characteristic of risk monitoring to learn more.
Dynamic: A monitoring program must adjust as business lines, products and services, even the economy changes. Monitoring today’s environment with yesterday’s monitoring is inadequate.
Transparent: Monitoring does not hide its light under a bushel. All stakeholders need to know the results of monitoring and what they mean. Moreover, stakeholders must react to monitoring results and not ignore them. As part of transparency, each bank should have a well-known and practiced escalation protocol in place before monitoring finds exposures beyond tolerances.
Consistent: A moving target (different measure, new assumptions, changed limits) prevents evaluation over time and across business lines. That is not to say that monitoring programs should become stagnant and report for reporting’s sake, irrespective of changes to the system.
Shared: Finally, monitoring is a shared responsibility, not just the responsibility of the first line, second line, auditors, or examiners.
Overview
Effective vs. Ineffective Monitoring
Click each box in this table to compare effective with ineffective monitoring.
Effective Monitoring
Tracks risk measures: Effective monitoring tracks risk measures over time and across divisions. For example, it alerts monitors when system outages grow unusually high BEFORE the system fails.
Frequent and current: Effective monitoring gives information in time to address issues, and frequently enough to proactively recognize trends.
Follows clear reporting protocol
Effective monitoring incorporates a well-known and standard reporting process. Little time is wasted figuring out who must review monitoring reports, nor explaining what they mean.
Leads to escalation when needed
Effective monitoring is acted upon using a documented exception response protocol. Little time is wasted figuring out who must make the decision to accept, transfer or reduce out of tolerance conditions.
Hits the appropriate audience
Effective monitoring goes to people and committees with knowledge and authority to act.
Ineffective Monitoring
More false positives than true exceptions
Ineffective monitoring just regurgitates a list of outages and has so many false positives that monitors ignore the results.
Systemic false negatives: Ineffective monitoring is too slow to act on and leads to false negatives, essentially missing out-of-tolerance conditions.
Reports inactionable situations
Ineffective monitoring reports metrics about which management can do nothing. For example, measuring the change in interest rates is ineffective; measuring the projected net interest income impact of such a change is helpful. That said, management may still choose to monitor metrics about which they can do nothing if such metrics inform actions that they can take.
Limited to historical and not forward looking metrics
Ineffective monitoring looks backwards, like driving and looking only in the rear-view mirror.
Metrics with no analysis: Credit metrics don’t go to operating committees. Ineffective monitoring presents raw data with no meaningful analysis.
Overview
Self Check Quiz
Which two items are characteristics of effective monitoring?
Select the correct answer and click Submit.
A) Leads to escalation when needed
B) Reports inactionable situations
C) Includes metrics with no analysis
D) Tracks risk measures
A and D are correct.
B and C are incorrect because they are characteristics of ineffective monitoring.
Overview
Review
In this lesson, you learned where monitoring fits within the ERM framework and the characteristics of effective risk monitoring. Risk monitoring should be embedded in a bank’s day-to-day risk management activities.
You also learned about the characteristics of effective risk monitoring. For example, effective risk monitoring tracks risk measures, follows clear reporting protocol, and leads to escalation when needed.
Role and Importance of Risk Monitoring
Introduction
In this lesson, you will learn about the importance of risk monitoring in an effective ERM program.
You will also learn about the role of line managers, senior executives, and the board in risk monitoring.
As you review this section, pay attention to the terms that we introduced earlier, like risk tolerance relative to exposure and continuing and iterative processes. Also focus on the role each management level plays in an effective risk monitoring process.
Role and Importance of Risk Monitoring
Determines if Exposure is Within Tolerance
Risk monitoring is essential for determining that exposure is within risk tolerance. Risk monitoring accomplishes the following three objectives.
Click each item to learn more.
Detects exposures: Absent risk monitoring, changes in risk exposure will go undetected until they result in deviations from expectations that are outside of management’s risk tolerance.
Finds stale risk responses: Control activities may no longer be performed or a bank’s objectives may change. This can be due to the arrival of new personnel, changes in entity structure or direction, or the introduction of new processes.
Identifies ineffective controls: An entity’s enterprise risk management changes over time. Risk responses that were once effective may become irrelevant or control activities may become less effective. In the face of such changes, management needs to determine whether the functioning of enterprise risk management continues to be effective.
Role and Importance of Risk Monitoring
Provides Protocol for Escalation
Monitoring effectiveness stems from its role in the ERM process. Knowing our risks is of no use unless they are monitored with a firm protocol for escalating exceptions. What do we do about the risk, and does it matter which risk? Which product? Which business lines? To whom must risks be escalated? Who can say excesses are OK? Who can second-guess that decider? Compare the images, where monitoring is embedded in the continuing evaluation of risk on the left, but off to the side as an afterthought for examiners or auditors on the right.
Role and Importance of Risk Monitoring
Enables Focus on Issues and Follow Up
Monitoring effectiveness stems from its role in the financial institution’s organization. Ongoing monitoring activities differ from control activities embedded in “business as usual” processes. For example, approvals of transactions, reconciliations of account balances, and verifying the accuracy of changes to master files, are best defined as control activities. Checking that such activities are performed constitutes monitoring.
By focusing on relationships, inconsistencies, or other relevant implications, line managers raise issues and follow up with other personnel as necessary to determine whether corrective or other action is necessary.
Click the graphic to learn more.
Note the role of monitoring at the executive and board level as shown in the graphic. A key idea is the filtering of information from granular at the lower levels to high level but consistent at the higher levels. The board has responsibility to ask for and review a sufficient level of reporting to affirm that the bank is operating within its risk tolerance. Executive management is responsible for delivering on this and for making sure it is the information requested and that it is accurate.
Role and Importance of Risk Monitoring
Self Check Quiz
Which level in the bank has the responsibility to ask for and review sufficient level of reporting to affirm that the bank is operating within its risk tolerance?
Select the correct answer and click Submit.
A) Board of directors
B) Executive management
C) Line operating or functional support managers
A is correct.
B is incorrect because executive management is responsible for delivering the information requested and for making sure it is accurate. C is incorrect because ongoing monitoring activities are generally performed by line operating or functional support managers.
Role and Importance of Risk Monitoring
Review
In this lesson, you learned about the importance of risk monitoring in an effective ERM program. For example, risk monitoring is essential for determining that exposure is within risk tolerance.
You also learned about the role of line managers, senior executives, and the board in risk monitoring. For example, senior line managers own monitoring report production, accountability, and response.
Report Metrics and Frequency
Introduction
It is considerably easier to describe an effective monitoring program than it is to build and implement one. In this lesson, you will learn about approaches for developing monitoring reports, including what to measure and how often to report.
You will also learn about the types of measures—risk indicators and performance indicators.
Report Metrics and Frequency
What Do You Report?
What should be reported? This differs by recipient. There is not one monitoring report that serves all needs, but there are guiding parameters we can use.
First, at the top of this pyramid, all identified enterprise risk management deficiencies that affect an entity’s ability to develop and implement its strategy and to set and achieve its objectives should be reported. Call these “material risk metrics.”
How do we filter from the blue to the yellow to the red? The monitoring report designer should ask these questions:
(1) What authority does my report audience have to deal with circumstances that arise?
(2) What are the implications of findings? Reporting a list of transaction or event errors is less useful than summarizing potentially faulty procedures that led to these results.
(3) How significant is the metric reported?
(4) How interconnected is the metric reported?
This schematic offers characteristics of reporting metrics by level of recipient.
The Board needs metrics showing the company is within its risk appetite.
Executive Management also needs metrics showing the company is within its risk appetite, but this audience needs metrics specific enough to know which risk categories are out of tolerance.
Business line leaders need metrics showing the business line is functioning within tolerances and expectations. These metrics must be sufficiently granular to know what will keep the line from being successful.
Let’s discuss significance. It can be argued that no problem is so insignificant as to make investigation of its implications unwarranted. An employee taking a few dollars from a petty cash fund for personal use, for example, would not be significant in terms of that particular event, and probably not in terms of the amount of the entire petty cash fund. Thus, investigating it might not be worthwhile. However, such apparent approval of personal use of the entity’s money might send the wrong message to employees.
Finally, we tend to focus on what “went or could go wrong.” A fully effective monitoring system also identifies opportunities to increase the likelihood that the entity’s objectives will be achieved. For example, as customers demand more digital access to financial services, a company might measure “degree of digital access” as a metric.
Report Metrics and Frequency
What is Reported at Each Level
Granularity example: Below is an example of different degrees of granularity by level. Note the same pattern of fewer metrics as we move up the corporate hierarchy.
Lending Exposure Example
Lender Manager CRE Commercial Business Executive Board Credit Committee
Balance of book by loan Portfolio balance by type of borrower/loan
Balance by industry according to concentration limits
Balance by industry according to concentration limits
Aging (past due) by loan Aging by portfolio Trend in portfolio past due Composition by credit grade and classification
Policy exceptions by borrower Policy exceptions by lender
Trend in portfolio policy exceptions
Composition by credit grade and classification
Composition by credit grade and classification
Composition by credit grade and classification
Pipeline aging by borrower Pipeline aging by lender
Report Metrics and Frequency
Types of Measures
This diagram shows the overlap of the following three dimensions of measures:
Risk indicators vs. performance indicators
Actionable
Quantitative vs. qualitative
Risk is forward looking and measures the size of deviation from expectation. Risk indicators tell us what risk we must manage now to reduce future deviations from expectations.
Performance measures history. Performance indicators tell how well we managed risk in the past.
Actionable means we can do something about it. And, a measure is either quantitative or qualitative.
Report Metrics and Frequency
Types of Measures—Examples
Highlighted in the diagram are the following four examples of measures:
Regulatory changes
Net interest income at risk
Charge-offs
Information security maturity level
Click each measure in the diagram to learn more.
Regulatory changes: Regulatory changes cannot be quantified other than as a list, but the list of changes and the trend in their frequency and detail serve as good risk indicators. There is nothing management can do to prevent regulatory changes, other than, perhaps, lobbying and writing to your congressperson.
Net interest income at risk: In contrast, net interest income at risk is a risk indicator that we can measure and take action upon.
Charge-offs: Of the two performance indicators, charge-offs can be measured, but the only action we can take to mitigate them is recovery efforts. It is too late to manage that risk.
Information security maturity level: Information security maturity level is more a state of being than a quantifiable measure. One determines this based on a number of subjective factors. As with charge-offs, this level reflects the results of risk management actions taken in the past. It might inform where we need to focus efforts in the future, but of itself it is not actionable.
Report Metrics and Frequency
Frequency of Monitoring
Consider the following characteristics when determining reporting frequency:
Function of the risk being monitored
Reflects how frequently metric is calculated
Dependent upon how swiftly management can respond
Measures over relevant history
Report Metrics and Frequency
Frequency of Monitoring, continued
Shown here is a frequency attribution for a set of metrics. This is not a complete list of metrics, but it compares metrics that require different reporting frequencies to be effective.
Note that all the daily metrics can move significantly overnight. These are worth tracking daily.
In contrast, the metrics listed under the quarterly column take a good deal of transactions and time to change. These offer little value if tracked more frequently than quarterly.
Note: Complete the Enterprise Risk Management Reporting and Risk Evaluation and Measurement courses in this Certificate Program for a deep dive into risk management reporting and metrics.
Daily:
Trading positions
System outage
Suspicious transactions
Overdraft levels
Funding levels
Monthly:
Net interest income at risk
Industry concentrations
Funding ratios
Complaint trends
P&L based measures
Quarterly:
Portfolio asset quality
IS maturity level
Capital ratios
Asset/revenue concentration
Rating agency evaluations
Examination/audit results
Report Metrics and Frequency
Self Check Quiz
Which three statements about risk indicators are correct?
Select the correct answer and click Submit.
A) Risk indicator metrics are forward looking
B) Risk indicator metrics tell us what risk we must manage now to reduce future deviations
C) Risk indicator metrics tell how well we managed risk in the past
D) Risk indicator metrics are typically actionable
A, B, and D are correct.
C is incorrect because risk indicators are forward looking. Performance indicators tell how well we managed risk in the past.
Report Metrics and Frequency
Review
In this lesson, you learned about approaches for developing monitoring reports, including what to measure and how often to report. For example, the board will want to see measures showing that the bank is operating within its risk appetite. In terms of frequency, metrics that can change overnight, such as trading positions, should be tracked daily. In contrast, the metrics tracked quarterly take a good deal of transactions and time to change.
You also learned about the two broad categories of metrics—risk indicators and performance indicators. Risk indicators are forward looking and tell us what risk we must manage now to reduce future deviations from expectations. Performance indicators tell how well we managed risk in the past.
Designing Effective Reports
Introduction
In this lesson, you will learn about approaches for designing effective monitoring reports.
You will also learn about techniques for getting your message across.
Designing Effective Reports
Introduction, continued
This section discusses how to prepare effective monitoring reports.
Effective monitoring reports are designed with the following characteristics in mind:
Separates wheat from chaff
Backed by detailed, granular data
Instant recognition of problem areas
Tailored to audience
Designing Effective Reports
Deconstructing Risk Information—Not All Metrics Are Equal
Let’s explore the “wheat from the chaff”, one of the sine qua nons of good reporting. The pyramids illustrate this important characteristic of effective reporting. Each colored inverted pyramid is a different business line. The red pyramid is the commercial lending segment. The blue is the trading and derivatives function. Green is Vendor Management and Yellow is Finance.
Here, the larger section of each pyramid reflects “core” limits recorded in the Risk Appetite statement. The smaller triangle segments reflect granular limits.
All the limits shown should be recorded, but for illustrative purposes here, I separate the highest level from the most granular.
Take the Commercial lending triangle for example. Note the Prudential lending limits. Violating those limits leads to corrective action by regulators.
In contrast, going over a single facility limit might just be a comment on a lender’s performance evaluation. Note the similar differences for the other three departments. This helps direct us how to format our monitoring report.
Here you can see a box that is built from the highest-level limits, or “Core Limits”, and a circle I refer to as Desk level metrics.
The company’s regulatory capital minima will likely be unchanged for years at a time. However, business line capital will adjust with activity, possibly as often as quarterly.
Designing Effective Reports
Wheat vs. Chaff—Example
This table shows how limits compare to exposures across business lines. Columns on the left reflect core metrics, or the “wheat”. These go to the executive level and the board. In contrast the “chaff” on the right stops at the senior management level. Executive and board metrics need to be backed by granular data.
Core Limit | Core Exposure | Desk Limit | Desk Exposure
Prudential Lending Limit: $300 million | Joe’s Garage exposure: $320 million | Joe’s Garage Derivatives line: $60 million | Joe’s Garage swaps exposure: $70 million
Regulatory Capital Minimum: 7% T1 Common | T1 Common/risk weighted assets: 6.5% | Capital allocated to Mortgage: $600 million | Actual Mortgage Business Capital: $650 million
Corporate VAR Limit: $100 million | Highest VAR Usage: $110 million | Muni Desk VAR limit: $20 million | Muni Desk VAR usage: $30 million
Percent employees working at capacity from home: >=75% | Two-week rolling average WFH with no reported problems: 62% | Main City Department percent employees working at capacity from home: >75% | Main City Department two-week rolling average WFH with no reported problems: (value not shown)
Wheat: Escalate, correct and analyze. Chaff: React according to business line priorities or regulatory developments.
Sidebar (Executive and board metrics): Core metrics in the left (wheat) columns should be consistent with, if not made up of aggregates from, the (chaff) metrics on the right.
Designing Effective Reports
Escalation vs. Crying Wolf
An effective monitoring program avoids “crying wolf”, unless we are confident the wolf is there. To gain that confidence, we must first know what the wolf is. A “wolf” is exposure in excess of risk tolerance and “crying wolf” means a false alarm that may result because of:
Bad data or exposure calculation
A tolerance position that is already under resolution
Now that you can identify a “wolf” versus a false alarm, we can discuss appropriate escalation and reporting protocols, commonly consisting of color-coded assessments:
Red: means we are outside of our tolerance
Yellow: means we are outside normal, but within our tolerance
Green: means we are within our normal operating range
Banks should not understate the value of the “yellow” zone. For example, let us imagine the traffic light near your house has a yellow light that lasts two seconds. You interpret it as a red and always stop, however, your neighbor interprets it as a green light and always proceeds through the intersection. In this example, the light does not serve its function as a warning that exposure is about to change. The yellow danger zone needs to last longer than the two second traffic light example because it is useful only if it gives room to act.
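To make the three zones and the two "crying wolf" checks concrete, here is an added Python example (not part of the course) that classifies the limit/exposure pairs from the Wheat vs. Chaff table and maps each to the escalation action for its level. The 10% yellow band, the one-day data-age rule, the report date, the stale/under-resolution flags and the Main City value are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Zone width and data-age rule are assumptions for this example, not course values.
YELLOW_BAND = 0.10     # within 10% of the limit counts as "above normal, within tolerance"
MAX_DATA_AGE_DAYS = 1  # exposure data older than this is treated as unverified


@dataclass
class Metric:
    name: str
    limit: float
    exposure: float
    level: str                      # "core" (wheat) or "desk" (chaff)
    floor: bool = False             # True when the limit is a minimum (capital ratio, WFH %)
    as_of: Optional[date] = None    # date the exposure figure was calculated
    under_resolution: bool = False  # an open remediation already covers this breach


def headroom(m: Metric) -> float:
    """Unused fraction of the limit; negative means the limit is breached."""
    if m.floor:
        return (m.exposure - m.limit) / m.limit
    return (m.limit - m.exposure) / m.limit


def zone(m: Metric) -> str:
    """Red: outside tolerance. Yellow: outside normal but inside tolerance. Green: normal."""
    h = headroom(m)
    if h < 0:
        return "red"
    if h <= YELLOW_BAND:
        return "yellow"
    return "green"


def escalation(m: Metric, report_date: date) -> str:
    """Map a zone to the action the course describes, after the two crying-wolf checks."""
    z = zone(m)
    if z == "green":
        return "no action"
    # Crying-wolf check 1: bad or stale data behind the exposure calculation.
    if m.as_of is None or (report_date - m.as_of).days > MAX_DATA_AGE_DAYS:
        return "verify data before escalating"
    # Crying-wolf check 2: the tolerance position is already under resolution.
    if m.under_resolution:
        return "already under resolution: track, do not re-escalate"
    if z == "yellow":
        return "warn: approaching tolerance"
    if m.level == "core":
        return "escalate, correct and analyze"   # wheat
    return "react per business line priorities"  # chaff


REPORT_DATE = date(2020, 6, 30)  # constructed


def sample_metrics() -> List[Metric]:
    """Limit/exposure pairs from the course table; flags and the Main City value are constructed."""
    d = REPORT_DATE
    return [
        Metric("Prudential lending limit", 300, 320, "core", as_of=d),
        Metric("Joe's Garage derivatives line", 60, 70, "desk", as_of=d),
        Metric("Regulatory capital minimum (T1 common %)", 7.0, 6.5, "core",
               floor=True, as_of=d, under_resolution=True),
        Metric("Capital allocated to mortgage", 600, 650, "desk",
               as_of=date(2020, 6, 27)),  # stale figure (constructed)
        Metric("Corporate VAR limit", 100, 110, "core", as_of=d),
        Metric("Muni desk VAR limit", 20, 30, "desk", as_of=d),
        Metric("Employees at capacity working from home (%)", 75, 62, "core",
               floor=True, as_of=d),
        Metric("Main City Dept. WFH (%)", 75, 80, "desk",
               floor=True, as_of=d),  # 80% is constructed; the table shows no value
    ]


def report(metrics: List[Metric], report_date: date) -> List[Tuple[str, str, str, str]]:
    """Rows of (name, level, zone, action); red core items sort to the top."""
    zone_order = {"red": 0, "yellow": 1, "green": 2}
    level_order = {"core": 0, "desk": 1}
    rows = [(m.name, m.level, zone(m), escalation(m, report_date)) for m in metrics]
    return sorted(rows, key=lambda r: (zone_order[r[2]], level_order[r[1]]))


if __name__ == "__main__":
    for row in report(sample_metrics(), REPORT_DATE):
        print(" | ".join(row))
```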
Designing Effective Reports
Getting Your Message Across—Ineffective Reporting
Is this report helpful in determining whether the desk is in tolerance? Of course not. You might not even know what these column headings mean. This is probably helpful for a trader, but not for her manager, executive, or the board. You cannot readily see what our excess exposure is, nor where it is.
Designing Effective Reports
Getting Your Message Across—Effective Reporting
This example shows more effective monitoring. Can you identify which area faces the highest risk in this hypothetical bank?
Note that only one radial dial is red—the information security vulnerability. The reader quickly sees that the vulnerabilities measure is too high for our tolerance, but that it is getting better. This is an excerpt of a profile similar to what midsize banks use.
Designing Effective Reports
Getting Your Message Across—Risk By Colors
Color coding is effective and informative if the color code is clear.
Click each color code to see examples of business activities in each risk category.
Red: Risk tolerance exceeded
Exposure too high
Controls ineffective
Borrower funded for more than their line
Sales practice complaints triple beyond peer average
Cyber vulnerabilities unaddressed
Yellow: Risk above normal
Recent increasing trend
Approaching risk tolerance
Borrower draws down to 90% of their line
Sales practice complaints show sustained, increasing trend
Cyber vulnerability cure plan on schedule
Green: Risk at normal levels
Borrower draw downs remain at 60% of line
Sales practice complaints remain within a range
No material cyber vulnerabilities identified
Designing Effective Reports
Getting Your Message Across—Heat Maps
Heat maps are another effective technique for getting your message across. Heat maps quickly show pockets of risk—red warranting attention, and green suggesting all is well.
Click each heat map to learn more.
Heat map: This heat map dashboard shows pockets of risk. Ideally, readers are not surprised by these reports. For this hypothetical bank, the first and second lines should expect credit to be high in commercial, market to be high in capital markets, and compliance and reputational risk to be high in consumer. This heat map also gives insight into enterprise risk. We can look across credit risk to see globally if we have high, medium, or low credit risk. We can also aggregate by business line across risks. In this example, consumer boasts the most high-risk categories, but wealth management has almost all moderately high risks and may warrant the most risk management resources.
Trend heat map: The trend heat map gives more insight into each business line. Note that something appears to have occurred in the third or fourth quarter when a number of risk evaluations popped up.
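An added Python example, not from the course, showing the two aggregations the heat map discussion describes (across business lines per risk category, and per business line across risks) plus the quarter-over-quarter jump count that the trend heat map reveals. The ratings grid, the four-level scale and the quarterly series are constructed to reproduce the course's point that the line with the most "high" cells need not be the line that warrants the most resources.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Assumed four-level scale; the course's heat map uses colors, not numbers.
RATING = {"L": 1, "M": 2, "MH": 3, "H": 4}

# Constructed heat map: business line -> risk category -> rating (not the course's figure).
HEAT_MAP: Dict[str, Dict[str, str]] = {
    "Commercial":      {"Credit": "H",  "Market": "M",  "Operational": "M",  "Compliance": "M",  "Reputational": "M"},
    "Consumer":        {"Credit": "L",  "Market": "L",  "Operational": "H",  "Compliance": "H",  "Reputational": "H"},
    "Wealth":          {"Credit": "MH", "Market": "MH", "Operational": "MH", "Compliance": "MH", "Reputational": "MH"},
    "Capital Markets": {"Credit": "M",  "Market": "H",  "Operational": "M",  "Compliance": "M",  "Reputational": "L"},
}


def high_count(line: Dict[str, str]) -> int:
    """Number of risk categories rated High for one business line."""
    return sum(1 for r in line.values() if r == "H")


def weighted_score(line: Dict[str, str]) -> int:
    """Sum of numeric ratings; many moderately-high cells can outweigh a few highs."""
    return sum(RATING[r] for r in line.values())


def rank_by_highs(heat_map: Dict[str, Dict[str, str]]) -> List[str]:
    """Business lines ordered by how many High cells they carry."""
    return sorted(heat_map, key=lambda bl: high_count(heat_map[bl]), reverse=True)


def rank_by_score(heat_map: Dict[str, Dict[str, str]]) -> List[str]:
    """Business lines ordered by total weighted risk; the 'resources' view."""
    return sorted(heat_map, key=lambda bl: weighted_score(heat_map[bl]), reverse=True)


def enterprise_view(heat_map: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, float]]:
    """Aggregate each risk category across business lines: (worst rating, mean score)."""
    risks = next(iter(heat_map.values())).keys()
    out: Dict[str, Tuple[str, float]] = {}
    for risk in risks:
        ratings = [heat_map[bl][risk] for bl in heat_map]
        worst = max(ratings, key=lambda r: RATING[r])
        mean = sum(RATING[r] for r in ratings) / len(ratings)
        out[risk] = (worst, mean)
    return out


# Constructed quarterly trend for one business line; a list keeps the quarters in order.
TREND: List[Tuple[str, Dict[str, str]]] = [
    ("Q1", {"Credit": "L", "Market": "L", "Operational": "M", "Compliance": "M", "Reputational": "M"}),
    ("Q2", {"Credit": "L", "Market": "L", "Operational": "M", "Compliance": "M", "Reputational": "M"}),
    ("Q3", {"Credit": "L", "Market": "L", "Operational": "H", "Compliance": "H", "Reputational": "H"}),
    ("Q4", {"Credit": "M", "Market": "L", "Operational": "H", "Compliance": "H", "Reputational": "H"}),
]


def rating_jumps(trend: List[Tuple[str, Dict[str, str]]]) -> Counter:
    """Per quarter, count the risk categories whose rating rose versus the prior quarter."""
    jumps: Counter = Counter()
    for (_, prev), (quarter, cur) in zip(trend, trend[1:]):
        jumps[quarter] = sum(1 for risk in cur if RATING[cur[risk]] > RATING[prev[risk]])
    return jumps


def hottest_quarter(trend: List[Tuple[str, Dict[str, str]]]) -> str:
    """The quarter in which the most evaluations 'popped up'."""
    jumps = rating_jumps(trend)
    return max(jumps, key=jumps.get)


if __name__ == "__main__":
    print("most highs:", rank_by_highs(HEAT_MAP)[0], "| highest weighted score:", rank_by_score(HEAT_MAP)[0])
    for risk, (worst, mean) in enterprise_view(HEAT_MAP).items():
        print(f"{risk:<13} worst={worst} mean={mean:.2f}")
    print("jumps by quarter:", dict(rating_jumps(TREND)), "hottest:", hottest_quarter(TREND))
```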
Designing Effective Reports
Getting Your Message Across—Interactive Dashboards
Affordable technology today allows for interactive dashboards which allow users at different levels to view the same dashboard but drill down to the level of detail appropriate for them. These reduce operational risk by sourcing the same data rather than having one data source for the executives and a second data source for the business line managers. Click each report type to see an example of data in an interactive dashboard.
Credit concentration
Executives see three industries and their proportion of capital
Business lines can drill down to the customer(s) leading to that concentration
[Dashboard sample: Industry / Capital Percentage: Hotels 200% (drill-down: Star Hotel 15%, Major Hotel 10%, Global Hotel 10%, B&B Inc. 9%); CRE 180%; C & I 150%]
Complaint severity
Executives see corporate-wide trend
Business lines can drill down to the branches or causes leading to the complaint
[Dashboard sample: complaint severity by quarter (Quarter 1, Quarter 2), drilling down from Branch 1 through Branch 4 to Complaint 1 through Complaint 4]
Designing Effective Reports
Exercise
Review the heat map and answer the two questions below.
1. Which one of the following divisions has the highest operational risk?
Commercial
Consumer
Wealth
Capital Markets
2. What does this report suggest at the enterprise-wide level that is less obvious at the business line level?
Type your answers in the field. When finished, click the Suggested Results button to view possible responses.
Suggested Results
1. Consumer has the highest operational risk. Consumer seems tied with Wealth, but recall what we learned about indirect risks. With Consumer’s high compliance and reputational risk, we can safely assume there is indirect operational risk in that division that does not exist in Wealth.
2. Some market or compliance driven risk even occurred in the first quarter. Management thought this was addressed, but it came back to impact credit and reputational risk in the third and fourth quarter.
Designing Effective Reports
Self Check Quiz
Which limits are least likely to change from quarter to quarter?
Select the correct answer and click Submit.
A) Joe’s Garage credit line B) Tier 1 capital ratio C) Municipal trading desk VaR D) ACH returns
B is correct.
A is incorrect because credit lines should change according to the credit quality of the borrower, which could change monthly. C is incorrect because management will change the desk-level value at risk to take advantage of market circumstances, year-to-date results, or perceived customer demand. D is incorrect because standards for ACH returns may change with volume. At higher volumes, management may choose a lower exception rate.
Designing Effective Reports
Review
In this lesson, you learned about approaches for designing effective monitoring reports. The level of detail should be tailored to the audience. You also learned about techniques for getting your message across. For example, using color coding and heat maps to quickly show problem areas and pockets of risk.
Key Risk Indicators
Introduction
In this lesson, you will learn about the broad categories of metrics, which include risk indicators and performance indicators.
You will also learn how monitoring risk and performance indicators enable a bank to determine whether it is operating within its risk tolerance.
Key Risk Indicators
Introduction, continued
An effective risk monitoring program involves the right metrics. This section will cover the core definitions of key risk indicators, key performance indicators, and controls.
Pay particular attention to the types of measures that you can select, and get familiar with types of controls that effectively mitigate these categories of risk. Also, look for how the monitoring system fits into the risk appetite.
Key Risk Indicators
Terminology
Risk indicators are forward-looking in nature and can be managed before tolerance is exceeded.
Performance indicators are complete and cannot be undone. Performance indicators are great for evaluation, but not for managing risk.
Control activities are the policies and procedures that help ensure that management’s directives are carried out.
Risk Indicators
Forward-looking
Reflect exposure
Can be measured
Ideally allow action to be taken
Performance Indicators
Measure past activity
Provide benchmarks on how well we did
Comparable to Service Level Agreements
Controls
Actions or processes in place to mitigate risks
Preventative and detective
Implicit in determining residual risk
Example: The board has indicated they have a low risk tolerance for wire transfer losses, and there are controls in place such as ensuring good funds are available and that funds for the outgoing wire are withdrawn from the sender’s account prior to sending the wire, yet you are made aware of a $5,000 loss because the funds used for the wire were not collected. These are issues that must be promptly investigated and corrected to avoid issues in the future. This could be a training issue or point to a more serious problem.
Key Risk Indicators
Types of Measures
Listed here are several broad categories of metrics.
Click each category to view examples. Note that some examples are risk indicators and some are performance indicators.
Position limits (absolute size):
Net market value
Lending limit
Net foreign currency position
Potential exposure
Settlement limit
Value at risk limit
Relative size:
Capital ratio
Concentration limit
Past due percentage guidelines/HUD compare ratio
Risk-adjusted return on capital (RAROC)
Time constraints:
Maximum/minimum holding period
Maturity limit
Maximum past due aging
Retention period
Standards:
Loan processing service level agreement (SLA)
Vendor application service provider (ASP) downtime maximum
Information security standards
Customer information protection standards
Compliance exception percentage guidelines
Policy exception guidelines
Key Risk Indicators
Connection to Risk Appetite and Tolerance Levels
As illustrated here, monitoring connects to risk appetite.
Start at the top with risk trait. This is what can lead to deviations from expectations.
Next is risk measure followed by limits—the two items included in a monitoring report. Note how this needs to be consistent with business line strategy and the attendant risk appetite component. This is a continual process.
Next, you will see some examples.
Key Risk Indicators
Key Risk Indicator Applications—Example 1
Take a look at an example of the continual process using a municipal trading desk. Start by looking at the appetite components.
Click Appetite Components to begin your review of this cycle.
Appetite components
The following four risk appetite components are applicable to this desk:
Price
Compliance
Operational
Strategic
Once you complete the cycle, you will return to these appetite components with insight into newly determined tolerances.
Categories
The following are categories of risk measures:
Absolute size
Potential exposure
Time constraint
Standards
From these categories, we select the specific measures that will find their way into a monitoring report.
Measures
Measures include the following:
Position size
Value at risk (VaR)
Holding periods
Municipal Securities Rulemaking Board (MSRB) reporting
Risk adjusted return on capital (RAROC)
Underwriting metrics
Recall that measurement is ineffective without a limit to compare it to, so we need to establish limits.
Limits
Limits might include the following factors:
XX million position limit
$YY thousand VaR
30 day holding limit
Report trades within 15 minutes
Investment quality standards
Strategy implications
Remember that monitoring is not stagnant, but changes with the business and environment—we need to consider strategy implications. For example:
Does potential loss of tax-exempt status, or reduced tax benefit, threaten holding period?
Does the Basel III definition of public sector entity lower risk adjusted return on capital (RAROC) or mandate change to allowable inventory?
To respond to these changes, we may need to lower RAROC, or mandate change to allowable inventory. When you return to the appetite components, you may now have newly determined tolerances.
Key Risk Indicators
Key Risk Indicator Applications—Example 2
This second example uses a mortgage desk.
Start at the top with the five risk appetite components applicable to this desk: operational, compliance, price, credit, and strategic.
Next note the categories of risk measures: absolute size, potential exposure, time constraint, standards.
From these, we select the specific measures that will find their way into a monitoring report. The measures include pipeline size, Mortgage Servicing Rights stress value, secondary marketing performance, repurchase loans percent, warehouse age, and RAROC.
Measurement is ineffective without a limit to compare it to, so we establish limits. Limits here include: hedge coverage limits, repurchase loan percent, MSR/capital, delinquency rate, HUD compare ratio, and investor defect percentage.
Monitoring isn’t stagnant, but changes with the business and environment, so we need to consider strategy implications. For example:
Does BCFP definition of qualified mortgage change our customer base?
Does Basel III treatment of MSRs warrant change in valuation approach or MSR/capital limits?
This brings us back to the appetite, with our newly determined tolerances.
Key Risk Indicators
Key Risk Indicator Applications—Example 3
Our third example uses commercial lending.
Start at the top with the risk appetite components applicable to this desk. There are four: credit, compliance, operational, and strategic.
Next note the categories of risk measures: absolute size, potential exposure, time constraint, and standards.
From these, we select the specific measures that will find their way into a monitoring report. For example: position size, stress internal performance, and economic variables such as interest rates, housing price indexes, and unemployment.
Note we introduce outside economic factors here! This is an increasingly common practice in risk monitoring as we better understand the interconnectedness of financial institutions and economic trends.
Measurement is ineffective without a limit to compare it to, so we establish limits. $XX million total concentration, __% required price hurdle, underwriting standards, and capacity ability over stress conditions.
Monitoring is not stagnant, but changes with the business and environment, so we need to consider strategy implications. For example:
Does a potential commercial property bust threaten to erode collateral value?
Do regulatory changes to acquisition development credits hurt return on capital?
Do these developments mandate change to concentration limits or tenors?
This brings us back to the appetite, with our newly determined tolerances.
Key Risk Indicators
Self Check Quiz
Capital ratio is an example of which broad category of metrics?
Select the correct answer and click Submit.
A) Position limits B) Potential exposure C) Relative size D) Time constraints
C is correct.
A, B, and D are incorrect because capital ratio is not an example of these broad metric categories.
Key Risk Indicators
Review
In this lesson, you learned about the broad categories of metrics, which include risk indicators and performance indicators. For example, two of the broad categories are position limits and potential exposure.
You also learned how monitoring risk and performance indicators enable a bank to determine whether it is operating within its risk tolerance.
Targeting Reports to the Audience
Introduction
In this lesson, you will learn about the level of monitoring detail to include for each audience.
You will also learn about follow-up needed for ERM deficiencies.
Targeting Reports to the Audience
Introduction, continued
In this section, we will discuss examples of what level of monitoring detail goes to which level of management.
Notice the emphasis we place on responding to monitoring reports.
Targeting Reports to the Audience
Reporting Operating Activities
Information generated in the course of operating activities usually is reported through normal channels to immediate superiors. This is a granular monitoring report. These report upstream or laterally in the organization, so that the filtered information ends up with those in authority who can and should act on it. Alternative communications channels also should exist for reporting sensitive information such as illegal or improper acts.
Goes to department manager and their second line function frequently, with significant detail.
First line should initiate the process.
Desk level metrics and limits can change as tactics change
Targeting Reports to the Audience
Reporting ERM Deficiencies
Findings of enterprise risk management deficiencies usually should be reported not only to the individual responsible for the function or activity involved, but also to at least one level of management above that person. This higher level of management provides needed support or oversight for taking corrective action and is positioned to communicate with others in the organization whose activities may be affected. Where findings cut across organizational boundaries, the reporting should cross over as well and be directed to a sufficiently high level to ensure appropriate action. The ERM department plays a role in determining content for the board report and in compiling reports, but the first line should be the initiator of such reporting.
Goes to executive leader and their second line function (ERM department). Done as changes occur OR as tolerances are breached. Presented as heat maps, radial dials, or pithy tables.
First line should initiate the process.
Core metrics and limits should seldom change
Targeting Reports to the Audience
ERM Deficiencies—Reporting is Not Enough
Providing needed information on enterprise risk management deficiencies to the right audience is critical. Protocols should be established to identify what information is needed at a particular level for effective decision-making. Such protocols should differ based on the level of authority.
Click each audience to learn more.
Managers: A manager should receive information that affects activity within their responsibility, as well as information needed to achieve specific objectives.
Senior managers: In the middle, senior managers should see reports showing risk management and control deficiencies affecting their units. Examples include circumstances where assets with a specified monetary value are not adequately protected, where the competence of employees is lacking, or where important financial reconciliations are not performed correctly. Managers should be informed of deficiencies in their units in increasing levels of detail as one moves down the organizational structure.
Executive officers and CEO: An executive officer normally wants to know of serious infractions of policies and procedures, including supporting information on matters that may have significant financial impacts, strategic implications, or an effect on the entity’s reputation. Documented protocols should establish: (1) which infractions need to be reported; (2) to whom these should be reported; and (3) how infractions were, or will be, resolved.
Targeting Reports to the Audience
ERM Deficiencies—Reporting is Not Enough, continued
Keep the following considerations in mind when addressing ERM deficiencies:
For risks large enough to warrant executive and board reporting, advising of a breach is not sufficient
Executives see too much information each day to prioritize alerts that they do not work with daily
Banks should have an escalation protocol mandating some form of follow up, often by the second line
There will be instances where executives might not share a second line’s discomfort with an out of tolerance position—that is what the board is for
Targeting Reports to the Audience
Self Check Quiz
Which audience should receive information on matters that could have significant financial impacts or strategic implications or that could affect the entity’s reputation?
Select the correct answer and click Submit.
A) Managers B) Senior managers C) Executive officers including the CEO
C is correct.
A is incorrect because managers typically receive information that affects activity within their responsibility, as well as information needed to achieve specific objectives. B is incorrect because senior managers should see reports showing risk management and control deficiencies affecting their units.
Targeting Reports to the Audience
Review
In this lesson, you learned about the level of monitoring detail to include for each audience. Metrics for operating activities are usually reported through normal channels to immediate superiors. Core metrics and limits are reported to the individual responsible for the function or activity involved, and also to at least one level of management above that person.
You also learned about follow-up needed for ERM deficiencies. Banks should have an escalation protocol mandating some form of follow up, often by the second line.
Control Design and Effectiveness
Introduction
In this lesson, you will learn about the role of controls in risk monitoring.
You will also learn about the process for evaluating control effectiveness.
Control Design and Effectiveness
Introduction, continued
This section explains the role controls play in a risk monitoring environment, and provides a process for identifying and assessing controls.
Note: Complete Risk Management Control Frameworks in this Certificate Program for a deep dive into developing an effective control framework.
Control Design and Effectiveness
Role of Controls
The composition of residual risk is illustrated here, and is often reported at the executive and board levels. Evaluations of enterprise risk management vary in scope and frequency, depending on the significance of risks and importance of the risk responses and related controls in managing the risks. Higher-priority risk areas and responses tend to be evaluated more often.
Evaluation of the entirety of enterprise risk management, which generally will be needed less frequently than the assessment of specific parts, may be prompted by the following reasons:
Major strategy or management change
Acquisitions or dispositions
Changes in economic or political conditions
Changes in operations
Changes in methods of processing information
Click Inherent Risk and Control Effectiveness to learn more about the role of controls.
Inherent risk: Measure of potential loss to a financial institution’s earnings and capital absent controls, e.g., the size of a fraudulent wire absent validation controls. Measurement could be in dollar amount or in a relative risk score that maps to a dollar amount.
Control effectiveness: Measure of how much inherent risk is mitigated by controls. This measures both the design and the effectiveness of controls. E.g., “Call back customer on large wires” may be a control that turns a high inherent risk of wires into a low residual risk. Keep in mind that if a control is NOT effective (e.g., control owners do not call the customer), then it does not mitigate inherent risk well.
Sidebar
Measuring residual risk is dependent on the effectiveness of your controls. The method used to calculate residual risk may differ depending on the bank.
Sidebar
Evaluations
When a decision is made to undertake a comprehensive evaluation of an entity’s enterprise risk management, attention should be directed to addressing its application in strategy setting as well as with respect to significant activities. The evaluation scope also will depend on which objectives categories—strategic, operations, reporting, and compliance—are to be addressed.
Control Design and Effectiveness
Evaluating Control Effectiveness
Often, evaluations take the form of self-assessments, where persons responsible for a particular unit or function determine the effectiveness of enterprise risk management for their activities. For example, the chief executive of a division directs the evaluation of its enterprise risk management activities. He or she personally assesses the risk management activities associated with strategic choices and high-level objectives as well as the internal environment component.
Individuals in charge of the division’s various operating activities assess the effectiveness of enterprise risk management components relative to their spheres of responsibility.
Click each step in the process for evaluating control effectiveness to learn more.
Risk and Control Library: A list of material risks and their attendant controls, along with an evaluation of both. Risks are commonly evaluated as “high,” “moderate,” or “low.” Controls are commonly evaluated as “strong,” “satisfactory,” or “weak.” Ideally, high risks are mitigated with strong controls.
Risk and Control Self Assessment (RCSA): A process conducted by business line management and often facilitated by second line enterprise-wide risk experts. This process identifies material risks, maps controls to them, and evaluates the level of risk and the effectiveness of controls. It is best done when business lines start with their business objectives.
Control Effectiveness Testing: A discipline conducted by control owners, who are generally senior management in business lines. The discipline identifies important controls, checks documentation (digital or manual) showing that control steps are completed, and assesses whether the controls still mitigate the risks for which they were designed.
Self Identified Weakness Reporting: A process whereby control owners report controls that are no longer effective or operating as designed. This reporting goes to a second line function and needs to be accompanied by a plan for correcting the weakness. Note that if control owners find no control weakness, they do not complete this or the next step.
Retest Control Effectiveness: For self-identified weaknesses, the control effectiveness testing is repeated.
Sidebar
Line managers focus on operations and compliance objectives, and the divisional controller focuses on reporting objectives. The division’s assessments are then considered by senior management, along with evaluations of the company’s other divisions. Internal auditors normally perform evaluations as part of their regular duties, or at the specific request of senior management, the board, or subsidiary or divisional executives. Similarly, management may utilize input from external auditors in considering the effectiveness of enterprise risk management. A combination of efforts may be used in conducting whatever evaluative procedures management deems necessary.
Control Design and Effectiveness
Documenting Results of Control Testing
Different banks will have different monitoring standards, but they should all have the following components:
Describe the control in sufficient detail for an independent party to know what is being tested and how to know it has been tested
Establish some degree of materiality; the example below identifies “SOX” controls and “key” controls as “more equal” than other controls
Describe the documentation evidencing that the control is effective. Again, this needs to be done in sufficient detail for a third party to know the documentation is complete
Click the image to enlarge and view a sample log used to document the results of control testing.
Control Design and Effectiveness
True or False?
Evaluations of control effectiveness often take the form of self-assessments, where persons responsible for a particular unit or function determine the effectiveness of enterprise risk management for their activities.
Select the correct answer.
True False
The statement is true.
Control Design and Effectiveness
Review
In this lesson, you learned about the role of controls in risk monitoring. Effective controls mitigate inherent risk.
You also learned about the process for evaluating control effectiveness. For example, the risk and control library is a list of material risks and their attendant controls along with an evaluation of both.
Evaluating First Line Controls
Introduction
In this lesson, you will learn about the tools and documentation available for evaluating first line controls.
You will also learn about the sources of information for identifying deficiencies in a bank’s enterprise risk management program. In addition, you will learn about the control evaluation work done by first, second, and third lines of defense.
Evaluating First Line Controls
Introduction, continued
This section discusses what an evaluator needs to know about the bank’s activities, and the conclusions the evaluator needs to draw from that information.
Also covered are the groups within the bank that should perform the evaluation and the standards that define “credible challenge.”
Evaluating First Line Controls
The Evaluation Process
Here is a continual cycle of three components to ensure control design works and controls are effective.
A variety of evaluation methodologies and tools are available, including checklists, questionnaires, and flowcharting techniques. As part of their evaluation methodology, some companies compare or benchmark their enterprise risk management process against those of other entities.
Evaluating enterprise risk management is a process in itself. While approaches or techniques vary, a discipline should be brought to the process, with certain basics inherent in it.
— COSO
Warning: When conducting comparisons, consider differences that always exist in objectives, facts, and circumstances. All enterprise risk management components, as well as the inherent limitations of enterprise risk management, need to be kept in mind.
[Cycle diagram: Control Owner Monitoring Certification → Control Testing → Risk and Control Self-Assessments]
Sidebar
An entity may, for example, measure its enterprise risk management against those companies with reputations for having particularly good enterprise risk management. Comparisons might be done directly with another company or under the auspices of trade or industry associations. Other organizations may provide comparative information, and peer review functions in some industries can help a company evaluate its enterprise risk management against its peers.
Evaluating First Line Controls
Documentation
The extent of documentation of an entity’s enterprise risk management varies with the entity’s size, complexity, and similar factors. Larger organizations usually have written policy manuals, formal organization charts, written job descriptions, operating instructions, information system flowcharts, and so forth. Smaller entities typically have considerably less documentation.
Many aspects of enterprise risk management are informal and undocumented, yet are regularly performed and highly effective. These activities may be tested in the same ways as documented activities. The fact that elements of enterprise risk management are not documented does not mean that they are not effective or that they cannot be evaluated. However, an appropriate level of documentation usually makes evaluations more effective and efficient.
Sidebar
The evaluator may decide to document the evaluation process itself. He or she usually will draw on existing documentation of the entity’s enterprise risk management. Typically, this will be supplemented with additional documentation, along with descriptions of the tests and analyses performed in the evaluation. Where management intends to make a statement to external parties regarding enterprise risk management effectiveness, it should consider developing and retaining documentation to support the statement. Such documentation may be useful if the statement subsequently is challenged.
Evaluating First Line Controls
Identifying Deficiencies
Deficiencies in a bank’s enterprise risk management program may surface from many sources, including the institution’s ongoing monitoring procedures, separate evaluations, and external parties.
Click each source of information to learn more.
Ongoing risk monitoring activities: One of the best sources of information on enterprise risk management deficiencies is enterprise risk management itself. Ongoing monitoring activities of an enterprise, including managerial activities and everyday supervision of employees, generate insights from those who are directly involved in the entity’s activities. These insights are gained in real time and can provide quick identification of deficiencies.
Separate evaluations: Other sources of deficiencies are the separate evaluations of enterprise risk management. Evaluations performed by management, internal auditors, or other functions can highlight areas in need of improvement.
External parties: External parties frequently provide important information on the functioning of an entity’s enterprise risk management. These include customers, vendors and others doing business with the entity, external auditors, and regulators. Reports from external sources should be carefully considered for their implications for enterprise risk management, and appropriate corrective actions should be taken.
Sidebar
A deficiency is a condition within enterprise risk management worthy of attention that may represent a perceived, potential, or real shortcoming, or an opportunity to strengthen enterprise risk management to increase the likelihood that the entity’s objectives will be achieved.
Evaluating First Line Controls
Credibly Challenging the First Line
The first line has primary responsibility and accountability for designing and implementing controls and monitoring their effectiveness.
When evaluating the effectiveness of first line controls, take the following factors into consideration:
The first line has a potential conflict of interest: it trades off revenue generation against risk-mitigating controls.
The second line has no such conflict and can provide an effective, credible challenge to first line monitoring.
The second line does not bear the loss if controls prove ineffective, so it may lack urgency in testing first line control monitoring.
The third line comes behind the second line to ensure that the second line's testing of the first line is sufficient.
Evaluating First Line Controls
Credibly Challenging the First Line, continued
Below are examples of the control evaluation work done by the first, second, and third lines of defense.
First line
Design control
Monitor effectiveness of controls
Self-identify weaknesses and correct
Second line
Review 1st line risk assessment
Facilitate 1st line self assessments
Secure input from 2nd line risk monitoring functions
Third line
Check 1st line documentation of control monitoring
Determine if scope of 2nd line testing provides reliable assurance
Evaluating First Line Controls
Self Check Quiz
Which line of defense has primary responsibility for designing and implementing controls and monitoring their effectiveness?
A) First line
B) Second line
C) Third line
D) Fourth line
A is correct.
B is incorrect because the second line’s role is to provide effective challenge to monitoring effectiveness. C is incorrect because the third line’s role is to make sure the second line’s testing of control effectiveness is sufficient. D is incorrect because there is no fourth line of defense.
Evaluating First Line Controls
Review
In this lesson, you learned about the tools and documentation available for evaluating first line controls. For example, tools include checklists, questionnaires, and flowcharting techniques.
You also learned about the sources of information for identifying deficiencies in a bank’s enterprise risk management program. Sources of information include the institution’s ongoing monitoring procedures, separate evaluations, and external parties.
In addition, you learned about the control evaluation work done by first, second, and third lines of defense. For example, the third line of defense checks the first line’s documentation of control monitoring and determines if the scope of second line testing provides reliable assurance.
Wrap Up
Absent effective risk monitoring, the most sophisticated and detailed ERM program will fail. Financial institutions, indeed all companies, make profits by taking risks. Companies fail when they take risks outside of their tolerance.
Effective risk monitoring tells the appropriate people in a company when risk nears and exceeds tolerance.
By completing Risk Monitoring, you now know the standards for an effective risk monitoring program. You have examples of how to effectively communicate out of tolerance positions, what the responsibilities for enforcing a good monitoring program are, and how those responsibilities should be allocated.