WE LOOK AT THINGS DIFFERENTLY

Conducting an Operational Risk Audit
Kevin Loughnane, ILCU Training Department
National Supervisors Forum, Westport, Co. Mayo, 5th November 2011

Purpose of Presentation
To provide supervisors with practical knowledge to assist in conducting an operational risk audit in their credit union.

Overview
Introduction
Concept of internal control & operational risk
Step 1: Identifying risks
Step 2: Analysing risks
Step 3: Determining residual risk
Step 4: Reporting findings to the board
Closing comments

Categories of Financial Risk
Reputational, Operational, Credit, Liquidity, Market

Risk Management (ISO defined risk management process)
1. Identify the risks
2. Analyse risks
3. Create response to risk
4. Monitor & review
Role of Internal Audit (Supervisors): sits within this cycle.

What are Internal Controls?
• Any deliberate measure or plan put in place by the credit union to minimise and/or manage risk.
• Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Discussion: Credit Union Operational Structures. Is each of the following an example of an internal control?
1. The loan application form
2. A fire evacuation procedure
3. An employee's contract of employment
4. Holding a data protection training session for the board
5. Having in place a cash handling procedure for all staff
6. The auditor verifying the annual accounts of the credit union
7. Directors being obliged to declare a conflict of interest
8. Virus protection software
9. A smoke alarm in the kitchen of the credit union
Answer: Yes to all nine. Each is an internal control.

Why Conduct an Audit?
Rule: A credit union must establish, maintain and implement a fully documented system of control.
Guidance:
(i) It should be comprehensive.
(ii) …the system should be cross referred so that the system can be viewed as a whole.
(iii) It should identify risks, and the controls established to manage those risks.
(v) It should state how the operation of the control is evidenced.
Extract from Section 4.3 of "CRED", FSA guidelines for UK credit unions.

Benefit of Conducting an Audit
Micro and Macro.

Conducting an Audit of Operational Risk
Step 1 • Identify operational risk
Step 2 • Analyse risks
Step 3 • Determine "residual risk"
Step 4 • Report findings to board

Step 1: Identifying Risks
• Must identify operational risks which could impact upon the credit union.
• Use the six categories of operational risk as a guide.
• No need to analyse at this stage.
• Wording of each risk is important.

Categories of Operational Risk
1. Internal and external fraud (e.g. embezzlement)
2. Employment practices and workplace safety (e.g. sued by employee for breach of contract)
3. Damage to physical assets (e.g. office damaged due to fire)
4. IT systems and software failures (e.g. loss of records due to database corruption)
5. Business practices & service delivery (e.g. misinforming members on insurance products)
6. Organisational processes (e.g. incomplete documentation relating to a member's loan resulting in invalid loan contract)

Example: Identifying Risks. 1. Internal and External Fraud
1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.
1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.
1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.
1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.
1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss.

Step 2: Analysing Risks
• This step will highlight the risks which pose the biggest threat to the credit union.
• The impact of each risk is scored from 1 to 5.
• The prevalence (likelihood of occurrence) is scored from 1 to 4.
• The two scores are multiplied for each risk to get the risk ranking score.
• Some lower scoring risks may be excluded from the audit at this point.

Risk Ranking: 1. Internal and External Fraud
Risk | Prevalence | Impact | Risk Ranking
1.1 False loans for fictitious members | 2 | 2 | 4
1.2 Connected loans to family / friends outside lending policy | 3 | 4 | 12
1.3 Small sums of cash stolen from cash drawer over months | 2 | 2 | 4
1.4 Funds transferred from dormant member accounts to officer's own account | 2 | 4 | 8
1.5 Member cashes fraudulent cheques | 4 | 3 | 12

Risk Ranking – Fraud (ordered by score)
1.2 Connected loans to family / friends outside lending policy: 12
1.5 Member cashes fraudulent cheques: 12
1.4 Funds transferred from dormant member accounts to officer's own account: 8
1.1 False loans for fictitious members: 4
1.3 Small sums of cash stolen from cash drawer over months: 4

Step 3: Determining Residual Risk
• This step will determine the threat posed by a risk once internal controls have been considered.
• Must identify all internal controls which correspond to each risk.
• Determine how effective these internal controls are, on a scale from very poor to excellent.
• The risk ranking score is multiplied by the controls' effectiveness factor to determine the residual risk.

Mapping Internal Controls
Policy / Plan, People, Practices, Paperwork

Worked example: residual risk for risk 1.2 (Internal & external fraud)
Risk code: 1.2
Risk ranking score: 12
Corresponding internal controls:
• Section in lending policy dealing with loans to friends / family members.
• Last year 3 staff members attended training on loan assessment.
• Loan approval procedure which requires one officer to sign off application and issue loan.
Findings of supervisory committee:
• No specific section of lending policy dealing with connected loans.
• Lending policy not updated since 2009.
• No monitoring of approved loans for connected loans / connected individuals.
• Loan approval procedure only requires one signature of manager or treasurer for loans up to €30,000.
Effectiveness of internal controls: Weak (factor 0.8)
Residual risk: 12 × 0.8 = 9.6

Step 4: Reporting Findings to the Board
• Crucial that findings are clearly communicated to the board.
• The committee's report should include the risk analysis, the evaluation of internal controls and the residual risk.
• It is not the responsibility of the committee to make the changes; that is the responsibility of the board.
• Encourage the board / risk management committee to maintain the documented system of control.
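As an added worked example (not part of the presentation), the following Python carries the Step 2 and Step 3 arithmetic through for the five fraud risks on the slides and produces the kind of per-risk lines a Step 4 report would contain. The score ranges (impact 1 to 5, prevalence 1 to 4), the five risks with their scores, and the "Weak" effectiveness factor of 0.8 come from the slides; the factors for the other effectiveness grades and the exclusion threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

IMPACT_RANGE = range(1, 6)      # impact is scored 1 to 5 (from the slides)
PREVALENCE_RANGE = range(1, 5)  # prevalence is scored 1 to 4 (from the slides)

# Effectiveness factors. "weak" = 0.8 is the value the residual-risk slide uses;
# the remaining grades are ASSUMED placeholders on the "very poor to excellent" scale.
EFFECTIVENESS = {
    "very poor": 1.0,
    "weak": 0.8,
    "adequate": 0.6,
    "good": 0.4,
    "excellent": 0.2,
}


@dataclass
class Risk:
    code: str
    description: str
    prevalence: int
    impact: int
    controls: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)
    effectiveness: Optional[str] = None  # set once Step 3 has been carried out

    def ranking(self) -> int:
        """Step 2: risk ranking = impact x prevalence, with range checks."""
        if self.impact not in IMPACT_RANGE:
            raise ValueError(f"{self.code}: impact must be 1-5, got {self.impact}")
        if self.prevalence not in PREVALENCE_RANGE:
            raise ValueError(f"{self.code}: prevalence must be 1-4, got {self.prevalence}")
        return self.impact * self.prevalence

    def residual(self) -> Optional[float]:
        """Step 3: residual risk = ranking x effectiveness factor (None until graded)."""
        if self.effectiveness is None:
            return None
        factor = EFFECTIVENESS[self.effectiveness.lower()]
        return round(self.ranking() * factor, 1)


def rank_risks(risks: List[Risk], threshold: int = 0) -> List[Risk]:
    """Order risks by ranking (highest first, ties by code) and drop any below threshold."""
    kept = [r for r in risks if r.ranking() >= threshold]
    return sorted(kept, key=lambda r: (-r.ranking(), r.code))


def board_report(risks: List[Risk]) -> List[str]:
    """Step 4: one evidence line per risk: code, ranking, grade and residual risk."""
    lines = []
    for r in rank_risks(risks):
        grade = r.effectiveness or "not yet assessed"
        residual = "n/a" if r.residual() is None else f"{r.residual():.1f}"
        lines.append(f"{r.code} ranking={r.ranking()} controls={grade} residual={residual}")
    return lines


# Constructed register: the five fraud risks and scores shown on the slides.
FRAUD_RISKS = [
    Risk("1.1", "False loans for fictitious members", prevalence=2, impact=2),
    Risk("1.2", "Connected loans outside lending policy", prevalence=3, impact=4,
         controls=["Lending policy section on loans to friends / family",
                   "Loan assessment training for 3 staff",
                   "One-officer sign-off on loan approval"],
         findings=["No specific section on connected loans",
                   "Lending policy not updated since 2009",
                   "No monitoring for connected loans",
                   "Single signature suffices up to EUR 30,000"],
         effectiveness="Weak"),
    Risk("1.3", "Small cash thefts from drawer over months", prevalence=2, impact=2),
    Risk("1.4", "Dormant account funds moved to officer's account", prevalence=2, impact=4),
    Risk("1.5", "Member cashes fraudulent cheques", prevalence=4, impact=3),
]

if __name__ == "__main__":
    for line in board_report(FRAUD_RISKS):
        print(line)
```

Running the block reproduces the slide's ordering (1.2, 1.5, 1.4, 1.1, 1.3) and the residual risk of 9.6 for risk 1.2; passing a threshold to `rank_risks` is the "exclude lower scoring risks" step, and an out-of-range score is rejected rather than silently multiplied.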
Summary of Key Points
• Must have an understanding of prevailing risks before internal controls can be assessed.
• An operational risk audit is a key tool for the credit union.
• Use checklists to identify gaps and weaknesses against prevailing risks.
• An evidence-based written report to the board should be compiled.
• Encourage the credit union to maintain a documented system of control.

Part II: Developments in the Regulatory Supervision and Auditing of Credit Unions

Evidence of movement towards a risk-based approach in credit unions
"Our risk-based supervision model will mean that our level of engagement will vary depending on the size and impact of each credit union…. The biggest credit unions can expect more engagement from us as a result. Our risk-based approach also means that you can 'earn' a less intense level of supervisory engagement by having a well governed and well run credit union that scores low in terms of risk."
Matthew Elderfield, Financial Regulator. Extract from speech at ILCU AGM 2010.

Evidence of movement towards a risk-based approach in credit unions
"The Monitoring Department scores credit unions on various risk areas (e.g. PEARLS ratios, financials) and these scores are used as part of a risk-based approach to monitoring credit unions, and assigning Monitoring resources (e.g. scheduling of visits by Field Officers and Business Unit Managers)."
Dave Hewson, ILCU Monitoring Department.

Role of Supervisory Committee in Monitoring Internal Controls
Principle 5: (Credit unions) should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.
Sound Practices for the Management and Supervision of Operational Risk, 2003, BIS.