Risk Management
Enterprise Risk Management and Controls-Monitoring Automation Can Reduce Compliance Costs
By Mark Nelson and James Ambrosini
A framework to reduce risk and compliance costs.
Few would disagree that financial services is one of the most heavily regulated and risk-conscious industries. Banks and other financial institutions must continually enhance their risk management strategies to keep up with the changing landscape brought about by new technologies, financial products and global strategies. A decade ago, most financial services firms’ risk management activities were limited to market and credit risk in an attempt to minimize financial loss caused by market fluctuations or poor lending. Today, with a plethora of new regulations and customer demands, banks must account for other multidimensional facets of risk, including those related to privacy, information technology, reputation and operations.
How does a company sift through the details and focus on the risks most important to it? For that purpose, banks should use an enterprise risk management (ERM) approach along with a controls automation solution.
What Is ERM?
First, let us explain what ERM is not. It is not a tool;
it is not a onetime project; and, most of all, it is not an
end state. ERM is a framework supported by various
tools and methods that helps organizations answer
questions such as, “What are my biggest risks?” and
“How do I manage these risks to get them to a level
suitable for my business?”
The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) gives the following
definition of ERM1:
Enterprise risk management is a process, effected
by an entity’s board of directors, management
and other personnel, applied in strategy setting
and across the enterprise, designed to identify
potential events that may affect the entity, and
manage risk to be within its risk appetite, to
provide reasonable assurance regarding the
achievement of entity objectives.
COSO elaborates on this definition by stating that ERM is a process with the following characteristics:
• Ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level, portfolio view of risk
• Able to provide reasonable assurance to an entity’s management and board of directors
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Geared to achievement of objectives in one or more separate but overlapping categories
Mark Nelson is Managing Director at Protiviti, New York, New York. Contact him at mark.nelson@protiviti.com.
James Ambrosini is Associate Director at Protiviti, New York, New York. Contact him at james.ambrosini@protiviti.com.
ERM Components
According to the COSO framework,2 which is becoming a de facto standard in ERM frameworks, ERM consists of eight interrelated components:
Internal environment. The internal environment encompasses the tone at the top or controls consciousness and sets the basis for how risk is viewed and addressed by an entity’s people, ethical values and the environment in which they operate.
Objective setting. Objectives must exist before
management can identify potential events affecting their achievement. Further, these are aligned
with the organization’s risk tolerance.
Event identification. Internal and external
events that could affect the achievement of an
entity’s objectives must be identified and reported to management.
Risk assessment. Risks are analyzed, and their
likelihood and impact are evaluated, to determine how they should be managed. Risks are
assessed on an inherent and a residual basis
(that is, before and after considering any threat
mitigation efforts or controls).
Risk response. Management determines how to
handle the risks (accept, avoid, reduce or share
them) and develops a set of actions to align risks
with the entity’s risk tolerances.
Control activities. Policies and procedures are
established and implemented to help ensure the
risk responses are applied effectively.
Information and communication. Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.
Monitoring. The entirety of ERM is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.
Organizations usually perform well in most of
these categories, at one time or another. The key is to
integrate them holistically across the enterprise, specifically among their strategic, operational, financial
reporting and compliance-related functions.
It is important to note that not all of these components will apply equally in all institutions due
to variations in size. For example, smaller banks or
financial institutions have a significantly different
risk landscape than larger ones. Thus, these principles of ERM should be applied and tailored for a
custom fit.
In addition, there is no single aspect of ERM that is
more important than another. There is one key element
where companies continually struggle: monitoring.
Monitoring is the glue that holds the ERM framework
together. In an information-rich society, where we continually monitor data such as market swings, expenses
and financial information, etc., the importance of monitoring should come as no surprise. Without effective
monitoring, all the best-laid ERM plans are for naught
because the quality, amount and speed of required information will be compromised.
Technology to Monitor Controls and Reduce Compliance Costs
The Sarbanes-Oxley Act of 2002 (“SOX”) provides
a good example to illustrate how companies can
make better use of compliance and controls-related
information. Each year, organizations have spent
millions of dollars and tens of thousands of hours to
complete the documentation, testing and reporting
required by SOX. In retrospect, many organizations
faced two very common issues:
1. Documenting Too Many Controls
When SOX compliance was in its infancy, no one was
certain how many documented controls were too
few, too many or the right amount. Preferring to err
on the side of caution, most companies documented
every control they could find.
2. Documenting Mostly Manual Controls
SOX teams often lacked application experts with a detailed understanding of the embedded system-based controls (often called configurable controls). Therefore, they mostly documented manual controls.
The effect of these errors is that companies performed very extensive and largely manual testing.
These “testing projects” occur quarterly and annually for the 302 and 404 certifications required of
SOX. Often, this costly work is not adding value or
improving the internal control environment.
Most companies seasoned in SOX compliance are
beginning to change their approaches. Rather than
approach SOX compliance as a project, they see the
advantages of treating it as an ongoing process. Taking a process-based approach to SOX compliance
helps companies maintain strong internal control
over financial reporting and saves money in the
long term. To accomplish this, the proper use of
technological tools is key in creating an effective and
sustainable transition from project to process.
Automating and Optimizing Controls
Technology plays a significant role in moving SOX
compliance—and ERM in general—from a project
to an ongoing, sustainable process. Manual controls
are more prone to failure than automated controls.
They are detective rather than preventive, identifying problems only after they have occurred,
and they are ad hoc, meaning only a portion of all
transactions is evaluated and tested.
Optimized automated controls are system based,
preventive and managed. These features allow
companies to engage in more self-assessment, entitylevel and process-level monitoring and automated
testing. In addition, automated testing more accurately covers a larger universe than manual testing.
A manual control test is based on a selected sample size of typically 10 to 30 transactions; automated controls testing is performed on the full universe of transactions. Because of this larger number of transactions, there is inherently greater assurance provided by automated controls testing.
The role of technology in regulatory compliance can be broken down into two parallel tracks: (1) automation of the internal control environment and (2) automation of the compliance process. By automating the control environment and compliance process, companies are able to test and review controls throughout the year, providing the documentation and reporting materials needed to more easily comply with quarterly and annual reporting requirements.
In many instances, companies do not need to
purchase expensive new technology tools. Many
companies can make significant advances by making better use of the applications and tools they already
have. The result is improved sustainability, lower
costs and greater value to the internal control environment and compliance process.
Enterprise Resource Planning (ERP) companies
and other technology vendors recognize the benefits
they can provide to the control environment and
compliance process. As a result, they have been improving their products in an evolutionary way.
Continuous Controls Monitoring to Support ERM
The highest levels of compliance technology
provide continuous control monitoring and improvement and support ERM (Exhibit 1). With
continuous control monitoring, companies achieve
preemptive segregation of duties (“SOD”), conflict
analysis, real-time transaction exception monitoring and master data and configuration change
alerts. These features keep management on top of
and, often, ahead of changes to their control environment. They can immediately detect problems
or often anticipate and avoid them.
With ERM, companies have the ability to integrate compliance frameworks, tools and data.
They gain the benefits of proactive risk identification and evaluation. Employees gain portal access
to individual risk management information.
To achieve sustained value from application controls, organizations must first attain a high level of process maturity. Process maturity implies a high degree of control automation, control reliability and preventive versus detective controls. This entails properly configuring controls for the control universe, assessing existing controls, identifying gaps and opportunities and implementing necessary control and process changes. SOD issues must also be addressed, including the design and acquisition of rule sets, assessment of existing roles and assignments, identification and mitigation of potential gaps, redesign of roles where necessary and reprovisioning user access rights.
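The SOD work described above (a rule set, assessment of existing roles and assignments, identification of gaps, and checking a change to a user before it takes effect) and the earlier point that automated testing covers the full universe of records rather than a 10-to-30 item sample, as an added Python example. This is not code from the article or from any vendor product; the rule set, role definitions and user assignments are constructed for illustration.

```python
"""Rule-set-driven segregation-of-duties (SOD) analysis for continuous
controls monitoring. Added example: rule set, roles and users are constructed."""
from itertools import combinations

# Constructed rule set: each rule names two capabilities no one person may hold together.
SOD_RULES = {
    "SOD-01": ("create_vendor", "approve_payment"),
    "SOD-02": ("initiate_wire", "approve_wire"),
    "SOD-03": ("modify_loan_terms", "approve_loan"),
}

# Constructed role definitions: role -> capabilities it grants.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "WIRE_OPS": {"initiate_wire"},
    "WIRE_SUPERVISOR": {"approve_wire"},
    "LOAN_OFFICER": {"modify_loan_terms"},
    "BRANCH_ADMIN": {"initiate_wire", "approve_wire"},  # conflict designed into one role
}

# Constructed user assignments; "jlee" holds two roles that conflict in combination.
ASSIGNMENTS = {
    "asmith": {"AP_CLERK"},
    "jlee": {"AP_CLERK", "AP_MANAGER"},
    "mchen": {"WIRE_OPS"},
    "rpatel": {"BRANCH_ADMIN"},
}

def capabilities(role_names, roles=ROLES):
    """Union of the capabilities granted by a set of roles."""
    caps = set()
    for name in role_names:
        caps |= roles.get(name, set())
    return caps

def violated_rules(caps, rules=SOD_RULES):
    """Sorted ids of rules whose two capabilities are both present in caps."""
    return sorted(rid for rid, (a, b) in rules.items() if a in caps and b in caps)

def assess_roles(roles=ROLES, rules=SOD_RULES):
    """Role-design review: roles that violate a rule on their own, and role
    pairs that only conflict when assigned to the same person."""
    single = {r: violated_rules(c, rules) for r, c in roles.items() if violated_rules(c, rules)}
    pairs = {}
    for r1, r2 in combinations(sorted(roles), 2):
        already = single.get(r1, []) + single.get(r2, [])
        hits = [h for h in violated_rules(roles[r1] | roles[r2], rules) if h not in already]
        if hits:
            pairs[(r1, r2)] = hits
    return single, pairs

def scan_users(assignments, roles=ROLES, rules=SOD_RULES):
    """Full-population scan (every user, not a sample): user -> rules violated."""
    findings = {}
    for user, role_names in assignments.items():
        hits = violated_rules(capabilities(role_names, roles), rules)
        if hits:
            findings[user] = hits
    return findings

def check_grant(user, new_role, assignments, roles=ROLES, rules=SOD_RULES):
    """Preventive check at provisioning time: the grant is allowed only if the
    user's resulting capability set violates no rule. Returns (allowed, hits)."""
    caps = capabilities(assignments.get(user, set()) | {new_role}, roles)
    hits = violated_rules(caps, rules)
    return (not hits, hits)

if __name__ == "__main__":
    print("role design:", assess_roles())
    print("user violations:", scan_users(ASSIGNMENTS))
    print("grant WIRE_SUPERVISOR to mchen:", check_grant("mchen", "WIRE_SUPERVISOR", ASSIGNMENTS))
```

The role review flags a role that is conflicting by design separately from pairs that conflict only in combination, since the remediation differs (redesign the role versus reprovision the user).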
Once the process maturity is achieved, SOX
compliance costs become more predictable. They
are also lower than the expected costs of a manually driven project approach. This decrease in
cost occurs because most of the controls testing,
monitoring and documentation are automated and
woven into business processes.
The move from manual processes to control automation requires an investment in people, tools
and time. Once automated controls and SOD are in
place, however, organizations can actively maintain the environment. It is this active maintenance
that ensures compliance becomes an ongoing process rather than a stand-alone project.
Active Maintenance Is Essential
Active maintenance is critical. Without active maintenance, companies with a strong automated control environment can eventually fall back into the “project” mode of compliance. This happens over time as a result of employee turnover, poor change management and other factors that decrease the effectiveness of the control environment. Eventually, the organization reaches a point where it must engage in another expensive project to bring the control environment back to a high level of effectiveness.
Along with active maintenance, continuous monitoring and automated testing enable organizations to stay on top of employee turnover, quickly address SOD issues and address changes in the environment to keep the technological tools current.
Continuous controls monitoring is a rapidly growing market with solutions from ERP leaders SAP and Oracle, as well as niche vendors Applimation, Approva and Logical Apps.
For example, a midsize bank in the Southeast selected Oracle’s Internal Controls Manager (ICM) software to automate its SOD processes. Previously, the bank was using internally developed scripts to test for security violations only when the auditors were working on-site. With the implementation of Oracle’s solution, it added a level of continuous automation to check and prevent SOD violations when changes to new or existing users are performed. Automated tools are key to helping organizations ensure active maintenance of their control environment so that controls are operating for the entire period, not just at testing time.
[Exhibit 1. Development of Compliance Technology: a stair-step chart of Sophistication of Compliance Technology (Low to High) against Time to Implement, rising through the levels Document Internal Controls; Automation of Certification Process; Control & Assessment Automation; Continuous Control Monitoring & Improvement; Enterprise Risk Management.]
The basic level of technology enables the documentation of internal controls. The next level builds on that to automate the compliance process, providing features such as control owner updates, quarterly certifications, control self-assessment and routine risk assessment. Control and assessment automation enables organizations to move from manual to systemic and from detective to preventive controls. Automation at this level also provides improved system-enforced SOD, automated assessment of SOD transaction analysis and configurable control testing. Continuous controls monitoring allows real-time and proactive monitoring of an organization’s transactions and application controls. With ERM, companies tailor their monitoring initiatives to specific areas of risk and integrate various tools and frameworks.
A story about a Protiviti SOX client illustrates the effectiveness of these tools. Company A had been through nearly two years of SOX compliance when Protiviti was asked to evaluate its compliance program and look for improvement opportunities. Through an assessment of the company’s high-risk control areas, we identified four categories of issues:
1. Forty controls matched to the automated assessment and tested without exception. The potential for improvement here resided in the ability to replace manual testing with automated testing.
2. Sixty-nine controls matched but tested with exception. This means that Company A was improperly relying on these 69 controls. Potential for improvement included enhancing security and configurable controls and automating testing to achieve efficient and replicable results.
3. Ninety-eight controls were turned on but were
not mentioned in the control documentation. As
a result, the company was missing opportunities to place more reliance on these controls and
reduce manual testing.
4. One hundred and forty-five controls that could have
been implemented were not. They were not identified
in the documentation and tested with exception.
At the completion of the analysis, there were:
one hundred and nine already identified application controls that could be tested more efficiently,
including the 69 that tested with exception;
two hundred and forty-three application controls
that could be used to replace manual controls; and
two hundred and fourteen potential security/
configuration issues.
Based on these findings, it’s likely that the company’s prior-year testing and conclusions may have
been wrong due to the inherent limitations of manual
testing of sophisticated applications. This example
is typical of most organizations, an overreliance on manual control activities.
A further argument for using automated tools to transition from project to process is the stance of the external audit firms. They appear to be preparing to deploy sophisticated application analysis tools for future audits and Section 404 assessments. By automating controls where possible and shifting the focus away from detailed application testing and on to the tools and rule sets used to monitor the applications, time and effort can be saved, with the reliability of results greatly enhanced.
The need for active maintenance cannot be overemphasized. Without a process to maintain and monitor
the control environment, it will weaken over time,
forcing companies to spend significant resources to
bring it back up to a high level of efficiency. Maintenance ensures SOX compliance remains a process
that can be predictably and reliably managed.
Which Controls to Automate?
Moving a control structure and the associated testing
toward a reliance on automated controls takes time. It
will require input from a variety of internal business
constituents and at least some technology investments.
In this regard, organizations should begin by examining the sources of evidence supporting management’s
conclusion as to the operating effectiveness of internal
control over financial reporting. This examination
ordinarily should drive efforts to start rebalancing the
automated controls portfolio (Exhibit 2).
The effort begins with a fresh look at the organization’s
current key controls, with an eye toward several factors.
We have found control automation efforts to be most successful in yielding value-added benefits when they are:
applied through an integrated solution (for example, ERP) because the improvements have a
multiplier effect across common processes;
used to replace manual controls that are particularly expensive to operate and test;
used in risk areas that have the most impact on
reports and performance if the controls fail;
employed in areas of heightened external audit
sensitivity, such as SOD, and areas of concern to
the audit firms;
directed toward current practices that are more
prone to error and breakdowns; and
operated in association with procedures that are
repetitive and require little judgment or human
intervention.
Applying the factors above to manual or poorly
automated controls can help rank management’s
options for automating or optimizing controls.
Prerequisites to relying on automated controls include sound program and configuration change management controls, as well as strong security controls. If either of these general controls is weak, automated controls are vulnerable to circumvention by management and other personnel. In addition, the compliance team would be unable to prove conclusively that the automated controls remained intact through year-end.
It should be noted that automation is not appropriate for all situations. As always, there should be an
evaluation of the holistic cost of change against the
value of future savings and increased quality and
effectiveness of the internal controls structure.
Where Should Financial Institutions Focus?
We believe there are several key areas where financial institutions should apply their ERM and controls-monitoring activities. This is based on our experience within this industry, as well as discussions with our banking clients and regulators:
Operational risk. Most financial institutions are quite
familiar with this risk dimension because this is a
frequent hot spot of regulators and SOX auditors. Financial institutions should use a risk-based approach
to implementing and testing internal controls. For
example, we have seen increased scrutiny over loan
processing and wire transfer functions, so it would
make sense for organizations to consider strengthening and automating controls in these areas.
Information security. The advent of the Web and
e-banking has enabled customers to conduct their
banking activities from their home computer and
manage their own accounts. While this has been a
significant benefit to both banks and customers, the
downside is that critical data could become compromised. It is no longer enough to merely have
strong passwords and encrypt transactions. Financial institutions must be proactive and employ the
latest tools and techniques to thwart the would-be
information assailants. Customers expect a certain
level of security and privacy; compromising this
could severely damage a company’s reputation.
Credit risk. It is not uncommon for financial institutions to monitor credit risk at the transaction
level rather than have a broad picture of the total
portfolio risk, which requires more sophisticated
tools and processes. In addition, geographic
diversity of lending may be beneficial, but it
also requires more real-time information about
emerging conditions in those markets.
[Exhibit 2. Rebalancing the Automated Controls Portfolio: a diagram contrasting Controls That Are Not Optimized (• Manual • Detective • Ad hoc), supported mostly by Manual Controls Testing with little Automated Controls Testing, against Optimized Controls (• System-based • Preventive • Managed), supported mostly by Automated Controls Testing, with Sustainability increasing toward the optimized side.]
Optimizing controls through continuous controls monitoring reduces the need for large amounts of manual testing. As a result, an organization’s overall compliance cost is reduced and its controls sustainability is increased.
Using Technology to Minimize Risk
In today’s complex financial services arena, all organizations need, and are required to have, sound risk management techniques. An ERM approach coupled with the efficient use of technology and monitoring could aid financial institutions in achieving their goals while minimizing risk. The exact process by which these initiatives are addressed should differ with an organization’s size, risk appetite and overall goals.
Endnotes
1 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management—Integrated Framework, Executive Summary, 2004.
2 Id.
This article is reprinted with the publisher’s permission from Bank Accounting & Finance, a bimonthly journal
published by CCH, a Wolters Kluwer business. Copying or distribution without the publisher’s permission is prohibited.
To subscribe to Bank Accounting & Finance or other CCH Journals
please call 800-449-8114 or visit www.CCHGroup.com.
All views expressed in the articles and columns are those of the author
and not necessarily those of CCH or any other person.