Implement Enterprise Risk Management
Organizations have long practiced various parts of what has come to be called enterprise risk management. Identifying and prioritizing risks, either with foresight or following a disaster, has long been a standard management activity. Treating risk by transfer, through insurance or other financial products, has also been common practice, as has contingency planning and crisis management.
What has changed, beginning very near the close of the last century, is treating the vast variety of risks in a holistic manner and elevating risk management to a senior management responsibility. Although practices have not progressed uniformly through different industries and different organizations, the general evolution toward ERM can be characterized by a number of driving forces.
What is Risk Management?
Risk management is simply the practice of systematically selecting cost-effective approaches for minimizing the effect on the organization when a threat is realized. Not all risks can be fully avoided or mitigated, because of financial and practical limitations. Therefore every organization has to accept some level of residual risk.
Whereas risk management tends to be pre-emptive, business continuity planning (BCP) was invented to deal with the consequences of realized residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates, etc.). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's pre-emptive approach and starts from the assumption that the disaster will materialize at some point.
Financial risk management is the practice of creating value in a firm by using financial instruments to manage exposure to risk. Similar to general risk management, financial risk management requires identifying the sources of risk, measuring risk, and making plans to address it. As a specialization of risk management, financial risk management focuses on when and how to hedge using financial instruments to manage costly exposures to risk.
In the banking sector worldwide, the Basel Accords are generally adopted by internationally active banks for tracking, reporting and disclosing operational, credit and market risks.
While currently working for Compass Bank, a smaller regional bank, I see that the same general risks are still apparent: deposit fraud including check kiting, insider trading fraud, Internet banking concerns, and robbery. Compass Bank must ensure that it continually tracks, monitors, rethinks or revamps, and implements.
Finance theory (i.e. financial economics) prescribes that a firm should take on a project when it increases shareholder value. Finance theory also shows that firm managers cannot create value for shareholders, also called its investors, by taking on projects that shareholders could do for themselves at the same cost. When applied to financial risk management, this implies that firm managers should not hedge risks that investors can hedge for themselves at the same cost. This notion is captured by the hedging irrelevance proposition: in a perfect market, the firm cannot create value by hedging a risk when the price of bearing that risk within the firm is the same as the price of bearing it outside of the firm. In practice, financial markets are not likely to be perfect markets. This suggests that firm managers likely have many opportunities to create value for shareholders using financial risk management. The trick is to determine which risks are cheaper for the firm to manage than for the shareholders. A general rule of thumb, however, is that market risks that result in unique risks for the firm are the best candidates for financial risk management.
Why the Change?
The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Peregrine Systems and WorldCom (later MCI and now part of Verizon Business). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide-ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents, and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.
The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.
The Sarbanes-Oxley Act’s major provisions include the following:
o Creation of the Public Company Accounting Oversight Board (PCAOB)
o A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies “attest” (i.e., agree, or qualify) to such disclosure
o Certification of financial reports by chief executive officers and chief financial officers
o Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company’s Audit Committee of all other non-audit work
o A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
o Ban on most personal loans to any executive officer or director
o Accelerated reporting of insider trading
o Prohibition on insider trades during pension fund blackout periods
o Additional disclosure
o Enhanced criminal and civil penalties for violations of securities law
o Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences
o Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs.
But enacting a law without a governing body to oversee its provisions and rules would be a waste of time and taxpayers' dollars. The Sarbanes-Oxley Act was placed into law to help stop corruption and deception and to protect employees and citizens from scandal.
Governed by Whom
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative, formed in 1985. Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO has established a common definition of internal control, standards, and criteria against which companies and organizations can assess their control systems.
COSO is sponsored and funded by five main professional accounting associations and institutes: the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), the Financial Executives Institute (FEI), The Institute of Internal Auditors (IIA) and The Institute of Management Accountants (IMA).
COSO defines internal control through the following key concepts:
o Internal control is a process. It is a means to an end, not an end in itself.
o Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
o Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
o Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
Internal control consists of five interrelated components. These components provide an effective framework for describing and analyzing the internal control system implemented in an organization. The five components are the following:
Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Compass Bank tries to control the environment inside the company. We offer different foundations to help build an ethical place to work. We try to hire the "right" person for the position in hopes of inspiring the correct mindset. But hiring the right person is not always perfect. We have been tested by unethical decisions of our employees, which have placed the company in court, mediation, or litigation.
Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives; risk assessment is therefore the identification and analysis of relevant risks to the achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
Internal and external risk is a constant threat to any bank, including Compass Bank. One of the internal and external risks is the Internet: providing instant, on-demand results for our customers opens the door to Internet threats and/or fraud. We assess the risk, evaluate, and put into place backup plans. We try to eliminate risk before it happens.
Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Most companies provide a level of control activities. Compass Bank limits different control activities based on your position within the bank. At my level, a manager, I would have different authorities, like transfer approvals of up to $5 million, whereas a customer service representative would only have the ability to approve transfers of up to $100 thousand. Based on the position within Compass Bank, most activities are controlled based on the risk involved.
Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Information and communication are key to any success for a company. Compass Bank assesses the information and determines how much of the information to communicate. If the assessment determines there is not a lot of risk, the information is not always shared. But if the information is needed by the lower-level employees, like the recent TJX problem of hackers compromising credit card information, limited information is provided to help our customers.
Monitoring: Internal control systems need to be monitored–a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
Compass Bank has internal monitoring of all activities. We are constantly audited to make sure we stay in compliance with all federal, state and local laws. One thing we do each year is to make sure all of our employees go through compliance testing. The test involves the Bank Secrecy Act and the Anti-Money Laundering Act. Each employee must pass both tests with an 80% or better. We have other monitors set up, but I am unable to elaborate on them.
In conclusion, it is reasonable to expect that the forces cited above will continue. Accordingly, risk management practices will become more and more sophisticated. As capabilities continue to improve, organizations will increasingly adopt better ERM controls because they can.
Enterprise risk management is a "big idea." Among other things, ERM can be viewed as the broad conceptual framework that unifies the many varied parts of the actuarial discipline. ERM provides a logical structure to link these subject areas together in a compelling way to form an integrated whole. In so doing, ERM addresses critical business issues such as growth, return, consistency and value creation. It expresses risk not just as threat, but as opportunity: the fundamental reason that business is conducted in a free enterprise system.