
Information & Communication

COSO Integrated Framework

COSO consists of five interrelated components: Control Environment, Risk Assessment, Control Activities, Information & Communication and Monitoring. These components affect the bank’s management of risk within tolerance levels. See the FAQs page for a more complete definition and explanation of the acronym “COSO”.


Control Environment:

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity’s people; management’s philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.


Risk Assessment:

Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change.


Control Activities:

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.


Information and Communication:

Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders.


Monitoring Activities:

Internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.


Cybersecurity Guide!

Data breaches resulting in the compromise of personally identifiable information affect thousands of Americans. Intrusions into financial, corporate and government networks are no longer rare or isolated incidents. Complex financial schemes committed by sophisticated cyber criminals against businesses and the public in general are now commonplace. These are just a few examples of crimes perpetrated online over the past year or so, and part of the reason why FBI Director James Comey, testifying before Congress last week, said that “the pervasiveness of the cyber threat is such that the FBI and other intelligence, military, homeland security, and law enforcement agencies across the government view cyber security and cyber attacks as a top priority.” The FBI, according to Comey, targets the most dangerous malicious cyber activity: high-level intrusions by state-sponsored hackers and global cyber syndicates, and the most prolific botnets. And in doing so, we work collaboratively with our domestic and international partners and the private sector.

Financial institutions, regardless of size, are particularly vulnerable to cyber attacks and that’s why it’s so important to assess your risks in this critical area of your operations. To assist you in this effort TraceRisk has developed a Cyber Security Risk Management Guide. Our clients have found it to be very helpful and, just like we do for our ERM clients, we’re making it available to you FREE OF CHARGE! A copy of the Table of Contents is attached so you can see what is covered.

Guide to Developing a Cyber Security and Risk Mitigation Plan
A Community Bank White Paper from TraceRisk™

Table of Contents
Preface
Purpose
Scope
Target Audience
Introduction
Building a Risk Management Program
Appointing Leadership
Establishing a Risk Management Framework
Defining the System
Cyber Asset Identification and Classification
Identifying Critical Cyber Assets (Additional Guidance URLs)
Classifying Cyber Assets
Personally Identifying Information (PII)
Identifying the Electronic Security Perimeter (ESP) Protecting Cyber Assets
Conducting a Vulnerability Assessment (Additional Guidance URLs)
Assessing and Mitigating Risks
Assessing Impact and Risk Levels
Mitigating Risks with Security Controls (Additional Guidance URLs)
Evaluating and Monitoring Control Effectiveness
Addressing People and Policy Risks
Cyber Security Policy
Security Policy Elements
Security Related Roles and Responsibilities
Policy Implementation and Enforcement
Policy Exceptions (Additional Guidance URLs)
Personnel and Training
Security Awareness and Training (Additional Guidance URLs)
Due Diligence in Hiring
Access Privileges
Operational Risks
Perform Periodic Risk Assessment and Mitigation
Enforce Access Control, Monitoring and Logging
Perform Disposal or Redeployment of Assets (Additional Guidance URLs)
Enforce Change Control and Configuration Management
Conduct Vulnerability Assessments (Additional Guidance URLs)
Control, Monitor and Log all Access to Assets
Configuration and Maintenance (Additional Guidance URLs)
Incident Handling (Additional Guidance URLs)
Contingency Planning (Additional Guidance URLs)
Insecure Software Development Life Cycle (SDLC) Risks
Physical Security Risks
Plan and Protection
Monitoring, Logging and Retention
Maintenance and Testing
Third Party Relationships
Addressing Technology Risks
Network Risks
Platform Risks
Application Layer Risks
Communications Systems
Supervisory Control and Data Acquisition (SCADA)
Identifying and Protecting Private Data (Additional Guidance URLs)
Steps in Vulnerability Assessments
Incident Response Planning Items
Disaster Response Planning Items
Glossary and Appendices


Governance and Risk Management in the Wake of Wells Fargo Bank’s Misbehavior!


OH BOY, what a mess, huh? The newspapers, Internet bloggers, business and social commentators, Twitter and all the rest are posting endless commentaries about Wells Fargo Bank’s indiscretions embedded in their sales culture and the OCC’s punitive actions. And, to be sure, everybody has a legitimate complaint. WFB is, at minimum, guilty of violating Unfair, Deceptive & Abusive Acts and Practices regulations and the fundamental trust of its customers and shareholders, plain and simple. What’s worse is that WFB’s former CEO, John Stumpf did neither himself, nor his bank, nor the banking industry at large any favors when he wrote his [apology?] letter to WFB customers acknowledging the problem and offering his ‘solutions’. Here’s part of what he said:
“Every day we strive to get things right. In this instance we did not – and that is simply not acceptable. So we are making it right. The first step we’ve taken is to fully reimburse any customers who were affected by these actions.”

Mr. Stumpf’s so-called first step is to “fully reimburse affected customers”. Really? Is that how WFB will “strive to get things right” – by reimbursing affected customers? Isn’t that a given? He goes on to say,

“We have been making some changes to how we do business over the last several years to ensure we are always aligned with our customers’ interests. To that end, the second change is to ensure Team Members in our Retail Bank are compensated on what matters most: delivering great experiences and ensuring positive outcomes – not on product sales.”

So, what he’s saying is, as a second (and presumably last) change, WFB is going to ensure that team members are not compensated on product sales. Wow, that’s it? The sales culture was OK before, but now it’s not? Why, because they got caught? Nothing said about strengthening internal audit and supervisory practices? Nothing mentioned about actions that will be taken against the perpetrators and their superiors – all the way up the line? Nothing offered about how WFB will rebuild trust? Mr. Stumpf and his Board along with their legal counsel and their public relations firm missed the point entirely when issuing that tepid letter.

And, with subsequent action taken by the OCC on WFB just two weeks ago where they assessed a $20 million civil money penalty and ordered the bank to make restitution to Servicemembers who were harmed by the bank’s repeated violations of the Servicemembers Civil Relief Act (SCRA), WFB’s reputational risk profile has reached new lows. Somehow, Mr. Stumpf and his Board of Directors seemed to have overlooked the fundamental tenet that guides all business enterprises, including banks – it’s called sound Corporate Governance and Risk Management.

In light of the foregoing, the team at TraceRisk has developed tools for performing corporate governance assessments and enterprise risk management assessments using current regulatory guidance and proprietary resources to prepare this reminder for your Board and senior management of their combined responsibility for developing and implementing related policies and procedures. We hope you find it helpful.

Corporate Governance & Risk Management
Federal regulatory agencies have an expectation that financial institutions under their supervision will develop, adopt, execute and maintain governance and risk management policies and procedures that comply with both the spirit and the letter of Section 39 of the Federal Deposit Insurance Act (FDIA, codified at 12 U.S.C. 1831p-1(a)(1-2)).

Definitions
- Chief Audit Executive means an individual who leads internal audit and is one level below the Chief Executive Officer in a bank’s organizational structure.
- Chief Risk Executive means an individual who leads an independent risk management unit.
- Front Line Unit means any organizational unit or function thereof at the bank that is accountable for a risk and that:
  - Engages in activities designed to generate revenue or reduce expenses for the bank;
  - Provides operational support or servicing to any organizational unit or function within the bank for the delivery of products or services to customers; or,
  - Provides technology services to any organizational unit or function within the bank.
- Independent risk management means any organizational unit within the bank that has responsibility for identifying, measuring, monitoring or controlling residual and aggregate risks. Such units maintain independence from front line units through the following reporting structure:
  - The Board of Directors or the Board’s Risk Committee reviews and approves the risk governance framework;
  - The Chief Risk Executive has unrestricted access to the Board of Directors and its committees to address risks and issues identified through independent risk management’s activities;
  - The Board of Directors or its Risk Committee approves all decisions regarding the appointment or removal of the Chief Risk Executive(s) and approves the annual compensation and salary adjustment of the Chief Risk Executive(s); and,
  - No front line unit executive oversees any independent risk management unit.
- Internal audit means the organizational unit within the bank that is designated to fulfill the role and responsibilities outlined in Section 39 (including outsourced internal audit service providers). Internal audit maintains independence from front line units and independent risk management through the following reporting structure:
  - The Chief Audit Executive has unrestricted access to the Board’s Audit Committee to address risks and issues identified through internal audit’s activities;
  - The Audit Committee reviews and approves internal audit’s overall charter and audit plans;
  - The Audit Committee approves all decisions regarding the appointment or removal and annual compensation and salary adjustment of the Chief Audit Executive;
  - The Audit Committee or the Chief Executive Officer oversees the Chief Audit Executive’s administrative activities; and,
  - No front line unit executive oversees internal audit.

STANDARDS FOR RISK GOVERNANCE FRAMEWORK

Risk Governance Framework
The bank should establish and adhere to a formal, written risk governance framework that is designed by independent risk management and approved by the Board or its Risk Committee. The risk governance framework should include delegations of authority from the Board to management committees and executive officers as well as the risk limits established for material activities. Independent risk management should review and update the risk governance framework at least annually and as often as needed to address improvements in industry risk management practices and changes in the bank’s risk profile caused by emerging risks, its strategic plans or other internal and external factors.

Scope of Risk Governance Framework
The risk governance framework should cover, at minimum, the following risk categories that apply to the bank: credit risk, interest rate risk, liquidity risk, price risk, operational risk, compliance risk, strategic risk, and reputation risk. Other risk categories may also apply (e.g., technology risk, vendor management risk).

Roles and Responsibilities
The risk governance framework should include well-defined risk management roles and responsibilities for front line units, independent risk management and internal audit. Front line units should take responsibility and be held accountable by the Chief Executive Officer and the Board for appropriately assessing and effectively managing all of the risks associated with their activities. In fulfilling this responsibility, each front line unit should, either alone or in conjunction with another organizational unit that has the purpose of assisting a front line unit:
- Assess, on an ongoing basis, the material risks associated with its activities and use such risk assessments as the basis for fulfilling its responsibilities and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the unit’s risk profile or other conditions;
- Establish and adhere to a set of written policies that include front line unit risk limits. Such policies should ensure risks associated with the front line unit’s activities are effectively identified, measured, monitored and controlled, consistent with the bank’s risk appetite statement, concentration risk limits and all policies established within the risk governance framework;
- Establish and adhere to procedures and processes, as necessary, to maintain compliance with the bank’s risk policies;
- Adhere to all applicable policies, procedures and processes developed by Operating Management in conjunction with independent risk management;
- Develop, attract, and retain talent and maintain staffing levels required to carry out the unit’s role and responsibilities effectively;
- Establish and adhere to talent management processes; and,
- Establish and adhere to compensation and performance management programs that are in keeping with regulatory guidance, reasonableness, transparency and prudent banking practice.

Role and Responsibilities of Independent Risk Management
Independent risk management should oversee the bank’s risk-taking activities and assess risks and issues independent of front line units. In fulfilling these responsibilities, independent risk management should:
- Take primary responsibility and be held accountable by the Chief Executive Officer and the Board for designing a comprehensive written risk governance framework that meets these Guidelines and is commensurate with the size, complexity, and risk profile of the bank;
- Identify and assess, on an ongoing basis, the bank’s material aggregate risks and use such risk assessments as the basis for fulfilling its responsibilities and for determining if actions need to be taken to strengthen risk management or reduce risk given changes in the bank’s risk profile or other conditions;
- Establish and adhere to enterprise policies that include concentration risk limits. Such policies should state how aggregate risks within the bank are effectively identified, measured, monitored and controlled, consistent with the bank’s risk appetite statement and all policies and processes established within the risk governance framework;
- Establish and adhere to procedures and processes, as necessary, to ensure compliance with the policies;
- Identify and communicate to the Chief Executive Officer and the Board or the Board’s Risk Committee:
  - Material risks and significant instances where independent risk management’s assessment of risk differs from that of a front line unit; and
  - Significant instances where a front line unit is not adhering to the risk governance framework, including instances when front line units do not meet the established standards;
- Identify and communicate to the Board or the Board’s Risk Committee:
  - Material risks and significant instances where independent risk management’s assessment of risk differs from that of the Chief Executive Officer; and,
  - Significant instances where the Chief Executive Officer is not adhering to, or holding front line units accountable for adhering to, the risk governance framework;
- Develop, attract, and retain talent and maintain staffing levels required to carry out its role and responsibilities effectively; and,
- Establish and adhere to compensation and performance management programs.

Role and Responsibilities of Internal Audit
Internal audit should ensure that the bank’s risk governance framework complies with these Guidelines and is appropriate for the size, complexity and risk profile of the bank. In carrying out its responsibilities, internal audit should:
- Maintain a complete and current inventory of all of the bank’s material processes, product lines, services and functions, and assess the risks, including emerging risks, associated with each, which collectively provide a basis for the audit plan;
- Establish and adhere to an audit plan that is periodically reviewed and updated, that takes into account the bank’s risk profile, emerging risks and issues, and that establishes the frequency with which activities should be audited. The audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures and processes established by front line units and independent risk management under the risk governance framework. Significant changes to the audit plan should be communicated to the Board’s Audit Committee;
- Report in writing conclusions, material issues and recommendations from audit work carried out under the audit plan to the Board’s Audit Committee. Internal audit’s reports to the Audit Committee should also identify the root cause of any material issues and include:
  - A determination of whether the root cause creates an issue that has an impact on one organizational unit or multiple organizational units within the Bank; and,
  - A determination of the effectiveness of front line units and independent risk management in identifying and resolving issues in a timely manner;
- Establish and adhere to processes for independently assessing the design and ongoing effectiveness of the risk governance framework on at least an annual basis. The independent assessment should include a conclusion on the Bank’s compliance with the standards set forth in these Guidelines;
  - The annual independent assessment of the risk governance framework may be conducted by internal audit, an external party, or internal audit in conjunction with an external party.
- Identify and communicate to the Board’s Audit Committee significant instances where front line units or independent risk management are not adhering to the risk governance framework;
- Establish a quality assurance program that ensures internal audit’s policies, procedures and processes comply with applicable regulatory and industry guidance, are appropriate for the size, complexity and risk profile of the bank, are updated to reflect changes to internal and external risk factors, emerging risks, and improvements in industry internal audit practices, and are consistently followed;
- Develop, attract, and retain talent and maintain staffing levels required to effectively carry out its role and responsibilities;
- Establish and adhere to talent management processes; and,
- Establish and adhere to compensation and performance management programs.

Strategic Plan (Strategy Drives Risk)
The Chief Executive Officer should be responsible for the development of a written strategic plan with input from front line units, independent risk management, and internal audit. The Board should evaluate and approve the strategic plan and monitor management’s efforts to implement the strategic plan at least annually. The strategic plan should cover, at a minimum, a three-year period and:
- Contain a comprehensive assessment of risks that currently have an impact on the bank or that could have an impact on the bank during the period covered by the strategic plan;
- Articulate an overall mission statement and strategic objectives for the bank and include an explanation of how the bank will achieve those objectives;
- Include an explanation of how the bank will update, as necessary, the risk governance framework to account for changes in the bank’s risk profile projected under the strategic plan; and,
- Be reviewed, updated and approved, as necessary, due to changes in the bank’s risk profile or operating environment that were not contemplated when the strategic plan was developed.

Risk Appetite Statement
The bank should have a comprehensive written statement that articulates the bank’s risk appetite and serves as the basis for the risk governance framework. The risk appetite statement will include both qualitative components and quantitative limits. The qualitative components describe a safe and sound risk culture and how the bank will assess and accept risks, including those that are difficult to quantify. Quantitative limits should incorporate sound stress testing processes, as appropriate, and address the bank’s earnings, capital and liquidity. The bank should set limits at levels that take into account appropriate capital and liquidity buffers and prompt management and the Board to reduce risk before the bank’s risk profile jeopardizes the adequacy of its earnings, liquidity and capital.

Where possible, the bank should establish aggregate risk appetite limits that can be disaggregated and applied at the front line unit level. However, where this is not possible, the bank should establish limits that reasonably reflect the aggregate level of risk that the Board and executive management are willing to accept (called Risk Tolerance).

Concentration and Front Line Unit Risk Limits
The risk governance framework should include concentration risk limits and, as applicable, front line unit risk limits, for the relevant risks. Concentration and front line unit risk limits should limit excessive risk taking and, when aggregated across such units, provide that these risks do not exceed the limits established in the bank’s risk appetite statement.

Risk Appetite Review, Monitoring and Communication Processes
Monitoring and reporting should be performed as frequently as necessary, based on the size and volatility of risks and any material change in the bank’s business model, strategy, risk profile, or market conditions. The bank’s risk governance framework requires:
- Review and approval of the risk appetite statement by the Board or the Board’s Risk Committee at least annually or more frequently, as necessary;
- Initial communication and ongoing reinforcement of the bank’s risk appetite statement throughout the bank in a manner that causes all employees to align their risk-taking decisions with applicable aspects of the risk appetite statement;
- Monitoring by independent risk management of the bank’s risk profile relative to its risk appetite and compliance with concentration risk limits, and reporting on such monitoring to the Board or the Board’s Risk Committee at least quarterly;
- Monitoring by front line units of compliance with their respective risk limits and reporting to independent risk management at least quarterly; and,
- When necessary due to the level and type of risk, monitoring by independent risk management of front line units’ compliance with front line unit risk limits, ongoing communication with front line units regarding adherence to these limits, and reporting of any concerns to the Chief Executive Officer and the Board or the Board’s Risk Committee, all at least quarterly.

Processes Governing Risk Limit Breaches
The bank should establish and adhere to processes that require front line units and independent risk management, in conjunction with their respective responsibilities, to:
- Identify breaches of the risk appetite statement, concentration risk limits and front line unit risk limits;
- Distinguish breaches based on the severity of their impact on the bank;
- Establish protocols for when and how to inform the Board, front line unit management, independent risk management, internal audit and the bank’s regulators of a risk limit breach, taking into account the severity of the breach and its impact on the bank;
- Include in the protocol the requirement to provide a written description of how a breach will be, or has been, resolved; and,
- Establish accountability for reporting and resolving breaches, including consequences for risk limit breaches that take into account the magnitude, frequency, and recurrence of breaches.

Concentration Risk Management
The bank’s risk governance framework should include policies and supporting processes appropriate for the bank’s size, complexity and risk profile for effectively identifying, measuring, monitoring and controlling the bank’s concentrations of risk.

Risk Data Aggregation and Reporting
The bank’s risk governance framework should include a set of policies, supported by appropriate procedures and processes, designed to provide risk data aggregation and reporting capabilities appropriate for the size, complexity, and risk profile of the bank, and to support supervisory reporting requirements. Collectively, these policies, procedures, and processes provide for:
- The design, implementation and maintenance of a data architecture and information technology infrastructure that support the bank’s risk aggregation and reporting needs during normal times and during times of stress;
- The capturing and aggregating of risk data and reporting of material risks, concentrations, and emerging risks in a timely manner to the Board and the regulators; and,
- The distribution of risk reports to all relevant parties at a frequency that meets their needs for decision-making purposes.

Relationship of Risk Appetite Statement, Concentration Risk Limits and Front Line Unit Risk Limits to Other Processes
The bank’s front line units and independent risk management should incorporate, at a minimum, the risk appetite statement, concentration risk limits and front line unit risk limits into the following:
- Strategic and annual operating plans;
- Capital stress testing and planning processes;
- Liquidity stress testing and planning processes;
- Product and service risk management processes, including those for approving new and modified products and services;
- Decisions regarding acquisitions and divestitures; and,
- Compensation and performance management programs.

Talent Management Processes
The bank should establish and adhere to processes for talent development, recruitment and succession planning to ensure that management and employees who are responsible for or influence material risk decisions have the knowledge, skills and abilities to effectively identify, measure, monitor and control relevant risks. The Board or an appropriate committee of the Board should:
- Appoint a Chief Executive Officer and appoint or approve one or more C-level executives who should be responsible for risk governance and internal audit and who possess the skills and abilities to carry out their roles and responsibilities within the risk governance framework;
- Review and approve a written talent management program that provides for development, recruitment and succession planning regarding the individuals described above, their direct reports, and other potential successors; and,
- Require management to assign individuals specific responsibilities within the talent management program and hold those individuals accountable for the program’s effectiveness.

Compensation and Performance Management Programs
The bank should establish and adhere to compensation and performance management programs that comply with any applicable statute or regulation and are appropriate to:
- Ensure the Chief Executive Officer, front line units, independent risk management, and internal audit implement and adhere to an effective risk governance framework;
- Ensure front line unit compensation plans and decisions appropriately consider the level and severity of issues and concerns identified by independent risk management and internal audit, as well as the timeliness of corrective action to resolve such issues and concerns;
- Attract and retain the talent needed to design, implement, and maintain an effective risk governance framework; and,
- Prohibit any incentive-based payment arrangement, or any feature of any such arrangement, that encourages inappropriate risks by providing excessive compensation or that could lead to material financial loss.

STANDARDS FOR THE BOARD

Require an Effective Risk Governance Framework
The bank’s Board should:
- Oversee the bank’s compliance with safe and sound banking practices. The Board should also require management to establish and implement an effective risk governance framework that meets the minimum standards described in these guidelines. The Board or the Board’s Risk Committee will approve any significant changes to the risk governance framework and monitor compliance with such framework;
- Provide active oversight of management. The Board should actively oversee the bank’s risk-taking activities and hold management accountable for adhering to the risk governance framework. In providing active oversight, the Board may rely on risk assessments and reports prepared by independent risk management and internal audit to support the Board’s ability to question, challenge, and when necessary, oppose recommendations and decisions made by management that could cause the bank’s risk profile to exceed its risk appetite or jeopardize the safety and soundness of the Bank;
- Exercise independent judgment;
- Include independent directors;
- Provide ongoing training to all directors. The Board should establish and adhere to a formal, ongoing training program for all directors. This program should consider the directors’ knowledge and experience and the bank’s risk profile. The program should include, as appropriate, training on:
  - Complex products, services, lines of business and risks that have a significant impact on the bank;
  - Laws, regulations and supervisory requirements applicable to the bank; and,
  - Other topics identified by the Board;
- Perform self-assessments. The bank’s Board should conduct an annual self-assessment that includes an evaluation of its effectiveness in meeting the standards of these guidelines.


Deposit Accounts

Use Case for Assessing Risk on Deposit Accounts

Why assess the risk? Deposits are funds that customers place with the bank and that the bank is obligated to repay on demand, after a specific period of time, or after the expiration of some required notice period (e.g., a certificate of deposit). Deposits are the primary funding source for most banks and, as a result, have a significant effect on the bank’s liquidity. Errors and omissions, and fraudulent alteration of the amount or account number to which funds are to be deposited, could result in a loss to the bank. Additionally, uncollected overdrafts, returned items, kiting and other check schemes and frauds can result in losses on deposit accounts.

Who should assess the risks? Chief Operating Officer, Chief Financial Officer, BSA Officer, Compliance Officer

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.


Credit Administration

Use Case for Assessing Risk on Loan Administration

Why assess the risk? Credit administration and the quality of the loan portfolio are among the most important aspects of the bank’s business strategy. To a great extent, it is the quality of a bank’s loan portfolio that determines the profitability of the bank and the ultimate return on investment to the shareholders. Conclusions regarding the bank’s condition and the quality of its management are weighted heavily by the degree of risk in lending practices. Administration of the loan portfolio must recognize that loans comprise a major portion of the bank’s assets and that it is this asset category which ordinarily presents the greatest credit risk and potential loss exposure to the bank. Moreover, pressure for increased profitability, liquidity considerations, and a vastly more complex marketplace have produced an ever-changing risk profile for the bank.

Who should assess the risks? Credit Administrator, Chief Credit Officer, Chief Lending Officer, Directors’ Loan Committee

How to assess the risk: Rate the KRIs to determine if a threat would successfully exploit a vulnerability and to justify expenditures to implement countermeasures to protect the bank’s assets or reputation. Use the “Focus Risk Assessment” tool for in-depth analysis of risks and mitigation techniques.
