Raising Your Risk Management Profile to Protect Your Assets
Growing Your Business Starts With Evaluating, Governing and Managing Risk
Naturally, after unfortunate incidents, risk governance and security are top of mind for many. Building an actionable risk management program provides security and a clear response to any emerging event. For many in the banking, technology, and venture capital communities, it has been an intense few weeks. Recent industry activity that impacts enterprise risk includes the:
- Revelation of questionable financial decision-making hiding in plain sight.
- Seemingly reasonable “flight to safety” by some depositors moving deposits to Systemically Important Banks (SIBs).
- Technology firms worried about access to cash for basics, such as making payroll.
- Federal Deposit Insurance Corporation (FDIC) making an unprecedented move in providing an unlimited deposit insurance guarantee.
- SIBs depositing billions with their smaller industry siblings to shore up confidence in the banking system.
- Recent bi-partisan groups rallying around reassuring depositors through the proposed roll-back of pre-COVID deregulation.
- Addition of risk protection through other regulators, such as the U.S. Securities and Exchange Commission (SEC), which is evaluating cybersecurity guidance for financial firms.
All the while, the chances of entering an economic downturn this year have significantly increased.
It was three years ago that we experienced a COVID-induced economic shutdown that was unlike anything ever seen before. And just like that experience, as business leaders, we have a responsibility to protect our shareholders, clients and employees. This protection starts with enterprise risk governance: the process of evaluating, managing and governing business risk.
Preventative Measures in the Face of Adversity: Where Do You Begin?
As we consider how businesses in all industries should be readying for additional economic disruptions and preparing for post-recession economic growth, we must put in place business resiliency and risk governance principles that are established through solid risk management solutions. These risk management principles apply equally to businesses in all sectors, but due to the immediacy of the topic at hand, we will use the banking and technology sectors as examples.
Third-party Risk Management: Ensuring Internal Controls
In larger companies, Third-party Risk Management (TPRM) is often thought of as a burden brought about by procurement. But if approached appropriately, TPRM starts with an alignment with the overall business strategy. Third-party firms working with businesses can align with, enhance and protect the business’ reputation.
There are specific third-party financial risks that are evaluated in a leading practice TPRM analysis. These include evaluating credit ratings, financial statements and contract terms between parties, thereby aligning the benefits of the business relationship with the potential risks of the partnership.
A specific form of TPRM includes System and Organization Controls (SOC). With more companies outsourcing financial and information technology services to third parties, it has become critical to understand each service entity and its internal controls. As such, the American Institute of Certified Public Accountants (AICPA) replaced prior SAS 70 and SSAE 16 audits, as well as WebTrust and SysTrust reports/seals, with a set of standards referred to as the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) and No. 21 (SSAE 21), which govern SOC attestations.
SOC reports allow organizations that perform information system and transaction processing services to other entities to demonstrate that they maintain effective internal controls by periodically issuing a report that is independently assessed by a certified public accountant. Relying on a SOC 1 or SOC 2 report from an independent certified public accounting firm can assure user organizations and their auditors, as well as key stakeholders and/or prospective clients, that a third-party service provider’s system of internal control is sound.
Financial Risk Management: Preparing for the Unpredictable
Financial Risk Management (FRM) takes many forms. It relies on having solid financial reports on a company and the third parties with which it does business. The size of an organization is not always a good predictor of how trustworthy its financial statements are, nor of how accurately they will be interpreted. For example, a footnote in SVB’s financial statement highlighted its liquidity risk, but this got past quite a few “third-party” CFOs (depositors), TPRM reviewers and Board Members.
Effective Financial Risk Management relies on modern finance and accounting capabilities coupled with data that is digitally accessible, interactive, and easy to understand to enable leadership to quickly make vital decisions and move toward their business goals. Finance and accounting teams need to be business partners in their organization’s operations to provide accurate financial information that accelerates decision-making.
Organizations should be thinking about how to avoid their own balance sheet financial risk by considering a balance sheet hedging strategy. This is a strategy that can be quite effective in environments of both increasing and decreasing interest rates. One never knows exactly when the economy will shift, therefore most firms consider hedging to be a risk-neutral activity. In addition to the larger banks, some of the larger community banks also consider balance sheet hedging. Although oftentimes hedging can be perceived as risky, or too complicated for smaller-sized banks, it is an effective risk management strategy geared for the long-term. It’s easy for a bank that hasn’t used derivatives to have the notion that derivatives are a bet on rates. However, when layered into the bank’s overall Asset and Liability Management (ALM) program, committee conversations and related tool kits, derivatives are simply another risk management tool to manage the bank’s rate risk. Hedging programs can be designed and executed with relative simplicity with the right financial and/or accounting advisor.
In addition, many banks have adopted the recent Current Expected Credit Losses (CECL) accounting standard, which requires consideration of current events and future reasonable, supportable forecasts to help companies evaluate their allowance methodologies. Under CECL, companies report financial assets at the amount expected to be collected. However, a CECL estimate isn’t something to just “set and forget.”
CECL is an allowance that should be considered immediately upon recording financial assets. Market changes can happen fast, and rapidly rising interest rates, unemployment, GDP and other factors may not be accounted for as markets continually evolve. If a bank has a number of unrealized losses, investors may not be aware of the extent of those losses because the financial statements don’t appropriately account for CECL estimates.
As an example, if banks hold a number of bonds that are “held-to-maturity,” the interest rates are fixed for accounting and reporting. If market interest rates rise dramatically relative to when those bonds were issued, those bonds may be worth significantly less to potential buyers. Unrealized losses may cause a liquidity challenge if banks suddenly need capital to repay depositors, and the banks need to sell those bonds quickly. The price they sell them at will be less than the price recorded on the balance sheet.
Banks should remember that the genesis of CECL was related to the events of the Financial Crisis of 2008. Based on current events, and on what market participants are observing and building into their forecasts, it’s a good idea to perform a robust review of bank data and future expectations, and to validate the data used to generate CECL forecasts. To reduce liquidity risk, banks need rigorous, robust policies in relation to all in-scope instruments. And all companies, not just banks, need to give investors and users of their financial statements the information necessary to understand the potential risks in financial instruments, including duration risk, credit risk, interest-rate risk and liquidity risk.
Finally, organizations need to leverage internal controls to manage risks and meet organizational objectives. The internal audit function of an organization helps protect value, power performance and build resilience using risk management solutions tailored to its priorities and business risks. Information technology (IT) is increasingly important to every organization’s business strategy, operations and internal audit function. However, leveraging technology and automation to deliver meaningful benefits can raise additional issues of security, integrity and control. An effective Financial Risk Management framework must include IT internal audit methodologies to help protect an organization’s information systems and assets, ensure compliance with regulatory requirements, and provide insights into how IT controls can be leveraged to reduce costs and gain competitive advantage.
Operational Risk and Controls: Evaluating Solutions for Your Business
It often makes sense for a business to have an explicit risk appetite statement. The U.S. financial services regulators require the largest of banks to have risk appetite statements, but this is helpful for businesses of all shapes and sizes. Ensuring that the board is aligned with senior management in its ongoing decision-making process prepares the organization for situations like the recent bank fallout.
With many teams still working from home or enjoying a hybrid work model, evidencing reviews and approvals will continue to be a challenge, as the evidence may be distributed across virtual collaboration and meeting tools or other electronic platforms. It is important to consider how communication styles and preferences can provide evidence of review and approval. While this has been ongoing for over two years, it continues to be a point of stress for newer public companies.
The war for talent is ongoing. Companies are assessing their talent and identifying gaps. Many organizations are experiencing material weaknesses around insufficient accounting personnel, as well as a lack of financial oversight and levels of review. In addition, with the related increase in salaries, there is an opportunity to reevaluate hiring practices and budgets. An obvious way to fill the talent gap is to consider co-sourcing to a third-party provider.
One item that will generate a good deal of conversation in the short term, due to the recent bank failures, will pertain to process and controls management and to auditors’ performance regarding subsequent events. Oftentimes, as companies rush to file their financial statements, it is easy to conclude on controls that operate within a period or at the end of the period (the “as of” date), as these controls operate and are tested frequently and have become part of the “DNA” of a company.
However, one can surmise that controls performed at the end of the audit and done less frequently might not have the same formality and rigor around them. Subsequent event controls could potentially fall into this category. Having the rigor and process for management to evaluate post-balance-sheet-date matters is an important area for management to design controls around. At the simplest level, it could be accomplished via inquiry and discussions with officers and other executives who have responsibility for financial and accounting matters. A best practice could be to design a certification control across the company that asks officers and executives about their understanding of events that would fall into this category, prior to the issuance of the financial statements.
Operational Risk Management: Securing Your Data
Operational risk requires controls development, evaluation and testing to go one step further by ensuring that key areas of the operation are secured. Two key areas of any business’ operation are cybersecurity and data. In recent conversations with boards, we often hear cybersecurity risk and the threat of cyber-attacks cited as a large threat and source of uncertainty.
Recent failures in banking are likely to increase regulatory scrutiny on banks and other financial institutions. Regulators were already receiving pressure to tighten scrutiny prior to the current crisis (e.g., the recent report on the FDIC by the Office of the Inspector General). Given that aspects of recent failures and near-failures are digitally driven, scrutiny of technical controls will likely be thorough and rigorous. The details of where data resides and how it is protected will receive more attention than ever before, as failures in data protection can accelerate the kinds of challenges faced recently by banks.
In addition, any unprecedented event tends to drive up phishing and other social engineering attacks, such as business email compromise. Customers, employees and providers are all likely to be targeted by fraudulent messages taking advantage of the fear and uncertainty induced by recent events. If successful, these kinds of attacks can expose further risk, induce unnecessary fund transfers or open the door to outright theft of funds.
Therefore, it is incumbent on banks and financial institutions to address their approach to managing anti-money laundering (AML) and fraud activities. Assessing what has been done to date should include testing the current policies, procedures and supporting controls. However, for the overall program to be successful, support from dedicated senior resources is required. Continuous training, from the most senior team members to the most junior, should be considered. With modern analytical tools and expansive data sets, incident response teams will have the ability to assess increased volumes of attacks, and payment processing teams will have the tools and support to ensure that controls remain in effect.
An often-overlooked area of business risk is data assurance. The single largest source of issues found by bank regulators starts with inaccurate or outdated data being used by senior leaders for decision making. When a systemic event occurs, many assessments come forward. Risk management activities often depend on reports and models that are designed to highlight trends and identify risks to the organization. However, many times attention to the accuracy, completeness and timeliness of the data used in these models is not sufficiently managed. Some may assume that the IT department ensures that the data is accurate, and others simply expect a business analyst using the data to reconcile and correct the data before use. These approaches eventually reduce the effectiveness of the analysis used in decision making throughout the organization because they lack data consistency and transparency.
For institutions that substantiate effective risk mitigation processes and models, the data is part of the operational construct. When reviewed from a Basel III perspective or an operational, credit and market risk perspective, it is imperative for organizations to demonstrate their ability to understand and manage the data they use. This will address investor, compliance and regulatory risk questions and concerns through a demonstrable understanding of the data used in reporting and decision making.
Three years ago as we entered the COVID era, businesses that were prepared or quick to react to the circumstances emerged the strongest. As we enter the latest chapter of economic uncertainty, we as business leaders have a responsibility to protect our shareholders, customers and employees. For our businesses to emerge on the other side stronger than ever, our responsibility is to evaluate our organization’s risk and ensure ongoing business resiliency for long-term success and sustained growth.
How We Can Help
At Cherry Bekaert, our goal is to help clients protect value, power performance, and build financial and operational resilience. Increased volatility in the business and regulatory environment is a strong incentive to mature your organization’s risk management program. Let Cherry Bekaert guide you through a comprehensive risk assessment, evaluating internal controls, cybersecurity and incident response plans, and risk data aggregation programs. For more information on establishing or enhancing your organization’s risk program, contact Cherry Bekaert’s Risk & Accounting Advisory practice or your Cherry Bekaert advisor.