Top Priorities for Internal Audit in Financial Services Organisations Discussing the Key Financial Services Industry Results from the 2016 Internal Audit Capabilities and Needs Survey


Introduction

Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement, and help to stimulate the sharing of leading practices throughout the profession. The 2016 report that follows describes the outlook of internal audit leaders within the financial services industry. For the first time in many years, this survey reflects the views of internal audit professionals during a time when the global economy and its financial system were recovering from the global financial crisis. The risk landscape it paints therefore reflects people's risk perceptions in a newly evolving world.

The findings discussed in our paper are based on responses from nearly 300 chief audit executives (CAEs) and internal audit professionals in the US financial services industry. In the opinion of these respondents, cybersecurity represented the greatest area for internal audit functions to address. We have devoted one entire section of this report to the increasing attention that cybersecurity continues to garner. But this is far from the only area internal audit organisations seek to improve as they look forward to the coming year. A few areas that organisations prioritised as particularly acute challenges include:

• Agile Risk Management

• Model Risk Management & Data Analytics

• Mobile Applications

Michael Thor is a Managing Director with Protiviti and leads the firm's North American Internal Audit practice.

It is a near certainty that financial institutions will suffer cyber-related outages in the next few years; the key issue is how they respond and recover.

Cybercrime Concerns Dominate

Chief among the issues identified this year is technology risk, because of growing concerns about cybercrime and the vulnerability of outdated systems to outages and attack. Escalation in the frequency and sophistication of cyberattacks, as well as the increased regulatory scrutiny around ensuring firms have adequate cyber-risk programs in place, have driven this risk to the top of the list.[1] Exacerbating this is a growing reliance on old and overly complicated IT systems, which are more susceptible to security breaches and unpredictable outages that can cause disruption. A major challenge is that financial services firms are playing catch-up in a technology environment that continues to evolve rapidly.

As financial institutions rely to an even greater extent on technology (see "Mobile Applications Challenge" on page 3), they also need to be concerned with risks arising from third-party outsourcing and off-shoring activities. Vendors' different, and possibly less stringent, security standards could create the potential for data loss or leakage. This increases the risk of a firm losing control of parts of its operations as supply chains get longer and more complex.

As financial institutions grow even more reliant on digital technology, the severity of a potential cyber breach increases exponentially. Cybersecurity has traditionally been the responsibility of the chief security officer and/or the chief information officer; however, risk management and internal audit have a key role to play in securing the organisation by working closely with senior management to ensure cybersecurity is embedded into the enterprise.

Agile Risk Management: Incorporating Risk Appetite and Risk Culture into the Third Line of Defence

In the immediate aftermath of the financial crisis, financial institutions, especially banks, invested a great deal of time, energy and money in developing more robust risk management functions focused on identifying and negating emerging risks. Although the perceived threat has fallen slightly, the responses we received suggest still more needs to be done to meet both the demands of the modern environment and the heightened expectations of regulators. Firms have recognised that they need to become more efficient in managing risk, compliance and internal audit requirements. Dealing with the myriad regulatory demands and changes in the operating environment requires firms to have agile and effective risk management and compliance functions that operate more like business functions, providing value by being agile, responsive and more forward-looking. Equally, firms need to maintain their focus on integrating risk appetite and risk culture into their organisations to create a risk-aware environment that allows an agile risk management philosophy to flourish. Even for those firms that have embraced the concept, integrating and embedding risk culture into the entire enterprise is a constant challenge. A greater challenge for internal audit is recognising its role within an agile risk management philosophy and how it can assist in reinforcing and independently testing both risk appetite and risk culture in their organisations.

[1] The 2015 annual report by the Financial Stability Oversight Council said that although US banks and financial businesses have been leaders in erecting barriers to hackers, cyberattacks still present a potential systemic danger: www.treasury.gov/initiatives/fsoc/studies-reports/Documents/2015%20FSOC%20Annual%20Report.pdf

Increasing reliance on and complexity of models, especially in the area of stress testing, has driven increased demand for resources with the knowledge and skills to address the risks associated with the use of these same models.

Model Risk Management

Internal auditors have ranked model risk management as one of the top areas where they need to improve their technical knowledge – and for good reason. The internal audit function is tasked with verifying that financial institutions have a comprehensive model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Having internal audit staff with the competence and skillset to provide effective challenge to the first- and second-line functions that use and provide oversight of the models, and of overall model risk management, continues to be a challenge for financial institutions, especially those that do not have the scale to support an in-house team of model professionals within the internal audit function.

As organisations continue to increase the use and complexity of models, and with increasing regulatory focus on stress testing, already scarce modelling skillsets are in even greater demand.

Mobile is lauded for its ability to connect organisations with consumers, but it brings its own unique challenges and risks to the organisation.

Mobile Applications Challenge

Continuing with the earlier technology trend, the survey shows a clear focus on auditing risks related to the development, management and use of mobile applications within financial services institutions. Mobile banking and mobile payments are exploding in popularity as financial institutions respond to demands from their customers to offer more convenience through mobile channels. The speed of change, the introduction of new third parties offering mobile services, and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms, as well as for the internal audit functions that have to help the organisation navigate the risks presented by these new channels, processes and technologies.

The Changing Internal Audit Environment

Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs Survey showed that the focus of the entire industry was mainly on regulatory compliance – from stress testing requirements to the broader concerns over compliance with the various regulations being issued under the Dodd-Frank Act. Even though internal auditors are continuing to grapple with regulatory compliance, an increasing focus is being placed on ensuring that programs that have already been implemented, such as risk appetite and risk culture, are being embedded into the organisation, as well as on looking ahead to adopting a more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing on firms' cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors for improving their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as an area for greater attention.

Unlocking the Power of Data to Help Manage Risk

Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle with. The industry agrees that data analysis holds great promise; however, how to effectively deploy and utilise expanding data analysis capabilities to harness the power of advanced analytics remains a challenge for most internal audit organisations. That said, the use of analytics by internal audit functions continues to evolve, driven by internal audit functions' desire to make informed decisions based on data from key risk indicators in the various lines of business, to help them dedicate their audit hours and testing more efficiently and effectively. The more advanced firms report that they are implementing aids such as visualisation tools and continuous monitoring, accessing enterprisewide data, and running analytics to help them better understand where the biggest risks exist.

Impacts on Internal Audit

The role of internal audit – the third line of defence – is changing. Under the US Office of the Comptroller of the Currency (OCC) Heightened Standards for Large Financial Institutions,[2] the role of internal audit is to opine on the readiness and design of risk management systems' corporate governance structures, including risk culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within the topics above.

Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

2016 Internal Audit Concerns

Further areas of concern that firms need to consider in developing their 2016 audit plans include:

• Development of dynamic risk assessment and audit planning

• Talent management and acquisition

• Reliance across the three lines of defence

• Assessing effective risk management

• Vendor management

• Communication with stakeholders

[2] www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf

About the Internal Audit Capabilities and Needs Survey

This year, the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge, and personal skills and capabilities. Respondents from US financial services companies were also asked to assess industry-specific skills.

The results, based on information provided by all respondents (who numbered more than 1,300), are contained within the master report (available at www.protiviti.com/IASurvey). In addition to the overall findings, Protiviti collected and analysed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights about the unique issues within their domains.

Everyone, from individuals to large businesses, is at high risk of cybercrime – identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling against cyber criminals on the front line.

Cyber risk is recognised around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology exponentially increases the risk and the potential severity of cyberattacks for financial services firms.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Cybersecurity and the Audit Process

"An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed."

– Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti's IT Consulting practice.

James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknowns are when an attack will happen and whether the firm is prepared for the counterattack, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework[3] as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities with auditing IT security.

Most companies are beyond that thinking: it is not a matter of if they are attacked, it's when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised and that it has a robust response plan in place."

One of the most important aspects of any firm's cybersecurity plan is identifying its key assets – the proverbial crown jewels.[4] "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here, www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence", www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf

Having the right response plan in place is crucial to being able to mitigate the damage to the organisation and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team – the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST, but the degree of compliance varies between organisations. Firms that conduct business with the US government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within – from their own employees – or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour with which they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially where it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric – global banks often prefer an internationally recognised framework. "Traditionally, these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.

Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness.[5] This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6]

"The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether the cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a 'baseline' level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool."

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank's technologies and connections, delivery channels, products and services, organisational characteristics, and external threats – notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing them, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf

Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan based on the risk it represents to your organisation.

6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002.

8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.

Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4

Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other requirements, these rules mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, “Supervisory Guidance on Model Risk Management.” At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, “Supervisory Guidance on Model Risk Management.” Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis on these changes, Protiviti has published several articles, including “Reducing Risk Through Model Validation,” “Model Governance and Effective Risk Management” and “Building Confidence in ALLL Models – a Timely Practice” (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. “Many medium-size banks do not have the skills on board necessary to build or validate models,” Dil observes. “For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures.”

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g. quantitative) expertise and talent.[10]

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.

[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article “Complying with the New Supervisory Guidance on Model Risk” in the February 2012 issue of The RMA Journal.


Internal audit teams are challenged with having the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.[11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls[12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.

[12] Mitigating controls may include the following: (a) restriction of use; (b) limited scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticised asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources, and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR and that all risks are modelled appropriately.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators, and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools

“[Internal auditors] are implementing the use of visualisation tools and continuous monitoring; they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist.”

– Barbi Goldstein, Managing Director

[13] Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since the survey showed that at the moment firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring; they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan.”

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

“Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation.”

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

“Many organisations are beginning to change their vision for risk management,” says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. “Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture.”

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure labels: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence, and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management at the centre, surrounded by Operational Excellence, Aligned Organisation and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

“Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti's Risk & Compliance practice. “This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended.”

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees, and the risk and regulatory environment.


Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which include the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

[14] www.bis.org/bcbs/publ/d328.pdf

[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013 only 37 percent of respondents noted that they evaluated risk culture while only 28 percent said that they believed risk culture is fully integrated into their respective organisations16

ldquoThrough internal employee surveys some firms are trying to analyse today how their risk culture is being embedded in the organisation to see how well their employees understand the risk culturerdquo says Protiviti Managing Director James McDonald ldquoThe fact that firms need to do so shows it is a challenge The CEO can state that the company is going to do the right things and live within its risk appetite but that message needs to be continually reinforced Firms need to empower employees and provide them with examples of what good behaviour looks like such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issuerdquo

Another impediment to integrating risk culture can be pushback from employees who are resistant to change Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour ndash taking compensation from people who misbehave or break limits ndash rather than rewarding employees that are beacons of good culture That is a backward-looking behaviour modification more so than incentivizing proper future behaviour ldquoThose employees who raise their hands when they have an issue with the issue then being debated and escalated and addressed as appropriate need to be rewardedrdquo adds McDonald

Maintaining the consistency of risk culture messaging throughout the enterprise in all locations is a major barrier to the effectiveness of risk culture in large financial services firms Organisations can stage all-hands town hall staff meetings to reinforce this messaging but it has to have the support of the board and executive management who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm Risk culture also needs to grow and change with the organisation as it evolves providing an additional challenge for firms to maintain consistency in their risk culture messaging

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. The guidelines state that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

¹⁶ Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf

25 Top Priorities for Internal Audit in Financial Services Organisations

Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

[Graphic: Culture at the centre, linking Performance Management, Risk Management, Business Strategy and Risk Appetite]

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source), and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm's risk culture messaging through their existing audits.”

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”¹⁷

¹⁷ Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,¹⁸ the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

¹⁸ Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf
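The tolerance-and-threshold structure described above is simple to operationalise, and an auditor reviewing a framework can ask to see the exact rule that turns a period's observation into a status. What follows is an added example, not code from the paper, the FSB or Protiviti: a small Python monitor that evaluates each metric against its tolerance (early warning) and threshold (hard limit), handles floors such as a liquidity ratio where the lower value is the breach, treats a metric that was not reported in the period as a finding in its own right, and rejects limits configured on the wrong side of each other. The metric names, owners, limits and observations are constructed for illustration only.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Mapping, Optional, Tuple


class Status(Enum):
    GREEN = "within appetite"
    AMBER = "tolerance exceeded, monitor"
    UNREPORTED = "not measured this period"
    RED = "threshold breached, escalate"


# Severity order used to roll individual results up to one overall status.
# An unmeasured KRI ranks above amber: a metric nobody reported is itself a
# finding against the "monitored frequently" requirement.
SEVERITY = [Status.GREEN, Status.AMBER, Status.UNREPORTED, Status.RED]


@dataclass(frozen=True)
class RiskMetric:
    """One risk appetite metric or KRI with its tolerance and threshold."""
    name: str
    owner: str                    # LOB or support function accountable for it
    tolerance: float              # early-warning level (amber)
    threshold: float              # hard limit taken from the RAS (red)
    higher_is_worse: bool = True  # False for floors such as a liquidity ratio

    def __post_init__(self) -> None:
        # A tolerance on the wrong side of its threshold would make amber
        # unreachable, so reject the configuration when it is loaded.
        if self.higher_is_worse and not self.tolerance < self.threshold:
            raise ValueError(f"{self.name}: tolerance must be below threshold")
        if not self.higher_is_worse and not self.tolerance > self.threshold:
            raise ValueError(f"{self.name}: tolerance must be above threshold")

    def evaluate(self, value: Optional[float]) -> Status:
        """Map one observation onto the green/amber/red bands."""
        if value is None:
            return Status.UNREPORTED
        if self.higher_is_worse:
            if value >= self.threshold:
                return Status.RED
            return Status.AMBER if value >= self.tolerance else Status.GREEN
        if value <= self.threshold:
            return Status.RED
        return Status.AMBER if value <= self.tolerance else Status.GREEN


def assess(metrics: List[RiskMetric],
           observations: Mapping[str, float]) -> Dict[str, Status]:
    """Evaluate every metric in the framework against this period's values."""
    return {m.name: m.evaluate(observations.get(m.name)) for m in metrics}


def escalations(metrics: List[RiskMetric],
                results: Mapping[str, Status]) -> List[Tuple[str, str, Status]]:
    """Everything that is not green, with the owner who has to answer for it."""
    owner = {m.name: m.owner for m in metrics}
    return [(name, owner[name], status)
            for name, status in results.items() if status is not Status.GREEN]


def overall(results: Mapping[str, Status]) -> Status:
    """Worst status across the framework, for the board-level summary."""
    return max(results.values(), key=SEVERITY.index)


def rejects_misconfigured_limits() -> bool:
    """True if a tolerance above its (higher-is-worse) threshold is refused."""
    try:
        RiskMetric("bad_metric", "nobody", 30.0, 25.0)
    except ValueError:
        return True
    return False


# Constructed sample framework: illustrative metric names, owners and limits,
# not figures from the paper or from any real institution.
SAMPLE_METRICS = [
    RiskMetric("single_name_concentration_pct_tier1", "Corporate Banking", 20.0, 25.0),
    RiskMetric("liquidity_coverage_ratio_pct", "Treasury", 110.0, 100.0, higher_is_worse=False),
    RiskMetric("operational_losses_ytd_musd", "Operations", 8.0, 12.0),
    RiskMetric("high_rated_audit_issues_past_due", "All LOBs", 5.0, 10.0),
    RiskMetric("mortgage_90dpd_pct", "Mortgage", 3.0, 4.5),
]

# Constructed observations for one reporting period.
SAMPLE_OBSERVATIONS = {
    "single_name_concentration_pct_tier1": 22.4,  # over tolerance, under threshold
    "liquidity_coverage_ratio_pct": 96.0,         # below the hard floor
    "operational_losses_ytd_musd": 3.1,
    "high_rated_audit_issues_past_due": 10,
    # mortgage_90dpd_pct deliberately absent: not reported this period
}


def sample_report():
    """Run the sample framework and return (results, escalations, overall)."""
    results = assess(SAMPLE_METRICS, SAMPLE_OBSERVATIONS)
    return results, escalations(SAMPLE_METRICS, results), overall(results)


if __name__ == "__main__":
    results, todo, worst = sample_report()
    for name, status in results.items():
        print(f"{name:40s} {status.value}")
    for name, owner, status in todo:
        print(f"escalate {name} to {owner}: {status.value}")
    print("overall:", worst.value)
```

The point an auditor can take from the structure is that each band is a documented decision: who owns the metric, which direction counts as a breach, what happens when the number is simply missing, and that the rollup cannot hide a red behind several greens.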


Risk appetite metrics cannot simply be developed by the board and senior management and then pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework:

[Graphic: Effective Risk Appetite Statement, with its eight attributes]

Informed – The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative – The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals – The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking – The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused – The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative – The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks – The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported – The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, in which the issuer is contacted to verify the cardholder's identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based on all of the data they have related to the account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be used to match against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
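The monitoring described in the paragraph above, matching a new transaction against the account's past behaviour including device location, can be illustrated with a few concrete checks. The example below is added here and is not code from Protiviti or from any banking platform: it takes a constructed transaction history for one customer and flags a new payment for impossible travel since the previous one, for a location unlike any the customer has used before, and for an amount far outside their usual spend. The speed limit, familiarity radius and amount multiplier are assumptions chosen for the example, as is the sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import median
from typing import Dict, List

# Tuning assumptions for this example; a real programme calibrates these per
# customer segment and channel from its own data.
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airline speed between two card uses
FAMILIAR_RADIUS_KM = 150.0        # "near somewhere the customer has paid before"
AMOUNT_MULTIPLIER = 5.0           # amount this many times the customer's median


@dataclass(frozen=True)
class Transaction:
    when: datetime
    lat: float       # device-reported location at the time of the payment
    lon: float
    amount: float
    merchant: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def alerts_for(history: List[Transaction], txn: Transaction) -> List[str]:
    """Reasons a new transaction looks inconsistent with the account's past."""
    if not history:
        return ["no history: apply new-account controls"]
    prior = sorted(history, key=lambda t: t.when)
    reasons: List[str] = []

    # 1. Impossible travel relative to the most recent transaction.
    last = prior[-1]
    dist = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
    hours = (txn.when - last.when).total_seconds() / 3600.0
    if hours <= 0 and dist > 1.0:
        reasons.append(f"impossible travel: {dist:.0f} km apart at the same time")
    elif hours > 0 and dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")

    # 2. Location unlike anywhere the customer has transacted before.
    nearest = min(haversine_km(t.lat, t.lon, txn.lat, txn.lon) for t in prior)
    if nearest > FAMILIAR_RADIUS_KM:
        reasons.append(f"unfamiliar location: {nearest:.0f} km from any past transaction")

    # 3. Amount far outside the customer's usual spend.
    typical = median(t.amount for t in prior)
    if txn.amount > AMOUNT_MULTIPLIER * typical:
        reasons.append(f"amount {txn.amount:.2f} exceeds {AMOUNT_MULTIPLIER:.0f}x median {typical:.2f}")
    return reasons


# Constructed history for one customer who normally transacts around Chicago.
_T0 = datetime(2016, 5, 2, 9, 0)
SAMPLE_HISTORY = [
    Transaction(_T0, 41.88, -87.63, 42.10, "grocery, Chicago"),
    Transaction(_T0 + timedelta(days=1), 41.90, -87.65, 18.75, "coffee, Chicago"),
    Transaction(_T0 + timedelta(days=2), 41.85, -87.62, 120.00, "fuel, Chicago"),
    Transaction(_T0 + timedelta(days=3), 42.36, -87.84, 65.30, "restaurant, Waukegan"),
]


def sample_results() -> Dict[str, List[str]]:
    """Score three constructed candidate payments against SAMPLE_HISTORY."""
    candidates = {
        "chicago_routine": Transaction(
            _T0 + timedelta(days=4), 41.88, -87.63, 35.00, "pharmacy, Chicago"),
        "milwaukee_drive": Transaction(
            _T0 + timedelta(days=3, hours=3), 43.04, -87.91, 80.00, "hotel, Milwaukee"),
        "london_two_hours_later": Transaction(
            _T0 + timedelta(days=3, hours=2), 51.51, -0.13, 900.00, "electronics, London"),
    }
    return {name: alerts_for(SAMPLE_HISTORY, txn) for name, txn in candidates.items()}


if __name__ == "__main__":
    for name, reasons in sample_results().items():
        print(name, "->", reasons or ["no alert"])
```

Each reason string is written so that a reviewer of the alert, or an auditor sampling alerts later, can see which rule fired and on what numbers; the "milwaukee_drive" case is the deliberately benign neighbour that a cruder distance-only rule would catch.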

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, as it continues to transition from magnetic stripe cards to EMV or chip-and-PIN enabled cards, that poses a potential problem for retailers: the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by their organisations, and that their firms are considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINAYves Davila+541140013124yvesdavilaprotivitiglobalcompe

CHINA (MAINLAND)Chris Low+862151536900chrislowprotiviticom

CANADADavid Dawson+16472884886daviddawsonprotiviticom

CHILESoraya Boada+56225738580sorayaboadaprotivitiglobalcl

CHINA (HONG KONG)Albert Lee+85222380499albertleeprotiviticom

FRANCEBernard Drui+33142962277druiprotivitifr

NETHERLANDSAnneke Wieling+31203460400annekewielingprotivitinl

OMANShatha Al Maskiry+968 24699402shathamaskiryprotivitiglobalme

MEXICORoberto Abad+525553429100robertoabadprotivitiglobalcommx

GERMANYMichael Klinger+4969963768155michaelklingerprotivitide

KUWAITSanjeev Agarwal+96522426444kuwaitprotivitiglobalme

or

Rakesh Kabra+96522426444kuwaitprotivitiglobalme

PERUMarco Loayza+5112081070marcoloayzaprotivitiglobalcompe

AUSTRALIAGary Anderson+61399481200garyandersonprotiviticomau

INDIASanjeev Agarwal+911246618600sanjeevagarwal1protivitiglobalin

QATARAndrew North+97444215300andrewnorthprotivitiglobalme

BAHRAINArvind Benani+97317100050arvindbenaniprotivitiglobalme

ITALYAlberto Carnevale+390265506301albertocarnevaleprotivitiit

SAUDI ARABIASaad Al Sabti+966112930021saadalsabtiprotivitiglobalme

BRAZILRaul Silva+551121984200raulsilvaprotivitiglobalcombr

JAPANHyo Kambayashi+81352196600hyokambayashiprotivitijp

SINGAPORESidney Lim+6562206066sidneylimprotiviticom

SOUTH AFRICAFana Manana+27112310600fanamsngzacom

UNITED ARAB EMIRATESArindam De+97144380660arindamdeprotivitiglobalme

UNITED KINGDOMPeter Richardson+442079308808peterrichardsonprotiviticouk

UNITED STATES Cory GundersonManaging DirectorGlobal Leader Financial Services Industry Practice+12127086313corygundersonprotiviticom

VENEZUELAGamal Perez+582124184646gamalperezprotivitiglobalcomve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES

Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston,

Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento,

Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA

Buenos Aires

BRAZIL

Rio de Janeiro, São Paulo

CANADA

Kitchener-Waterloo, Toronto

ASIA-PACIFIC

AUSTRALIA

Brisbane, Canberra, Melbourne, Sydney

CHINA

Beijing, Hong Kong, Shanghai, Shenzhen

INDIA

Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN

Osaka, Tokyo

SINGAPORE

Singapore

CHILE

Santiago

MEXICO

Mexico City

PERU

Lima

VENEZUELA

Caracas

EUROPE / MIDDLE EAST / AFRICA

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN

Manama

KUWAIT

Kuwait City

OMAN

Muscat

SOUTH AFRICA

Johannesburg

QATAR

Doha

SAUDI ARABIA

Riyadh

UNITED ARAB EMIRATES

Abu Dhabi Dubai


• Agile Risk Management

• Model Risk Management & Data Analytics

• Mobile Applications

Michael Thor is a Managing Director with Protiviti and leads the firm's North American Internal Audit practice.


"It is a near certainty that financial institutions will suffer cyber-related outages in the next few years; the key issue is how they respond and recover."

Cybercrime Concerns Dominate

Chief among the issues identified this year is technology risk, because of growing concerns about cybercrime and the vulnerability of outdated systems to outages and attack. Escalation in the frequency and sophistication of cyberattacks, as well as the increased regulatory scrutiny around ensuring firms have adequate cyber-risk programs in place, have driven this risk to the top of the list.[1] Exacerbating this is a growing reliance on old and overly complicated IT systems, which are more susceptible to security breaches and unpredictable outages that can cause disruption. A major challenge is that financial services firms are playing catch-up in a technology environment that continues to evolve rapidly.

As financial institutions rely to an even greater extent on technology (see "Mobile Applications Challenge" on page 3), they also need to be concerned with risks arising from third-party outsourcing and off-shoring activities. Vendors' different, and possibly less stringent, security standards could create the potential for data loss or leakage. This increases the risk of a firm losing control of parts of its operations as supply chains get longer and more complex.

As financial institutions grow even more reliant on digital technology, the severity of a potential cyber breach increases exponentially. Cybersecurity has traditionally been the responsibility of the chief security officer and/or the chief information officer; however, risk management and internal audit have a key role to play in securing the organisation by working closely with senior management to ensure cybersecurity is embedded into the enterprise.

Agile Risk Management: Incorporating Risk Appetite and Risk Culture into the Third Line of Defence

In the immediate aftermath of the financial crisis, financial institutions, especially banks, have invested a great deal of time, energy and money on developing more robust risk management functions focused on identifying and negating emerging risks. Although the perceived threat has fallen slightly, the responses we received suggest still more needs to be done to meet both the demands of the modern environment and the heightened expectations of regulators. Firms have recognised that they need to become more efficient in managing risk, compliance and internal audit requirements. Dealing with the myriad regulatory demands and changes in the operating environment requires firms to have agile and effective risk management and compliance functions that operate more like business functions, providing value through being agile, responsive and more forward-looking. Equally, firms need to maintain their focus on integrating risk appetite and risk culture into their organisations to create a risk-aware environment that allows an agile risk management philosophy to flourish. Even for those firms that have embraced the concept, integrating and embedding risk culture into the entire enterprise is a constant challenge. A greater challenge for internal audit is recognising its role within an agile risk management philosophy and how it can assist in reinforcing and independently testing both risk appetite and risk culture in the organisation.

[1] The 2015 annual report by the Financial Stability Oversight Council said that although US banks and financial businesses have been leaders in erecting barriers to hackers, cyberattacks still present a potential systemic danger. www.treasury.gov/initiatives/fsoc/studies-reports/Documents/2015%20FSOC%20Annual%20Report.pdf


"Increasing reliance on, and complexity of, models, especially in the area of stress testing, has driven increased demand for resources with the knowledge and skills to address the risks associated with the use of these same models."

Model Risk Management

Internal auditors have ranked model risk management one of the top areas where they need to improve their technical knowledge – and for good reason. The internal audit function is tasked with verifying that financial institutions have a comprehensive model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Having internal audit staff with the competence and skillset to provide effective challenge to the first- and second-line functions that use and oversee the models, and to overall model risk management, continues to be a challenge for financial institutions, especially those that do not have the scale to support an in-house team of model professionals within the internal audit function.

As organisations continue to increase the use and complexity of models, and with increasing regulatory focus on stress testing, already scarce modelling skillsets are in even greater demand.

"Mobile is lauded for its ability to connect organisations with consumers, but it brings its own unique challenges and risks to the organisation."

Mobile Applications Challenge

Continuing with the earlier technology trend, the survey shows a clear focus on auditing risks related to the development, management and use of mobile applications within financial services institutions. Mobile banking and mobile payments are exploding in popularity as financial institutions respond to demands from their customers to offer more convenience through mobile channels. The speed of change, the introduction of new third parties offering mobile services, and the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms, as well as for the internal audit functions that have to help the organisation navigate the risks presented by these new channels, processes and technologies.

The Changing Internal Audit Environment

Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs Survey showed that the focus of the entire industry was mainly on regulatory compliance – from stress testing requirements to the broader concerns over compliance with the various regulations being issued under the Dodd-Frank Act. Even though internal auditors are continuing to grapple with regulatory compliance, an increasing focus is being placed on ensuring programs that have already been implemented, such as risk appetite and risk culture, are being embedded into the organisation, as well as on looking ahead to adopting a more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing on firms' cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors for improving their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as an area for greater attention.


Unlocking the Power of Data to Help Manage Risk

Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle with. The industry agrees that data analysis holds great promise; however, how to effectively deploy and utilise expanding data analysis capabilities to harness the power of advanced analytics remains a challenge to most internal audit organisations. That said, the use of analytics by internal audit functions is continuing to evolve, driven by internal audit functions' desire to make informed decisions on data from key risk indicators in the various lines of business to help them dedicate their audit hours and testing more efficiently and effectively. The more advanced firms report that they are implementing the use of aids such as visualisation tools and continuous monitoring, accessing enterprisewide data, as well as running analytics to help them better understand where the biggest risks exist.

Impacts on Internal Audit

The role of internal audit – the third line of defence – is changing. Under the US Office of the Comptroller of the Currency (OCC) Heightened Standards for Large Financial Institutions,[2] the role of internal audit is to opine on the readiness and design of risk management systems' corporate governance structures, including risk culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within the topics above.

Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

2016 Internal Audit Concerns

Further areas of concern that firms need to consider in developing their 2016 audit plans include:

• Development of dynamic risk assessment and audit planning

• Talent management and acquisition

• Reliance across the three lines of defence

• Assessing effective risk management

• Vendor management

• Communication with stakeholders

[2] www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf


About the Internal Audit Capabilities and Needs Survey

This year, the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process; general technical knowledge; audit process knowledge; and personal skills and capabilities. Respondents from US financial services companies were also asked to assess industry-specific skills.

The results based on information provided by all respondents (who numbered more than 1,300) are contained within the master report (available at www.protiviti.com/IASurvey). In addition to the overall findings, Protiviti collected and analysed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights about the unique issues within their domains.


Everyone from individuals to large businesses is at high risk of cybercrime – identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling against cyber criminals on the frontline.

Cyber risk is recognised around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology exponentially increases the risk and the potential severity of cyberattacks for financial services firms.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Cybersecurity and the Audit Process

"An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed."

– Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti's IT Consulting practice.

James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknown is when an attack will happen and if the firm is prepared for the counterattack, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework[3] as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities with auditing IT security.

Most companies are beyond thinking in terms of if they are attacked; it's a matter of when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised and that it has a robust response plan in place."

One of the most important aspects to any firm's cybersecurity plan is identifying its key assets – the proverbial crown jewels.[4] "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here? www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence". www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf


Having the right response plan in place is crucial to be able to mitigate the damage to the organisation and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team – the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST, but the degree of compliance varies between organisations. Firms that conduct business with the US government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within, from their own employees, or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric – global banks often prefer an internationally recognised framework. "Traditionally, these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.


Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness.[5] This includes high-level guidance for firms to take appropriate risk mitigation steps, including: conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6]

"The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether the cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a 'baseline' level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool."

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank's technologies and connections, delivery channels, products and services, organisational characteristics and external threats – notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by its peers to ensure it is prepared to handle those types of emerging risks.

With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up-to-date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002.

8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will still monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST and organisations with assets of $50 billion or more through CCAR Note that many organisations must comply with both The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and qualitative basis

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR) Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and identification of key counterparty vulnerabilities

Producing such calculations is a complex undertaking which calls for extensive governance and new processes Regulators have made it clear that data completeness and data quality are crucial and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports

In addition banks are working quickly to develop models that can be used to create the necessary projections and calculations The models are sophisticated and must be tested and shown to be capable of producing suitable results

As with other models the CCARDFAST models must be developed implemented governed and validated per SR 11-7 and OCC 2011-12 ldquoSupervisory Guidance on Model Risk Managementrdquo Each new model must be separately validated prior to being used Midsize banks may have dozens of new models for stress testing purposes and large banks may have hundreds

7 For more comprehensive analysis on these changes Protiviti has published several articles including ldquoReducing Risk Through Model Validationrdquo ldquoModel Governance and Effective Risk Managementrdquo and ldquoBuilding Confidence in ALLL Models ndash a Timely Practicerdquo (available at wwwprotiviticom)

8 wwwfederalreservegovbankinforegbcreg20130819a1pdf9 wwwfederalreservegovbankinforegsrletterssr1403pdf


[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validations) in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g., quantitative) expertise and talent.[10]

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged with having the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.[11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, and bank management and the board of directors, to manage model risk and apply mitigating controls[12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholders during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of a complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.

[12] Mitigating controls may include the following: (a) restriction of use; (b) limited scope validation


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Current Expected Credit Loss (CECL) | 2.2 |
| 2 | Stress testing (CCAR/DFAST) | 2.4 |
| 3 | Derivatives and securities | 2.4 |
| 4 | Derivatives and hedging | 2.4 |
| 5 | Mergers and acquisitions due diligence | 2.7 |
| 6 (tie) | Wholesale products | 2.3 |
| 6 (tie) | International regulation | 2.2 |
| 6 (tie) | Capital markets planning | 2.4 |
| 9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6 |
| 9 (tie) | Criticised asset management | 2.4 |

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness review of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit review of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.


Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to conduct more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

[13] Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf


Audit Process Knowledge (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Data Analysis Tools – Statistical Analysis | 3.5 |
| 2 | Auditing IT – program development | 3.0 |
| 3 | Auditing IT – security | 3.1 |
| 4 (tie) | Auditing IT – continuity | 3.2 |
| 4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2 |
| 6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2 |
| 6 (tie) | Fraud – fraud detection/investigation | 3.2 |
| 6 (tie) | Assessing risk – emerging issues | 2.2 |
| 9 | Audit planning – process, location, transaction level | 3.5 |
| 10 | Operational auditing – risk-based approach | 2.4 |

It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree to be able to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since, as the survey showed, firms at the moment only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Agile risk and compliance | 2.2 |
| 2 | Internet of Things | 2.7 |
| 3 (tie) | NIST Cybersecurity Framework | 2.3 |
| 3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7 |
| 5 (tie) | ISO 14000 (environmental management) | 2.1 |
| 5 (tie) | ISO 27000 (information security) | 2.7 |
| 7 | Mobile applications | 2.3 |
| 8 (tie) | International Financial Reporting Standards (IFRS) | 2.2 |
| 8 (tie) | Country-specific enterprise risk management framework | 2.9 |
| 10 (tie) | Assurance around outsourced service providers | 2.6 |
| 10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3 |

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure labels: Unsustainable Costs; Significant Fines – $100B; Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

[14] www.bis.org/bcbs/publ/d328.pdf

[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole, rather than for themselves or only their business lines."

[16] Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf

25 Top Priorities for Internal Audit in Financial Services Organisations

Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other. In effect, it balances the push between strategy and risk appetite.

[Figure: risk culture shown at the centre, linking Performance Management, Risk Management, Business Strategy and Risk Appetite]

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for alignment with the company's intended risk culture, but other areas also warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or that sit in "past due" status are often indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analysis is key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further and evaluate the origin of the breakdown, considering whether a risk appetite breach or an incentives problem (e.g. pressure to cut control corners in order to speed up cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm with the OCC's Heightened Standards, which require firms to show that they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments of how their company is aligned with the Heightened Standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite


Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the RAS should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOBs) for it to achieve its ultimate goal of aligning the enterprise's risks with stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is just as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite across business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."[17]

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate the motivations for taking on or avoiding certain types of risk, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.
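The following is an added example, not code from the report, from Protiviti or from the FSB, sketching how the cascade described above can be represented and checked. The metric names, LOBs, threshold values and observations are all constructed for illustration. It performs two checks an auditor would want: a design check on the framework itself (is every enterprise metric cascaded, and do the LOB limits add up to no more than the enterprise limit?) and an operating check that rates each LOB and the enterprise aggregate against its tolerance and limit and lists what needs escalation.

```python
"""Added example: cascading an enterprise RAS into LOB limits and monitoring
risk appetite metrics against tolerances and limits. Metric names, numbers
and LOBs are constructed for illustration only."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threshold:
    tolerance: float   # at or above: AMBER, inside appetite but watch closely
    limit: float       # at or above: RED, risk appetite breached

    def status(self, value: float) -> str:
        if value >= self.limit:
            return "RED"
        if value >= self.tolerance:
            return "AMBER"
        return "GREEN"


# Enterprise-level RAS thresholds. Both metrics are assumed to be additive
# across LOBs so that the cascade can be checked arithmetically.
ENTERPRISE_RAS: Dict[str, Threshold] = {
    "op_loss_12m_usd_m": Threshold(tolerance=40.0, limit=50.0),
    "past_due_high_issues": Threshold(tolerance=8, limit=10),
}

# The same metrics cascaded to business-unit limits (business-unit KRIs).
LOB_LIMITS: Dict[str, Dict[str, Threshold]] = {
    "op_loss_12m_usd_m": {
        "retail": Threshold(20.0, 25.0),
        "mortgage": Threshold(12.0, 15.0),
        "wealth": Threshold(10.0, 12.0),   # makes the cascade over-allocated (25+15+12 > 50)
    },
    "past_due_high_issues": {
        "retail": Threshold(3, 4),
        "mortgage": Threshold(3, 4),
        "wealth": Threshold(2, 2),
    },
}

# Constructed current-period observations per LOB.
OBSERVATIONS: Dict[str, Dict[str, float]] = {
    "op_loss_12m_usd_m": {"retail": 18.0, "mortgage": 14.0, "wealth": 11.0},
    "past_due_high_issues": {"retail": 2, "mortgage": 5, "wealth": 1},
}


def cascade_gaps(enterprise, lob_limits) -> Dict[str, str]:
    """Design check on the RAF: every enterprise metric must be cascaded, and
    the LOB limits must not add up to more than the enterprise limit, otherwise
    every LOB can be GREEN while the firm as a whole is outside appetite."""
    gaps = {}
    for metric, ent in enterprise.items():
        lobs = lob_limits.get(metric)
        if not lobs:
            gaps[metric] = "no LOB cascade"
            continue
        total = sum(t.limit for t in lobs.values())
        if total > ent.limit:
            gaps[metric] = f"LOB limits sum to {total}, enterprise limit {ent.limit}"
    return gaps


def evaluate(observations, enterprise, lob_limits) -> Dict[str, dict]:
    """Operating check: status of each LOB against its own limit, and of the
    aggregate against the enterprise RAS."""
    report = {}
    for metric, ent in enterprise.items():
        per_lob, total = {}, 0.0
        for lob, value in observations.get(metric, {}).items():
            total += value
            thr = lob_limits.get(metric, {}).get(lob)
            per_lob[lob] = thr.status(value) if thr else "NO_LIMIT"
        report[metric] = {"lobs": per_lob, "total": total, "enterprise": ent.status(total)}
    return report


def breaches(report) -> List[Tuple[str, str]]:
    """(metric, scope) pairs in RED status: the items that need escalation."""
    out = []
    for metric, r in report.items():
        out += [(metric, lob) for lob, st in r["lobs"].items() if st == "RED"]
        if r["enterprise"] == "RED":
            out.append((metric, "enterprise"))
    return out


if __name__ == "__main__":
    print("cascade gaps:", cascade_gaps(ENTERPRISE_RAS, LOB_LIMITS))
    rep = evaluate(OBSERVATIONS, ENTERPRISE_RAS, LOB_LIMITS)
    for metric, r in rep.items():
        print(metric, r)
    print("escalate:", breaches(rep))
```

The cascade check is the one worth remembering: if LOB limits are allocated independently and sum to more than the enterprise limit, every line of business can report green while the firm as a whole is outside its stated appetite. Non-additive metrics (concentration ratios, VaR) need a different aggregation rule, which is exactly the kind of assumption an audit of the RAF should surface.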

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front line.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts, to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture, with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to audit the strategic planning process to check that the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to stay within its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The list below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report Principles for An Effective Risk Appetite Framework:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers for more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a way that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging-technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is user authentication: making sure the user is who they say they are. When using any type of mobile payment application (Apple Pay and LoopPay are just two examples), the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in its account provisioning process, where the issuer is contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold on the account's past behaviour. Using geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against the customer's past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
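The following is an added example, not code from the report, from Protiviti or from any institution, that turns three of the controls raised above into runnable checks: session idle and absolute timeouts that force re-authentication, a step-up rule that refuses card provisioning unless the device is already enrolled for the user and MFA is fresh (so that socially engineered personal data alone is not enough), and a geo-velocity check that compares a new transaction's location against the customer's most recent prior transaction. The timeout values, the 900 km/h ceiling and every session, device and transaction are assumed or constructed for illustration.

```python
"""Added example: mobile-banking session and card-provisioning controls plus a
geo-velocity check. Policy values and all data are assumed/constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

IDLE_TIMEOUT = timedelta(minutes=5)      # assumed policy: re-authenticate after 5 min idle
ABSOLUTE_TIMEOUT = timedelta(hours=8)    # assumed policy: session dies 8 h after issue
STEP_UP_WINDOW = timedelta(minutes=10)   # assumed policy: MFA must be this fresh to provision
MAX_PLAUSIBLE_SPEED_KMH = 900.0          # assumed: faster than this is not travel


@dataclass
class Session:
    user: str
    device_id: str
    issued_at: datetime
    last_seen: datetime
    mfa_verified_at: Optional[datetime] = None


def session_state(s: Session, now: datetime) -> str:
    """ACTIVE, REAUTH_REQUIRED (idle too long) or EXPIRED (absolute lifetime hit)."""
    if now - s.issued_at > ABSOLUTE_TIMEOUT:
        return "EXPIRED"
    if now - s.last_seen > IDLE_TIMEOUT:
        return "REAUTH_REQUIRED"
    return "ACTIVE"


def may_provision_card(s: Session, now: datetime, enrolled: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Card provisioning is a high-risk action: require a live session, a device
    previously enrolled for this user, and a recent MFA step-up. Knowledge-based
    checks (name, address, card data) are deliberately not sufficient on their own."""
    if session_state(s, now) != "ACTIVE":
        return False, "session not active"
    if s.device_id not in enrolled.get(s.user, set()):
        return False, "device not enrolled for user"
    if s.mfa_verified_at is None or now - s.mfa_verified_at > STEP_UP_WINDOW:
        return False, "step-up MFA required"
    return True, "ok"


@dataclass
class Txn:
    at: datetime
    location: Tuple[float, float]   # (latitude, longitude) in degrees
    amount: float


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def geo_velocity_alert(history: List[Txn], new: Txn,
                       max_speed: float = MAX_PLAUSIBLE_SPEED_KMH) -> Optional[str]:
    """Compare the new transaction with the customer's most recent prior one and
    flag it if the implied travel speed is physically implausible."""
    if not history:
        return None                      # no baseline yet; other controls must carry this
    prev = max(history, key=lambda t: t.at)
    dist = haversine_km(prev.location, new.location)
    hours = (new.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return "out-of-order or simultaneous transaction" if dist > 0 else None
    speed = dist / hours
    if speed > max_speed:
        return f"implausible travel: {dist:.0f} km in {hours:.1f} h ({speed:.0f} km/h)"
    return None


# Constructed sample data (no real customers, devices or transactions).
NOW = datetime(2016, 5, 1, 12, 0)
ENROLLED: Dict[str, Set[str]] = {"cust-001": {"dev-A"}}
HISTORY = [Txn(datetime(2016, 5, 1, 10, 0), (41.88, -87.63), 42.10)]   # Chicago, 2 h earlier
MILWAUKEE_TXN = Txn(NOW, (43.04, -87.91), 15.00)                        # ~130 km away
LONDON_TXN = Txn(NOW, (51.51, -0.13), 300.00)                           # ~6,300 km away


def sample_session(device_id: str = "dev-A", minutes_idle: int = 2,
                   minutes_since_mfa: Optional[int] = 3) -> Session:
    """Build a session for cust-001 relative to NOW (helper for the demo and tests)."""
    mfa = None if minutes_since_mfa is None else NOW - timedelta(minutes=minutes_since_mfa)
    return Session("cust-001", device_id, NOW - timedelta(hours=1),
                   NOW - timedelta(minutes=minutes_idle), mfa)


if __name__ == "__main__":
    print(may_provision_card(sample_session(), NOW, ENROLLED))
    print(may_provision_card(sample_session(minutes_idle=10), NOW, ENROLLED))
    print(may_provision_card(sample_session(device_id="dev-Z"), NOW, ENROLLED))
    print(geo_velocity_alert(HISTORY, MILWAUKEE_TXN))
    print(geo_velocity_alert(HISTORY, LONDON_TXN))
```

Two points for the auditor reviewing such logic: the geo check compares against the customer's own history rather than a fixed geography, which is what "matching past transaction history" means in practice, and it returns nothing when there is no history, which is exactly the window a freshly provisioned fraudulent card sits in, so the provisioning step-up has to carry the risk there.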

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States, which is still transitioning from magnetic stripe cards to EMV (chip-and-PIN enabled) cards: this poses a potential problem for retailers, because liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank's reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams, or put in place new servicing teams with more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology to be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit in connecting more with the lines of business and management, as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and optimise existing resources, as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

By enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring that internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES

AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City San Francisco San Jose Seattle Stamford St Louis Tampa Washington DC WinchesterWoodbridge

ARGENTINA

Buenos Aires

BRAZIL

Rio de Janeiro Satildeo Paulo

CANADA

Kitchener-WaterlooToronto

ASIA-PACIFIC

AUSTRALIA

BrisbaneCanberraMelbourneSydney

CHINA

BeijingHong KongShanghaiShenzhen

INDIA

BangaloreHyderabadKolkata MumbaiNew Delhi

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

CHILE

Santiago

MEXICO

Mexico City

PERU

Lima

VENEZUELA

Caracas

EUROPEMIDDLE EASTAFRICA

FRANCE

Paris

GERMANY

Frankfurt, Munich

ITALY

Milan, Rome, Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN

Manama

KUWAIT

Kuwait City

OMAN

Muscat

SOUTH AFRICA

Johannesburg

QATAR

Doha

SAUDI ARABIA

Riyadh

UNITED ARAB EMIRATES

Abu Dhabi, Dubai


It is a near certainty that financial institutions will suffer cyber-related outages in the next few years; the key issue is how they respond and recover.

Cybercrime Concerns Dominate

Chief among the issues identified this year is technology risk, because of growing concerns about cybercrime and the vulnerability of outdated systems to outages and attack. Escalation in the frequency and sophistication of cyberattacks, as well as the increased regulatory scrutiny around ensuring firms have adequate cyber-risk programs in place, have driven this risk to the top of the list.[1] Exacerbating this is a growing reliance on old and overly complicated IT systems, which are more susceptible to security breaches and unpredictable outages that can cause disruption. A major challenge is that financial services firms are playing catch-up in a technology environment that continues to evolve rapidly.

As financial institutions rely to an even greater extent on technology (see "Mobile Applications Challenge" on page 3), they also need to be concerned with risks arising from third-party outsourcing and off-shoring activities. Vendors' different and possibly less stringent security standards could create the potential for data loss or leakage. This increases the risk of a firm losing control of parts of its operations as supply chains get longer and more complex.

As financial institutions grow even more reliant on digital technology, the severity of a potential cyber breach increases exponentially. Cybersecurity has traditionally been the responsibility of the chief security officer and/or the chief information officer; however, risk management and internal audit have a key role to play in securing the organisation by working closely with senior management to ensure cybersecurity is embedded into the enterprise.

Agile Risk Management: Incorporating Risk Appetite and Risk Culture into the Third Line of Defence

In the immediate aftermath of the financial crisis, financial institutions, especially banks, have invested a great deal of time, energy and money on developing more robust risk management functions focused on identifying and negating emerging risks. Although the perceived threat has fallen slightly, the responses we received suggest still more needs to be done to meet both the demands of the modern environment as well as the heightened expectations from regulators. Firms have recognised that they need to become more efficient in managing risk, compliance and internal audit requirements. Dealing with the myriad regulatory demands and changes in the operating environment requires firms to have agile and effective risk management and compliance functions that operate more like business functions, providing value through being agile, responsive and more forward-looking. Equally, firms need to maintain their focus on integrating risk appetite and risk culture into their organisations to create a risk-aware environment that allows an agile risk management philosophy to flourish. Even for those firms that have embraced the concept, integrating and embedding risk culture into the entire enterprise is a constant challenge. A greater challenge for internal audit is recognising its role within an agile risk management philosophy and how it can assist in reinforcing and independently testing both risk appetite and risk culture in the organisation.

[1] The 2015 annual report by the Financial Stability Oversight Council said that although US banks and financial businesses have been leaders in erecting barriers to hackers, cyberattacks still present a potential systemic danger: www.treasury.gov/initiatives/fsoc/studies-reports/Documents/2015%20FSOC%20Annual%20Report.pdf

Increasing reliance on, and complexity of, models, especially in the area of stress testing, has driven increased demand for resources with the knowledge and skills to address the risks associated with the use of these same models.

Model Risk Management

Internal auditors have ranked model risk management one of the top areas where they need to improve their technical knowledge, and for good reason. The internal audit function is tasked with verifying that financial institutions have a comprehensive model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Having internal audit staff with the competence and skillset to provide effective challenge to the first- and second-line functions that use and oversee the models, and to challenge overall model risk management, continues to be a challenge for financial institutions, especially those that do not have the scale to support an in-house team of model professionals within the internal audit function.

As organisations continue to increase the use and complexity of models, and with increasing regulatory focus on stress testing, already scarce modelling skillsets are in even greater demand.

Mobile is lauded for its ability to connect organisations with consumers, but it brings its own unique challenges and risks to the organisation.

Mobile Applications Challenge

Continuing with the earlier technology trend, the survey shows a clear focus on auditing risks related to the development, management and use of mobile applications within financial services institutions. Mobile banking and mobile payments are exploding in popularity as financial institutions respond to demands from their customers to offer more convenience through mobile channels. The speed of change, the introduction of new third parties offering mobile services, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms, as well as for the internal audit functions that have to help the organisation navigate the risks presented by these new channels, processes and technologies.

The Changing Internal Audit Environment

Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs Survey showed that the focus of the entire industry was mainly on regulatory compliance, from stress testing requirements to the broader concerns over compliance with the various regulations being issued under the Dodd-Frank Act. Even though internal auditors are continuing to grapple with regulatory compliance, an increasing focus is being placed on ensuring programs that have already been implemented, such as risk appetite and risk culture, are being embedded into the organisation, as well as looking ahead to adopting a more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing on firms' cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors for improving their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as an area for greater attention.

Unlocking the Power of Data to Help Manage Risk

Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle with. The industry agrees that data analysis holds great promise; however, how to effectively deploy and utilise expanding data analysis capabilities to harness the power of advanced analytics remains a challenge to most internal audit organisations. That said, the use of analytics by internal audit functions is continuing to evolve, driven by internal audit functions' desire to make informed decisions on data from key risk indicators in the various lines of business to help them dedicate their audit hours and testing more efficiently and effectively. The more advanced firms report that they are implementing the use of aids such as visualisation tools and continuous monitoring, accessing enterprisewide data, as well as running analytics to help them better understand where the biggest risks exist.

Impacts on Internal Audit

The role of internal audit, the third line of defence, is changing. Under the US Office of the Comptroller of the Currency (OCC) Heightened Standards for Large Financial Institutions,[2] the role of internal audit is to opine on the readiness and design of risk management systems' corporate governance structures, including risk culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within the topics above.

Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile applications, model risk and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

2016 Internal Audit Concerns

Further areas of concern that firms need to consider in developing their 2016 audit plans include:

• Development of dynamic risk assessment and audit planning

• Talent management and acquisition

• Reliance across the three lines of defence

• Assessing effective risk management

• Vendor management

• Communication with stakeholders

[2] www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf

About the Internal Audit Capabilities and Needs Survey

This year, the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge, and personal skills and capabilities. Respondents from US financial services companies were also asked to assess industry-specific skills.

The results, based on information provided by all respondents (who numbered more than 1,300), are contained within the master report (available at www.protiviti.com/IASurvey). In addition to the overall findings, Protiviti collected and analysed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights about the unique issues within their domains.

Everyone, from individuals to large businesses, is at high risk of cybercrime: identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling against cyber criminals on the front line.

Cyber risk is recognised around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology exponentially increases the risk and the potential severity of cyberattacks for financial services firms.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Cybersecurity and the Audit Process

An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed.

– Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti's IT Consulting practice.

James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknown is when an attack will happen and if the firm is prepared for the counterattack, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework[3] as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities with auditing IT security.

Most companies are beyond thinking that it is not a matter of if they are attacked; it's when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised and that it has a robust response plan in place."

One of the most important aspects to any firm's cybersecurity plan is identifying its key assets, the proverbial crown jewels.[4] "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here?, www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence", www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf

Having the right response plan in place is crucial to be able to mitigate the damage to the organisation and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team; the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST, but the degree of compliance varies between organisations. Firms that conduct business with the US government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within, from their own employees, or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric; global banks often prefer an internationally recognised framework. "Traditionally, these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function, to benefit from their guidance and insight, are often more successful in understanding and implementing the NIST framework.

Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness.[5] This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6]

"The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether the cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a 'baseline' level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool."

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank's technologies and connections, delivery channels, products and services, organisational characteristics, and external threats, notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf

Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002.

8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security: a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority; a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.

Improving Model Risk Management

The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4

Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which requires various additional models within institutions. These issues will still monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management." At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking, which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management." Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

⁷ For more comprehensive analysis on these changes, Protiviti has published several articles, including “Reducing Risk Through Model Validation,” “Model Governance and Effective Risk Management” and “Building Confidence in ALLL Models – a Timely Practice” (available at www.protiviti.com).

⁸ www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf
⁹ www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


¹⁰ For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil’s article, “Complying with the New Supervisory Guidance on Model Risk,” in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model-building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners; internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel them represents a major challenge for midsize financial services institutions. “Many medium-size banks do not have the skills on board necessary to build or validate models,” Dil observes. “For many midsize banks it has been a struggle to embed these skills and this capability into their cultures.”

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g., quantitative) expertise and talent.¹⁰

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged to have the quantitative expertise needed to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve’s CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.¹¹ As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation’s stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls¹² or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results, and any gaps in validation coverage, transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate the remaining model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that the process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank’s audit team.

¹¹ SR 11-7, Supervisory Guidance on Model Risk Management.
¹² Mitigating controls may include the following: (a) restriction of use; (b) limited-scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

“Need to Improve” Rank   Areas Evaluated by Respondents              Competency (5-pt scale)
1                        Current Expected Credit Loss (CECL)         2.2
2                        Stress testing (CCAR/DFAST)                 2.4
3                        Derivatives and securities                  2.4
4                        Derivatives and hedging                     2.4
5                        Mergers and acquisitions due diligence      2.7
6 (tie)                  Wholesale products                          2.3
6 (tie)                  International regulation                    2.2
6 (tie)                  Capital markets planning                    2.4
9 (tie)                  Other Than Temporary Impairment (OTTI)      2.6
9 (tie)                  Criticised asset management                 2.4

Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements, each of which must be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes, as required, to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should design tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied in the loss reserve models.

Internal audit will also need to review several areas that do not apply under the current loss reserve accounting rule, including the long-term (and possibly quantifiable) economic and market scenarios applied to the lifetime model, the choice of the supportable forecast window, and the support for the lifetime estimates of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.
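Item 6 above (data integrity, source data quality and completeness) is the one action item that lends itself to a concrete test. The following is an added example, not Protiviti's code or any bank's: it reconciles a model input file against the source-system extract it was built from, checking completeness (every source record arrives exactly once), accuracy (balances agree record by record, not just in total) and field-level integrity (mandatory fields populated, segment codes in a reference set). The loan records, the field names and the segment list are constructed for the example and are not any institution's schema.

```python
"""Completeness and integrity checks on a model input feed.

Added example (not Protiviti's code): the kind of reconciliation an internal
auditor can run between a source-system extract and the file that reached a
CCAR/DFAST or loss-reserve model. Records and field names are constructed
and assumed; they are not any institution's schema.
"""
from collections import Counter
from decimal import Decimal

REQUIRED_FIELDS = ("loan_id", "balance", "segment", "origination_date")
VALID_SEGMENTS = {"CRE", "C&I", "RESI", "CARD"}   # assumed reference set

# Constructed: what the loan system extracted ...
SOURCE_EXTRACT = [
    {"loan_id": "L001", "balance": "250000.00", "segment": "CRE", "origination_date": "2014-03-01"},
    {"loan_id": "L002", "balance": "80000.00", "segment": "C&I", "origination_date": "2015-06-15"},
    {"loan_id": "L003", "balance": "12000.00", "segment": "CARD", "origination_date": "2013-11-20"},
    {"loan_id": "L004", "balance": "310000.00", "segment": "RESI", "origination_date": "2012-01-09"},
]
# ... and what reached the model: L003 was dropped, L002's balance lost a digit,
# L004 lost its origination date, and L005 has no source record and an unknown segment.
MODEL_INPUT = [
    {"loan_id": "L001", "balance": "250000.00", "segment": "CRE", "origination_date": "2014-03-01"},
    {"loan_id": "L002", "balance": "8000.00", "segment": "C&I", "origination_date": "2015-06-15"},
    {"loan_id": "L004", "balance": "310000.00", "segment": "RESI", "origination_date": ""},
    {"loan_id": "L005", "balance": "5000.00", "segment": "XYZ", "origination_date": "2016-02-02"},
]


def total_balance(rows):
    """Control total over the balance field (Decimal, so cents reconcile exactly)."""
    return sum((Decimal(r["balance"]) for r in rows if r.get("balance")), Decimal("0"))


def reconcile(source, target):
    """Compare a model input file with its source extract.

    Returns control totals plus a list of (exception_type, loan_id) tuples;
    an empty list means the feed is complete and intact.
    """
    exceptions = []
    src_ids = {r["loan_id"] for r in source}
    tgt_ids = {r["loan_id"] for r in target}

    # 1. Completeness: every source record arrives exactly once, nothing extra.
    exceptions += [("missing_in_model", i) for i in sorted(src_ids - tgt_ids)]
    exceptions += [("not_in_source", i) for i in sorted(tgt_ids - src_ids)]
    counts = Counter(r["loan_id"] for r in target)
    exceptions += [("duplicate_in_model", i) for i in sorted(counts) if counts[i] > 1]

    # 2. Accuracy: balances must agree record by record, not just in total
    #    (two offsetting errors would leave the control total unchanged).
    src_by_id = {r["loan_id"]: r for r in source}
    for r in target:
        s = src_by_id.get(r["loan_id"])
        if s is not None and Decimal(r["balance"] or "0") != Decimal(s["balance"]):
            exceptions.append(("balance_mismatch", r["loan_id"]))

    # 3. Field-level integrity: mandatory fields populated, codes in the reference set.
    for r in target:
        for field in REQUIRED_FIELDS:
            if not r.get(field):
                exceptions.append(("missing_field:" + field, r["loan_id"]))
        if r.get("segment") not in VALID_SEGMENTS:
            exceptions.append(("invalid_segment", r["loan_id"]))

    return {
        "source_count": len(source),
        "model_count": len(target),
        "source_balance": total_balance(source),
        "model_balance": total_balance(target),
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = reconcile(SOURCE_EXTRACT, MODEL_INPUT)
    print(f"records {result['source_count']} -> {result['model_count']}, "
          f"balance {result['source_balance']} -> {result['model_balance']}")
    for kind, loan_id in result["exceptions"]:
        print(f"  EXCEPTION {kind:30} {loan_id}")
```

The point of checking record counts, control totals and record-level matches together is that each catches what the others miss: here the record count reconciles (four in, four out) even though one loan vanished and an unknown one appeared, and only the per-record comparison exposes the truncated balance on L002.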


Barbi Goldstein is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti’s Data Management & Advanced Analytics Solutions practice.

Dealing with Data Analysis Tools

“[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist.”

– Barbi Goldstein, Managing Director

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit’s increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and the analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations’ growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.¹³ The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators and meet the heightened expectations of regulators.

¹³ Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank   Areas Evaluated by Respondents                                                              Competency (5-pt scale)
1                        Data Analysis Tools – Statistical Analysis                                                  3.5
2                        Auditing IT – program development                                                           3.0
3                        Auditing IT – security                                                                      3.1
4 (tie)                  Auditing IT – continuity                                                                    3.2
4 (tie)                  Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)   3.2
6 (tie)                  Operational auditing – effectiveness, efficiency and economy of operations approach          3.2
6 (tie)                  Fraud – fraud detection/investigation                                                       3.2
6 (tie)                  Assessing risk – emerging issues                                                            2.2
9                        Audit planning – process, location, transaction level                                       3.5
10                       Operational auditing – risk-based approach                                                  2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions’ internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms’ internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing some degree of continuous monitoring in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise; at the moment, the survey showed, firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines’ key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan.”

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

“Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation.”

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti’s Global Financial Services Industry practice.

Matthew Moore leads Protiviti’s Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

“Need to Improve” Rank   Areas Evaluated by Respondents                                                                    Competency (5-pt scale)
1                        Agile risk and compliance                                                                         2.2
2                        Internet of Things                                                                                2.7
3 (tie)                  NIST Cybersecurity Framework                                                                      2.3
3 (tie)                  GTAG 16 – Data Analysis Technologies                                                              2.7
5 (tie)                  ISO 14000 (environmental management)                                                              2.1
5 (tie)                  ISO 27000 (information security)                                                                  2.7
7                        Mobile applications                                                                               2.3
8 (tie)                  International Financial Reporting Standards (IFRS)                                                2.2
8 (tie)                  Country-specific enterprise risk management framework                                             2.9
10 (tie)                 Assurance around outsourced service providers                                                     2.6
10 (tie)                 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together”   3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.

As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

“Many organisations are beginning to change their vision for risk management,” says Cory Gunderson, who leads Protiviti’s Global Financial Services Industry practice. “Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture.”

[Figure: Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation]

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

Figure labels: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance.

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to the financial services results of Protiviti’s 2016 Internal Audit Capabilities and Needs Survey.


What Is Protiviti’s Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first-, second- and third-line accountabilities.

• Agile Risk Management enables successful anticipation of, and response to, a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can respond to changing business strategies as well as to regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for their risks while being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

“Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti’s Risk & Compliance practice. “This includes reinforcing the firm’s risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended.”

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today’s customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.¹⁴ The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.¹⁵

The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration both prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

¹⁴ www.bis.org/bcbs/publ/d328.pdf
¹⁵ Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.¹⁶

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more than it is an incentive for proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated, escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

¹⁶ Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: Culture as the keystone – Performance Management; Risk Management; Business Strategy; Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture, but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source), and the status of issue remediation (issues that take too long to address or are in “past due” status are often indicators of a firm’s risk culture).
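The two indicators named above (the share of issues the business found itself, and the remediation backlog) are also exactly the kind of key risk indicator the data analytics section earlier describes internal audit computing from current data rather than from a one-off sample. The following is an added example, not Protiviti's code or a tool the report describes: it derives both indicators, plus the repeat-finding count mentioned later in this section, from an issue register. The six issues, the unit names and the field names are constructed for the example and are assumptions, not any firm's data.

```python
"""Risk culture indicators from an issue register.

Added example (not Protiviti's code): computing the indicators the report
names, the share of issues first identified by the business itself and the
state of remediation, plus the repeat-finding count, from an issue log.
The issues below are constructed; the field names are assumptions.
"""
from collections import defaultdict
from datetime import date

AS_OF = date(2016, 6, 30)   # reporting date for the indicators

# Constructed issue register: who found each issue, when it was due, when (if) it closed.
ISSUES = [
    {"id": "I-01", "unit": "Retail",  "identified_by": "business",       "due": date(2016, 3, 31), "closed": date(2016, 3, 15), "repeat": False},
    {"id": "I-02", "unit": "Retail",  "identified_by": "internal_audit", "due": date(2016, 4, 30), "closed": None,              "repeat": True},
    {"id": "I-03", "unit": "Retail",  "identified_by": "business",       "due": date(2016, 8, 31), "closed": None,              "repeat": False},
    {"id": "I-04", "unit": "Markets", "identified_by": "regulator",      "due": date(2016, 1, 31), "closed": date(2016, 5, 20), "repeat": False},
    {"id": "I-05", "unit": "Markets", "identified_by": "internal_audit", "due": date(2016, 5, 31), "closed": None,              "repeat": True},
    {"id": "I-06", "unit": "Markets", "identified_by": "internal_audit", "due": date(2016, 9, 30), "closed": None,              "repeat": False},
]


def self_identification_rate(issues):
    """Share of issues first raised by the business process owner, per unit and overall.

    A low rate means problems are surfacing through audit, regulators or other
    independent sources rather than through the first line.
    """
    tally = defaultdict(lambda: [0, 0])          # unit -> [self-identified, total]
    for i in issues:
        tally[i["unit"]][1] += 1
        if i["identified_by"] == "business":
            tally[i["unit"]][0] += 1
    rates = {unit: round(found / total, 2) for unit, (found, total) in tally.items()}
    rates["overall"] = round(sum(found for found, _ in tally.values()) / len(issues), 2)
    return rates


def remediation_status(issues, as_of=AS_OF):
    """Open and past-due issues, how stale the oldest past-due item is, late closures and repeats."""
    open_issues = [i for i in issues if i["closed"] is None]
    past_due = [i for i in open_issues if i["due"] < as_of]
    closed_late = [i for i in issues if i["closed"] is not None and i["closed"] > i["due"]]
    return {
        "open": len(open_issues),
        "past_due_ids": sorted(i["id"] for i in past_due),
        "max_days_past_due": max(((as_of - i["due"]).days for i in past_due), default=0),
        "closed_late": len(closed_late),
        "repeat_findings": sum(1 for i in issues if i["repeat"]),
    }


if __name__ == "__main__":
    print("self-identification rate:", self_identification_rate(ISSUES))
    print("remediation:", remediation_status(ISSUES))
```

Splitting the self-identification rate by business unit matters more than the overall figure: in the constructed data the firm-wide rate is one in three, but it is the Markets unit, where nothing was self-identified and both past-due items and both repeat findings sit, that the pattern described in this section would point to.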


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully, or not at all,” says Protiviti’s Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.

Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1        | Data analysis tools – statistical analysis | 3.5
2        | Auditing IT – program development | 3.0
3        | Auditing IT – security | 3.1
4 (tie)  | Auditing IT – continuity | 3.2
4 (tie)  | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie)  | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie)  | Fraud – fraud detection/investigation | 3.2
6 (tie)  | Assessing risk – emerging issues | 2.2
9        | Audit planning – process, location, transaction level | 3.5
10       | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director

The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework:

Effective Risk Appetite Statement

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.

Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s U.S. Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).

General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1        | Agile risk and compliance | 2.2
2        | Internet of Things | 2.7
3 (tie)  | NIST Cybersecurity Framework | 2.3
3 (tie)  | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie)  | ISO 14000 (environmental management) | 2.1
5 (tie)  | ISO 27000 (information security) | 2.7
7        | Mobile applications | 2.3
8 (tie)  | International Financial Reporting Standards (IFRS) | 2.2
8 (tie)  | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s U.S. Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.

Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the design of its account provisioning process, in which the issuer is contacted to verify the cardholder’s identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold about the account’s past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against the customer’s past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
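The transaction monitoring and geo-location matching described above, worked through as an added Python example that is not part of the original report and not code from Protiviti or any bank: it checks a new mobile transaction against the account’s constructed history for implausible travel speed since the previous transaction, a country the account has never transacted in, and an amount far above the account’s own average. The speed limit, the amount multiplier and the sample transactions are assumptions chosen for illustration.

```python
"""Geo-velocity and behaviour-based alerting for mobile transactions.

Added illustration with constructed data; not the report's, Protiviti's
or any bank's code.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import List

EARTH_RADIUS_KM = 6371.0
# Assumed tuning parameters: anything faster than a commercial flight, or
# more than three times the account's average ticket, is worth an analyst's look.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
AMOUNT_MULTIPLIER = 3.0


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime        # time the mobile app reported the transaction
    lat: float          # device geo-location at transaction time
    lon: float
    amount: float
    country: str        # ISO 3166 alpha-2 code of the merchant location


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate(history: List[Txn], candidate: Txn) -> List[str]:
    """Compare a new transaction with the account's past behaviour.

    Returns a list of human-readable alert reasons; an empty list means
    the transaction is consistent with what the account has done before.
    """
    reasons: List[str] = []
    past = sorted((t for t in history if t.account == candidate.account),
                  key=lambda t: t.ts)
    if not past:
        return ["no transaction history for account"]

    # 1. Geo-velocity: could the customer physically have moved from the
    #    location of the last transaction to this one in the elapsed time?
    last = past[-1]
    dist_km = haversine_km(last.lat, last.lon, candidate.lat, candidate.lon)
    hours = (candidate.ts - last.ts).total_seconds() / 3600.0
    if hours <= 0:
        reasons.append("timestamp not after previous transaction")
    elif dist_km / hours > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append(f"implausible travel: {dist_km:.0f} km in {hours:.1f} h")

    # 2. New country: first use in a country the account has never transacted in.
    if candidate.country not in {t.country for t in past}:
        reasons.append(f"first transaction in {candidate.country}")

    # 3. Amount outlier relative to the account's own average ticket size.
    mean_amount = sum(t.amount for t in past) / len(past)
    if candidate.amount > AMOUNT_MULTIPLIER * mean_amount:
        reasons.append(f"amount {candidate.amount:.2f} exceeds "
                       f"{AMOUNT_MULTIPLIER:g}x account average {mean_amount:.2f}")
    return reasons


# Constructed sample history: one account, three small purchases in New York.
NYC = (40.7128, -74.0060)
HISTORY = [
    Txn("A-1001", datetime(2016, 5, 1, 9, 0), *NYC, 40.00, "US"),
    Txn("A-1001", datetime(2016, 5, 2, 12, 30), *NYC, 55.00, "US"),
    Txn("A-1001", datetime(2016, 5, 3, 18, 0), *NYC, 62.00, "US"),
]

# Constructed candidates: a nearby purchase two hours later, a purchase in
# London one hour after the last New York one, and a large purchase at home.
NEARBY = Txn("A-1001", datetime(2016, 5, 3, 20, 0), 40.7357, -74.1724, 45.00, "US")
FAR_AWAY = Txn("A-1001", datetime(2016, 5, 3, 19, 0), 51.5074, -0.1278, 50.00, "GB")
BIG_TICKET = Txn("A-1001", datetime(2016, 5, 4, 18, 0), *NYC, 900.00, "US")


if __name__ == "__main__":
    for name, txn in [("nearby", NEARBY), ("far away", FAR_AWAY), ("big ticket", BIG_TICKET)]:
        print(name, "->", evaluate(HISTORY, txn) or "no alert")
```

Each rule produces a reason string rather than a verdict so that an analyst, or an auditor sampling the alert queue, can see which behavioural signal fired; in practice the thresholds would be calibrated per product and reviewed as part of the fraud model’s change management.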

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN, enabled cards: these pose a potential problem for retailers because liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that its firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm’s liabilities, policies and procedures in relation to account provisioning on mobile devices.

In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Increasing reliance on and complexity of models, especially in the area of stress testing, has driven increased demand for resources with the knowledge and skills to address the risks associated with the use of these same models.

Model Risk Management

Internal auditors have ranked model risk management one of the top areas where they need to improve their technical knowledge – and for good reason. The internal audit function is tasked with verifying that financial institutions have a comprehensive model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Having internal audit staff with the competence and skillset to provide effective challenge to the first- and second-line functions using and providing oversight of the models, and of overall model risk management, continues to be a challenge for financial institutions, especially those that do not have the scale to support an in-house team of model professionals within the internal audit function.

As organisations continue to increase the use and complexity of models, and with increasing regulatory focus on stress testing, already scarce modelling skillsets are in even greater demand.

Mobile is lauded for its ability to connect organisations with consumers, but it brings its own unique challenges and risks to the organisation.

Mobile Applications Challenge

Continuing with the earlier technology trend, the survey shows a clear focus on auditing risks related to the development, management and use of mobile applications within financial services institutions. Mobile banking and mobile payments are exploding in popularity as financial institutions respond to demands from their customers to offer more convenience through mobile channels. The speed of change, the introduction of new third parties offering mobile services, as well as the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms, as well as for the internal audit functions that have to help the organisation navigate the risks presented by these new channels, processes and technologies.

The Changing Internal Audit Environment

Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs Survey showed that the focus of the entire industry was mainly on regulatory compliance – from stress testing requirements to the broader concerns over compliance with the various regulations being issued under the Dodd-Frank Act. Even though internal auditors are continuing to grapple with regulatory compliance, an increasing focus is being placed on ensuring that programs that have already been implemented, such as risk appetite and risk culture, are being embedded into the organisation, as well as on adopting a more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing on firms' cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors among the areas in which they need to improve their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as an area for greater attention.


Unlocking the Power of Data to Help Manage Risk

Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle with. The industry agrees that data analysis holds great promise; however, how to effectively deploy and utilise expanding data analysis capabilities to harness the power of advanced analytics remains a challenge for most internal audit organisations. That said, the use of analytics by internal audit functions continues to evolve, driven by internal audit functions' desire to make informed decisions based on data from key risk indicators in the various lines of business, so that they can allocate their audit hours and testing more efficiently and effectively. The more advanced firms report that they are implementing aids such as visualisation tools and continuous monitoring, accessing enterprisewide data, and running analytics to help them better understand where the biggest risks exist.

Impacts on Internal Audit

The role of internal audit – the third line of defence – is changing. Under the US Office of the Comptroller of the Currency (OCC) Heightened Standards for Large Financial Institutions [2], the role of internal audit is to opine on the readiness and design of risk management systems and corporate governance structures, including risk culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within the topics above.

Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

2016 Internal Audit Concerns

Further areas of concern that firms need to consider in developing their 2016 audit plans include:

• Development of dynamic risk assessment and audit planning

• Talent management and acquisition

• Reliance across the three lines of defence

• Assessing effective risk management

• Vendor management

• Communication with stakeholders

[2] www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf


About the Internal Audit Capabilities and Needs Survey

This year, the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process; general technical knowledge; audit process knowledge; and personal skills and capabilities. Respondents from US financial services companies were also asked to assess industry-specific skills.

The results, based on information provided by all respondents (who numbered more than 1,300), are contained within the master report (available at www.protiviti.com/IASurvey). In addition to the overall findings, Protiviti collected and analysed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights about the unique issues within their domains.


Everyone from individuals to large businesses is at high risk of cybercrime – identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling against cyber criminals on the front line.

Cyber risk is recognised around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology sharply increases both the likelihood and the potential severity of cyberattacks for financial services firms.

General Technical Knowledge (top 10 areas)

"Need to Improve" rank | Area evaluated by respondents | Competency (5-point scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Cybersecurity and the Audit Process

"An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed."

– Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti's IT Consulting practice.

James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" rank | Area evaluated by respondents | Competency (5-point scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknowns are when an attack will happen and whether the firm is prepared to respond, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include the NIST Cybersecurity Framework [3] and the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities in auditing IT security.

Most companies no longer think it is a matter of if they are attacked – it's a matter of when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised and that it has a robust response plan in place."

One of the most important aspects of any firm's cybersecurity plan is identifying its key assets – the proverbial crown jewels [4]. "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here?, www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence", www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf


Having the right response plan in place is crucial to being able to mitigate the damage to the organisation and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team – the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases firms already have many of the controls recommended by NIST, but the degree of alignment varies between organisations. Firms that conduct business with the US government, or that are subject to regulatory scrutiny, may be expected to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties, such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within – from their own employees – or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour with which they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new guidance and standards over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric – global banks often prefer an internationally recognised framework. "Traditionally, these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published in February 2014, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function, to benefit from their guidance and insight, are often more successful in understanding and implementing the NIST framework.


Regulators Focus on Cybersecurity

In March 2015 the FFIEC published its findings from a joint assessment, conducted by the US banking agencies the year before, of cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness [5]. This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015 the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts [6].

"The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether the cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a 'baseline' level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool."

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank's technologies and connections, delivery channels, products and services, organisational characteristics, and external threats – notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by its peers to ensure it is prepared to handle those types of emerging risks.

With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing them, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practices of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluation against ISO 27001 and ISO 27002.

8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" rank | Area evaluated by respondents | Competency (5-point scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions [7]. This inevitably affects the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other requirements, these rules mandate that institutions hold more regulatory capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which requires various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR) [8] and Dodd-Frank Act Stress Test (DFAST) [9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenue (PPNR). Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and the identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking, which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis of these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation", "Model Governance and Effective Risk Management" and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfil new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g. quantitative) expertise and talent [10].

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged to have the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12)

• Assessing each model validation for consistency with those rules

• Assessing model development, implementation and use, and

• Assessing compliance with CCAR and DFAST regulations

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management [11]. As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more varied ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency among all model risk stakeholders – including model developers, users, validators, internal audit, bank management and the board of directors – to manage model risk and apply mitigating controls [12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that internal audit understands the process in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

11 SR 11-7, Supervisory Guidance on Model Risk Management.
12 Mitigating controls may include the following: (a) restriction of use; (b) limited scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticised asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard that is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements, each of which must be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit will need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Internal audit would therefore need to verify that the supporting systems have updated filters and codes, as required, to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should design controls and tests to determine whether the lifetime estimation methodology conforms to the requirements and is correctly applied in the loss reserve models.

Internal audit will also need to review several areas that are not applicable under the current loss reserve accounting rule, including the long-term (and possibly quantified) economic and market scenarios applied to the lifetime model, the choice of the supportable forecast window, and the support for the lifetime assigned to different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1 Ensure MRM is included within the audit universe.

2 Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3 Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation).

4 Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.

5 Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6 Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7 Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8 Review that all material risks are covered in stress testing and CCAR and that all risks are modelled appropriately.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Dealing with Data Analysis Tools

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks.

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation.

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit.

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.13 The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics: chiefly, more robust testing, increased efficiency, continuous auditing, greater visibility of risk indicators, and meeting the heightened expectations of regulators.


13 Changing Trends in Internal Audit and Advanced Analytics, available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing some degree of continuous monitoring in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise: at the moment, the survey showed, firms monitor only areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools in order to improve efficiency and capabilities by adding more advanced techniques, such as continuous monitoring and the tracking of risk indicators.


Adopting Agile Risk and Compliance


Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy, with the elements Risk Management, Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can respond automatically to changing business strategies as well as to regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees, and the risk and regulatory environment.


Understanding and Integrating Risk Culture


Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.15

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks as well as risk outcomes that have already been realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf
15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour (taking compensation from people who misbehave or break limits) rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification rather than an incentive for proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated, escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms seeking to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture Is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: labels Performance Management culture, Risk Management culture, Business Strategy, Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).
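The two indicators just described (the share of issues first raised by the business rather than by internal audit or a regulator, and the ageing of past-due remediation), together with the repeat-findings signal, are exactly the kind of KRI that the continuous-monitoring analytics discussed earlier in this report can compute from an issue register rather than from a one-off sample. The following Python is an added example written for this page; it is not Protiviti's code or any firm's own tooling. The issue register, its field names, the reporting date and the ageing buckets are all constructed assumptions.

```python
"""Risk-culture indicators computed from an issue register (added example)."""
from collections import Counter
from datetime import date

# Constructed sample issue register, not real findings. Each record is one
# audit or control issue: who first raised it, when remediation was due,
# when (if) it was closed, and which control it relates to.
ISSUES = [
    {"id": "ISS-001", "source": "business", "due": date(2016, 1, 31), "closed": date(2016, 1, 20), "control": "CTL-PAY-01"},
    {"id": "ISS-002", "source": "internal_audit", "due": date(2016, 2, 28), "closed": None, "control": "CTL-PAY-01"},
    {"id": "ISS-003", "source": "regulator", "due": date(2016, 3, 31), "closed": None, "control": "CTL-KYC-07"},
    {"id": "ISS-004", "source": "business", "due": date(2016, 5, 31), "closed": None, "control": "CTL-MDL-03"},
    {"id": "ISS-005", "source": "internal_audit", "due": date(2015, 12, 31), "closed": None, "control": "CTL-PAY-01"},
    {"id": "ISS-006", "source": "business", "due": date(2016, 4, 15), "closed": date(2016, 4, 1), "control": "CTL-KYC-07"},
]

AS_OF = date(2016, 4, 30)   # assumed reporting date for the indicators
AGEING_BUCKETS = (30, 90)   # days past due; bucket boundaries are assumptions


def self_identification_rate(issues):
    """Share of issues first identified by a business process owner.

    A low share (most issues surfaced by internal audit or a regulator) is
    the risk-culture signal the text describes.
    """
    if not issues:
        return 0.0
    owned = sum(1 for i in issues if i["source"] == "business")
    return owned / len(issues)


def past_due(issues, as_of=AS_OF):
    """Open issues whose remediation due date has passed, with days overdue."""
    return [
        (i["id"], (as_of - i["due"]).days)
        for i in issues
        if i["closed"] is None and i["due"] < as_of
    ]


def ageing_profile(issues, as_of=AS_OF):
    """Bucket past-due issues by how long they have been overdue."""
    buckets = Counter()
    for _, days in past_due(issues, as_of):
        if days <= AGEING_BUCKETS[0]:
            buckets["0-30d"] += 1
        elif days <= AGEING_BUCKETS[1]:
            buckets["31-90d"] += 1
        else:
            buckets[">90d"] += 1
    return dict(buckets)


def repeat_findings(issues, min_count=2):
    """Controls that have been the subject of more than one issue."""
    counts = Counter(i["control"] for i in issues)
    return {c: n for c, n in counts.items() if n >= min_count}


def risk_culture_indicators(issues, as_of=AS_OF):
    """One summary a CAE could track period over period and trend."""
    overdue = past_due(issues, as_of)
    open_issues = [i for i in issues if i["closed"] is None]
    pct_overdue = round(100 * len(overdue) / len(open_issues), 1) if open_issues else 0.0
    return {
        "self_identified_pct": round(100 * self_identification_rate(issues), 1),
        "open": len(open_issues),
        "past_due": len(overdue),
        "past_due_pct_of_open": pct_overdue,
        "ageing": ageing_profile(issues, as_of),
        "repeat_findings": repeat_findings(issues),
    }


if __name__ == "__main__":
    for key, value in risk_culture_indicators(ISSUES).items():
        print(f"{key}: {value}")
```

Run against a real register, the same functions can be re-run each month so the indicators become a trend rather than a snapshot; a falling self-identification rate or a growing ">90d" bucket is then visible before the next scheduled audit of that line of business.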


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown, to consider whether a risk appetite breach or an incentives problem (e.g. pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite


Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is just as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for An Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.
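The structure described above (an enterprise RAS metric translated into business-unit limits with tolerances, monitored periodically and linked back to the enterprise) can be made concrete in a small model. The following is an added illustration, not Protiviti's or the FSB's code; the metric, threshold values, observations and escalation routing are constructed for the example, and the policy of alerting at "tolerance" (amber) and "limit" (red) is an assumption.

```python
"""Risk appetite framework (RAF) metric hierarchy with tolerance/limit monitoring.

Added illustration (not from the report). All names, limits and observed
values are constructed sample data for a hypothetical bank.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Threshold:
    """Early-warning tolerance (amber) and hard limit (red) for one metric."""
    tolerance: float
    limit: float


@dataclass
class RafMetric:
    """One risk appetite metric set at enterprise level in the RAS and translated
    into business-unit (BU) thresholds. `additive` means the enterprise exposure
    is the sum of the BU exposures (true for loss amounts, not for ratios)."""
    name: str
    unit: str
    enterprise: Threshold
    business_units: Dict[str, Threshold] = field(default_factory=dict)
    additive: bool = True


def linkage_findings(metric: RafMetric) -> List[str]:
    """Design check an auditor can run before any observations exist:
    are the BU thresholds consistent with, and linked to, the enterprise RAS?"""
    findings: List[str] = []
    ent = metric.enterprise
    if ent.tolerance >= ent.limit:
        findings.append("enterprise tolerance is not below its limit")
    for bu, t in metric.business_units.items():
        if t.tolerance >= t.limit:
            findings.append(f"{bu}: tolerance {t.tolerance} is not below limit {t.limit}")
        if t.limit > ent.limit:
            findings.append(f"{bu}: limit {t.limit} exceeds enterprise limit {ent.limit}")
    if metric.additive:
        total = sum(t.limit for t in metric.business_units.values())
        if total > ent.limit:
            # Each BU can sit inside its own limit while the enterprise breaches the RAS.
            findings.append(f"sum of BU limits ({total}) exceeds enterprise limit ({ent.limit})")
    return findings


def rag_status(value: float, t: Threshold) -> str:
    """Red/amber/green status of an observed value against a threshold."""
    if value > t.limit:
        return "red"
    if value > t.tolerance:
        return "amber"
    return "green"


def monitor(metric: RafMetric, observed: Dict[str, float]) -> dict:
    """One periodic monitoring run: status per BU and for the enterprise, plus the
    escalation each non-green status requires under this constructed policy."""
    escalation = {"amber": "independent risk management",
                  "red": "CRO and board risk committee"}
    report: dict = {"metric": metric.name, "business_units": {}, "escalations": []}
    for bu, t in metric.business_units.items():
        if bu not in observed:
            # A BU that does not report is itself a monitoring failure.
            report["escalations"].append((bu, "no observation reported"))
            continue
        status = rag_status(observed[bu], t)
        report["business_units"][bu] = status
        if status != "green":
            report["escalations"].append((bu, escalation[status]))
    if metric.additive:
        total = sum(observed.get(bu, 0.0) for bu in metric.business_units)
        ent_status = rag_status(total, metric.enterprise)
        report["enterprise"] = {"value": total, "status": ent_status}
        if ent_status != "green":
            report["escalations"].append(("enterprise", escalation[ent_status]))
    return report


# Constructed sample data: quarter-to-date operational losses (USD millions)
# for three lines of business of a hypothetical bank.
OP_LOSS = RafMetric(
    name="operational losses, quarter to date", unit="USD millions",
    enterprise=Threshold(tolerance=40, limit=50),
    business_units={
        "Mortgages": Threshold(tolerance=20, limit=25),
        "Real Estate": Threshold(tolerance=15, limit=20),
        "Cards": Threshold(tolerance=10, limit=15),
    },
)
SAMPLE_OBSERVATIONS = {"Mortgages": 22.0, "Real Estate": 8.0, "Cards": 16.0}

if __name__ == "__main__":
    for finding in linkage_findings(OP_LOSS):
        print("linkage finding:", finding)
    print(monitor(OP_LOSS, SAMPLE_OBSERVATIONS))
```

The linkage check fires on the sample data because the three BU limits add up to more than the enterprise limit, which is exactly the kind of disconnect between board-level RAS and LOB thresholds the text warns about.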

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers: they need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. The graphic characterises an effective risk appetite statement as:

• Informed – The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• Qualitative – The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• Linked to Corporate Goals – The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• Forward-Looking – The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• Material Risk-Focused – The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• Quantitative – The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• Defines Risks – The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• Supported – The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications


Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers which are offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to an account's past behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be used to match customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
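The monitoring idea above (geo-location of a mobile transaction matched against the account's past transaction history, alongside other past-behaviour baselines) can be shown as detection logic. This is an added example, not code from Protiviti or from any bank; the signal thresholds, the strong/weak alerting policy, the accounts, locations and amounts are all constructed for the illustration.

```python
"""Transaction monitoring against an account's past behaviour, including
geo-location. Added illustration; all data and thresholds are constructed."""
import math
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    amount: float
    lat: float
    lon: float
    category: str  # merchant category, e.g. "grocery"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def score_transaction(txn: Txn, history: List[Txn], max_speed_kmh: float = 900.0,
                      known_radius_km: float = 100.0, amount_factor: float = 3.0) -> dict:
    """Compare one transaction with the same account's earlier transactions.

    Constructed policy: a 'strong' signal alerts on its own; 'weak' signals alert
    only when at least two of them co-occur, to keep false positives down."""
    prior = sorted((t for t in history if t.account == txn.account and t.ts < txn.ts),
                   key=lambda t: t.ts)
    if not prior:
        # Nothing to compare against; a new account needs its own rules.
        return {"alert": False, "signals": [("weak", "no transaction history for account")]}
    signals = []

    # 1. Geo-velocity: distance from the last transaction over the time elapsed.
    last = prior[-1]
    dist_km = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
    hours = (txn.ts - last.ts).total_seconds() / 3600.0
    if hours > 0 and dist_km / hours > max_speed_kmh:
        signals.append(("strong", f"implausible travel: {dist_km:.0f} km in {hours:.1f} h"))

    # 2. Location never seen in this account's history.
    nearest_km = min(haversine_km(t.lat, t.lon, txn.lat, txn.lon) for t in prior)
    if nearest_km > known_radius_km:
        signals.append(("weak", f"location {nearest_km:.0f} km from any past transaction"))

    # 3. Amount far above the account's average.
    mean_amount = sum(t.amount for t in prior) / len(prior)
    if txn.amount > amount_factor * mean_amount:
        signals.append(("weak", f"amount {txn.amount:.2f} exceeds "
                                f"{amount_factor:g}x average {mean_amount:.2f}"))

    # 4. First transaction in a merchant category.
    if txn.category not in {t.category for t in prior}:
        signals.append(("weak", f"first transaction in category '{txn.category}'"))

    strong = any(kind == "strong" for kind, _ in signals)
    weak = sum(1 for kind, _ in signals if kind == "weak")
    return {"alert": strong or weak >= 2, "signals": signals}


# Constructed sample data: an account that normally transacts in New York.
NY = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
HISTORY = [
    Txn("acct-1", datetime(2016, 5, 2, 9, 0), 42.10, *NY, "grocery"),
    Txn("acct-1", datetime(2016, 5, 5, 18, 30), 63.50, *NY, "restaurant"),
    Txn("acct-1", datetime(2016, 5, 10, 10, 0), 38.00, *NY, "grocery"),
]
SAMPLES = {
    # Two hours after a New York purchase, the same card is used in London.
    "travel": Txn("acct-1", datetime(2016, 5, 10, 12, 0), 55.00, *LONDON, "restaurant"),
    # Normal location, but a large amount in a category never used before.
    "big_new": Txn("acct-1", datetime(2016, 5, 11, 12, 0), 900.00, *NY, "electronics"),
    # Ordinary purchase consistent with history.
    "normal": Txn("acct-1", datetime(2016, 5, 11, 13, 0), 40.00, *NY, "grocery"),
}

if __name__ == "__main__":
    for label, txn in SAMPLES.items():
        print(label, score_transaction(txn, HISTORY))
```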

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States, as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled, cards: these pose a potential problem for retailers, because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank's reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by their organisations, and that their firms are considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Unlocking the Power of Data to Help Manage Risk

Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle with. The industry agrees that data analysis holds great promise; however, how to effectively deploy and utilise expanding data analysis capabilities to harness the power of advanced analytics remains a challenge to most internal audit organisations. That said, the use of analytics by internal audit functions is continuing to evolve, driven by internal audit functions' desire to make informed decisions on data from key risk indicators in the various lines of business to help them dedicate their audit hours and testing more efficiently and effectively. The more advanced firms report that they are implementing the use of aids such as visualisation tools and continuous monitoring, accessing enterprisewide data, as well as running analytics to help them better understand where the biggest risks exist.

Impacts on Internal Audit

The role of internal audit – the third line of defence – is changing. Under the US Office of the Comptroller of the Currency (OCC) Heightened Standards for Large Financial Institutions,2 the role of internal audit is to opine on the readiness and design of risk management systems' corporate governance structures, including risk culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within the topics above.

Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile applications, model risk and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

2016 Internal Audit Concerns

Further areas of concern that firms need to consider in developing their 2016 audit plans include:

• Development of dynamic risk assessment and audit planning

• Talent management and acquisition

• Reliance across the three lines of defence

• Assessing effective risk management

• Vendor management

• Communication with stakeholders

2 www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf


About the Internal Audit Capabilities and Needs Survey

This year, the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge, and personal skills and capabilities. Respondents from US financial services companies were also asked to assess industry-specific skills.

The results, based on information provided by all respondents (who numbered more than 1,300), are contained within the master report (available at www.protiviti.com/IASurvey). In addition to the overall findings, Protiviti collected and analysed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights about the unique issues within their domains.


Everyone, from individuals to large businesses, is at high risk of cybercrime – identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling against cyber criminals on the frontline.

Cyber risk is recognised around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology exponentially increases the risk and the potential severity of cyberattacks for financial services firms.


Cybersecurity and the Audit Process


Cal Slemp is a Managing Director with Protiviti's IT Consulting practice.

James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.



A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknown is when an attack will happen, and if the firm is prepared for the counterattack, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework3 as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities with auditing IT security.

Most companies are beyond thinking in terms of if they are attacked; it's a matter of when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised and that it has a robust response plan in place."

One of the most important aspects of any firm's cybersecurity plan is identifying its key assets – the proverbial crown jewels [4]. "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here, www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence", www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf


Having the right response plan in place is crucial to mitigating the damage to the organisation and restoring the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team – the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST, but the degree of compliance varies between organisations. Firms that conduct business with the US government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within: from their own employees, or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour with which they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric – global banks often prefer an internationally recognised framework. "Traditionally, these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.


Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness [5]. This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts [6].

"The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether its cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a 'baseline' level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool."

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank's technologies and connections, delivery channels, products and services, organisational characteristics and external threats – notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy – Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk – Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach – Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors – Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan – Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology – Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework – Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluation against ISO 27001 and 27002.

8. Preventative Capabilities – Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol – Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages – Address any IT audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank   Area Evaluated by Respondents                          Competency (5-pt scale)
1 (tie)                  Basel guidance on internal audit                       2.9
1 (tie)                  Basel III                                              2.2
3                        Model risk management                                  2.7
4                        Volcker Rule                                           2.2
5                        Dynamic risk assessment                                3.2
6                        Interest rate/market risk                              2.7
7                        CFPB examination readiness                             2.7
8 (tie)                  Federal Reserve Guidance on Internal Audit (SR 13-1)   3.0
8 (tie)                  Vendor management                                      3.4
10 (tie)                 Regulatory Compliance – Holding Company (Reg W)        2.7
10 (tie)                 UDAAP                                                  2.8
10 (tie)                 Reliance on 1st and 2nd line monitoring                3.4


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions [7]. This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR) [8] and Dodd-Frank Act Stress Test (DFAST) [9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking, which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis of these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation", "Model Governance and Effective Risk Management" and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g. quantitative) expertise and talent [10].

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged with having the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management [11]. As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls [12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.

[12] Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank   Area Evaluated by Respondents              Competency (5-pt scale)
1                        Current Expected Credit Loss (CECL)        2.2
2                        Stress testing (CCAR/DFAST)                2.4
3                        Derivatives and securities                 2.4
4                        Derivatives and hedging                    2.4
5                        Mergers and acquisitions due diligence     2.7
6 (tie)                  Wholesale products                         2.3
6 (tie)                  International regulation                   2.2
6 (tie)                  Capital markets planning                   2.4
9 (tie)                  Other Than Temporary Impairment (OTTI)     2.6
9 (tie)                  Criticised asset management                2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit review of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions [13]. The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators, and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

[13] Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank   Area Evaluated by Respondents                                                                          Competency (5-pt scale)
1                        Data Analysis Tools – Statistical Analysis                                                             3.5
2                        Auditing IT – program development                                                                      3.0
3                        Auditing IT – security                                                                                 3.1
4 (tie)                  Auditing IT – continuity                                                                               3.2
4 (tie)                  Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)    3.2
6 (tie)                  Operational auditing – effectiveness, efficiency and economy of operations approach                    3.2
6 (tie)                  Fraud – fraud detection/investigation                                                                  3.2
6 (tie)                  Assessing risk – emerging issues                                                                       2.2
9                        Audit planning – process, location, transaction level                                                  3.5
10                       Operational auditing – risk-based approach                                                             2.4

It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree to be able to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since at the moment, the survey showed, firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools in order to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring of key risk indicators.

19 Top Priorities for Internal Audit in Financial Services Organisations

Adopting Agile Risk and Compliance


Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.
• Large bank fines have topped $100B over the past five years.
• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.
• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: unsustainable costs, significant fines ($100B) and rising inherent risk, with growth and innovation squeezed by risk and compliance demands]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management linked to Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first-, second- and third-line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can respond automatically to changing business strategies as well as to regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture


Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which include the importance of a sound risk culture in driving risk management within a bank.[14] The Financial Stability Board (FSB) has also been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf
15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on, so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate, and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: risk culture as the keystone between performance management and risk management, and between business strategy and risk appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status are often indicators of a firm's risk culture).
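The two indicators named above, the share of known issues first raised by the business itself and the state of remediation, are exactly the kind of measure an audit analytics group can compute from current data on a continuous basis rather than once per audit, as the analytics section earlier describes. The following is an added example, not code from the Protiviti report: it derives those indicators, plus late closures, time to remediate and repeat findings, from a constructed issues register. The field names, the reference date and the sample records are assumptions made for the illustration.

```python
"""Risk culture indicators from an audit issues register (added example).

Not code from the Protiviti report. Field names, the reference date and the
sample records below are assumptions made for this illustration.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Issue:
    issue_id: str
    lob: str                        # line of business that owns the issue
    source: str                     # first identified by: business, internal_audit, regulator, external
    opened: date
    due: date                       # agreed remediation date
    closed: Optional[date]          # None while the issue is still open
    repeat_of: Optional[str] = None  # earlier issue this finding repeats, if any


# Constructed sample register (hypothetical data, not survey results).
SAMPLE_LOG = [
    Issue("I-001", "Mortgages", "business",       date(2016, 1, 5),  date(2016, 3, 31), date(2016, 3, 10)),
    Issue("I-002", "Mortgages", "internal_audit", date(2016, 1, 20), date(2016, 4, 30), None),
    Issue("I-003", "Cards",     "regulator",      date(2015, 11, 2), date(2016, 2, 28), date(2016, 2, 15)),
    Issue("I-004", "Cards",     "internal_audit", date(2016, 4, 1),  date(2016, 7, 31), None, repeat_of="I-003"),
    Issue("I-005", "Treasury",  "business",       date(2016, 2, 15), date(2016, 6, 30), None),
    Issue("I-006", "Treasury",  "external",       date(2015, 12, 1), date(2016, 3, 15), date(2016, 4, 20)),
]

AS_OF = date(2016, 6, 1)  # assumed reporting date


def culture_indicators(log, as_of):
    """Return enterprise-level and per-LOB indicators as of the given date."""
    if not log:
        raise ValueError("empty issues register")
    closed = [i for i in log if i.closed is not None]
    open_issues = [i for i in log if i.closed is None]
    past_due = [i for i in open_issues if i.due < as_of]      # open and overdue today
    closed_late = [i for i in closed if i.closed > i.due]     # closed, but after the agreed date
    days_to_close = [(i.closed - i.opened).days for i in closed]

    per_lob = {}
    for i in log:
        row = per_lob.setdefault(i.lob, {"issues": 0, "self_identified": 0, "past_due": 0, "repeat": 0})
        row["issues"] += 1
        row["self_identified"] += int(i.source == "business")
        row["past_due"] += int(i in past_due)
        row["repeat"] += int(i.repeat_of is not None)

    return {
        "as_of": as_of.isoformat(),
        "total": len(log),
        # share first identified by the business process owner rather than by
        # internal audit, a regulator or another independent source
        "self_identified_rate": sum(r["self_identified"] for r in per_lob.values()) / len(log),
        "open": len(open_issues),
        "past_due": len(past_due),
        "past_due_rate": len(past_due) / len(open_issues) if open_issues else 0.0,
        "closed_late_rate": len(closed_late) / len(closed) if closed else 0.0,
        "mean_days_to_close": sum(days_to_close) / len(days_to_close) if days_to_close else 0.0,
        "repeat_findings": [i.issue_id for i in log if i.repeat_of is not None],
        "per_lob": per_lob,
    }


if __name__ == "__main__":
    print(json.dumps(culture_indicators(SAMPLE_LOG, AS_OF), indent=2))
```

The per-LOB breakdown is the part worth keeping in a continuous dashboard: a unit with a low self-identification rate and a high past-due or repeat count is the one the text describes as telling you a lot about its risk culture, and the figures come from the issues register rather than from a standalone culture audit.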


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously its recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further and evaluate the origin of the breakdown, considering whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite


Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOBs) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."[17]

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.



"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one where many internal audit functions are still struggling to define their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for An Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf
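The linkage the FSB principles call for, business unit KRIs with their own tolerances and thresholds that roll up to and reconcile with the enterprisewide RAS limit, is what an auditor testing the RAF would want to see mechanised. The following is an added example, not code from the Protiviti report or from the FSB: it classifies each unit's KRI against its tolerance (amber) and threshold (red), aggregates the unit figures into the enterprise metric, and checks that the unit thresholds actually reconcile to the enterprise limit. Metric names, limit values and observations are assumptions; every metric here is one where a higher value is worse.

```python
"""KRI monitoring against a cascaded risk appetite (added example).

Not code from the Protiviti report or the FSB. Metric names, limit values and
the observations below are assumptions made for this illustration. All
metrics aggregate across units by sum and a higher value is worse.
"""
from dataclasses import dataclass

GREEN, AMBER, RED = "GREEN", "AMBER", "RED"


@dataclass(frozen=True)
class Limit:
    tolerance: float   # amber: approaching appetite, escalate within the unit
    threshold: float   # red: appetite breached, escalate to the risk committee


# Enterprise RAS limits (hypothetical).
ENTERPRISE_LIMITS = {
    "op_loss_usd_m": Limit(tolerance=40, threshold=50),
    "open_high_risk_issues": Limit(tolerance=15, threshold=20),
}

# Unit limits pushed down from the RAS (hypothetical). Note that the issue
# thresholds add up to 21, which exceeds the enterprise threshold of 20.
UNIT_LIMITS = {
    "Mortgages": {"op_loss_usd_m": Limit(15, 20), "open_high_risk_issues": Limit(6, 8)},
    "Cards":     {"op_loss_usd_m": Limit(12, 15), "open_high_risk_issues": Limit(5, 7)},
    "Treasury":  {"op_loss_usd_m": Limit(8, 10),  "open_high_risk_issues": Limit(4, 6)},
}

# Constructed observations for one reporting period (hypothetical).
OBSERVATIONS = {
    "Mortgages": {"op_loss_usd_m": 17, "open_high_risk_issues": 9},
    "Cards":     {"op_loss_usd_m": 9,  "open_high_risk_issues": 5},
    "Treasury":  {"op_loss_usd_m": 11, "open_high_risk_issues": 2},
}


def classify(value, limit):
    """RAG status of one observation against its tolerance and threshold."""
    if limit.tolerance > limit.threshold:
        raise ValueError("tolerance must not exceed threshold")
    if value > limit.threshold:
        return RED
    if value > limit.tolerance:
        return AMBER
    return GREEN


def check_linkage(unit_limits, enterprise_limits):
    """Metrics whose summed unit thresholds exceed the enterprise threshold.

    A non-empty result means every unit can sit inside its own appetite while
    the enterprise as a whole is outside the RAS.
    """
    gaps = []
    for metric, ent in enterprise_limits.items():
        total = sum(limits[metric].threshold for limits in unit_limits.values())
        if total > ent.threshold:
            gaps.append((metric, total, ent.threshold))
    return gaps


def evaluate(unit_limits, enterprise_limits, observations):
    """Status per unit and metric, the aggregated enterprise view, and linkage gaps."""
    units = {
        unit: {m: classify(v, unit_limits[unit][m]) for m, v in values.items()}
        for unit, values in observations.items()
    }
    enterprise = {}
    for metric, limit in enterprise_limits.items():
        total = sum(values[metric] for values in observations.values())
        enterprise[metric] = {"value": total, "status": classify(total, limit)}
    return {
        "units": units,
        "enterprise": enterprise,
        "linkage_gaps": check_linkage(unit_limits, enterprise_limits),
    }


def escalations(report):
    """(unit, metric, status) tuples a risk committee pack would list."""
    return sorted(
        (u, m, s) for u, r in report["units"].items() for m, s in r.items() if s != GREEN
    )


if __name__ == "__main__":
    rep = evaluate(UNIT_LIMITS, ENTERPRISE_LIMITS, OBSERVATIONS)
    for item in escalations(rep):
        print("escalate:", *item)
    print("enterprise:", rep["enterprise"])
    print("linkage gaps:", rep["linkage_gaps"])
```

With these figures the enterprise operational-loss metric is green while two units are outside their own appetite, which is the board-level-only picture Timothy Long calls almost meaningless; only the cascaded limits surface it. The linkage check is the audit test: if unit thresholds are set without reconciling to the enterprise limit, the framework is a check-the-box exercise in the sense the next paragraph describes.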


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts, to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report entitled Principles for An Effective Risk Appetite Framework. An effective risk appetite statement is:

• Informed: the RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.
• Qualitative: the RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.
• Linked to corporate goals: the RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans; risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.
• Forward-looking: the RAS allows the financial institution to view the desired risk profile under a variety of scenarios.
• Material risk-focused: the RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.
• Quantitative: the RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.
• Defines risks: the RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.
• Supported: the RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones running different operating system versions, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile delivery methods. The controls IT auditors have become familiar with over time are largely based on a Waterfall methodology, with discrete design, build, test and release phases and sign-offs between them. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a way that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions considering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication: making sure the user is who they say they are. When using any type of mobile payment application (Apple Pay and LoopPay are just two examples), the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, in which the issuer is contacted to verify the cardholder's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent transaction monitoring and alerting based on all of the data they hold about an account's past behaviour. Using geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against the customer's past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
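The session-timeout and geo-location checks described above, as an added example (Python) that is not part of the Protiviti report: a risk-based decision routine for a card-provisioning request that challenges a stale session, refuses an impossible-travel request measured against the customer's last transaction, and forces an unrecognised device through a second factor. The customer record, the request fields, the New York/London/Boston coordinates and the policy thresholds (5-minute idle limit, 900 km/h impossible-travel speed, 50 km jitter floor) are all assumptions constructed for the example, not figures from the report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Set, Tuple

# Policy thresholds: assumptions for this example, not figures from the report.
REAUTH_IDLE_LIMIT = timedelta(minutes=5)   # idle time after which the session must re-authenticate
MAX_PLAUSIBLE_SPEED_KMH = 900.0            # faster than an airliner: treat as impossible travel
MIN_TRAVEL_DISTANCE_KM = 50.0              # ignore GPS jitter inside a metro area


@dataclass
class Transaction:
    when: datetime
    lat: float
    lon: float


@dataclass
class Customer:
    known_devices: Set[str]        # device IDs previously enrolled by this customer
    history: List[Transaction]     # recent transactions, oldest first


@dataclass
class ProvisionRequest:
    device_id: str
    when: datetime
    lat: float
    lon: float
    last_auth_at: datetime         # last password/biometric login in this session
    mfa_passed: bool = False       # True once a second factor has been verified for this request


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi, d_lambda = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def session_needs_reauth(req: ProvisionRequest) -> bool:
    """Fixed idle limit answering 'how long may a user stay logged in?'"""
    return req.when - req.last_auth_at > REAUTH_IDLE_LIMIT


def decide(customer: Customer, req: ProvisionRequest) -> Tuple[str, str]:
    """Return ("approve" | "step_up" | "deny", reason) for a provisioning request.

    Order matters: stale session first, then impossible travel against the last
    known transaction, then an unrecognised device is sent through a second factor.
    """
    if session_needs_reauth(req) and not req.mfa_passed:
        return "step_up", "session idle past re-authentication limit"

    if customer.history:
        last = customer.history[-1]
        distance = haversine_km(last.lat, last.lon, req.lat, req.lon)
        hours = (req.when - last.when).total_seconds() / 3600.0
        speed = distance / hours if hours > 0 else float("inf")
        if distance > MIN_TRAVEL_DISTANCE_KM and speed > MAX_PLAUSIBLE_SPEED_KMH:
            return "deny", f"impossible travel: {distance:.0f} km in {hours:.1f} h since last transaction"

    if req.device_id not in customer.known_devices and not req.mfa_passed:
        nearest = min((haversine_km(t.lat, t.lon, req.lat, req.lon) for t in customer.history),
                      default=float("inf"))
        return "step_up", f"unrecognised device {nearest:.0f} km from nearest recent transaction"

    return "approve", "known device or verified second factor; travel plausible"


def sample_customer() -> Customer:
    """Constructed sample: a New York customer with one enrolled phone."""
    base = datetime(2016, 3, 1, 9, 0)
    return Customer(
        known_devices={"phone-A"},
        history=[Transaction(base - timedelta(days=2), 40.7128, -74.0060),   # lower Manhattan
                 Transaction(base, 40.7306, -73.9352)],                       # Queens
    )


def sample_requests() -> dict:
    """Constructed requests exercising each branch of decide()."""
    base = datetime(2016, 3, 1, 9, 0)
    return {
        # enrolled phone, logged in 2 minutes ago, still in New York
        "known_device_nyc": ProvisionRequest("phone-A", base + timedelta(minutes=30), 40.7580, -73.9855,
                                             last_auth_at=base + timedelta(minutes=28)),
        # enrolled phone, but 30 minutes idle since login
        "stale_session": ProvisionRequest("phone-A", base + timedelta(minutes=30), 40.7580, -73.9855,
                                          last_auth_at=base),
        # new phone in London one hour after a Queens transaction
        "new_device_london_1h": ProvisionRequest("phone-B", base + timedelta(hours=1), 51.5074, -0.1278,
                                                 last_auth_at=base + timedelta(hours=1)),
        # new phone in Boston two days later: plausible travel, no second factor yet
        "new_device_boston_2d": ProvisionRequest("phone-B", base + timedelta(days=2), 42.3601, -71.0589,
                                                 last_auth_at=base + timedelta(days=2)),
    }


if __name__ == "__main__":
    customer = sample_customer()
    for name, req in sample_requests().items():
        print(f"{name:22s} -> {decide(customer, req)}")
```

The ordering of checks is the design point: re-authentication is demanded before any fraud scoring so that a hijacked idle session never reaches the provisioning step, and the impossible-travel test is a hard deny rather than a step-up because a second factor delivered to the same compromised channel would not help.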

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, which is still transitioning from magnetic-stripe cards to EMV (chip-and-PIN) cards: this poses a potential problem for retailers, because liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can affect the consumer experience. The services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, damaging its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers increasingly contact their banks for technical support. Banks have to be prepared to train their customer service teams, or to put in place new servicing teams with more technical expertise.

With all of these new entrants into the payments space, financial institutions need robust vendor management policies and procedures. Increasingly, firms are outsourcing mobile payment functions to third parties, and are also using core banking platforms that are themselves managed by third parties. These functions or modules often do not integrate well. Auditors need to take a close look at the end-to-end customer experience on every path, to make sure it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Internal audit has made advances in connecting with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

By enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist their organisations' continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


About the Internal Audit Capabilities and Needs Survey

This year, the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge, and personal skills and capabilities. Respondents from US financial services companies were also asked to assess industry-specific skills.

The results based on information provided by all respondents (who numbered more than 1,300) are contained in the master report (available at www.protiviti.com/IASurvey). In addition to the overall findings, Protiviti collected and analysed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights into the unique issues within their domains.


Everyone, from individuals to large businesses, is at high risk of cybercrime: identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling cyber criminals on the front line.

Cyber risk is recognised around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology greatly increases the likelihood and potential severity of cyberattacks against financial services firms.


Cybersecurity and the Audit Process

"An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed."
– Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti's IT Consulting practice.

James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

A flurry of high-profile breaches at banks, credit card and payment providers, and large retailers has embedded the message that every firm will be the target of a cyberattack at some point. The only unknowns are when an attack will happen and whether the firm is prepared to respond, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework[3] as well as the Internet of Things. Understandably, survey respondents are also eager to improve their capabilities in auditing IT security.

Most companies have moved beyond asking whether they will be attacked; the question is when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised, and that it has a robust response plan in place."

One of the most important aspects of any firm's cybersecurity plan is identifying its key assets, the proverbial crown jewels.[4] "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here?, www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence", www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf


Having the right response plan in place is crucial to mitigating damage to the organisation and restoring the business quickly. Many companies have an incident response process in place, but many do not have the appropriate personnel, tools and stakeholders on board to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team; the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm develop its cybersecurity strategy and policy from the outset, and then ensuring the strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, and auditors need to ensure they have the knowledge required to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation, and therefore is not a requirement for firms. In many cases firms already have many of the controls the framework recommends, but the degree of alignment varies between organisations. Firms that conduct business with the US government, or with regulators, are required to demonstrate that they are following the framework; others may have a policy in place but still need to develop its maturity level.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within, from their own employees, or from suppliers that may not have such sophisticated defences.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour they apply to their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to improve their third-party risk management programs and have a better understanding of the nature of vendor threats. It also showed that boards are seeking assurance from management that vendor risk is being assessed, managed and monitored appropriately, especially where it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improved understanding of vendor risk may be due to the release of new guidance and standards over the past few years, including the NIST Cybersecurity Framework and the 2013 update to ISO 27001.

The NIST framework is US-centric; global banks often prefer an internationally recognised framework. "Traditionally these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published in February 2014, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function, to benefit from their guidance and insight, are often more successful in understanding and implementing the framework.


Regulators Focus on Cybersecurity

In March 2015 the FFIEC published its findings from a joint assessment, conducted by the US banking agencies the year before, of cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors should consider when assessing their institutions' cybersecurity preparedness.[5] This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and regularly testing controls around critical systems; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015 the FFIEC issued a Cybersecurity Assessment Tool for institutions to use in evaluating their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6]

"The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether its cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a 'baseline' level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool."

The assessment tool incorporates concepts and principles from the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and a cybersecurity maturity assessment.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of its technologies and connections, delivery channels, products and services, organisational characteristics and external threats, notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by peers, to ensure it is prepared to handle these types of emerging risks.

Under the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing them, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the technical depth needed to examine the different aspects of cybersecurity and the need to examine the practices of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and the relevant regulatory guidelines in order to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.
2. Cybersecurity Risk: Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.
4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk, and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.
5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.
6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.
7. NIST Cybersecurity Framework: Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go down to the control level and therefore may require additional evaluation against ISO 27001 and 27002.
8. Preventative Capabilities: Recognise that the strongest preventative cybersecurity capabilities require a combination of human and technological security: a complementary blend of education, awareness, vigilance and technology tools.
9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority; a clear escalation protocol can help make the case for (and sustain) this priority.
10. Staffing Shortages: Address any IT audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."
– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protivitirsquos 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge And for good reason The internal audit function is tasked with ensuring that banks have a complete model risk management practice which includes governance processes policies adherence to policies and documentation

Technical Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4


Although internal audit generally is well equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.⁷ This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)⁸ and Dodd-Frank Act Stress Test (DFAST)⁹ results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise, involving large changes in values and the identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking, which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

⁷ For more comprehensive analysis of these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation", "Model Governance and Effective Risk Management" and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

⁸ www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

⁹ www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


¹⁰ For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validations) in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g. quantitative) expertise and talent.¹⁰

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged to have the quantitative expertise needed to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.¹¹ As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls¹² or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholders during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of a complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team, as well as sufficient staffing levels, to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

¹¹ SR 11-7, Supervisory Guidance on Model Risk Management.

¹² Mitigating controls may include the following: (a) restriction of use; (b) limited scope validation


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticised asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes, as required, to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR and that all risks are modelled appropriately.


Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.¹³ The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to make testing more robust, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators and meet the heightened expectations of regulators.

¹³ Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being extended to new areas within the enterprise, since the survey showed that firms currently monitor only areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data, and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first-, second- and third-line accountabilities.

• Agile Risk Management enables successful anticipation of, and response to, a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

when the leadershIp team takes audIt fIndIngs serIously and ImmedIately puts pressure on the lIne of busIness where the Issues were IdentIfIed to resolve the problem It tells you a lot about the rIsk culture of that fIrm

ndash Michael Brauneis Managing Director

Risk culture remains a key concern for internal auditors Although the subject is not specifically flagged in the 2016 survey results it was singled out as an area for auditors to improve their technical knowledge in last yearrsquos results The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis but it remains an enigma for many financial institutions Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture On July 8 2015 the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks which includes the importance of a sound risk culture to drive risk management within a bank14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture In April 2014 the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture as well as core practices and dynamics that may be indicators of the effectiveness of an enterprisersquos risk culture15

The FSBrsquos view is that the soundness of an institutionrsquos risk culture is based on the extent to which it governs its riskreward decision-making process successfully executes its agreed upon strategy within its defined risk appetite on a day-to-day basis and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised The FSB recognises that risk culture has to be embedded in the overall corporate culture which will evolve over time

[14] www.bis.org/bcbs/publ/d328.pdf

[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees that are beacons of good culture. That is a backward-looking behaviour modification more so than incentivising proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole, rather than for themselves or only their business lines.”

[16] Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: risk culture keystone diagram. Labels: Performance Management, Culture, Risk Management, Business Strategy, Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture, but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm’s risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”[17]

[17] Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

[18] Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed by the board and senior management alone and simply pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers; they need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework:

Effective Risk Appetite Statement

Informed – The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative – The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals – The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking – The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused – The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative – The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks – The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported – The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change and the introduction of new third parties, as well as the myriad risks presented by such brand-new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers, which are offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the customer’s identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based on all of the data they have related to the account’s past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be used to match customers’ past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, which continues to transition from magnetic stripe cards to EMV or chip-and-PIN enabled cards: this poses a potential problem for retailers, because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up-to-date with the latest technology, which will be adopted by their organisations, and that their firms are considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firms’ liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yvesdavilaprotivitiglobalcompe
AUSTRALIA: Gary Anderson, +61399481200, garyandersonprotiviticomau
BAHRAIN: Arvind Benani, +97317100050, arvindbenaniprotivitiglobalme
BRAZIL: Raul Silva, +551121984200, raulsilvaprotivitiglobalcombr
CANADA: David Dawson, +16472884886, daviddawsonprotiviticom
CHILE: Soraya Boada, +56225738580, sorayaboadaprotivitiglobalcl
CHINA (HONG KONG): Albert Lee, +85222380499, albertleeprotiviticom
CHINA (MAINLAND): Chris Low, +862151536900, chrislowprotiviticom
FRANCE: Bernard Drui, +33142962277, druiprotivitifr
GERMANY: Michael Klinger, +4969963768155, michaelklingerprotivitide
INDIA: Sanjeev Agarwal, +911246618600, sanjeevagarwal1protivitiglobalin
ITALY: Alberto Carnevale, +390265506301, albertocarnevaleprotivitiit
JAPAN: Hyo Kambayashi, +81352196600, hyokambayashiprotivitijp
KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwaitprotivitiglobalme
MEXICO: Roberto Abad, +525553429100, robertoabadprotivitiglobalcommx
NETHERLANDS: Anneke Wieling, +31203460400, annekewielingprotivitinl
OMAN: Shatha Al Maskiry, +968 24699402, shathamaskiryprotivitiglobalme
PERU: Marco Loayza, +5112081070, marcoloayzaprotivitiglobalcompe
QATAR: Andrew North, +97444215300, andrewnorthprotivitiglobalme
SAUDI ARABIA: Saad Al Sabti, +966112930021, saadalsabtiprotivitiglobalme
SINGAPORE: Sidney Lim, +6562206066, sidneylimprotiviticom
SOUTH AFRICA: Fana Manana, +27112310600, fanamsngzacom
UNITED ARAB EMIRATES: Arindam De, +97144380660, arindamdeprotivitiglobalme
UNITED KINGDOM: Peter Richardson, +442079308808, peterrichardsonprotiviticouk
UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, corygundersonprotiviticom
VENEZUELA: Gamal Perez, +582124184646, gamalperezprotivitiglobalcomve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA: Buenos Aires
BRAZIL: Rio de Janeiro, São Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE: Santiago
MEXICO: Mexico City
PERU: Lima
VENEZUELA: Caracas

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore

EUROPE, MIDDLE EAST, AFRICA

FRANCE: Paris
GERMANY: Frankfurt, Munich
ITALY: Milan, Rome, Turin
THE NETHERLANDS: Amsterdam
UNITED KINGDOM: London
BAHRAIN: Manama
KUWAIT: Kuwait City
OMAN: Muscat
SOUTH AFRICA: Johannesburg
QATAR: Doha
SAUDI ARABIA: Riyadh
UNITED ARAB EMIRATES: Abu Dhabi, Dubai


Everyone from individuals to large businesses is at high risk of cybercrime – identity theft, account takeover, account cloning, fraudulent payments and/or transfers; the list goes on. But it is financial institutions that are battling against cyber criminals on the frontline.

Cyber risk is recognised around the world as the foremost risk for most financial services firms, which, for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks' growth strategies shifting to digital models. Such a high degree of dependence on digital technology exponentially increases the risk and the potential severity of cyberattacks for financial services firms.

General Technical Knowledge (top 10 areas)

Rank ("need to improve")   Competency (5-pt scale)   Area evaluated by respondents
1                          2.2                       Agile risk and compliance
2                          2.7                       Internet of Things
3 (tie)                    2.3                       NIST Cybersecurity Framework
3 (tie)                    2.7                       GTAG 16 – Data Analysis Technologies
5 (tie)                    2.1                       ISO 14000 (environmental management)
5 (tie)                    2.7                       ISO 27000 (information security)
7                          2.3                       Mobile applications
8 (tie)                    2.2                       International Financial Reporting Standards (IFRS)
8 (tie)                    2.9                       Country-specific enterprise risk management framework
10 (tie)                   2.6                       Assurance around outsourced service providers
10 (tie)                   3.3                       2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"

Cybersecurity and the Audit Process

"An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed."

– Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti's IT Consulting practice.

James Armetta is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.


Audit Process Knowledge (top 10 areas)

Rank ("need to improve")   Competency (5-pt scale)   Area evaluated by respondents
1                          3.5                       Data analysis tools – statistical analysis
2                          3.0                       Auditing IT – program development
3                          3.1                       Auditing IT – security
4 (tie)                    3.2                       Auditing IT – continuity
4 (tie)                    3.2                       Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)
6 (tie)                    3.2                       Operational auditing – effectiveness, efficiency and economy of operations approach
6 (tie)                    3.2                       Fraud – fraud detection/investigation
6 (tie)                    2.2                       Assessing risk – emerging issues
9                          3.5                       Audit planning – process, location, transaction level
10                         2.4                       Operational auditing – risk-based approach

A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknown is when an attack will happen, and whether the firm is prepared for the counterattack, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework³ as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities with auditing IT security.

Most companies are beyond thinking that it is a matter of if they are attacked; it's when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised and that it has a robust response plan in place."

One of the most important aspects to any firm's cybersecurity plan is identifying its key assets – the proverbial crown jewels.⁴ "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

3 See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here?, www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

4 See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence," www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf


Having the right response plan in place is crucial to be able to mitigate the damage to the organisation and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team – the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST, but the degree of compliance varies between organisations. Firms that conduct business with the US government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within, from their own employees, or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric – global banks often prefer an internationally recognised framework. "Traditionally, these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.


Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness.⁵ This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.⁶

"The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether the cybersecurity preparedness is aligned with its risk," says Slemp. "However, it is worth noting that the maturity levels start at a 'baseline' level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool."

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank's technologies and connections, delivery channels, products and services, organisational characteristics, and external threats – notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

5 www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

6 Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up-to-date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002.

8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

Rank ("need to improve")   Competency (5-pt scale)   Area evaluated by respondents
1 (tie)                    2.9                       Basel guidance on internal audit
1 (tie)                    2.2                       Basel III
3                          2.7                       Model risk management
4                          2.2                       Volcker Rule
5                          3.2                       Dynamic risk assessment
6                          2.7                       Interest rate/market risk
7                          2.7                       CFPB examination readiness
8 (tie)                    3.0                       Federal Reserve Guidance on Internal Audit (SR 13-1)
8 (tie)                    3.4                       Vendor management
10 (tie)                   2.7                       Regulatory Compliance – Holding Company (Reg W)
10 (tie)                   2.8                       UDAAP
10 (tie)                   3.4                       Reliance on 1st and 2nd line monitoring


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.⁷ This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will still monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management." At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)⁸ and Dodd-Frank Act Stress Test (DFAST)⁹ results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management." Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

7 For more comprehensive analysis on these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation," "Model Governance and Effective Risk Management," and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

8 www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

9 www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


10 For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validations) in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g. quantitative) expertise and talent.¹⁰

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged with having quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.¹¹ As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, and bank management and the board of directors, to manage model risk and apply mitigating controls¹² or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholders during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of a complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

11 SR 11-7, Supervisory Guidance on Model Risk Management.

12 Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

Rank ("need to improve")   Competency (5-pt scale)   Area evaluated by respondents
1                          2.2                       Current Expected Credit Loss (CECL)
2                          2.4                       Stress testing (CCAR/DFAST)
3                          2.4                       Derivatives and securities
4                          2.4                       Derivatives and hedging
5                          2.7                       Mergers and acquisitions due diligence
6 (tie)                    2.3                       Wholesale products
6 (tie)                    2.2                       International regulation
6 (tie)                    2.4                       Capital markets planning
9 (tie)                    2.6                       Other Than Temporary Impairment (OTTI)
9 (tie)                    2.4                       Criticised asset management

Financial services industry internal auditors responding to Protivitirsquos 2016 Internal Audit Capabilities and Needs Survey in a section specific to financial institutions ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process, governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit review of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR and that all risks are modelled appropriately.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks.

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation.

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit.

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.13 The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to achieve more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring; they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree to be able to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since at the moment, the survey showed, firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring; they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

Growth and innovation have been forced to take a back seat given risk and compliance challenges

Large bank fines have topped $100B over the past five years

Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices

Inherent risk continues to rise given the underlying business complexity and increased pace of change

[Figure: Unsustainable Costs – Significant Fines ($100B), Inherent Risk, Growth and Innovation, Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management at the centre, surrounded by Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks, while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.15

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf
15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on, so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees that are beacons of good culture. That is a backward-looking behaviour modification more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole, rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: Risk Culture as the keystone – Performance Management, Culture, Risk Management, Business Strategy, Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown, to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management are crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.



"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

[18] Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and then pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The following summarises the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. The graphic groups them under eight characteristics of an effective risk appetite statement:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change and the introduction of new third parties, as well as the myriad risks presented by such brand-new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Agile risk and compliance | 2.2 |
| 2 | Internet of Things | 2.7 |
| 3 (tie) | NIST Cybersecurity Framework | 2.3 |
| 3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7 |
| 5 (tie) | ISO 14000 (environmental management) | 2.1 |
| 5 (tie) | ISO 27000 (information security) | 2.7 |
| 7 | Mobile applications | 2.3 |
| 8 (tie) | International Financial Reporting Standards (IFRS) | 2.2 |
| 8 (tie) | Country-specific enterprise risk management framework | 2.9 |
| 10 (tie) | Assurance around outsourced service providers | 2.6 |
| 10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3 |

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer is contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold on the account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
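As an added example (not code from the report or from Protiviti), the following implements the two monitoring signals the paragraph describes: a geo-location check that compares each transaction against the previous one for the same account, flagging an implied travel speed no aircraft could achieve, and a behavioural check that compares the amount against the account's own spending history. The thresholds, coordinates and account records are constructed for illustration; a production system would tune them per portfolio and combine them with the other data the bank holds.

```python
"""Rule-based fraud signals for mobile transactions (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime      # UTC timestamp of the transaction
    amount: float     # in the account's currency
    lat: float        # device geo-location reported by the mobile app
    lon: float


# Thresholds are assumptions chosen for this example, not published limits.
MAX_PLAUSIBLE_KMH = 900.0    # faster than this between two transactions is "impossible travel"
AMOUNT_Z_THRESHOLD = 3.0     # amount more than 3 standard deviations above the account's mean
MIN_HISTORY_FOR_STATS = 5    # too little history makes mean/stdev meaningless, so skip the check


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(previous: Txn, current: Txn) -> bool:
    """True when the implied speed between two consecutive transactions is implausible."""
    hours = (current.ts - previous.ts).total_seconds() / 3600.0
    distance = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    if hours <= 0:
        # Same instant (or out-of-order timestamps) from two different places is itself suspicious.
        return distance > 0
    return distance / hours > MAX_PLAUSIBLE_KMH


def amount_anomaly(history: list[Txn], current: Txn) -> bool:
    """True when the amount is far outside the account's historical spending pattern."""
    if len(history) < MIN_HISTORY_FOR_STATS:
        return False
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        return current.amount > mu
    return (current.amount - mu) / sigma > AMOUNT_Z_THRESHOLD


def score_transaction(history: list[Txn], current: Txn) -> list[str]:
    """Return the alert reasons for `current`, given the account's prior transactions (oldest first)."""
    reasons = []
    if history and impossible_travel(history[-1], current):
        reasons.append("impossible_travel")
    if amount_anomaly(history, current):
        reasons.append("amount_anomaly")
    return reasons


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed history: small purchases around Chicago over several days.
HISTORY = [
    Txn("acct-1", utc("2016-05-01T09:00:00"), 12.50, 41.88, -87.63),
    Txn("acct-1", utc("2016-05-01T13:10:00"), 8.75, 41.89, -87.62),
    Txn("acct-1", utc("2016-05-02T08:45:00"), 15.00, 41.87, -87.64),
    Txn("acct-1", utc("2016-05-02T18:30:00"), 22.10, 41.88, -87.63),
    Txn("acct-1", utc("2016-05-03T12:05:00"), 9.99, 41.89, -87.63),
    Txn("acct-1", utc("2016-05-03T19:40:00"), 14.20, 41.88, -87.62),
]
# Constructed: a large purchase 40 minutes later from a device reporting a London location.
SUSPECT = Txn("acct-1", utc("2016-05-03T20:20:00"), 1850.00, 51.51, -0.13)
# Constructed: an ordinary purchase the next morning back in Chicago.
NORMAL = Txn("acct-1", utc("2016-05-04T08:30:00"), 11.40, 41.88, -87.63)

if __name__ == "__main__":
    print(score_transaction(HISTORY, SUSPECT))   # ['impossible_travel', 'amount_anomaly']
    print(score_transaction(HISTORY, NORMAL))    # []
```

Both checks deliberately return False rather than guessing when the data is too thin (no prior transaction, or fewer than five in the baseline), which is the behaviour an auditor should look for: a monitoring rule that cannot be evaluated should not silently pass as "clean".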

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV or chip-and-PIN enabled cards, which pose a potential problem for retailers because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank's reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknowns are when an attack will happen and whether the firm is prepared to respond, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti's 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework[3] as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities in auditing IT security.

Most companies have moved beyond asking whether they will be attacked; the question is when. "The executive management and boards of most organisations recognise that it is probable, and perhaps inevitable, that they will be compromised," says Cal Slemp, a Managing Director with Protiviti and a leader with the firm's Security and Privacy practice. "This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organisations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organisational governance needs to be established for these frameworks to be effective when organisations adopt them. This approach will ensure it is integrated into the culture of the organisation. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable, but it needs to know when the firm has been compromised and that it has a robust response plan in place."

One of the most important aspects of any firm's cybersecurity plan is identifying its key assets – the proverbial crown jewels.[4] "An organisation can have all of the audit controls, checks and balances in place, but if it doesn't know what it is trying to protect, its cybersecurity program is ultimately flawed," says Slemp. "Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively."

[3] See Protiviti's Flash Report, Cybersecurity Framework: Where Do We Go From Here?: www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf

[4] See Protiviti's Board Perspectives: Risk Oversight, Volume 1, Issue 66, "Managing Cyber Threats with Confidence": www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf


Having the right response plan in place is crucial to be able to mitigate the damage to the organisation and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

"If a company is breached, it is not exclusively the responsibility of IT security to respond and recover," says Slemp. "Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team – the list goes on."

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST, but the degree of compliance varies between organisations. Firms that conduct business with the US government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within, from their own employees, or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour with which they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric – global banks often prefer an internationally recognised framework. "Traditionally, these banks have used ISO 27001," says Slemp. "They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it."

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.


Regulators Focus on CybersecurityThe FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutionsrsquo cybersecurity preparedness5 This includes high-level guidance for firms to take appropriate risk mitigation steps including conducting ongoing information security risk assessments performing security monitoring prevention and risk mitigation protecting against unauthorised access implementing and testing controls around critical systems regularly enhancing information security awareness and training programs and participating in industry information-sharing forums

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6]

“The FFIEC’s Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether its cybersecurity preparedness is aligned with its risk,” says Slemp. “However, it is worth noting that the maturity levels start at a ‘baseline’ level that ties back to the FFIEC’s IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners’ expectations are for security as they begin to assess organisations using the tool.”

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank’s technologies and connections, delivery channels, products and services, organisational characteristics and external threats, before the bank’s risk-mitigating controls are taken into account.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.
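As an added illustration (not part of the FFIEC tool or of the original report), the following Python models the two-part structure just described: five domains, five ordered maturity levels, and a target level per domain set from the inherent risk profile. The declarative statements, the answers and the target level are constructed; the scoring rule, that a level counts only when every statement at that level and at every lower level is met, is an assumption about how the tool is applied. The example reports which open statements keep a domain below baseline or below its target, which is the gap list an auditor would want to see.

```python
"""Added illustration of FFIEC Cybersecurity Assessment Tool-style maturity scoring.

Domain and level names are the ones the text lists. The declarative statements are
constructed stand-ins (not the FFIEC's own), the target level is assumed for the
constructed inherent risk profile, and the cumulative scoring rule is an assumption
about how the tool is applied.
"""
from dataclasses import dataclass

LEVELS = ["baseline", "evolving", "intermediate", "advanced", "innovative"]
DOMAINS = [
    "Cyber Risk Management and Oversight",
    "Threat Intelligence and Collaboration",
    "Cybersecurity Controls",
    "External Dependency Management",
    "Cyber Incident Management and Resilience",
]


@dataclass
class Statement:
    domain: str
    level: str
    text: str
    attained: bool


def domain_maturity(statements, domain):
    """Highest level at which every statement for this domain, and for all lower
    levels, is attained; None when even baseline is not fully met."""
    achieved = None
    for level in LEVELS:
        at_level = [s for s in statements if s.domain == domain and s.level == level]
        if not at_level or not all(s.attained for s in at_level):
            break
        achieved = level
    return achieved


def assess(statements, target):
    """Compare achieved maturity per domain with its target level and list the
    open statements at or below the target that stand in the way."""
    report = {}
    for domain in DOMAINS:
        achieved = domain_maturity(statements, domain)
        want = target[domain]
        achieved_idx = LEVELS.index(achieved) if achieved else -1
        gaps = [s.text for s in statements
                if s.domain == domain and not s.attained
                and LEVELS.index(s.level) <= LEVELS.index(want)]
        report[domain] = {
            "achieved": achieved,
            "target": want,
            "meets_target": achieved_idx >= LEVELS.index(want),
            "below_baseline": achieved is None,
            "gaps": gaps,
        }
    return report


# Constructed sample answers (index refers to DOMAINS); not FFIEC statements.
SAMPLE = [
    (0, "baseline", "Board approves the information security program annually", True),
    (0, "baseline", "Information security risk assessment performed at least annually", True),
    (0, "evolving", "Cyber risk appetite documented and reported to the board", True),
    (0, "intermediate", "Cyber risk metrics aggregated across business lines", False),
    (1, "baseline", "Threat information obtained from at least one external source", True),
    (1, "evolving", "Member of an industry information-sharing forum", True),
    (1, "intermediate", "Threat intelligence mapped to the institution's own assets", True),
    (1, "advanced", "Threat intelligence automatically feeds detection tooling", False),
    (2, "baseline", "Patch management process covers all critical systems", False),
    (2, "baseline", "Unauthorised access attempts are prevented and logged", True),
    (2, "evolving", "Controls around critical systems are tested regularly", True),
    (2, "intermediate", "Detection tuned to institution-specific threats", False),
    (3, "baseline", "Inventory of third-party connections maintained", True),
    (3, "evolving", "Vendor cyber risk rated and reviewed annually", False),
    (3, "intermediate", "Vendor incident-notification clauses tested", False),
    (4, "baseline", "Incident response plan documented and exercised", True),
    (4, "evolving", "Escalation protocol defines management notification thresholds", True),
    (4, "intermediate", "Resilience tested against a destructive cyber event", False),
]
STATEMENTS = [Statement(DOMAINS[d], lvl, text, ok) for d, lvl, text, ok in SAMPLE]
# Assumed target for the constructed inherent risk profile: intermediate in every domain.
TARGET = {d: "intermediate" for d in DOMAINS}

if __name__ == "__main__":
    for domain, r in assess(STATEMENTS, TARGET).items():
        flag = "BELOW BASELINE" if r["below_baseline"] else ("ok" if r["meets_target"] else "gap")
        print(f"{domain}: achieved={r['achieved']} target={r['target']} [{flag}]")
        for g in r["gaps"]:
            print(f"    open: {g}")
```

With the constructed answers, Cybersecurity Controls drops below baseline because a single baseline statement is open, even though its evolving statement is met; that is the point of the cumulative rule, and it is why the text warns that institutions should already be operating at baseline before examiners apply the tool.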

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC’s Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing them, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practices of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organisation become “very effective” in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board’s awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology: Develop, and keep current, an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organisation’s cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go down to the control level and therefore may require additional evaluation against ISO 27001 and 27002.

8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security: a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority; a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

“The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance processes, policies, adherence to policies and documentation.”

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti’s Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge, and for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

| “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 (tie) | Basel guidance on internal audit | 2.9 |
| 1 (tie) | Basel III | 2.2 |
| 3 | Model risk management | 2.7 |
| 4 | Volcker Rule | 2.2 |
| 5 | Dynamic risk assessment | 3.2 |
| 6 | Interest rate/market risk | 2.7 |
| 7 | CFPB examination readiness | 2.7 |
| 8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0 |
| 8 (tie) | Vendor management | 3.4 |
| 10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7 |
| 10 (tie) | UDAAP | 2.8 |
| 10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4 |


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably affects the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other requirements, these rules mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which requires various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, “Supervisory Guidance on Model Risk Management.” At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as pre-provision net revenue (PPNR). Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, “Supervisory Guidance on Model Risk Management.” Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis on these changes, Protiviti has published several articles, including “Reducing Risk Through Model Validation,” “Model Governance and Effective Risk Management” and “Building Confidence in ALLL Models – a Timely Practice” (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf

[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil’s article “Complying with the New Supervisory Guidance on Model Risk” in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model-building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel them represents a major challenge for midsize financial services institutions. “Many medium-size banks do not have the skills on board necessary to build or validate models,” Dil observes. “For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures.”

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfil new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g., quantitative) expertise and talent.[10]

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged to have the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve’s CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.[11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation’s stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls[12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that the process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank’s audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.

[12] Mitigating controls may include the following: (a) restriction of use; (b) limited-scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

| “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Current Expected Credit Loss (CECL) | 2.2 |
| 2 | Stress testing (CCAR/DFAST) | 2.4 |
| 3 | Derivatives and securities | 2.4 |
| 4 | Derivatives and hedging | 2.4 |
| 5 | Mergers and acquisitions due diligence | 2.7 |
| 6 (tie) | Wholesale products | 2.3 |
| 6 (tie) | International regulation | 2.2 |
| 6 (tie) | Capital markets planning | 2.4 |
| 9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6 |
| 9 (tie) | Criticised asset management | 2.4 |

Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard that is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements that must be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes, as required, to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including the long-term, and possibly quantifiable, economic and market scenarios applied to the lifetime model; the decision on the supportable forecast window; and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual-soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.

Dealing with Data Analysis Tools

“[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist.”

– Barbi Goldstein, Managing Director

Barbi Goldstein is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti’s Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit’s increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation

• A growing focus on data quality and data governance, driven by organisations’ growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

[13] Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf


Audit Process Knowledge (top 10 areas)

| “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Data Analysis Tools – Statistical Analysis | 3.5 |
| 2 | Auditing IT – program development | 3.0 |
| 3 | Auditing IT – security | 3.1 |
| 4 (tie) | Auditing IT – continuity | 3.2 |
| 4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2 |
| 6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2 |
| 6 (tie) | Fraud – fraud detection/investigation | 3.2 |
| 6 (tie) | Assessing risk – emerging issues | 2.2 |
| 9 | Audit planning – process, location, transaction level | 3.5 |
| 10 | Operational auditing – risk-based approach | 2.4 |

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions’ internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms’ internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree to be able to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since the survey showed that at the moment firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines’ key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan.”
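To make the risk-based approach Goldstein describes concrete, here is an added Python example (not from the original report or from the benchmarking study) that runs a simple anomaly check over constructed weekly KRI series for three hypothetical business lines and ranks them for audit attention. The KRI names, the values, the z-score test and the threshold of three standard deviations are all assumptions chosen for illustration; the zero-variance branch shows how a KRI that has never moved is handled when it suddenly does.

```python
"""Added illustration: KRI-based audit prioritisation over constructed data.

Each business line carries a few weekly key risk indicators; the last value in each
series is the current week. A KRI is flagged when its current value sits more than
THRESHOLD standard deviations above its own history. Business lines are then ranked by
how many KRIs breached and how far, the sort of evidence a risk-based audit plan weighs.
KRI names, values and the threshold are constructed assumptions.
"""
from statistics import mean, pstdev

THRESHOLD = 3.0  # assumed z-score above which a KRI counts as a breach

# Constructed weekly KRI histories (last element = current week). Not real data.
KRI_HISTORY = {
    "Retail Banking": {
        "failed_logins_per_1k_users": [12, 14, 11, 13, 12, 15, 13, 41],
        "privileged_access_exceptions": [2, 3, 2, 2, 3, 2, 3, 3],
        "overdue_high_findings": [1, 1, 0, 1, 1, 1, 0, 1],
    },
    "Capital Markets": {
        "failed_logins_per_1k_users": [20, 22, 19, 21, 20, 23, 21, 22],
        "privileged_access_exceptions": [4, 5, 4, 4, 5, 4, 5, 14],
        "overdue_high_findings": [3, 3, 4, 3, 3, 4, 3, 9],
    },
    "Wealth Management": {
        "failed_logins_per_1k_users": [8, 9, 8, 10, 9, 8, 9, 9],
        "privileged_access_exceptions": [1, 1, 1, 2, 1, 1, 1, 1],
        "overdue_high_findings": [0, 0, 1, 0, 0, 0, 0, 0],
    },
}


def kri_zscore(series):
    """z-score of the latest observation against the earlier ones.
    Zero-variance history: 0.0 when the value is unchanged, inf when it moved at all."""
    history, current = series[:-1], series[-1]
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if current == mu else float("inf")
    return (current - mu) / sd


def breached_kris(kris, threshold=THRESHOLD):
    """[(kri_name, z)] for KRIs whose current value breaches, highest z first."""
    hits = [(name, kri_zscore(series)) for name, series in kris.items()]
    return sorted([(n, z) for n, z in hits if z >= threshold], key=lambda t: -t[1])


def prioritise(history, threshold=THRESHOLD):
    """Rank business lines for audit attention: most breached KRIs first,
    then the largest single deviation."""
    ranked = []
    for line, kris in history.items():
        breaches = breached_kris(kris, threshold)
        ranked.append({
            "business_line": line,
            "breaches": breaches,
            "max_z": breaches[0][1] if breaches else 0.0,
        })
    ranked.sort(key=lambda r: (len(r["breaches"]), r["max_z"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritise(KRI_HISTORY):
        print(f"{r['business_line']}: {len(r['breaches'])} KRI breach(es)")
        for name, z in r["breaches"]:
            print(f"    {name}: z={z:.1f}")
```

On the constructed data, Capital Markets ranks first with two breached KRIs (a jump in privileged-access exceptions and in overdue high-severity findings) even though Retail Banking shows the single largest spike; that is a design choice, since several indicators moving together is usually a stronger signal of a control problem than one outlier, and it is the kind of judgement the audit plan should document.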

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and key risk indicators.


Adopting Agile Risk and Compliance

“Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation.”

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti’s Global Financial Services Industry practice.

Matthew Moore leads Protiviti’s Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

| “Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Agile risk and compliance | 2.2 |
| 2 | Internet of Things | 2.7 |
| 3 (tie) | NIST Cybersecurity Framework | 2.3 |
| 3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7 |
| 5 (tie) | ISO 14000 (environmental management) | 2.1 |
| 5 (tie) | ISO 27000 (information security) | 2.7 |
| 7 | Mobile applications | 2.3 |
| 8 (tie) | International Financial Reporting Standards (IFRS) | 2.2 |
| 8 (tie) | Country-specific enterprise risk management framework | 2.9 |
| 10 (tie) | Assurance around outsourced service providers | 2.6 |
| 10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3 |

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

“Many organisations are beginning to change their vision for risk management,” says Cory Gunderson, who leads Protiviti’s Global Financial Services Industry practice. “Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra, a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture.”

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: the four pressures above (unsustainable costs, significant fines of $100B, rising inherent risk, and constrained growth and innovation) shown bearing on risk and compliance.]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to the financial services industry results of Protiviti’s 2016 Internal Audit Capabilities and Needs Survey.


What Is Protiviti’s Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first-, second- and third-line accountabilities.

• Agile Risk Management enables successful anticipation of, and response to, a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can respond to changing business strategies as well as regulatory change without a separate change programme each time.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

“Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti’s Risk & Compliance practice. “This includes reinforcing the firm’s risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended.”

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today’s customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture


Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.[15]

The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

[14] www.bis.org/bcbs/publ/d328.pdf
[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more than it is incentivising proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

[16] Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: Performance Management; Culture; Risk Management; Business Strategy; Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture, but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm’s risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown, to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite


Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOBs) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”[17]

[17] Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

[18] Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf
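As an added example (not code from the Protiviti report, the FSB paper or any institution’s risk system), the Python script below shows the mechanics the two paragraphs above describe: business-unit KRI readings are checked against their own tolerance (early warning) and limit (breach), then rolled up to the enterprise metric they are linked to and checked against the group-level limit. The metric, the business units, the thresholds, the traffic-light convention and the escalation routing are all constructed assumptions for illustration.

```python
"""Added example: business-unit KRIs against tolerances and limits, rolled up to
the enterprise risk appetite metric (constructed data; all names and numbers
are illustrative assumptions, not any firm's real limits)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Limit:
    tolerance: float  # early-warning threshold: 'amber' at or above this
    limit: float      # risk limit: 'red' (breach) at or above this


@dataclass(frozen=True)
class KriReading:
    metric: str         # enterprise RAS metric this business-unit KRI is linked to
    business_unit: str
    value: float


def classify(value: float, lim: Limit) -> str:
    """Traffic-light status of one reading against its tolerance and limit."""
    if value >= lim.limit:
        return "red"
    if value >= lim.tolerance:
        return "amber"
    return "green"


def evaluate(readings: List[KriReading],
             bu_limits: Dict[Tuple[str, str], Limit],
             enterprise_limits: Dict[str, Limit]) -> Dict[str, dict]:
    """Status per (metric, business unit) plus the enterprise roll-up.

    Roll-up assumption: the enterprise value is the SUM of business-unit values,
    which is right for additive exposures (e.g. losses in $m) and wrong for
    ratios. A reading with no configured limit is an error, not silently green.
    """
    bu_status: Dict[Tuple[str, str], str] = {}
    totals: Dict[str, float] = {}
    for r in readings:
        key = (r.metric, r.business_unit)
        if key not in bu_limits:
            raise KeyError(f"no risk limit configured for {key}")
        bu_status[key] = classify(r.value, bu_limits[key])
        totals[r.metric] = totals.get(r.metric, 0.0) + r.value
    enterprise = {
        m: {"value": v, "status": classify(v, enterprise_limits[m])}
        for m, v in totals.items()
    }
    return {"business_units": bu_status, "enterprise": enterprise}


def escalations(result: Dict[str, dict]) -> List[str]:
    """Assumed escalation convention: amber -> unit risk committee, red -> board risk committee."""
    out: List[str] = []
    for (metric, bu), st in result["business_units"].items():
        if st == "amber":
            out.append(f"{bu}/{metric}: amber -> {bu} risk committee")
        elif st == "red":
            out.append(f"{bu}/{metric}: red -> board risk committee")
    for metric, info in result["enterprise"].items():
        if info["status"] == "red":
            out.append(f"enterprise/{metric}: red -> board risk committee")
    return out


# Constructed configuration: quarterly operational losses in $m, per business unit.
METRIC = "op_loss_musd_qtr"
BU_LIMITS = {
    (METRIC, "Retail"):   Limit(tolerance=8.0, limit=10.0),
    (METRIC, "Mortgage"): Limit(tolerance=8.0, limit=10.0),
    (METRIC, "Cards"):    Limit(tolerance=8.0, limit=10.0),
}
ENTERPRISE_LIMITS = {METRIC: Limit(tolerance=20.0, limit=25.0)}
# Constructed readings: every unit is inside its own limit, yet the enterprise
# total (27) breaches the group limit (25) because the three unit limits sum to 30.
SAMPLE_READINGS = [
    KriReading(METRIC, "Retail", 9.0),
    KriReading(METRIC, "Mortgage", 9.0),
    KriReading(METRIC, "Cards", 9.0),
]

if __name__ == "__main__":
    res = evaluate(SAMPLE_READINGS, BU_LIMITS, ENTERPRISE_LIMITS)
    print(res["business_units"])
    print(res["enterprise"])
    for line in escalations(res):
        print(line)
```

The constructed readings make the point an auditor would test for: unit-level limits that each look reasonable can sum to more than the enterprise limit, so the roll-up, not the individual unit checks, is what links business-line limits back to the enterprisewide RAS.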


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to stay within its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The key areas internal audit needs to consider when auditing risk appetite are summarised below (reconstructed from the graphic in the original report).

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework. An effective RAS is:

• Informed: the RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• Qualitative: the RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• Linked to Corporate Goals: the RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• Forward-Looking: the RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• Material Risk-Focused: the RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• Quantitative: the RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• Defines Risks: the RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• Supported: the RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications


Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds, “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a manner that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account ProvisioningThe main risk of mobile applications for firms is around user authentication ndash making sure the user is who they say they are When using any type of mobile payment application ndash Apple Pay and LoopPay are just two examples ndash the customer is required to provision their credit or debit card account onto their device Banks have experienced relatively high levels of fraud related to Apple Pay specifically related to the organisation of its account provisioning system where the issuer has been contacted to verify their identity and card information

ldquoThis is where all of the fraud was occurringrdquo says Jason Goldberg Director at Protiviti ldquoFraudsters are incredibly sophisticated In cases where financial institutions were using personal data to verify an account prior to provisioning the fraudsters were socially engineering that information Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud Auditors need to ask questions such as What is the appropriate amount of time to allow users to remain logged in without re-authentication What levels of authentication should be required Is there a need for multi-factor authentication of a devicerdquo

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to the account's past behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN, enabled cards. These pose a potential problem for retailers, because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank's reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

THE AMERICAS

United States: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
Argentina: Buenos Aires
Brazil: Rio de Janeiro, São Paulo
Canada: Kitchener-Waterloo, Toronto
Chile: Santiago
Mexico: Mexico City
Peru: Lima
Venezuela: Caracas

ASIA-PACIFIC

Australia: Brisbane, Canberra, Melbourne, Sydney
China: Beijing, Hong Kong, Shanghai, Shenzhen
India: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
Japan: Osaka, Tokyo
Singapore: Singapore

EUROPE, MIDDLE EAST, AFRICA

France: Paris
Germany: Frankfurt, Munich
Italy: Milan, Rome, Turin
The Netherlands: Amsterdam
United Kingdom: London
Bahrain: Manama
Kuwait: Kuwait City
Oman: Muscat
Qatar: Doha
Saudi Arabia: Riyadh
South Africa: Johannesburg
United Arab Emirates: Abu Dhabi, Dubai

Protiviti Member Firm


Having the right response plan in place is crucial to be able to mitigate the damage to the organisation and restore the business quickly. Many companies may have an incident response process in place, but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

“If a company is breached, it is not exclusively the responsibility of IT security to respond and recover,” says Slemp. “Many stakeholders of the organisation need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved, as well as the crisis management team – the list goes on.”

Internal audit has a key role to play in ensuring the organisation has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organisation. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases firms already have many of the controls recommended by NIST, but the degree of compliance varies between organisations. Firms that conduct business with the US government or with regulators are required to demonstrate that they are following the framework, and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks, but all too often the threat comes from within, from their own employees, or from their suppliers, which may not have such sophisticated defence systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigour they evaluate their own internal risks. Protiviti's 2015 Vendor Risk Management Benchmark Study showed that organisations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework as well as the 2013 update to ISO 27001.

The NIST framework is US-centric – global banks often prefer an internationally recognised framework. “Traditionally these banks have used ISO 27001,” says Slemp. “They are not abandoning that standard, but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it.”

The NIST framework was first published three years ago, so it is not a new development, and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.


Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions' cybersecurity preparedness.[5] This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6]

“The FFIEC's Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether the cybersecurity preparedness is aligned with its risk,” says Slemp. “However, it is worth noting that the maturity levels start at a ‘baseline’ level that ties back to the FFIEC's IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk the bar is higher, so it will be interesting to see what the examiners' expectations are for security as they begin to assess organisations using the tool.”

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank's technologies and connections, delivery channels, products and services, organisational characteristics, and external threats – notwithstanding the bank's risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank's appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC's Heightened Standards, internal audit functions are expected not only to evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also to opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organisation become “very effective” in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002.

8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

“The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.”

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 (tie) | Basel guidance on internal audit | 2.9 |
| 1 (tie) | Basel III | 2.2 |
| 3 | Model risk management | 2.7 |
| 4 | Volcker Rule | 2.2 |
| 5 | Dynamic risk assessment | 3.2 |
| 6 | Interest rate/market risk | 2.7 |
| 7 | CFPB examination readiness | 2.7 |
| 8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0 |
| 8 (tie) | Vendor management | 3.4 |
| 10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7 |
| 10 (tie) | UDAAP | 2.8 |
| 10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4 |


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, “Supervisory Guidance on Model Risk Management”. At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, “Supervisory Guidance on Model Risk Management”. Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis on these changes, Protiviti has published several articles, including “Reducing Risk Through Model Validation”, “Model Governance and Effective Risk Management” and “Building Confidence in ALLL Models – a Timely Practice” (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article “Complying with the New Supervisory Guidance on Model Risk” in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validations) in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. “Many medium-size banks do not have the skills on board necessary to build or validate models,” Dil observes. “For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures.”

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g., quantitative) expertise and talent.[10]

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged with having the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12)

• Assessing each model validation for consistency with those rules

• Assessing model development, implementation and use, and

• Assessing compliance with CCAR and DFAST regulations

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.[11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls[12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholders during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of a complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management

[12] Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Current Expected Credit Loss (CECL) | 2.2 |
| 2 | Stress testing (CCAR/DFAST) | 2.4 |
| 3 | Derivatives and securities | 2.4 |
| 4 | Derivatives and hedging | 2.4 |
| 5 | Mergers and acquisitions due diligence | 2.7 |
| 6 (tie) | Wholesale products | 2.3 |
| 6 (tie) | International regulation | 2.2 |
| 6 (tie) | Capital markets planning | 2.4 |
| 9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6 |
| 9 (tie) | Criticised asset management | 2.4 |

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.

Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks.

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation.

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit.

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to achieve more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

[13] Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree to be able to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since at the moment the survey showed that firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.

Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.

As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure labels: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.

What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management at the centre, surrounded by Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.

Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees, and the risk and regulatory environment.

Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

[14] www.bis.org/bcbs/publ/d328.pdf

[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees that are beacons of good culture. That is a backward-looking behaviour modification more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise in all locations is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

[16] Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf

Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: Culture as the keystone between Performance Management and Risk Management, and between Business Strategy and Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).

Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Mathew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."

Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management are crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."[17]

[17] Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for An Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed by the board and senior management to be pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers; they need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework:

- The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.
- The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.
- The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.
- The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.
- The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.
- The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.
- The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.
- The RAS is supported by appropriate controls and stress tests.

[Graphic: “Effective Risk Appetite Statement” at the centre, surrounded by the labels Informed, Qualitative, Linked to Corporate Goals, Defines Risks, Supported, Material Risk-Focused, Quantitative and Forward-Looking]


Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, and the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers which are offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change and the fact that there are so many variables in the environment as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer is contacted to verify the cardholder’s identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based on all of the data they have related to the account’s past behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be used to match against customers’ past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV (chip-and-PIN) enabled cards, which pose a potential problem for retailers: the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank’s reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firm’s liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Regulators Focus on Cybersecurity

The FFIEC published its findings in March 2015 from a joint assessment conducted by US banking agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions’ cybersecurity preparedness.5 This includes high-level guidance for firms to take appropriate risk mitigation steps, including conducting ongoing information security risk assessments; performing security monitoring, prevention and risk mitigation; protecting against unauthorised access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.6

“The FFIEC’s Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organisation and whether the cybersecurity preparedness is aligned with its risk,” says Slemp. “However, it is worth noting that the maturity levels start at a ‘baseline’ level that ties back to the FFIEC’s IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners’ expectations are for security as they begin to assess organisations using the tool.”

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements and concepts from well-known industry standards such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume and complexity of the bank’s technologies and connections, delivery channels, products and services, organisational characteristics and external threats – notwithstanding the bank’s risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight; threat intelligence and collaboration; cybersecurity controls; external dependency management; and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC’s Heightened Standards, internal audit functions are expected to not only evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity and the need to examine the practice of both the first and second lines of defence, the bar has definitely been raised for financial services internal audit shops.

5 www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf

6 Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.
2. Cybersecurity Risk: Seek to have the organisation become “very effective” in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.
3. Cybersecurity Breach: Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.
4. Board of Directors: Leverage board relationships to (a) heighten the board’s awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.
5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan based on the risk it represents to your organisation.
6. Emerging Technology: Develop and keep current an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.
7. NIST Cybersecurity Framework: Evaluate the organisation’s cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework does not go to the control level and therefore may require additional evaluations against ISO 27001 and 27002.
8. Preventative Capabilities: Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.
9. Clear Escalation Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.
10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

“The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.”

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti’s Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.7 This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)8 and Dodd-Frank Act Stress Test (DFAST)9 results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

7 For a more comprehensive analysis of these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation", "Model Governance and Effective Risk Management" and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

8 www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

9 www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


10 For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges that financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel them represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfil new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g., quantitative) expertise and talent.10

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged to have the quantitative expertise needed to assess whether models meet regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.11 As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls12 or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that the process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

11 SR 11-7, Supervisory Guidance on Model Risk Management.

12 Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticised asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements, to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes, as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable under the current loss reserve accounting rule, including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.


Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.13 The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since the survey showed that at present firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools in order to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.

As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: diagram with the labels Unsustainable Costs, Significant Fines ($100B), Inherent Risk, Growth and Innovation, and Risk and Compliance.]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy, a diagram with the labels Risk Management, Aligned Organisation, Operational Excellence and Customer Satisfaction.]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.15

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013 only 37 percent of respondents noted that they evaluated risk culture while only 28 percent said that they believed risk culture is fully integrated into their respective organisations16

ldquoThrough internal employee surveys some firms are trying to analyse today how their risk culture is being embedded in the organisation to see how well their employees understand the risk culturerdquo says Protiviti Managing Director James McDonald ldquoThe fact that firms need to do so shows it is a challenge The CEO can state that the company is going to do the right things and live within its risk appetite but that message needs to be continually reinforced Firms need to empower employees and provide them with examples of what good behaviour looks like such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issuerdquo

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification rather than an incentive for proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated, escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, which is an additional challenge for firms trying to keep their risk culture messaging consistent.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programmes “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: keystone diagram. Labels: Business Strategy and Risk Appetite at the sides; Performance Management and Risk Management beneath; Culture as the keystone.]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture, but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or that sit in “past due” status are often indicators of a firm’s risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully, or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further and evaluate the origin of the breakdown, considering whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed up cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top and become a practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm with the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed solely by the board and senior management and then pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework.

Effective Risk Appetite Statement – attributes shown in the graphic:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer; there are dozens of variations of smartphones with varying operating systems; and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a way that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the design of its account provisioning process, in which the card issuer is contacted to verify the customer’s identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold about the account’s past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against the customer’s past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
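The monitoring and re-authentication questions raised above, as an added illustration that is not part of the Protiviti report: a mobile transaction is scored against the customer's past transaction locations (distance from any known location, and the travel speed implied since the last transaction), the age of the session and the amount, and the result is one of allow, step-up authentication or block-and-alert. All thresholds, the sample history and the coordinates are constructed assumptions, not values from the report or any bank.

```python
"""Score a mobile transaction against the customer's own history.

Constructed example. Thresholds below are assumptions chosen for
illustration; a real programme would tune them from its own fraud data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
USUAL_RADIUS_KM = 50.0            # assumption: within this of a past location is "usual"
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: faster than an airliner is impossible travel
SESSION_MAX_AGE = timedelta(minutes=15)  # assumption: re-authenticate beyond this
STEP_UP_AMOUNT = 500.0            # assumption: amounts at or above this need a second factor


@dataclass(frozen=True)
class Txn:
    when: datetime
    lat: float
    lon: float
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Txn, txn: Txn) -> float:
    """Speed the customer would have needed to travel between two transactions."""
    dist = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
    hours = (txn.when - prev.when).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def assess(txn: Txn, history: List[Txn], last_auth: datetime,
           mfa_done: bool = False) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'block'."""
    reasons: List[str] = []
    if not history:
        # A freshly provisioned account has no baseline, so it cannot be trusted yet.
        reasons.append("no transaction history for this account")
    else:
        nearest = min(haversine_km(txn.lat, txn.lon, h.lat, h.lon) for h in history)
        if nearest > USUAL_RADIUS_KM:
            reasons.append(f"{nearest:.0f} km from any past transaction location")
        last = max(history, key=lambda h: h.when)
        speed = implied_speed_kmh(last, txn)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append(f"implied travel speed {speed:.0f} km/h since last transaction")
            return "block", reasons   # impossible travel: decline and raise an alert
    if txn.when - last_auth > SESSION_MAX_AGE:
        reasons.append("session older than the re-authentication window")
    if txn.amount >= STEP_UP_AMOUNT:
        reasons.append("amount at or above the step-up threshold")
    if reasons and not mfa_done:
        return "step_up", reasons     # ask for a second factor before approving
    return "allow", reasons


# Constructed sample history: three small purchases in Manhattan over two days.
T0 = datetime(2016, 5, 2, 9, 0)
SAMPLE_HISTORY = [
    Txn(T0, 40.7128, -74.0060, 12.50),
    Txn(T0 + timedelta(hours=30), 40.7484, -73.9857, 38.00),
    Txn(T0 + timedelta(hours=48), 40.7128, -74.0060, 21.75),
]


def run_demo() -> Dict[str, str]:
    """Three constructed cases; returns the decision for each."""
    last = SAMPLE_HISTORY[-1].when
    cases = {
        # Same city, half an hour later, small amount, recently authenticated.
        "usual": Txn(last + timedelta(minutes=30), 40.7306, -73.9352, 40.00),
        # Same city, large amount: second factor required.
        "large_amount": Txn(last + timedelta(minutes=30), 40.7306, -73.9352, 800.00),
        # London two hours after a New York purchase: impossible travel.
        "impossible_travel": Txn(last + timedelta(hours=2), 51.5074, -0.1278, 60.00),
    }
    return {name: assess(t, SAMPLE_HISTORY, last_auth=t.when - timedelta(minutes=5))[0]
            for name, t in cases.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```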

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, which continues to transition from magnetic stripe cards to EMV, or chip-and-PIN, enabled cards. These pose a potential problem for retailers, because liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, damaging the bank’s reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by their organisations, and that their firms are considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm’s liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Locations (Protiviti offices and Protiviti Member Firms)

THE AMERICAS

United States: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

Argentina: Buenos Aires

Brazil: Rio de Janeiro, São Paulo

Canada: Kitchener-Waterloo, Toronto

Chile: Santiago

Mexico: Mexico City

Peru: Lima

Venezuela: Caracas

ASIA-PACIFIC

Australia: Brisbane, Canberra, Melbourne, Sydney

China: Beijing, Hong Kong, Shanghai, Shenzhen

India: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

Japan: Osaka, Tokyo

Singapore: Singapore

EUROPE / MIDDLE EAST / AFRICA

France: Paris

Germany: Frankfurt, Munich

Italy: Milan, Rome, Turin

The Netherlands: Amsterdam

United Kingdom: London

Bahrain: Manama

Kuwait: Kuwait City

Oman: Muscat

Qatar: Doha

Saudi Arabia: Riyadh

South Africa: Johannesburg

United Arab Emirates: Abu Dhabi, Dubai


Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy – Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk – Seek to have the organisation become "very effective" in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach – Recognise the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors – Leverage board relationships to (a) heighten the board's awareness and knowledge of cybersecurity risk and (b) ensure that the board remains highly engaged with cybersecurity matters and is up to date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan – Ensure cybersecurity risk is formally integrated into the audit universe and audit plan, based on the risk it represents to your organisation.

6. Emerging Technology – Develop, and keep current, an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework – Evaluate the organisation's cybersecurity program against the NIST Cybersecurity Framework, while recognising that the framework describes outcomes rather than controls (its subcategories point to informative references such as ISO/IEC 27001) and therefore may require additional evaluation against ISO 27001 and 27002 to reach the control level.

8. Preventative Capabilities – Recognise that, with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security: a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalation Protocol – Make cybersecurity monitoring and cyber-incident response a top management priority; a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages – Address any IT audit staffing and resource shortages, which represent a top technology challenge in many organisations and can hamper efforts to address cybersecurity issues.


Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Area Evaluated by Respondents | Competency (5-pt scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4


Although internal audit generally is well equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably affects the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which requires various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenue (PPNR). Some large banks are also required to conduct a Global Market Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking that calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis of these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation", "Model Governance and Effective Risk Management" and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model-building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a non-voting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel them represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfil new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g., quantitative) expertise and talent.[10]

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.

[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.


Internal audit teams are challenged to have the quantitative expertise needed to assess whether the models meet regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.[11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls[12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that the process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team, as well as sufficient staffing levels, to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.

[12] Mitigating controls may include the following: (a) restriction of use; (b) limited-scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Area Evaluated by Respondents | Competency (5-pt scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticised asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard that is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements, to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit will need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design audit tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable under the current loss reserve accounting rule, including the long-term, and possibly quantifiable, economic and market scenarios applied to the lifetime model; the choice of the supportable forecast window; and the support for the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process, governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.

5. Conduct regular model governance audits and ensure audit tests of CCAR and audit conceptual-soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit review of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR and that all risks are modelled appropriately.


Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second, quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators and meet the heightened expectations of regulators.

[13] "Changing Trends in Internal Audit and Advanced Analytics" is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Area Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise; at the moment, the survey showed, firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Area Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. Increased regulatory expectations, an ever-changing risk landscape and rising inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.

As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra, a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to the financial services industry results of Protiviti's 2016 Internal Audit Capabilities and Needs Survey.

What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first-, second- and third-line accountabilities.

• Agile Risk Management enables successful anticipation of, and response to, a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls that drive consistent customer experiences and ensure the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can respond automatically to changing business strategies as well as to regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business with the risk and compliance functions, firms benefit in a number of ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture


Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.¹⁴ The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.¹⁵

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.¹⁶

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour (taking compensation from people who misbehave or break limits) rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more than it is incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms in maintaining consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component of how a financial institution conveys acceptable risk-taking behaviour and reinforces its operating and risk culture. They state that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure labels: Performance Management, Culture, Risk Management, Business Strategy, Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite


Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."¹⁷

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank   Areas Evaluated by Respondents                                                                      Competency (5-pt scale)
1                        Data analysis tools – statistical analysis                                                          3.5
2                        Auditing IT – program development                                                                   3.0
3                        Auditing IT – security                                                                              3.1
4 (tie)                  Auditing IT – continuity                                                                            3.2
4 (tie)                  Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)  3.2
6 (tie)                  Operational auditing – effectiveness, efficiency and economy of operations approach                 3.2
6 (tie)                  Fraud – fraud detection/investigation                                                               3.2
6 (tie)                  Assessing risk – emerging issues                                                                    2.2
9                        Audit planning – process, location, transaction level                                               3.5
10                       Operational auditing – risk-based approach                                                          2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to define their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,¹⁸ the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that in a stressed environment the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework. An effective risk appetite statement is:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications


Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank   Areas Evaluated by Respondents                                                                      Competency (5-pt scale)
1                        Agile risk and compliance                                                                           2.2
2                        Internet of Things                                                                                  2.7
3 (tie)                  NIST Cybersecurity Framework                                                                        2.3
3 (tie)                  GTAG 16 – Data Analysis Technologies                                                                2.7
5 (tie)                  ISO 14000 (environmental management)                                                                2.1
5 (tie)                  ISO 27000 (information security)                                                                    2.7
7                        Mobile applications                                                                                 2.3
8 (tie)                  International Financial Reporting Standards (IFRS)                                                  2.2
8 (tie)                  Country-specific enterprise risk management framework                                               2.9
10 (tie)                 Assurance around outsourced service providers                                                       2.6
10 (tie)                 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"  3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication: making sure the user is who they say they are. When using any type of mobile payment application (Apple Pay and LoopPay are just two examples), the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in its account provisioning flow, in which the card issuer is contacted to verify the cardholder's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold on the account's past behaviour. Using geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against the customer's past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
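As an added example (not code from the report, nor from Apple, LoopPay or any other vendor named in it), the following Python sketch shows how such past-behaviour monitoring can be written as rules an auditor can read and test. Each mobile payment is checked against the device the card was provisioned onto and how recently that happened, the travel speed implied since the previous transaction, the distance from any location in the account's history, the account's usual spend, and the age of the login session, and the result is a decision to allow, require step-up authentication, or block. All thresholds, field names and the sample Chicago transaction history are assumptions chosen for illustration.

```python
"""Behaviour-based transaction alerting for a mobile payment account.

Added example (not code from the Protiviti report). Thresholds, field names and
the sample history are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean

# Tunable thresholds (assumptions for this example, not figures from the report).
MAX_SPEED_KMH = 900.0                     # faster than an airliner: two places, two people
FAR_FROM_HISTORY_KM = 500.0               # no prior transaction within this radius
NEW_DEVICE_WINDOW = timedelta(hours=24)   # freshly provisioned card = highest-risk window
REAUTH_AFTER = timedelta(minutes=10)      # how long a login stays valid without re-auth
AMOUNT_MULTIPLIER = 3.0                   # flag spend above 3x the account's usual ticket


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float
    lat: float
    lon: float
    device_id: str


@dataclass
class Account:
    history: list        # prior Txn objects, oldest first
    devices: dict        # device_id -> when the card was provisioned onto it
    last_auth: datetime  # last successful customer authentication


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(account, txn):
    """Score one transaction against the account's past behaviour.

    Returns (decision, reasons); decision is 'allow', 'step_up' (require
    re-authentication / a second factor) or 'block'.
    """
    reasons = []

    # 1. Device: the card must have been provisioned onto this device, and a card
    #    added in the last 24 h is exactly the window provisioning fraud exploits.
    provisioned = account.devices.get(txn.device_id)
    if provisioned is None:
        reasons.append("unknown_device")
    elif txn.ts - provisioned < NEW_DEVICE_WINDOW:
        reasons.append("recently_provisioned")

    if account.history:
        # 2. Velocity: could the same person have travelled from the last transaction?
        last = account.history[-1]
        hours = (txn.ts - last.ts).total_seconds() / 3600.0
        dist = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
        if dist > 0 and (hours <= 0 or dist / hours > MAX_SPEED_KMH):
            reasons.append("impossible_travel")

        # 3. Geo-location against the whole history, not just the last transaction.
        nearest = min(haversine_km(h.lat, h.lon, txn.lat, txn.lon) for h in account.history)
        if nearest > FAR_FROM_HISTORY_KM:
            reasons.append("far_from_history")

        # 4. Amount against the account's usual ticket size.
        if txn.amount > AMOUNT_MULTIPLIER * mean(h.amount for h in account.history):
            reasons.append("amount_anomaly")

    # 5. Session age: "how long may a user stay logged in without re-authenticating?"
    if txn.ts - account.last_auth > REAUTH_AFTER:
        reasons.append("reauth_required")

    if "unknown_device" in reasons or "impossible_travel" in reasons:
        return "block", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


def sample_account():
    """Constructed history: ten small purchases around downtown Chicago on one phone."""
    base = datetime(2016, 3, 1, 9, 0)
    hist = [Txn(base + timedelta(days=d), 25.0 + d, 41.880 + d * 0.001, -87.630, "ios-a1")
            for d in range(10)]
    return Account(history=hist,
                   devices={"ios-a1": base - timedelta(days=30)},
                   last_auth=hist[-1].ts)


def demo():
    """Run four constructed scenarios; returns {name: (decision, reasons)}."""
    acct = sample_account()
    t0 = acct.history[-1].ts
    acct.devices["ios-b2"] = t0 - timedelta(minutes=30)   # card added to a second phone 30 min ago
    cases = {
        "usual_purchase": Txn(t0 + timedelta(minutes=5), 30.0, 41.885, -87.630, "ios-a1"),
        "london_two_hours_later": Txn(t0 + timedelta(hours=2), 40.0, 51.5074, -0.1278, "ios-a1"),
        "unprovisioned_device": Txn(t0 + timedelta(minutes=5), 30.0, 41.885, -87.630, "android-z9"),
        "new_device_large_amount": Txn(t0 + timedelta(minutes=5), 400.0, 41.885, -87.630, "ios-b2"),
    }
    return {name: assess(acct, txn) for name, txn in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:24} -> {decision:7} {reasons}")
```

Running the file prints the decision for the four constructed scenarios. The case worth an auditor's attention is the second phone provisioned 30 minutes earlier: a control that trusts any device the card is on would approve the large purchase, whereas the rule set above treats the fresh provisioning as a reason to step up authentication, which is the window the provisioning fraud described above relies on.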

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction which came into force in October 2015 There is an added complication in the United States as it continues to transition from magnetic strip cards to EMV or chip-and-pin enabled cards that pose a potential problem for retailers because the liability during a LoopPay transition shifts to them since the technology bypasses the need for the customer to enter their pin number

As well as the fraud liability issues these payment services are relatively new technology with glitches that can impact the consumer experience These services are also not clearly understood by consumers or retailers who often blame the bank when payments fail impacting their reputation

Additionally when the technology fails or there are issues with account provisioning customers are increasingly contacting their banks for technical support Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often do not integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology being adopted by its organisation and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and by advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Internal audit has made advances in connecting with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the talent shortage, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

By enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring that internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Improving Model Risk Management

"The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation."

– Shaheen Dil, PhD, Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey ranked model risk management (MRM) as a major area where they need to improve their technical knowledge, and for good reason: the internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies and documentation.

Technical Knowledge – US Financial Services Industry (top 10 areas)

Rank ("Need to Improve")   Area evaluated by respondents                          Competency (5-pt scale)
1 (tie)                    Basel guidance on internal audit                       2.9
1 (tie)                    Basel III                                              2.2
3                          Model risk management                                  2.7
4                          Volcker Rule                                           2.2
5                          Dynamic risk assessment                                3.2
6                          Interest rate/market risk                              2.7
7                          CFPB examination readiness                             2.7
8 (tie)                    Federal Reserve Guidance on Internal Audit (SR 13-1)   3.0
8 (tie)                    Vendor management                                      3.4
10 (tie)                   Regulatory Compliance – Holding Company (Reg W)        2.7
10 (tie)                   UDAAP                                                  2.8
10 (tie)                   Reliance on 1st and 2nd line monitoring                3.4


Although internal audit generally is well equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions. [7] This inevitably affects the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other things, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which requires various additional models within institutions. These issues will continue to monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management." At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR) [8] and Dodd-Frank Act Stress Test (DFAST) [9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and of organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items projected include credit losses as well as Pre-Provision Net Revenue (PPNR). Some large banks are also required to conduct a Global Market Shock exercise involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking that calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management." Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis of these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation," "Model Governance and Effective Risk Management" and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf


[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model-building (or model validation) efforts in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel them represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfil new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g., quantitative) expertise and talent. [10]

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged to have the quantitative expertise to assess whether models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

Banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management. [11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls [12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the exercise do not allow the validation team to validate the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that the process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team, as well as sufficient staffing levels, to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.

[12] Mitigating controls may include the following: (a) restriction of use; (b) limited-scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

Rank ("Need to Improve")   Area evaluated by respondents                 Competency (5-pt scale)
1                          Current Expected Credit Loss (CECL)           2.2
2                          Stress testing (CCAR/DFAST)                   2.4
3                          Derivatives and securities                    2.4
4                          Derivatives and hedging                       2.4
5                          Mergers and acquisitions due diligence        2.7
6 (tie)                    Wholesale products                            2.3
6 (tie)                    International regulation                      2.2
6 (tie)                    Capital markets planning                      2.4
9 (tie)                    Other Than Temporary Impairment (OTTI)        2.6
9 (tie)                    Criticised asset management                   2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard that is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements, each of which must be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit will need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Internal audit would therefore need to verify that the supporting systems have the updated filters and codes required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the expected lifetime for each type of asset. Internal audit should also design tests to determine whether the lifetime estimation methodology conforms to the requirements and is correctly applied to the loss reserve models.

Internal audit will also need to review several further areas that are not applicable under the current loss reserve accounting rule, including the long-term (and possibly quantified) economic and market scenarios applied to the lifetime model, the choice of the supportable forecast window, and the support for the assumed lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, and MRM should be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models support (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.

5. Conduct regular model governance audits and ensure that audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR and that all risks are modelled appropriately.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit; and

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions. [13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics: chiefly to achieve more robust testing, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

[13] Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

Rank ("Need to Improve")   Area evaluated by respondents                                                                          Competency (5-pt scale)
1                          Data Analysis Tools – Statistical Analysis                                                             3.5
2                          Auditing IT – program development                                                                      3.0
3                          Auditing IT – security                                                                                 3.1
4 (tie)                    Auditing IT – continuity                                                                               3.2
4 (tie)                    Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)    3.2
6 (tie)                    Operational auditing – effectiveness, efficiency and economy of operations approach                   3.2
6 (tie)                    Fraud – fraud detection/investigation                                                                  3.2
6 (tie)                    Assessing risk – emerging issues                                                                       2.2
9                          Audit planning – process, location, transaction level                                                  3.5
10                         Operational auditing – risk-based approach                                                             2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or a similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing some degree of continuous monitoring in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since the survey showed that at the moment firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools in order to improve efficiency and capabilities by adding more advanced techniques such as continuous monitoring and the tracking of key risk indicators.


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

Rank ("Need to Improve")   Area evaluated by respondents                                                                              Competency (5-pt scale)
1                          Agile risk and compliance                                                                                  2.2
2                          Internet of Things                                                                                         2.7
3 (tie)                    NIST Cybersecurity Framework                                                                               2.3
3 (tie)                    GTAG 16 – Data Analysis Technologies                                                                       2.7
5 (tie)                    ISO 14000 (environmental management)                                                                       2.1
5 (tie)                    ISO 27000 (information security)                                                                           2.7
7                          Mobile applications                                                                                        2.3
8 (tie)                    International Financial Reporting Standards (IFRS)                                                         2.2
8 (tie)                    Country-specific enterprise risk management framework                                                      2.9
10 (tie)                   Assurance around outsourced service providers                                                              2.6
10 (tie)                   2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"         3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations since the financial crisis. Increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and to prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

ldquoMany organisations are beginning to change their vision for risk managementrdquo says Cory Gunderson who leads Protivitirsquos Global Financial Services Industry practice ldquoRisk is moving away from being a control checker and referee to an enabler of business performance driving a single approach for risk management and is fully taking responsibility for improving the risk culture of the organisation Leading practices in risk management suggest creating a mantra ndash a simple and repeatable slogan that can be repeated in frameworks policies and corporate messaging to help frame culturerdquo

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: Unsustainable Costs – Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti’s 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti’s Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

“Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti’s Risk & Compliance practice. “This includes reinforcing the firm’s risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended.”

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today’s customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.[15]

The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

[14] www.bis.org/bcbs/publ/d328.pdf

[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more so than incentivizing proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated, escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

[16] Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: Culture as the keystone between Business Strategy and Risk Appetite, and between Performance Management and Risk Management]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture, but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm’s risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”[17]

[17] Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
-----------------------|--------------------------------|------------------------
1       | Data analysis tools – statistical analysis | 3.5
2       | Auditing IT – program development | 3.0
3       | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9       | Audit planning – process, location, transaction level | 3.5
10      | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

[18] Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed by the board and senior management simply to be pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture, with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework.

[Figure: Effective Risk Appetite Statement – eight attributes]

• Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).



“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smart phones with varying operating systems, and there has also been an influx of new third-party service providers, which are offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “Embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method to ensure it is delivered in a manner that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.

Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify their identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to the account's past behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be used to match customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States, as it continues to transition from magnetic stripe cards to EMV or chip-and-PIN enabled cards, which pose a potential problem for retailers: the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.

Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firms' liabilities, policies and procedures in relation to account provisioning on mobile devices.

In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit in connecting more with the lines of business and management, as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Although internal audit generally is well equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for US institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.[7] This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates various additional models within institutions. These issues will still monopolise the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)[8] and Dodd-Frank Act Stress Test (DFAST)[9] results.

The Federal Reserve evaluates the stress testing and capital planning processes of US banking organisations with assets greater than $10 billion through DFAST, and organisations with assets of $50 billion or more through CCAR. Note that many organisations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and a qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12, "Supervisory Guidance on Model Risk Management". Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

[7] For more comprehensive analysis of these changes, Protiviti has published several articles, including "Reducing Risk Through Model Validation", "Model Governance and Effective Risk Management" and "Building Confidence in ALLL Models – a Timely Practice" (available at www.protiviti.com).

[8] www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf

[9] www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution.

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validations) in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee, or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g. quantitative) expertise and talent.[10]

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.

[10] For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Internal audit teams are challenged with having the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);
• Assessing each model validation for consistency with those rules;
• Assessing model development, implementation and use; and
• Assessing compliance with CCAR and DFAST regulations.

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.[11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, and bank management and the board of directors, to manage model risk and apply mitigating controls[12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholders during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.

[12] Mitigating controls may include the following: (a) restriction of use; (b) limited scope validation

Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticised asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable under the current loss reserve accounting rule, including the long-term, and possibly quantifiable, economic and market scenarios applied to the lifetime model, the decision on the supportable forecast window, and the support for the lifetime of different types of assets.

Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.
2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.
3. Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation).
4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.
5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.
6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.
7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.
8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.

Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;
• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;
• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit;
• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to achieve more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

[13] "Changing Trends in Internal Audit and Advanced Analytics" is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree, to be able to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since at the moment, the survey showed, firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data, and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.

Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.
• Large bank fines have topped $100B over the past five years.
• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.
• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure labels: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks, while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

[Figure: Performance Management; Culture; Risk Management; Business Strategy; Risk Appetite]

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series) (www.protiviti.com/cro-series)

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown, to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."[17]

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf
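The two audit-tracking indicators the risk culture section points to (the share of issues first identified by the business process owner, and open issues in past-due status) expressed as KRIs with the tolerance and threshold bands the RAF describes. This is an added example rather than the report's own material; the issue export, the band values and the green/amber/red rule are constructed assumptions.

```python
"""Added example, not from the Protiviti report: two audit-tracking indicators
(issues first identified by the business, and open issues past their due date)
treated as KRIs with tolerance and threshold bands. The issue export, the
band values and the green/amber/red rule are constructed assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed issue-tracker export (hypothetical). "source" is who first raised
# the issue; "closed" is None while remediation is still open.
ISSUES = [
    {"id": "I-1", "source": "business",       "due": "2016-03-01", "closed": "2016-02-20"},
    {"id": "I-2", "source": "internal_audit", "due": "2016-04-15", "closed": None},
    {"id": "I-3", "source": "regulator",      "due": "2016-09-30", "closed": None},
    {"id": "I-4", "source": "business",       "due": "2016-05-01", "closed": "2016-05-10"},
    {"id": "I-5", "source": "business",       "due": "2016-02-01", "closed": None},
    {"id": "I-6", "source": "internal_audit", "due": "2016-12-31", "closed": None},
    {"id": "I-7", "source": "other",          "due": "2016-06-01", "closed": None},
    {"id": "I-8", "source": "regulator",      "due": "2016-07-31", "closed": None},
]


def _day(value: str | None) -> date | None:
    """Parse an ISO date from the export; None stays None."""
    return date.fromisoformat(value) if value else None


def self_identified_rate(issues: list[dict]) -> float:
    """Percentage of issues first identified by a business process owner rather
    than by internal audit, a regulator or another independent source."""
    if not issues:
        return 0.0
    owned = sum(1 for i in issues if i["source"] == "business")
    return 100.0 * owned / len(issues)


def open_as_of(issues: list[dict], as_of: str) -> list[dict]:
    """Issues still open on the reporting date (closed later, or never)."""
    cutoff = _day(as_of)
    return [i for i in issues
            if _day(i["closed"]) is None or _day(i["closed"]) > cutoff]


def past_due_rate(issues: list[dict], as_of: str) -> float:
    """Percentage of issues open on the reporting date whose due date has passed.
    Returns 0.0 when nothing is open, so an empty book never divides by zero."""
    still_open = open_as_of(issues, as_of)
    if not still_open:
        return 0.0
    cutoff = _day(as_of)
    overdue = sum(1 for i in still_open if _day(i["due"]) < cutoff)
    return 100.0 * overdue / len(still_open)


@dataclass(frozen=True)
class Kri:
    name: str
    value: float
    tolerance: float       # inner band: still within appetite
    threshold: float       # outer limit: beyond it is a breach to escalate
    higher_is_worse: bool  # past-due rate rises with risk; self-identification falls

    def status(self) -> str:
        """green within tolerance, amber between tolerance and threshold,
        red beyond the threshold; the comparison direction follows the metric."""
        if self.higher_is_worse:
            if self.value <= self.tolerance:
                return "green"
            return "amber" if self.value <= self.threshold else "red"
        if self.value >= self.tolerance:
            return "green"
        return "amber" if self.value >= self.threshold else "red"


def evaluate_kris(issues: list[dict], as_of: str) -> list[Kri]:
    """Compute both KRIs for the reporting date using constructed band values."""
    return [
        Kri("self_identified_pct", self_identified_rate(issues), 60.0, 30.0, False),
        Kri("past_due_pct", past_due_rate(issues, as_of), 10.0, 25.0, True),
    ]


if __name__ == "__main__":
    for kri in evaluate_kris(ISSUES, "2016-06-30"):
        print(f"{kri.name}: {kri.value:.1f}% -> {kri.status()}")
```

An issue closed after the reporting date still counts as open for that date, so re-running the same report for an earlier quarter gives the figure that quarter's committee would have seen.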


Risk appetite metrics cannot simply be developed by the board and senior management and then pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework:

• The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.
• The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.
• The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.
• The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.
• The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.
• The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.
• The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.
• The RAS is supported by appropriate controls and stress tests.

[Figure: Effective Risk Appetite Statement – Informed; Qualitative; Linked to Corporate Goals; Defines Risks; Supported; Material Risk-Focused; Quantitative; Forward-Looking]


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).



"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer; there are dozens of variations of smartphones running different operating systems and versions; and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile delivery methods. The controls IT auditors have become familiar with over time (stage gates and sign-offs between discrete phases) are largely built on a Waterfall lifecycle. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a way that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions considering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication: making sure the user is who they say they are. Any mobile payment application (Apple Pay and LoopPay are just two examples) requires the customer to provision their credit or debit card onto the device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in the way its account provisioning was organised: the issuer was contacted to verify the cardholder's identity and card information, and that manual verification step, rather than the payment technology itself, is where the fraud occurred.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold about the account's past behaviour. Geolocation data from the mobile application is one input: a provisioning request or transaction can be compared against where the customer's past transactions took place. Banks should work with their core banking platform provider or third parties to look at all of the data flowing through their networks.
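The provisioning and session questions above, worked through as an added example. This is not code from the report or from any issuer or wallet provider; the thresholds, field names and the London-based sample account are constructed assumptions. The point it makes is that a knowledge-based check on personal data never approves a provisioning request on its own: unusual signals (unknown device, request far from the account's transaction history) force an out-of-band step, repeated attempts are refused outright, and sensitive in-app actions demand fresh credentials even inside a live session.

```python
"""Risk-based wallet provisioning and session re-authentication (added example).

Not code from the report or any bank/wallet platform. Thresholds, field names
and the sample account history below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class ProvisioningRequest:
    account_id: str
    device_id: str
    lat: float
    lon: float
    ts: datetime
    kba_passed: bool          # knowledge-based check on personal data supplied by the user
    oob_passed: bool = False  # out-of-band check, e.g. one-time code to the phone on file


@dataclass
class AccountHistory:
    known_devices: set
    recent_txn_locations: list   # (lat, lon) pairs from recent card-present transactions
    provisioning_attempts: list  # timestamps of earlier provisioning attempts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Assumed policy thresholds (illustrative values, not from the report).
GEO_RADIUS_KM = 300.0
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 2  # earlier attempts inside the window before the request is refused


def risk_signals(req, hist):
    """Return the risk signals raised by a provisioning request, in a fixed order."""
    signals = []
    if req.device_id not in hist.known_devices:
        signals.append("new_device")
    if hist.recent_txn_locations:
        nearest = min(haversine_km(req.lat, req.lon, lat, lon)
                      for lat, lon in hist.recent_txn_locations)
        if nearest > GEO_RADIUS_KM:
            signals.append("geo_mismatch")
    recent = [t for t in hist.provisioning_attempts
              if timedelta(0) <= req.ts - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        signals.append("provisioning_velocity")
    return signals


def decide(req, hist):
    """Return (APPROVE | STEP_UP | DENY, signals) for a provisioning request."""
    signals = risk_signals(req, hist)
    if not req.kba_passed or "provisioning_velocity" in signals:
        return "DENY", signals
    if not signals or req.oob_passed:
        return "APPROVE", signals
    # Personal data can be socially engineered; when anything looks unusual,
    # insist on a channel the fraudster does not control before provisioning.
    return "STEP_UP", signals


# Session policy (assumed values).
IDLE_TIMEOUT = timedelta(minutes=15)
ABSOLUTE_TIMEOUT = timedelta(hours=12)
SENSITIVE_FRESHNESS = timedelta(minutes=5)
SENSITIVE_ACTIONS = {"add_card", "change_contact_details", "add_payee"}


def session_state(login_at, last_activity_at, last_auth_at, now, action):
    """OK, REAUTH (fresh credentials needed for this action) or EXPIRED."""
    if now - login_at > ABSOLUTE_TIMEOUT or now - last_activity_at > IDLE_TIMEOUT:
        return "EXPIRED"
    if action in SENSITIVE_ACTIONS and now - last_auth_at > SENSITIVE_FRESHNESS:
        return "REAUTH"
    return "OK"


# Constructed sample data: a UK account with one enrolled device and
# card-present history in London and Bristol.
NOW = datetime(2016, 5, 1, 10, 12)
HISTORY = AccountHistory(
    known_devices={"dev-A"},
    recent_txn_locations=[(51.5074, -0.1278), (51.4545, -2.5879)],
    provisioning_attempts=[],
)

if __name__ == "__main__":
    ok = ProvisioningRequest("acct-1", "dev-A", 51.51, -0.12, NOW, kba_passed=True)
    odd = ProvisioningRequest("acct-1", "dev-X", 6.5244, 3.3792, NOW, kba_passed=True)  # Lagos
    print(decide(ok, HISTORY))
    print(decide(odd, HISTORY))
    print(session_state(NOW - timedelta(minutes=12), NOW - timedelta(minutes=2),
                        NOW - timedelta(minutes=12), NOW, "add_card"))
```

Two design choices are deliberate. A velocity hit denies even when the out-of-band check passed, because a fraudster who has already taken over the phone number on file would pass that check too; the account goes to the fraud team instead. And the session rule separates "still logged in" from "recently proven to be the customer": viewing a balance on an idle-but-live session is fine, while adding a card or changing contact details a few minutes after login requires credentials again.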

There are additional liability challenges since October 2015, when the US EMV liability shift came into force: liability for counterfeit card fraud now rests with whichever party in the transaction, issuer or merchant, has not adopted chip technology, i.e. the weakest link. This is complicated by the fact that the United States is still transitioning from magnetic stripe cards to EMV chip cards. It poses a potential problem for retailers, because during a LoopPay transaction the liability shifts to them: the technology emulates a magnetic stripe swipe and bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. They are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, damaging its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers increasingly contact their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams with more technical expertise.

With all of these new entrants into the payments space, financial institutions need robust vendor management policies and procedures. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms managed by third parties. These functions or modules often do not integrate well. Auditors need to take a close look at the end-to-end customer experience on every path, to make sure it is controlled from module to module and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology adopted by its organisation and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Internal audit has made advances in connecting with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

By enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES

Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston,

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA

Buenos Aires

BRAZIL

Rio de Janeiro, São Paulo

CANADA

Kitchener-Waterloo, Toronto

ASIA-PACIFIC

AUSTRALIA

Brisbane, Canberra, Melbourne, Sydney

CHINA

Beijing, Hong Kong, Shanghai, Shenzhen

INDIA

Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

CHILE

Santiago

MEXICO

Mexico City

PERU

Lima

VENEZUELA

Caracas

EUROPE / MIDDLE EAST / AFRICA

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN

Manama

KUWAIT

Kuwait City

OMAN

Muscat

SOUTH AFRICA

Johannesburg

QATAR

Doha

SAUDI ARABIA

Riyadh

UNITED ARAB EMIRATES

Abu Dhabi Dubai



10 For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil's article "Complying with the New Supervisory Guidance on Model Risk" in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution

• Large institutions – The 20 or so largest US banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialised skills and completing large model building (or model validations) in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee or the equivalent, consisting of members of risk management, modellers and business owners. Internal audit frequently serves in a non-voting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel them represents a major challenge for midsize financial services institutions. "Many medium-size banks do not have the skills on board necessary to build or validate models," Dil observes. "For many midsize banks it has been a struggle to embed these skills and this capability into their cultures."

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfil new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with regardless of the size of their organisations. These include data quality and availability, maintaining independence between model developers and model validators, and access to specific technical (e.g. quantitative) expertise and talent.¹⁰

By addressing these challenges internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions which could help advance business strategies and achieve regulatory compliance


Internal audit teams are challenged to have the quantitative expertise to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12)

• Assessing each model validation for consistency with those rules

• Assessing model development, implementation and use, and

• Assessing compliance with CCAR and DFAST regulations

The banking organisations that are subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.¹¹ As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks have largely established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls¹² or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the exercise do not allow the validation team to validate the complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit as an independent oversight function will not participate in such a process it is essential that such a process is understood in relation to model risk management

Firms need to ensure they have sufficient skill sets in the internal audit team, as well as sufficient staffing levels, to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many are relying chiefly upon outside resources to assist the bank's audit team.

11 SR 11-7, Supervisory Guidance on Model Risk Management.

12 Mitigating controls may include the following: (a) restriction of use; (b) limited scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents          | Competency (5-pt scale)
1                      | Current Expected Credit Loss (CECL)     | 2.2
2                      | Stress testing (CCAR/DFAST)             | 2.4
3                      | Derivatives and securities              | 2.4
4                      | Derivatives and hedging                 | 2.4
5                      | Mergers and acquisitions due diligence  | 2.7
6 (tie)                | Wholesale products                      | 2.3
6 (tie)                | International regulation                | 2.2
6 (tie)                | Capital markets planning                | 2.4
9 (tie)                | Other Than Temporary Impairment (OTTI)  | 2.6
9 (tie)                | Criticised asset management             | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions Generating such estimates will entail more sophisticated models which in turn will require more historical data incorporating more types of information The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information Furthermore institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models Accommodating these changes will entail significant changes in data governance data sourcing and related areas

As institutions conform to the new accounting standard internal audit would need to update the audit program for the loss reserve process The updated audit program should assess the quality of the collected data the consistency of asset classification the information supporting management judgements the accuracy of reserve calculation and reporting the robustness of the loss reserve model and other areas

For example under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology Therefore internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models Under the proposed CECL methodology institutions would also need to determine the lifetime for each type of asset Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model the decision of the supportive forecast window and the support of the lifetime of different types of assets


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1 Ensure MRM is included within the audit universe

2 Review the overall MRM process governance design resources and adequacy to manage risk within the appetite and tolerances set by the board of directors

3 Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation)

4 Ensure the organisation has the resources and capabilities internally or externally necessary to both challenge the effectiveness of models and review a validation for adequacy

5 Conduct regular model governance audits and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed

6 Evaluate data integrity controls and testing and evaluate source data quality and data completeness

7 Conduct audit review of policies for board and senior management governance over CCAR as well as audit testing of board and management committee meetings for credible challenge

8 Review that all material risks are covered in stress testing and CCAR and that all risks are modelled appropriately


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis This interest in advanced analytics capabilities is being driven by several factors including

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function

Protiviti developed a second, quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.¹³ The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to achieve more robust testing, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents                                                                          | Competency (5-pt scale)
1                      | Data Analysis Tools – Statistical Analysis                                                              | 3.5
2                      | Auditing IT – program development                                                                       | 3.0
3                      | Auditing IT – security                                                                                  | 3.1
4 (tie)                | Auditing IT – continuity                                                                                | 3.2
4 (tie)                | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)      | 3.2
6 (tie)                | Operational auditing – effectiveness, efficiency and economy of operations approach                     | 3.2
6 (tie)                | Fraud – fraud detection/investigation                                                                   | 3.2
6 (tie)                | Assessing risk – emerging issues                                                                        | 2.2
9                      | Audit planning – process, location, transaction level                                                   | 3.5
10                     | Operational auditing – risk-based approach                                                              | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported a dedicated data analytics/information management group within the function, and these groups indicated that they needed immediate access to business data within their own data warehouse or a similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing some degree of continuous monitoring to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise; at the moment, the survey showed, firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs rather than just analysing data in support of individual audits

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques such as continuous monitoring and other indicators


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile flexible and nimble in order to respond more efficiently to the changing operating environment

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents                                                                    | Competency (5-pt scale)
1                      | Agile risk and compliance                                                                         | 2.2
2                      | Internet of Things                                                                                | 2.7
3 (tie)                | NIST Cybersecurity Framework                                                                      | 2.3
3 (tie)                | GTAG 16 – Data Analysis Technologies                                                              | 2.7
5 (tie)                | ISO 14000 (environmental management)                                                              | 2.1
5 (tie)                | ISO 27000 (information security)                                                                  | 2.7
7                      | Mobile applications                                                                               | 2.3
8 (tie)                | International Financial Reporting Standards (IFRS)                                                | 2.2
8 (tie)                | Country-specific enterprise risk management framework                                             | 2.9
10 (tie)               | Assurance around outsourced service providers                                                     | 2.6
10 (tie)               | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis The increased regulatory expectations the ever-changing risk landscape and rise of inherent risk represent a new and permanent operating paradigm for the industry To adapt firms are expending significant time money and resources to implement required changes and prioritise risk management and compliance


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Graphic: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Graphic: Protiviti Agile Risk Management Philosophy – Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.15

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees that are beacons of good culture. That is a backward-looking behaviour modification more so than incentivizing proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Graphic: Performance Management; Culture; Risk Management; Business Strategy; Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).
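The two indicators named above, the share of issues first raised by the business itself and the past-due status of remediation, can be computed directly from an issue log, which is the kind of data-analytics use the survey's respondents said they want to build. The script below is an added example, not code from the report or from Protiviti; the record layout, the field names and the six sample issues are constructed assumptions standing in for an export from an issue-tracking system.

```python
"""Risk-culture indicators derived from issue-tracking records.

Added example (not from the Protiviti report). The record layout, field names
and the sample issues below are constructed assumptions so the script runs
offline; substitute an export from your own issue-tracking system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed label for issues raised by the business process owner itself.
SELF_IDENTIFIED = "business_process_owner"


@dataclass(frozen=True)
class Issue:
    issue_id: str
    identified_by: str        # who first raised it (assumed vocabulary, see sample data)
    opened: date
    due: date                 # agreed remediation date
    closed: Optional[date]    # None while remediation is still open


# Constructed sample data: a small issue log as an auditor might export it.
SAMPLE_ISSUES: List[Issue] = [
    Issue("I-001", SELF_IDENTIFIED,     date(2016, 1, 10), date(2016, 3, 31), date(2016, 3, 15)),
    Issue("I-002", "internal_audit",    date(2016, 1, 20), date(2016, 4, 30), None),
    Issue("I-003", "regulator",         date(2016, 2, 1),  date(2016, 3, 1),  None),
    Issue("I-004", SELF_IDENTIFIED,     date(2016, 2, 14), date(2016, 5, 31), None),
    Issue("I-005", "internal_audit",    date(2015, 11, 5), date(2016, 1, 31), date(2016, 4, 2)),
    Issue("I-006", "other_independent", date(2016, 3, 3),  date(2016, 6, 30), None),
]


def self_identification_rate(issues: List[Issue]) -> float:
    """Share of known issues first raised by the business itself (0.0 to 1.0)."""
    if not issues:
        return 0.0
    own = sum(1 for i in issues if i.identified_by == SELF_IDENTIFIED)
    return own / len(issues)


def past_due_issues(issues: List[Issue], as_of: date) -> List[str]:
    """IDs of open issues whose agreed remediation date has already passed."""
    return [i.issue_id for i in issues if i.closed is None and i.due < as_of]


def closed_late(issues: List[Issue]) -> List[str]:
    """IDs of issues that were closed, but only after their due date."""
    return [i.issue_id for i in issues if i.closed is not None and i.closed > i.due]


def aging_buckets(issues: List[Issue], as_of: date) -> Dict[str, int]:
    """Count past-due open issues by how many days they are overdue."""
    buckets = {"1-30": 0, "31-90": 0, "90+": 0}
    for i in issues:
        if i.closed is not None or i.due >= as_of:
            continue
        overdue = (as_of - i.due).days
        if overdue <= 30:
            buckets["1-30"] += 1
        elif overdue <= 90:
            buckets["31-90"] += 1
        else:
            buckets["90+"] += 1
    return buckets


def risk_culture_snapshot(issues: List[Issue], as_of: date) -> Dict[str, object]:
    """Bundle the indicators into one report-ready dictionary."""
    return {
        "self_identification_rate": round(self_identification_rate(issues), 3),
        "past_due": past_due_issues(issues, as_of),
        "closed_late": closed_late(issues),
        "aging": aging_buckets(issues, as_of),
    }


if __name__ == "__main__":
    print(risk_culture_snapshot(SAMPLE_ISSUES, date(2016, 5, 15)))
```

Run against the constructed log as of 15 May 2016, the snapshot reports a self-identification rate of one third, two open issues past due (one of them more than two months overdue) and one issue that was closed late; the same functions run unchanged over a real export once the `identified_by` vocabulary is mapped to it.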


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all," says Protiviti's Director Mathew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management are crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The following shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. An effective risk appetite statement is:

• Informed – The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• Qualitative – The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• Linked to Corporate Goals – The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• Forward-Looking – The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• Material Risk-Focused – The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• Quantitative – The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• Defines Risks – The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• Supported – The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).



ldquoNew technologies are appearing at a very rapid pacerdquo says Ed Page Managing Director and Leader of Protivitirsquos US Financial Services Industry IT Consulting practice ldquoKeeping up with such a rapidly changing environment is a challenge for everyone from risk managers to IT practitioners and auditors That bleeds into all kinds of change management and control considerations that we probably didnrsquot have to deal with before at least at the rate of change that exists nowrdquo

The old model of branch-based banking and even online services was protected by the fact that financial institutions owned the infrastructure on which those services were being provided In the mobile world there are many more variables the devices are owned by the customer there are dozens of variations of smart phones with varying operating systems and there has also been an influx of new third-party service providers which are offering services such as in-app payments or mobile wallets

All of these different factors create a complex disparate mobile environment Page advises professionals in all financial services departments to ldquoEmbrace the pace of change and the fact that there are so many variables in the environment as the new normrdquo

Page adds ldquoFirms need to design their programs and control structures around much faster cycle times which is where Agile software delivery and DevOps which is about continuous change management can help Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around itrdquo

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology To cope with the rapidly changing environment of mobile banking and mobile payments auditors need to adapt

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method to ensure it is delivered in a way that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions considering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is user authentication: making sure the user is who they say they are. When using any type of mobile payment application (Apple Pay and LoopPay are two examples), the customer must provision their credit or debit card account onto the device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in the account provisioning step, where the issuer is contacted to verify the cardholder's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and the account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold about an account's past behaviour. Using the geo-location information available to mobile applications is one way to help reduce fraud: a new transaction or provisioning request can be compared with the customer's past transaction locations, and an event that is physically implausible given the previous one (too far, too soon) can be challenged before it completes. Banks should work with their core banking platform provider or third parties to look at all of the data flowing through their networks.
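The geo-location check described above, as an added worked example that is not part of the original paper: a Python risk scorer that compares a new mobile transaction or card-provisioning event against an account's recent history (impossible-travel speed between consecutive events, an unseen device, distance from any past location, and an out-of-pattern amount) and maps the total to allow, review or step-up authentication. The thresholds, scoring weights, `Event` fields and the sample Manhattan-then-London history are constructed for illustration; none of them come from the paper or from any bank's actual rules.

```python
"""Added example (not from the Protiviti paper): score a mobile payment or
card-provisioning event against an account's past behaviour. Thresholds,
weights and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0    # faster than this between two events = impossible travel
FAR_FROM_HISTORY_KM = 500.0  # further than this from every past location = unusual place
STEP_UP_THRESHOLD = 50       # assumed cut-offs for the three outcomes
REVIEW_THRESHOLD = 20


@dataclass(frozen=True)
class Event:
    ts: datetime
    lat: float
    lon: float
    device_id: str
    amount: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_event(history: List[Event], new: Event) -> Tuple[int, List[str]]:
    """Return a risk score for `new` and the reasons that contributed to it."""
    reasons: List[str] = []
    score = 0
    if not history:
        # A brand-new account has nothing to compare against: force verification.
        return STEP_UP_THRESHOLD, ["no history for account"]

    # 1. Impossible travel: speed implied by the previous event and this one.
    last = max(history, key=lambda e: e.ts)
    dist = haversine_km(last.lat, last.lon, new.lat, new.lon)
    hours = (new.ts - last.ts).total_seconds() / 3600.0
    if (hours <= 0 and dist > 50) or (hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH):
        score += 50
        reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")

    # 2. Device never seen on this account before.
    if new.device_id not in {e.device_id for e in history}:
        score += 30
        reasons.append(f"unseen device {new.device_id}")

    # 3. Location far from everywhere the customer has transacted before.
    nearest = min(haversine_km(e.lat, e.lon, new.lat, new.lon) for e in history)
    if nearest > FAR_FROM_HISTORY_KM:
        score += 20
        reasons.append(f"{nearest:.0f} km from any past location")

    # 4. Amount well outside the account's normal spend.
    avg_amount = sum(e.amount for e in history) / len(history)
    if new.amount > 100 and new.amount > 3 * avg_amount:
        score += 20
        reasons.append(f"amount {new.amount:.2f} vs average {avg_amount:.2f}")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action; step_up_auth is where out-of-band issuer verification goes."""
    if score >= STEP_UP_THRESHOLD:
        return "step_up_auth"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "allow"


def evaluate(new: Event, history: List[Event]) -> Tuple[int, List[str], str]:
    score, reasons = score_event(history, new)
    return score, reasons, decide(score)


# Constructed sample history: three small purchases in Manhattan on one phone.
T0 = datetime(2016, 5, 2, 12, 0)
SAMPLE_HISTORY = [
    Event(T0, 40.7128, -74.0060, "ios-A1", 40.00),
    Event(T0 + timedelta(days=1), 40.7484, -73.9857, "ios-A1", 55.00),
    Event(T0 + timedelta(days=2), 40.7306, -73.9866, "ios-A1", 60.00),
]
# Two hours after the last purchase, an unseen device provisions the card in London.
SUSPECT_EVENT = Event(T0 + timedelta(days=2, hours=2), 51.5074, -0.1278, "android-Z9", 45.00)
# The next day the usual phone pays a few blocks away.
BENIGN_EVENT = Event(T0 + timedelta(days=3), 40.7200, -74.0100, "ios-A1", 50.00)

if __name__ == "__main__":
    for label, ev in (("suspect", SUSPECT_EVENT), ("benign", BENIGN_EVENT)):
        score, reasons, action = evaluate(ev, SAMPLE_HISTORY)
        print(f"{label}: score={score} action={action} reasons={reasons}")
```

Run stand-alone, the block prints the score, action and reasons for both constructed events: the London provisioning attempt trips the impossible-travel, unseen-device and unusual-location rules and is routed to step-up authentication, while the next-day Manhattan purchase scores zero. In a real flow the "step_up_auth" outcome is the point at which the issuer's out-of-band cardholder verification would be triggered before the card is provisioned to the wallet, which is exactly the step Goldberg identifies as the one fraudsters were social-engineering.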

There are additional challenges for firms now that liability has shifted from the card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, which continues to transition from magnetic-stripe cards to EMV (chip-and-PIN) cards: this poses a potential problem for retailers, because during a LoopPay transaction the liability shifts to them, since the technology bypasses the need for the customer to enter a PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can affect the consumer experience. The services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, damaging its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers increasingly contact their banks for technical support. Banks have to be prepared to train their customer service teams, or to put in place new servicing teams with more technical expertise.

With all of these new entrants into the payments space, financial institutions need robust vendor management policies and procedures. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often do not integrate well. Auditors need to take a close look at the end-to-end customer experience on every path, to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology being adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and by advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Internal audit has made advances in connecting with the lines of business and management, as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

Given the shortage of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

By enhancing their efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yvesdavilaprotivitiglobalcompe
AUSTRALIA: Gary Anderson, +61399481200, garyandersonprotiviticomau
BAHRAIN: Arvind Benani, +97317100050, arvindbenaniprotivitiglobalme
BRAZIL: Raul Silva, +551121984200, raulsilvaprotivitiglobalcombr
CANADA: David Dawson, +16472884886, daviddawsonprotiviticom
CHILE: Soraya Boada, +56225738580, sorayaboadaprotivitiglobalcl
CHINA (MAINLAND): Chris Low, +862151536900, chrislowprotiviticom
CHINA (HONG KONG): Albert Lee, +85222380499, albertleeprotiviticom
FRANCE: Bernard Drui, +33142962277, druiprotivitifr
GERMANY: Michael Klinger, +4969963768155, michaelklingerprotivitide
INDIA: Sanjeev Agarwal, +911246618600, sanjeevagarwal1protivitiglobalin
ITALY: Alberto Carnevale, +390265506301, albertocarnevaleprotivitiit
JAPAN: Hyo Kambayashi, +81352196600, hyokambayashiprotivitijp
KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwaitprotivitiglobalme
MEXICO: Roberto Abad, +525553429100, robertoabadprotivitiglobalcommx
NETHERLANDS: Anneke Wieling, +31203460400, annekewielingprotivitinl
OMAN: Shatha Al Maskiry, +968 24699402, shathamaskiryprotivitiglobalme
PERU: Marco Loayza, +5112081070, marcoloayzaprotivitiglobalcompe
QATAR: Andrew North, +97444215300, andrewnorthprotivitiglobalme
SAUDI ARABIA: Saad Al Sabti, +966112930021, saadalsabtiprotivitiglobalme
SINGAPORE: Sidney Lim, +6562206066, sidneylimprotiviticom
SOUTH AFRICA: Fana Manana, +27112310600, fanamsngzacom
UNITED ARAB EMIRATES: Arindam De, +97144380660, arindamdeprotivitiglobalme
UNITED KINGDOM: Peter Richardson, +442079308808, peterrichardsonprotiviticouk
UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, corygundersonprotiviticom
VENEZUELA: Gamal Perez, +582124184646, gamalperezprotivitiglobalcomve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS
United States: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
Argentina: Buenos Aires
Brazil: Rio de Janeiro, São Paulo
Canada: Kitchener-Waterloo, Toronto
Chile: Santiago
Mexico: Mexico City
Peru: Lima
Venezuela: Caracas

ASIA-PACIFIC
Australia: Brisbane, Canberra, Melbourne, Sydney
China: Beijing, Hong Kong, Shanghai, Shenzhen
India: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
Japan: Osaka, Tokyo
Singapore: Singapore

EUROPE / MIDDLE EAST / AFRICA
France: Paris
Germany: Frankfurt, Munich
Italy: Milan, Rome, Turin
The Netherlands: Amsterdam
United Kingdom: London
Bahrain: Manama
Kuwait: Kuwait City
Oman: Muscat
Qatar: Doha
Saudi Arabia: Riyadh
South Africa: Johannesburg
United Arab Emirates: Abu Dhabi, Dubai



Internal audit teams are challenged to have the quantitative expertise needed to assess whether models meet regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);
• Assessing each model validation for consistency with those rules;
• Assessing model development, implementation and use; and
• Assessing compliance with CCAR and DFAST regulations.

Banking organisations subject to either the Federal Reserve's CCAR or DFAST exercise are expected to have sound model risk management practices consistent with existing supervisory guidance on model risk management.[11] As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defence, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks have largely established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organisation's stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, bank management and the board of directors, to manage model risk and apply mitigating controls[12] or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholder during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the exercise do not allow the validation team to validate the complete set of models, the validation team should make the validation results, including which models were not covered, transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate the residual model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that it understands the process in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team, as well as sufficient staffing levels, to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams, but many rely chiefly upon outside resources to assist the bank's audit team.

[11] SR 11-7, Supervisory Guidance on Model Risk Management.
[12] Mitigating controls may include the following: (a) restriction of use; (b) limited-scope validation.


Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticised asset management | 2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard that is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking, lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements, each of which must be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required by the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing and related areas.

As institutions conform to the new accounting standard, internal audit will need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with the CECL methodology. Internal audit would therefore need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should design controls and tests to determine whether the lifetime estimation methodology conforms to the requirements and is correctly applied to the loss reserve models.

Internal audit will also need to review several areas that do not arise under the current loss reserve accounting rule, including the long-term, and possibly quantifiable, economic and market scenarios applied to the lifetime model; the choice of the supportable forecast window; and the support for the assumed lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.
2. Review the overall MRM process: governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.
3. Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation).
4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.
5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.
6. Evaluate data integrity controls and testing, and evaluate source data quality and completeness.
7. Conduct an audit review of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.
8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks;
• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation;
• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, which increases the need for sophisticated data analysis within internal audit;
• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were pursuing several strategic goals in data analytics: chiefly, more robust testing, increased efficiency, continuous auditing, greater visibility of risk indicators, and meeting the heightened expectations of regulators.

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

[13] Changing Trends in Internal Audit and Advanced Analytics is available at wwwprotiviticomen-USDocumentsWhite-PapersIndustriesInternal-Audit-Data-Analytics-whitepaper-Protivitipdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported having a dedicated data analytics/information management group within the function, and these groups indicated that they needed immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring, to some degree, in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since the survey showed that at the moment firms monitor only areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data, and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools in order to improve efficiency and capability by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations since the financial crisis. Increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra: a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.
• Large bank fines have topped $100B over the past five years.
• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm for improving risk management practices.
• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: four pressures pulling against each other – Unsustainable Costs, Significant Fines ($100B), Inherent Risk, and Growth and Innovation versus Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities, to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to the financial services industry results of Protiviti's 2016 Internal Audit Capabilities and Needs Survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management at the centre, supporting an Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities:

• Agile Risk Management enables successful anticipation of, and response to, a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.
• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.
• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.
• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. A more flexible business model allows firms to plug in new requirements and strategic changes smoothly, replacing the current practice of approaching change piecemeal, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can respond automatically to changing business strategies as well as to regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks, while being supported proactively by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions firms benefit in a number of different ways They are able to leverage integrated and coordinated business IT risk and compliance monitoring The organisation has agile risk skills and common tools and methodologies to act efficiently while reporting is used jointly to measure business goals and risk limits

In all this risk management enables the business which leads to respected risk and compliance functions that add value to the organisation

ldquoInternal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systemsrdquo says Matthew Moore who leads Protivitirsquos Risk amp Compliance practice ldquoThis includes reinforcing the firmrsquos risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intendedrdquo

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of todayrsquos customers shareholders employees and the risk and regulatory environment


Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.15

The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees that are beacons of good culture. That is a backward-looking behaviour modification, more so than incentivizing proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: keystone diagram with the labels Performance Management, Culture, Risk Management, Business Strategy and Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture, but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm’s risk culture).
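The two indicators named above (the share of issues first identified by the business, and the share of issues that are past due) can be computed directly from an issue register. The following is an added example, not code from Protiviti or from this report; the issue records are constructed sample data, and the field names (identified_by, due_date, closed_date, repeat_finding) are assumptions about how such a register might be shaped. It also reports the indicators per business unit, since a firm-wide rate can hide one unit with a poor remediation record.

```python
"""Risk culture indicators derived from an audit issue register.

Added example; it is not code from Protiviti or from the report. The
issue records are constructed sample data and the field names are
assumptions about how an issue-tracking register might be shaped.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Issue:
    issue_id: str
    business_unit: str
    identified_by: str           # "business", "internal_audit", "regulator" or "other"
    due_date: date
    closed_date: Optional[date]  # None while the issue is still open
    repeat_finding: bool = False


# Constructed sample register (assumption: eight issues across three units).
SAMPLE_ISSUES: List[Issue] = [
    Issue("I-001", "Mortgages", "business", date(2016, 1, 31), date(2016, 1, 20)),
    Issue("I-002", "Mortgages", "internal_audit", date(2016, 2, 15), None),
    Issue("I-003", "Mortgages", "regulator", date(2015, 12, 31), None),
    Issue("I-004", "Retail", "business", date(2016, 3, 31), None),
    Issue("I-005", "Retail", "business", date(2016, 1, 15), date(2016, 2, 10)),
    Issue("I-006", "Retail", "internal_audit", date(2016, 4, 30), None, True),
    Issue("I-007", "Treasury", "other", date(2015, 11, 30), None, True),
    Issue("I-008", "Treasury", "regulator", date(2016, 1, 10), date(2016, 3, 1)),
]

# Reporting date used for the "past due" test (constructed).
AS_OF = date(2016, 3, 1)


def is_past_due(issue: Issue, as_of: date) -> bool:
    """Past due if still open after the due date, or if it was closed late."""
    if issue.closed_date is None:
        return as_of > issue.due_date
    return issue.closed_date > issue.due_date


def self_identified(issues: Iterable[Issue]) -> List[Issue]:
    """Issues first raised by the business process owner, not an independent source."""
    return [i for i in issues if i.identified_by == "business"]


def past_due(issues: Iterable[Issue], as_of: date) -> List[Issue]:
    """Issues that breached their remediation date as of the reporting date."""
    return [i for i in issues if is_past_due(i, as_of)]


def indicators(issues: Iterable[Issue], as_of: date = AS_OF) -> Dict[str, float]:
    """The two indicators the report names, plus the repeat-finding rate."""
    items = list(issues)
    n = len(items)
    if n == 0:
        return {"count": 0, "self_identified_rate": 0.0,
                "past_due_rate": 0.0, "repeat_finding_rate": 0.0}
    return {
        "count": n,
        "self_identified_rate": len(self_identified(items)) / n,
        "past_due_rate": len(past_due(items, as_of)) / n,
        "repeat_finding_rate": sum(1 for i in items if i.repeat_finding) / n,
    }


def indicators_by_unit(issues: Iterable[Issue], as_of: date = AS_OF) -> Dict[str, Dict[str, float]]:
    """The same indicators per business unit, so audit can compare units."""
    by_unit: Dict[str, List[Issue]] = {}
    for i in issues:
        by_unit.setdefault(i.business_unit, []).append(i)
    return {unit: indicators(items, as_of) for unit, items in sorted(by_unit.items())}


if __name__ == "__main__":
    print("enterprise:", indicators(SAMPLE_ISSUES))
    for unit, ind in indicators_by_unit(SAMPLE_ISSUES).items():
        print(unit, ind)
```

On the constructed register the enterprise-wide past-due rate is 62.5 percent, but the per-unit view shows Treasury at 100 percent and Retail at a third, which is the kind of contrast an auditor would follow up on rather than the aggregate figure.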


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all,” says Protiviti’s Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management are crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed by the board and senior management to be pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture, with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firms’ risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework.

[Figure: wheel labelled “Effective Risk Appetite Statement” with eight segments, listed below]

• Informed – The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• Qualitative – The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• Linked to Corporate Goals – The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• Forward-Looking – The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• Material Risk-Focused – The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• Quantitative – The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• Defines Risks – The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• Supported – The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions are responding to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world, there are many more variables: the devices are owned by the customer, there are dozens of variations of smart phones with varying operating systems, and there has also been an influx of new third-party service providers which are offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change and the fact that there are so many variables in the environment as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify their identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based on all of the data they have related to account past behaviour. Working with geo-location information with mobile applications is one way to help reduce fraud, as it can be used to match customers’ past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
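The monitoring described above (comparing a new mobile transaction against the account's past behaviour, including geo-location) can be made concrete with a small scoring routine. The following is an added example and is not code from Protiviti, from this report or from any payments vendor: the transaction records are constructed sample data, and the thresholds (a maximum plausible travel speed, a minimum distance to ignore GPS jitter, a spending-amount z-score cut-off and a minimum history length) are assumptions that a real programme would tune from its own data. It goes a little beyond the text by also flagging a device the account has never used and an account with no history at all, which is the state of a freshly provisioned card.

```python
"""Behaviour-based alerting for mobile transactions using geo-location and history.

Added example; not code from Protiviti, the report, or any payments vendor.
The transactions and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev
from typing import Iterable, List


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    amount: float
    lat: float
    lon: float
    device_id: str


# Assumed thresholds; a real programme would tune these from its own data.
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than this between two points is "impossible travel"
MIN_TRAVEL_DISTANCE_KM = 50.0    # ignore small moves (GPS jitter, same city)
AMOUNT_Z_THRESHOLD = 3.0         # amount more than 3 std devs above the account's mean
MIN_HISTORY_FOR_AMOUNT = 3       # need a few prior transactions before judging amounts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def score_transaction(history: Iterable[Txn], txn: Txn) -> List[str]:
    """Return reason codes for alerting on txn, given the account's prior transactions."""
    prior = sorted(
        (t for t in history if t.account == txn.account and t.when < txn.when),
        key=lambda t: t.when,
    )
    if not prior:
        # A freshly provisioned account has no baseline: route to step-up checks.
        return ["no_history"]

    reasons: List[str] = []

    # Impossible travel: distance from the previous transaction vs. elapsed time.
    last = prior[-1]
    distance_km = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
    hours = (txn.when - last.when).total_seconds() / 3600.0
    if distance_km >= MIN_TRAVEL_DISTANCE_KM and (
        hours <= 0 or distance_km / hours > MAX_PLAUSIBLE_SPEED_KMH
    ):
        reasons.append("impossible_travel")

    # Device never seen on this account before.
    if txn.device_id not in {t.device_id for t in prior}:
        reasons.append("new_device")

    # Amount far above the account's historical spending pattern.
    amounts = [t.amount for t in prior]
    if len(amounts) >= MIN_HISTORY_FOR_AMOUNT:
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma > 0 and (txn.amount - mu) / sigma > AMOUNT_Z_THRESHOLD:
            reasons.append("amount_anomaly")
        elif sigma == 0 and txn.amount > mu * (1 + AMOUNT_Z_THRESHOLD):
            reasons.append("amount_anomaly")
    return reasons


# Constructed baseline: one account, one device, small purchases in New York.
NYC = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)
HISTORY: List[Txn] = [
    Txn("acct-1", datetime(2016, 1, 25, 12, 0), 25.0, *NYC, "dev-A"),
    Txn("acct-1", datetime(2016, 1, 26, 9, 0), 40.0, *NYC, "dev-A"),
    Txn("acct-1", datetime(2016, 1, 27, 18, 0), 30.0, *NYC, "dev-A"),
    Txn("acct-1", datetime(2016, 1, 28, 13, 0), 35.0, *NYC, "dev-A"),
]
TXN_LEGIT = Txn("acct-1", datetime(2016, 2, 1, 10, 0), 32.0, *NYC, "dev-A")
# One hour later, in London, on a new device, for a much larger amount.
TXN_SUSPECT = Txn("acct-1", datetime(2016, 2, 1, 11, 0), 900.0, *LONDON, "dev-B")
# An account with no prior transactions (e.g. a just-provisioned card).
TXN_NEW_ACCOUNT = Txn("acct-2", datetime(2016, 2, 1, 12, 0), 15.0, *NYC, "dev-C")


if __name__ == "__main__":
    print("legit:   ", score_transaction(HISTORY, TXN_LEGIT))
    print("suspect: ", score_transaction(HISTORY + [TXN_LEGIT], TXN_SUSPECT))
    print("new acct:", score_transaction(HISTORY, TXN_NEW_ACCOUNT))
```

The reason codes are deliberately separate rather than folded into one score: an auditor reviewing the alerting design can then ask which codes lead to a decline, which to step-up authentication, and which only to a case for review, and whether a new account with no history is treated more cautiously rather than less.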

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic strip cards to EMV or chip-and-PIN enabled cards, which pose a potential problem for retailers because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN number.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting their reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are also managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by their organisations, and that their firms are considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firms' liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute

In light of the lack of talent firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace

Through enhancing efficiencies knowledge and effectiveness internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yvesdavilaprotivitiglobalcompe

AUSTRALIA: Gary Anderson, +61399481200, garyandersonprotiviticomau

BAHRAIN: Arvind Benani, +97317100050, arvindbenaniprotivitiglobalme

BRAZIL: Raul Silva, +551121984200, raulsilvaprotivitiglobalcombr

CANADA: David Dawson, +16472884886, daviddawsonprotiviticom

CHILE: Soraya Boada, +56225738580, sorayaboadaprotivitiglobalcl

CHINA (MAINLAND): Chris Low, +862151536900, chrislowprotiviticom

CHINA (HONG KONG): Albert Lee, +85222380499, albertleeprotiviticom

FRANCE: Bernard Drui, +33142962277, druiprotivitifr

GERMANY: Michael Klinger, +4969963768155, michaelklingerprotivitide

INDIA: Sanjeev Agarwal, +911246618600, sanjeevagarwal1protivitiglobalin

ITALY: Alberto Carnevale, +390265506301, albertocarnevaleprotivitiit

JAPAN: Hyo Kambayashi, +81352196600, hyokambayashiprotivitijp

KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwaitprotivitiglobalme

MEXICO: Roberto Abad, +525553429100, robertoabadprotivitiglobalcommx

NETHERLANDS: Anneke Wieling, +31203460400, annekewielingprotivitinl

OMAN: Shatha Al Maskiry, +968 24699402, shathamaskiryprotivitiglobalme

PERU: Marco Loayza, +5112081070, marcoloayzaprotivitiglobalcompe

QATAR: Andrew North, +97444215300, andrewnorthprotivitiglobalme

SAUDI ARABIA: Saad Al Sabti, +966112930021, saadalsabtiprotivitiglobalme

SINGAPORE: Sidney Lim, +6562206066, sidneylimprotiviticom

SOUTH AFRICA: Fana Manana, +27112310600, fanamsngzacom

UNITED ARAB EMIRATES: Arindam De, +97144380660, arindamdeprotivitiglobalme

UNITED KINGDOM: Peter Richardson, +442079308808, peterrichardsonprotiviticouk

UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, corygundersonprotiviticom

VENEZUELA: Gamal Perez, +582124184646, gamalperezprotivitiglobalcomve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Office locations

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA: Buenos Aires

BRAZIL: Rio de Janeiro, São Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE: Santiago

MEXICO: Mexico City

PERU: Lima

VENEZUELA: Caracas

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

EUROPE / MIDDLE EAST / AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

THE NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN: Manama

KUWAIT: Kuwait City

OMAN: Muscat

QATAR: Doha

SAUDI ARABIA: Riyadh

SOUTH AFRICA: Johannesburg

UNITED ARAB EMIRATES: Abu Dhabi, Dubai



Audit Process Knowledge – US Financial Services Industry (top 10 areas)

"Need to Improve" Rank   Area Evaluated by Respondents                       Competency (5-pt scale)
1                        Current Expected Credit Loss (CECL)                 2.2
2                        Stress testing (CCAR/DFAST)                         2.4
3                        Derivatives and securities                          2.4
4                        Derivatives and hedging                             2.4
5                        Mergers and acquisitions due diligence              2.7
6 (tie)                  Wholesale products                                  2.3
6 (tie)                  International regulation                            2.2
6 (tie)                  Capital markets planning                            2.4
9 (tie)                  Other Than Temporary Impairment (OTTI)              2.6
9 (tie)                  Criticised asset management                         2.4

Financial services industry internal auditors responding to Protiviti's 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard which is expected to be adopted shortly The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions Generating such estimates will entail more sophisticated models which in turn will require more historical data incorporating more types of information The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information Furthermore institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models Accommodating these changes will entail significant changes in data governance data sourcing and related areas

As institutions conform to the new accounting standard internal audit would need to update the audit program for the loss reserve process The updated audit program should assess the quality of the collected data the consistency of asset classification the information supporting management judgements the accuracy of reserve calculation and reporting the robustness of the loss reserve model and other areas

For example, under the new accounting standard it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore internal audit would need to verify that the supporting systems have updated filters and codes, as required, to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should design tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule including the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model the decision of the supportive forecast window and the support of the lifetime of different types of assets


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary both to challenge the effectiveness of models and to review a validation for adequacy.

5. Conduct regular model governance audits, and ensure that audit tests of CCAR and audit reviews of the conceptual soundness of models and of adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit review of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.


Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice

Dealing with Data Analysis Tools

"[Internal auditors] are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist."

– Barbi Goldstein, Managing Director

Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.[13] The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank   Area Evaluated by Respondents                                                                   Competency (5-pt scale)
1                        Data Analysis Tools – Statistical Analysis                                                      3.5
2                        Auditing IT – program development                                                               3.0
3                        Auditing IT – security                                                                          3.1
4 (tie)                  Auditing IT – continuity                                                                        3.2
4 (tie)                  Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)   3.2
6 (tie)                  Operational auditing – effectiveness, efficiency and economy of operations approach             3.2
6 (tie)                  Fraud – fraud detection/investigation                                                           3.2
6 (tie)                  Assessing risk – emerging issues                                                                2.2
9                        Audit planning – process, location, transaction level                                           3.5
10                       Operational auditing – risk-based approach                                                      2.4

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since the survey showed that at the moment firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs rather than just analysing data in support of individual audits

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data, and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques such as continuous monitoring and other indicators


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice

Matthew Moore leads Protiviti's Risk & Compliance practice

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank   Area Evaluated by Respondents                                                                        Competency (5-pt scale)
1                        Agile risk and compliance                                                                            2.2
2                        Internet of Things                                                                                   2.7
3 (tie)                  NIST Cybersecurity Framework                                                                         2.3
3 (tie)                  GTAG 16 – Data Analysis Technologies                                                                 2.7
5 (tie)                  ISO 14000 (environmental management)                                                                 2.1
5 (tie)                  ISO 27000 (information security)                                                                     2.7
7                        Mobile applications                                                                                  2.3
8 (tie)                  International Financial Reporting Standards (IFRS)                                                   2.2
8 (tie)                  Country-specific enterprise risk management framework                                                2.9
10 (tie)                 Assurance around outsourced service providers                                                        2.6
10 (tie)                 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"   3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis The increased regulatory expectations the ever-changing risk landscape and rise of inherent risk represent a new and permanent operating paradigm for the industry To adapt firms are expending significant time money and resources to implement required changes and prioritise risk management and compliance


As costs continue to increase it is becoming clear that the overly manual reactive and siloed approach to risk management and compliance is unsustainable

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: four pressures on risk and compliance: Unsustainable Costs, Significant Fines ($100B), Inherent Risk, and Growth and Innovation.]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy, with Risk Management at the centre of Aligned Organisation, Operational Excellence and Customer Satisfaction.]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first second and third line accountabilities

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept Forward-looking organisations have designed components of their business model to be more configurable Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly eliminating the current model of approaching change on a piecemeal basis which only serves to increase costs and complexity


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks while also being supported in a proactive way by independent risk management A meaningful and well-understood risk appetite is used to make business decisions while risk identification and monitoring are integrated within business processes

By more effectively aligning the business and the risk and compliance functions firms benefit in a number of different ways They are able to leverage integrated and coordinated business IT risk and compliance monitoring The organisation has agile risk skills and common tools and methodologies to act efficiently while reporting is used jointly to measure business goals and risk limits

In all this risk management enables the business which leads to respected risk and compliance functions that add value to the organisation

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014 the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more than it is incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise in all locations is a major barrier to the effectiveness of risk culture in large financial services firms Organisations can stage all-hands town hall staff meetings to reinforce this messaging but it has to have the support of the board and executive management who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm Risk culture also needs to grow and change with the organisation as it evolves providing an additional challenge for firms to maintain consistency in their risk culture messaging

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines".

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Keystone graphic, image not reproduced: the labels read Performance Management, Culture, Risk Management, Business Strategy and Risk Appetite.]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status are often indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously audit's recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or an incentives problem (e.g. pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."[17]

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1        | Data analysis tools – statistical analysis | 3.5
2        | Auditing IT – program development | 3.0
3        | Auditing IT – security | 3.1
4 (tie)  | Auditing IT – continuity | 3.2
4 (tie)  | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie)  | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie)  | Fraud – fraud detection/investigation | 3.2
6 (tie)  | Assessing risk – emerging issues | 2.2
9        | Audit planning – process, location, transaction level | 3.5
10       | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture, with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report entitled Principles for An Effective Risk Appetite Framework. The graphic characterises an effective risk appetite statement as Informed, Qualitative, Quantitative, Linked to Corporate Goals, Forward-Looking, Material Risk-Focused, Defines Risks and Supported, and sets out the components as follows:

• The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1        | Agile risk and compliance | 2.2
2        | Internet of Things | 2.7
3 (tie)  | NIST Cybersecurity Framework | 2.3
3 (tie)  | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie)  | ISO 14000 (environmental management) | 2.1
5 (tie)  | ISO 27000 (information security) | 2.7
7        | Mobile applications | 2.3
8 (tie)  | International Financial Reporting Standards (IFRS) | 2.2
8 (tie)  | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a manner that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to an account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
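The monitoring the paragraph above calls for, as an added illustration that is not from the Protiviti report or from any product it names: a small rule-based monitor that scores a new card transaction against the account's own history using geo-velocity between consecutive transactions, an amount outlier test, and first-seen country and device. The account history, coordinates, thresholds (900 km/h, three standard deviations, five transactions before trusting the statistics) and the decide() escalation tiers are constructed assumptions for the example.

```python
"""Rule-based transaction monitoring against an account's own history.

Added illustration; thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    ts: datetime        # when the transaction was authorised
    amount: float       # in the account currency
    lat: float          # merchant or device geolocation
    lon: float
    country: str        # ISO country code of the transaction
    device_id: str      # device that initiated the transaction


MAX_PLAUSIBLE_KMH = 900.0   # faster than a commercial flight implies two actors
AMOUNT_SIGMA = 3.0          # amount more than 3 std devs above the account mean
MIN_HISTORY_FOR_STATS = 5   # do not trust a mean/std dev built on fewer samples


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def evaluate(history: list[Txn], new: Txn) -> list[str]:
    """Return the alert reasons raised by `new` against chronological `history`.

    An empty list means nothing in the account's own behaviour contradicts
    the transaction.
    """
    reasons: list[str] = []
    if not history:
        return ["no history on account: nothing to compare against"]

    # 1. Geo-velocity: could one person have travelled from the last
    #    transaction's location to this one in the elapsed time?
    last = history[-1]
    hours = max((new.ts - last.ts).total_seconds() / 3600.0, 1 / 60)  # floor at one minute
    km = haversine_km(last.lat, last.lon, new.lat, new.lon)
    speed = km / hours
    if speed > MAX_PLAUSIBLE_KMH:
        reasons.append(f"geo-velocity {speed:.0f} km/h exceeds {MAX_PLAUSIBLE_KMH:.0f} km/h")

    # 2. Amount outlier relative to the account's own spending pattern.
    amounts = [t.amount for t in history]
    if len(amounts) >= MIN_HISTORY_FOR_STATS:
        mu, sigma = mean(amounts), pstdev(amounts)
        ceiling = mu + AMOUNT_SIGMA * max(sigma, 1.0)  # avoid a zero-width band
        if new.amount > ceiling:
            reasons.append(f"amount {new.amount:.2f} above {ceiling:.2f} (mean + {AMOUNT_SIGMA:.0f} sd)")

    # 3. First-seen country and first-seen device for this account.
    if new.country not in {t.country for t in history}:
        reasons.append(f"first transaction from country {new.country}")
    if new.device_id not in {t.device_id for t in history}:
        reasons.append(f"first transaction from device {new.device_id}")
    return reasons


def decide(reasons: list[str]) -> str:
    """Map the number of independent signals to an action tier (assumed policy)."""
    if not reasons:
        return "allow"
    if len(reasons) == 1:
        return "step_up"   # ask for a second factor before completing
    return "hold"          # queue for fraud-team review and notify the customer


# Constructed sample data: six daily purchases in New York from one device,
# then two candidate transactions one and three hours after the last one.
_NY = (40.71, -74.01)
HISTORY = [
    Txn(datetime(2016, 1, d, 12, 0), amt, *_NY, "US", "dev-A")
    for d, amt in zip(range(2, 8), (25.0, 40.0, 60.0, 35.0, 80.0, 55.0))
]
SUSPECT = Txn(datetime(2016, 1, 7, 13, 0), 950.0, 51.51, -0.13, "GB", "dev-B")
BENIGN = Txn(datetime(2016, 1, 7, 15, 0), 45.0, *_NY, "US", "dev-A")

if __name__ == "__main__":
    for label, txn in (("suspect", SUSPECT), ("benign", BENIGN)):
        found = evaluate(HISTORY, txn)
        print(label, decide(found), found)
```

Each rule is independent and explainable, which is what an auditor reviewing the alerting logic will want: the reason strings say which comparison against the account's own history fired, and the escalation tier follows from how many did, so the policy can be evidenced and tuned rather than treated as a black box.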

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV or chip-and-PIN enabled cards, which pose a potential problem for retailers because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are likewise managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organisation has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process, governance, design, resources and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g. the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organisation has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness reviews of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit reviews of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modelled appropriately.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and the analysis of information for the organisation

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest U.S. financial institutions [13]. The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise the visibility of risk indicators and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools

“[Internal auditors] are implementing the use of visualisation tools and continuous monitoring; they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist.”

– Barbi Goldstein, Managing Director

13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” rank, area evaluated by respondents, and self-assessed competency (5-point scale):

1. Data analysis tools – statistical analysis (3.5)
2. Auditing IT – program development (3.0)
3. Auditing IT – security (3.1)
4 (tie). Auditing IT – continuity (3.2)
4 (tie). Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) (3.2)
6 (tie). Operational auditing – effectiveness, efficiency and economy of operations approach (3.2)
6 (tie). Fraud – fraud detection/investigation (3.2)
6 (tie). Assessing risk – emerging issues (2.2)
9. Audit planning – process, location, transaction level (3.5)
10. Operational auditing – risk-based approach (2.4)

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise; at the moment, the survey showed, firms monitor only those areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan.”

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools so that they can improve efficiency and capability by adding more advanced techniques such as continuous monitoring and the tracking of key risk indicators.


Adopting Agile Risk and Compliance

“Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation.”

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

“Need to Improve” rank, area evaluated by respondents, and self-assessed competency (5-point scale):

1. Agile risk and compliance (2.2)
2. Internet of Things (2.7)
3 (tie). NIST Cybersecurity Framework (2.3)
3 (tie). GTAG 16 – Data Analysis Technologies (2.7)
5 (tie). ISO 14000 (environmental management) (2.1)
5 (tie). ISO 27000 (information security) (2.7)
7. Mobile applications (2.3)
8 (tie). International Financial Reporting Standards (IFRS) (2.2)
8 (tie). Country-specific enterprise risk management framework (2.9)
10 (tie). Assurance around outsourced service providers (2.6)
10 (tie). 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” (3.3)

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.

As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

“Many organisations are beginning to change their vision for risk management,” says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. “Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture.”

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a programme, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy; labels: Risk Management, Aligned Organisation, Operational Excellence, Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.

Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can respond to changing business strategies as well as to regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

“Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti's Risk & Compliance practice. “This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended.”

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which include the importance of a sound risk culture to drive risk management within a bank [14]. The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014 the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as the core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture [15].

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations [16].

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more than it is incentivising proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms seeking to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programmes “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together providing a source of strength or weakness for the organisation An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand and (b) protecting enterprise value through risk appetite and managing risk on the other hand In effect it balances the push between strategy and risk appetite

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: risk culture as the keystone; labels: Performance Management, Culture, Risk Management, Business Strategy, Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm's risk culture).
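The indicators named above (the share of issues first identified by the business itself, remediation aging, and repeat findings) can be computed directly from an ordinary issues log. The following Python is an added example written for this page; it is not Protiviti's or any firm's code. The issues log and its dates are constructed, and the field names (`source`, `due`, `closed`, `repeat`) are assumptions about how such a log might be kept:

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Constructed issues log for illustration (not survey data). "source" records
# who first identified the issue: the business process owner ("business"),
# internal audit, a regulator or another independent party. "repeat" marks a
# finding that was previously reported and closed and has recurred.
ISSUES = [
    {"id": "I-001", "lob": "Mortgage", "source": "business",       "due": "2015-12-31", "closed": "2015-11-15", "repeat": False},
    {"id": "I-002", "lob": "Mortgage", "source": "internal_audit", "due": "2016-01-31", "closed": None,         "repeat": True},
    {"id": "I-003", "lob": "Mortgage", "source": "regulator",      "due": "2015-12-01", "closed": None,         "repeat": False},
    {"id": "I-004", "lob": "Treasury", "source": "business",       "due": "2016-03-31", "closed": None,         "repeat": False},
    {"id": "I-005", "lob": "Treasury", "source": "business",       "due": "2016-02-28", "closed": "2016-02-10", "repeat": False},
    {"id": "I-006", "lob": "Treasury", "source": "internal_audit", "due": "2015-10-31", "closed": None,         "repeat": True},
]
AS_OF = date(2016, 3, 1)  # reporting date for the scorecard


def _d(s: str) -> date:
    return date.fromisoformat(s)


def self_identification_rate(issues: List[Dict]) -> Dict[str, float]:
    """Share of issues first raised by the business itself, per line of
    business and overall ("ALL"). A low share means problems are being found
    for the business rather than by it."""
    found = defaultdict(lambda: [0, 0])  # key -> [self-identified, total]
    for i in issues:
        for key in (i["lob"], "ALL"):
            found[key][1] += 1
            found[key][0] += int(i["source"] == "business")
    return {key: s / t for key, (s, t) in found.items()}


def past_due_issues(issues: List[Dict], as_of: date) -> List[Tuple[str, str, int]]:
    """Open issues past their agreed remediation date, worst first, as
    (issue id, line of business, days overdue)."""
    overdue = [
        (i["id"], i["lob"], (as_of - _d(i["due"])).days)
        for i in issues
        if i["closed"] is None and _d(i["due"]) < as_of
    ]
    return sorted(overdue, key=lambda row: row[2], reverse=True)


def repeat_finding_rate(issues: List[Dict]) -> float:
    """Share of findings that recurred after having been closed once."""
    return sum(1 for i in issues if i["repeat"]) / len(issues) if issues else 0.0


def risk_culture_scorecard(issues: List[Dict], as_of: date) -> Dict[str, Dict[str, int]]:
    """Per line of business: issue count, self-identified, open, past due, repeat."""
    rows = defaultdict(lambda: {"issues": 0, "self_identified": 0, "open": 0,
                                "past_due": 0, "repeat": 0})
    for i in issues:
        row = rows[i["lob"]]
        row["issues"] += 1
        row["self_identified"] += int(i["source"] == "business")
        row["repeat"] += int(i["repeat"])
        if i["closed"] is None:
            row["open"] += 1
            row["past_due"] += int(_d(i["due"]) < as_of)
    return dict(rows)


if __name__ == "__main__":
    print(self_identification_rate(ISSUES))
    print(past_due_issues(ISSUES, AS_OF))
    print(f"repeat finding rate: {repeat_finding_rate(ISSUES):.2f}")
    for lob, row in risk_culture_scorecard(ISSUES, AS_OF).items():
        print(lob, row)
```

Run against a real issues log, the same functions give an auditor a per-business-line view of whether issues are being found by the business or for it, how long remediation is slipping, and where findings keep coming back, which is the kind of evidence the paragraph above describes.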


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm's risk culture messaging through their existing audits.”

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown, to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.” [17]

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013 [18], the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf
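The cascade the FSB principles describe (enterprise RAS metrics, business-unit KRIs with their own tolerances and limits, monitored frequently) can be made concrete in a small monitoring routine. The Python below is an added example written for this page, not code from the FSB or Protiviti: it classifies each KRI reading against a tolerance (amber) and a limit (red), flags a worsening trend, rolls the latest business-line readings up to the enterprise figure, and checks that the business-line limits taken together cannot exceed the enterprise limit set by the board. All thresholds, weights and observations are constructed, and the metric names (`npl_ratio` for non-performing loans, `lcr` for a liquidity coverage ratio) are assumed for illustration:

```python
from typing import Dict, List

# Constructed example data (not survey figures). The RAS carries enterprise-level
# thresholds; each business line gets a cascaded tolerance and limit of its own,
# and a weight giving its share of the enterprise exposure for that metric.
# direction "max": higher values consume appetite (e.g. a loss ratio);
# direction "min": lower values consume appetite (e.g. a liquidity ratio).
RAS = {
    "npl_ratio": {"direction": "max", "tolerance": 0.030, "limit": 0.040},
    "lcr":       {"direction": "min", "tolerance": 1.15,  "limit": 1.00},
}
LOB_KRIS = {
    "Mortgage":   {"npl_ratio": {"tolerance": 0.035, "limit": 0.045}},
    "Commercial": {"npl_ratio": {"tolerance": 0.025, "limit": 0.035}},
}
LOB_WEIGHTS = {"Mortgage": 0.6, "Commercial": 0.4}
OBS = {  # monthly observations, oldest first
    "Mortgage":   {"npl_ratio": [0.031, 0.033, 0.036, 0.038]},
    "Commercial": {"npl_ratio": [0.020, 0.022, 0.021, 0.023]},
    "Enterprise": {"lcr": [1.25, 1.20, 1.12, 1.18]},
}


def classify(value: float, direction: str, tolerance: float, limit: float) -> str:
    """Traffic-light status: green within tolerance, amber between tolerance
    and limit, red once the limit is breached."""
    if direction == "max":
        if value > limit:
            return "red"
        return "amber" if value > tolerance else "green"
    if value < limit:
        return "red"
    return "amber" if value < tolerance else "green"


def evaluate_series(values: List[float], direction: str, tolerance: float,
                    limit: float, window: int = 3) -> Dict:
    """Status of the latest reading, how many readings left green, and whether
    the last `window` readings moved steadily against appetite."""
    statuses = [classify(v, direction, tolerance, limit) for v in values]
    recent = values[-window:]
    sign = 1 if direction == "max" else -1
    worsening = len(recent) == window and all(
        sign * (b - a) > 0 for a, b in zip(recent, recent[1:]))
    return {
        "latest": values[-1],
        "status": statuses[-1],
        "breaches": sum(s != "green" for s in statuses),
        "trend": "worsening" if worsening else "stable",
    }


def roll_up_latest(metric: str) -> float:
    """Weight the latest business-line readings into the enterprise figure."""
    return sum(LOB_WEIGHTS[lob] * OBS[lob][metric][-1] for lob in LOB_KRIS)


def cascade_consistent(metric: str) -> bool:
    """True if the business-line limits, all fully used at once, still respect
    the enterprise limit. False means the cascade permits an enterprise-level
    breach the board never approved."""
    ras = RAS[metric]
    worst = sum(LOB_WEIGHTS[lob] * LOB_KRIS[lob][metric]["limit"] for lob in LOB_KRIS)
    return worst <= ras["limit"] if ras["direction"] == "max" else worst >= ras["limit"]


def dashboard() -> Dict:
    """One row per (owner, metric): business-line KRIs, enterprise KRIs, and the
    rolled-up enterprise figure for cascaded metrics."""
    rows = {}
    for lob, kris in LOB_KRIS.items():
        for metric, th in kris.items():
            rows[(lob, metric)] = evaluate_series(
                OBS[lob][metric], RAS[metric]["direction"], th["tolerance"], th["limit"])
    for metric, series in OBS["Enterprise"].items():
        rows[("Enterprise", metric)] = evaluate_series(series, **RAS[metric])
    npl = roll_up_latest("npl_ratio")
    rows[("Enterprise", "npl_ratio")] = {
        "latest": round(npl, 4),
        "status": classify(npl, **RAS["npl_ratio"]),
        "cascade_consistent": cascade_consistent("npl_ratio"),
    }
    return rows


if __name__ == "__main__":
    for (owner, metric), row in dashboard().items():
        print(f"{owner:<11} {metric:<10} {row}")
```

In the constructed data, Mortgage is amber and trending the wrong way while Commercial is green, and the weighted roll-up (3.2%) already sits inside the enterprise amber band. The cascade check fails: 0.6 × 4.5% + 0.4 × 3.5% = 4.1%, above the 4.0% enterprise limit, so the business-line limits as written could all be honoured while the board's limit is breached. That inconsistency between cascaded and enterprise limits is exactly the kind of design gap an auditor reviewing the RAF would want to surface.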


Risk appetite metrics cannot be developed by the board and senior management to be pushed down into the LOBs since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise The development process needs to be collaborative among top management independent risk management and front-line units to avoid a disconnect at the front-line level

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another way internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers: they need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework.

[Graphic: "Effective Risk Appetite Statement", with eight attributes: Informed, Qualitative, Linked to Corporate Goals, Forward-Looking, Defines Risks, Quantitative, Material Risk-Focused, Supported. The statements shown are:]

• The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications


Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers, which are offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in the way its account provisioning system is organised, where the issuer is contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to the account's past behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be used to match against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, which continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled, cards: these pose a potential problem for retailers because, during a LoopPay transaction, the liability shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up-to-date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Barbi Goldstein is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Shaheen Dil, PhD, is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit's increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organisation through better insights into risks

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organisation

• A growing focus on data quality and data governance, driven by organisations' growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function

Protiviti developed a second, quantitative benchmarking study in 2015 that was distributed to a select group of the largest US financial institutions.¹³ The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to perform more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools


13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti's Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree, to be able to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since at the moment, the survey showed, firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

"The use of analytics by internal audit functions has definitely evolved and continues to do so," says Protiviti Managing Director Barbi Goldstein. "Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional 'request' of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan."

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance


Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Graphic labels: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Graphic: Protiviti Agile Risk Management Philosophy, showing Risk Management together with Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.15

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees that are beacons of good culture. That is a backward-looking behaviour modification more so than incentivizing proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture Is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

Graphic: Risk Culture is the Keystone, with the labels Performance Management, Culture, Risk Management, Business Strategy and Risk Appetite.

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed by the board and senior management to be pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. The graphic groups them around the centre label "Effective Risk Appetite Statement":

• Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks and includes a reasonable number of appropriately selected risk metrics.

• Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level and linked to the enterprisewide RAS.

• Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers, which are offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change and the fact that there are so many variables in the environment as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based on all of the data they have related to past account behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be used to match customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
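As an added illustration, not Protiviti's code or any issuer's system, of the kind of provisioning checks the two preceding paragraphs describe: a constructed risk assessment that compares a card-provisioning request against the customer's recent transaction locations, the velocity of provisioning attempts, the age of the authenticated session and whether a second factor was completed on the device, then decides whether to approve, require step-up authentication, or refer the request to the fraud team. All thresholds, data structures and sample events are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

# Constructed example: the thresholds below are illustrative assumptions,
# not figures taken from the report or from any issuer's policy.
MAX_SESSION_AGE = timedelta(minutes=15)     # re-authenticate beyond this age
HISTORY_LOOKBACK = timedelta(days=90)       # transaction history considered
PROVISIONING_WINDOW = timedelta(hours=24)   # velocity window
MAX_PROVISIONINGS_PER_WINDOW = 2            # attempts tolerated in the window


@dataclass
class Transaction:
    when: datetime
    country: str        # country code of the merchant/ATM location


@dataclass
class CustomerProfile:
    customer_id: str
    history: List[Transaction] = field(default_factory=list)
    prior_provisionings: List[datetime] = field(default_factory=list)


@dataclass
class ProvisioningRequest:
    customer_id: str
    device_id: str
    when: datetime
    country: str                # geo-location reported with the request
    session_started: datetime   # time of the last full authentication
    device_mfa_passed: bool     # second factor completed on this device


def assess_provisioning(req: ProvisioningRequest, profile: CustomerProfile) -> dict:
    """Return a decision and the reasons behind it.

    approve  - no anomalies; the card may be provisioned to the device
    step_up  - one anomaly; require re-authentication / device MFA first
    refer    - two or more anomalies; hold and route to the fraud team for
               out-of-band verification (not a knowledge-based check, since
               personal data may already have been socially engineered)
    """
    reasons = []

    # 1. Geo-location against the customer's own recent transaction history.
    recent = [t for t in profile.history
              if timedelta(0) <= req.when - t.when <= HISTORY_LOOKBACK]
    if recent and req.country not in {t.country for t in recent}:
        reasons.append("country_not_in_recent_history")

    # 2. Velocity: repeated provisioning attempts in a short window.
    attempts = [w for w in profile.prior_provisionings
                if timedelta(0) <= req.when - w <= PROVISIONING_WINDOW]
    if len(attempts) >= MAX_PROVISIONINGS_PER_WINDOW:
        reasons.append("provisioning_velocity")

    # 3. Session age: how long since the user last fully authenticated.
    if req.when - req.session_started > MAX_SESSION_AGE:
        reasons.append("session_requires_reauthentication")

    # 4. Device binding: was a second factor completed on this device?
    if not req.device_mfa_passed:
        reasons.append("device_mfa_not_completed")

    if not reasons:
        decision = "approve"
    elif len(reasons) == 1:
        decision = "step_up"
    else:
        decision = "refer"
    return {"customer_id": req.customer_id, "device_id": req.device_id,
            "decision": decision, "reasons": reasons}


def run_demo() -> List[dict]:
    """Evaluate three constructed requests; returns the three decisions."""
    now = datetime(2016, 3, 1, 12, 0)
    history = [Transaction(now - timedelta(days=d), "US") for d in (2, 9, 30, 61)]
    quiet = CustomerProfile("cust-0001", history=history)
    busy = CustomerProfile("cust-0001", history=history,
                           prior_provisionings=[now - timedelta(hours=3),
                                                now - timedelta(hours=20)])
    normal = ProvisioningRequest("cust-0001", "dev-a", now, "US",
                                 session_started=now - timedelta(minutes=5),
                                 device_mfa_passed=True)
    stale = ProvisioningRequest("cust-0001", "dev-a", now, "US",
                                session_started=now - timedelta(minutes=30),
                                device_mfa_passed=True)
    # "ZZ" is a constructed country code that never appears in the history.
    suspicious = ProvisioningRequest("cust-0001", "dev-b", now, "ZZ",
                                     session_started=now - timedelta(minutes=40),
                                     device_mfa_passed=False)
    return [assess_provisioning(normal, quiet),
            assess_provisioning(stale, quiet),
            assess_provisioning(suspicious, busy)]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Each returned record carries the reasons that drove the decision, which is what an auditor would want logged alongside the provisioning outcome when reviewing the process.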

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled, cards that pose a potential problem for retailers, because the liability during a LoopPay transaction shifts to them since the technology bypasses the need for the customer to enter their PIN number.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path, to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology being adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and by advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit in connecting more with the lines of business and management, as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the shortage of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Audit Process Knowledge (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Data Analysis Tools – Statistical Analysis | 3.5 |
| 2 | Auditing IT – program development | 3.0 |
| 3 | Auditing IT – security | 3.1 |
| 4 (tie) | Auditing IT – continuity | 3.2 |
| 4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2 |
| 6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2 |
| 6 (tie) | Fraud – fraud detection/investigation | 3.2 |
| 6 (tie) | Assessing risk – emerging issues | 2.2 |
| 9 | Audit planning – process, location, transaction level | 3.5 |
| 10 | Operational auditing – risk-based approach | 2.4 |

It was clear from the benchmarking study that analytics is treated as a high priority by large financial institutions' internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, and these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms' internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since at the moment the survey showed that firms only monitor areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analysing data in support of individual audits.

“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines' key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualisation tools and continuous monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan.”

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti's 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools in order to improve efficiency and capabilities by adding more advanced techniques such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

“Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation.”

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

| "Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale) |
|---|---|---|
| 1 | Agile risk and compliance | 2.2 |
| 2 | Internet of Things | 2.7 |
| 3 (tie) | NIST Cybersecurity Framework | 2.3 |
| 3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7 |
| 5 (tie) | ISO 14000 (environmental management) | 2.1 |
| 5 (tie) | ISO 27000 (information security) | 2.7 |
| 7 | Mobile applications | 2.3 |
| 8 (tie) | International Financial Reporting Standards (IFRS) | 2.2 |
| 8 (tie) | Country-specific enterprise risk management framework | 2.9 |
| 10 (tie) | Assurance around outsourced service providers | 2.6 |
| 10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3 |

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

“Many organisations are beginning to change their vision for risk management,” says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. “Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture.”

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.

• Large bank fines have topped $100B over the past five years.

• Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure labels: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities, to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, in which internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy. Labels: Risk Management; Operational Excellence; Aligned Organisation; Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first-, second- and third-line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can respond automatically to changing business strategies as well as to regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks, while also being supported proactively by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By aligning the business and the risk and compliance functions more effectively, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

“Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti's Risk & Compliance practice. “This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended.”

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

[14] www.bis.org/bcbs/publ/d328.pdf

[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on, so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more than it is incentivising proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms seeking to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

[16] Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture Is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: risk culture as the keystone. Labels: Performance Management; Culture; Risk Management; Business Strategy; Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source), and the status of remediation of issues (issues that take too long to address or are in “past due” status are often indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm's risk culture messaging through their existing audits.”

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown, to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institutionrsquos risk culture and its risk appetite are explicitly interlinked Risk culture should inform a bankrsquos risk appetite statement (RAS) and in turn the risk appetite statement should inform the bankrsquos risk culture

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed Until now driven by regulatory demands the focus has been on establishing a high-level risk appetite statement at the board level However firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprisersquos risks with the stakeholdersrsquo priorities in the most effective and efficient manner The highest levels of management up to and including the board of directors must sponsor the initiative but involvement of LOB leadership and independent risk management are crucial to ensure that all stakeholders embrace the overall approach

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation resulting in a shared understanding and compliance with the risk appetite is equally as important as having a written RAS Especially in large organisations consistency in understanding and realising risk appetite throughout business lines is critical as stated by Thomas J Curry Comptroller of the Currency in a speech on May 8 2014 ldquo[Over] the years we found instances in which large complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities At best this resulted in organisational confusion At worst it contributed to major breakdowns in risk management And for banks with such broad impact on the financial system and the economy that is simply unacceptablerdquo17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.

28 Top Priorities for Internal Audit in Financial Services Organisations

Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1        | Data analysis tools – statistical analysis | 3.5
2        | Auditing IT – program development | 3.0
3        | Auditing IT – security | 3.1
4 (tie)  | Auditing IT – continuity | 3.2
4 (tie)  | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie)  | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie)  | Fraud – fraud detection/investigation | 3.2
6 (tie)  | Assessing risk – emerging issues | 2.2
9        | Audit planning – process, location, transaction level | 3.5
10       | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic in the original report shows the key areas internal audit needs to consider when auditing risk appetite; its content is reproduced below as text.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. An effective risk appetite statement is:

• Informed: the RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.
• Qualitative: the RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.
• Linked to Corporate Goals: the RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.
• Forward-Looking: the RAS allows the financial institution to view the desired risk profile under a variety of scenarios.
• Material Risk-Focused: the RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.
• Quantitative: the RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.
• Defines Risks: the RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.
• Supported: the RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1        | Agile risk and compliance | 2.2
2        | Internet of Things | 2.7
3 (tie)  | NIST Cybersecurity Framework | 2.3
3 (tie)  | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie)  | ISO 14000 (environmental management) | 2.1
5 (tie)  | ISO 27000 (information security) | 2.7
7        | Mobile applications | 2.3
8 (tie)  | International Financial Reporting Standards (IFRS) | 2.2
8 (tie)  | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically around its account provisioning process, in which the issuer is contacted to verify the cardholder's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to the account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
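The following is an added example, not code from the Protiviti report, illustrating the kind of "intelligent alerting" the paragraph above describes and two of the questions Goldberg raises (re-authentication age and device location). It scores a new mobile transaction against the account's past behaviour using three constructed signals: an impossible-travel check on geo-location, an amount outlier check, and a stale-session check. The threshold values, account identifiers, timestamps and coordinates are all assumptions made for the illustration.

```python
"""Added example (not from the report): minimal transaction screening that
scores a new mobile transaction against an account's past behaviour.
Signals raised:
  * impossible_travel - reaching the new location since the previous
                        transaction would require exceeding MAX_SPEED_KMH
  * unusual_amount    - amount far above the account's typical spend
  * stale_session     - user has not re-authenticated within REAUTH_WINDOW
All thresholds, accounts, timestamps and coordinates are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Assumed policy values (illustrative, not taken from the report).
MAX_SPEED_KMH = 900.0                 # faster than airline travel: location not genuine
REAUTH_WINDOW = timedelta(minutes=15)  # how long a login stays valid without re-auth
AMOUNT_SIGMAS = 3.0                    # standard deviations above the account mean


@dataclass
class Txn:
    account: str
    ts: datetime
    lat: float
    lon: float
    amount: float
    last_auth: datetime  # when the user last completed a full re-authentication


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_transaction(history, txn):
    """Return the list of alert tags raised for txn given the account's history."""
    alerts = []
    prior = [t for t in history if t.account == txn.account and t.ts < txn.ts]
    if prior:
        prev = max(prior, key=lambda t: t.ts)
        # Clamp the interval to one second so a same-instant event cannot divide by zero.
        hours = max((txn.ts - prev.ts).total_seconds() / 3600, 1 / 3600)
        if haversine_km(prev.lat, prev.lon, txn.lat, txn.lon) / hours > MAX_SPEED_KMH:
            alerts.append("impossible_travel")
        amounts = [t.amount for t in prior]
        # Only judge amounts once there is enough history to estimate a baseline.
        if len(amounts) >= 3 and pstdev(amounts) > 0:
            if txn.amount > mean(amounts) + AMOUNT_SIGMAS * pstdev(amounts):
                alerts.append("unusual_amount")
    if txn.ts - txn.last_auth > REAUTH_WINDOW:
        alerts.append("stale_session")
    return alerts


# Constructed sample data: three small purchases in London, then two new events.
_T0 = datetime(2016, 5, 1, 10, 0)
HISTORY = [
    Txn("acct-1", _T0 + timedelta(minutes=m), 51.5074, -0.1278, amt, _T0)
    for m, amt in ((0, 40.0), (10, 55.0), (20, 60.0))
]
CANDIDATES = {
    # Forty minutes later in New York on a fresh login: the location cannot be genuine.
    "new_york": Txn("acct-1", _T0 + timedelta(hours=1), 40.7128, -74.0060, 50.0,
                    _T0 + timedelta(minutes=55)),
    # Back in London, but a large amount on a session not re-authenticated for 2 h.
    "large_london": Txn("acct-1", _T0 + timedelta(hours=2), 51.5200, -0.1000, 2000.0,
                        _T0),
}


def example_alerts():
    """Run the screening over the constructed candidates; returns {name: alerts}."""
    return {name: score_transaction(HISTORY, t) for name, t in CANDIDATES.items()}


if __name__ == "__main__":
    for name, alerts in example_alerts().items():
        print(f"{name}: {alerts or 'no alert'}")
```

The point for an auditor is that each signal maps to a question the paragraph raises: the re-authentication window is a policy value the firm must have chosen deliberately, and the geo-location and amount baselines only work if the institution actually retains and joins the account's past transaction data.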

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled, cards: these pose a potential problem for retailers, because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams, or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

THE AMERICAS

UNITED STATES

Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA

Buenos Aires

BRAZIL

Rio de Janeiro, São Paulo

CANADA

Kitchener-Waterloo, Toronto

ASIA-PACIFIC

AUSTRALIA

Brisbane, Canberra, Melbourne, Sydney

CHINA

Beijing, Hong Kong, Shanghai, Shenzhen

INDIA

Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN

Osaka, Tokyo

SINGAPORE

Singapore

CHILE

Santiago

MEXICO

Mexico City

PERU

Lima

VENEZUELA

Caracas

EUROPE, MIDDLE EAST, AFRICA

FRANCE

Paris

GERMANY

Frankfurt, Munich

ITALY

Milan, Rome, Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN

Manama

KUWAIT

Kuwait City

OMAN

Muscat

SOUTH AFRICA

Johannesburg

QATAR

Doha

SAUDI ARABIA

Riyadh

UNITED ARAB EMIRATES

Abu Dhabi, Dubai


Adopting Agile Risk and Compliance

"Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation."

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti's Global Financial Services Industry practice.

Matthew Moore leads Protiviti's Risk & Compliance practice.

Organisations are realising that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1        | Agile risk and compliance | 2.2
2        | Internet of Things | 2.7
3 (tie)  | NIST Cybersecurity Framework | 2.3
3 (tie)  | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie)  | ISO 14000 (environmental management) | 2.1
5 (tie)  | ISO 27000 (information security) | 2.7
7        | Mobile applications | 2.3
8 (tie)  | International Financial Reporting Standards (IFRS) | 2.2
8 (tie)  | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organisations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and the rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritise risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

• Growth and innovation have been forced to take a back seat given risk and compliance challenges.
• Large bank fines have topped $100B over the past five years.
• Operating costs have become unsustainable, as quick-fix solutions and increasing headcount are the norm to improve risk management practices.
• Inherent risk continues to rise given the underlying business complexity and increased pace of change.

(Figure labels: Unsustainable Costs; Significant Fines, $100B; Inherent Risk; Growth and Innovation; Risk and Compliance.)

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

(Figure: Protiviti Agile Risk Management Philosophy. Labels: Risk Management; Aligned Organisation; Operational Excellence; Customer Satisfaction.)

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to remain accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.

Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as the core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.[15]

The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

“Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification rather than an incentive for proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated, escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programs “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf

Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: keystone diagram. Labels: Performance Management, Culture, Risk Management, Business Strategy, Risk Appetite.]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture, but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm’s risk culture).

Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully or not at all,” says Protiviti Director Mathew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm with the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”

Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”[17]

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.

Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf

Risk appetite metrics cannot simply be developed by the board and senior management and then pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director

The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. An effective risk appetite statement is:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.

Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).

General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.

Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the customer’s identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to the account’s past behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be used to match customers’ past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
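What behaviour-based alerting of this kind looks like in practice, as an added example that is not part of the Protiviti report or any vendor's product: a new mobile payment is scored against the same account's own history on three signals the paragraph alludes to (distance from any previously seen location, implied travel speed since the last transaction, and spend relative to the customer's average). The account identifiers, coordinates, amounts, thresholds and alert codes are all constructed for illustration; a production system would tune the thresholds per portfolio and feed the codes into step-up authentication or a case queue rather than act on them blindly.

```python
"""Behaviour-based transaction alerting for mobile payments.

Added illustration, not code from the report. Every account, location,
amount and threshold below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import List


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    amount: float
    lat: float   # approximate device/merchant location, decimal degrees
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def alert_codes(history: List[Txn], new: Txn, *,
                radius_km: float = 200.0,      # "familiar" distance from any past location
                max_speed_kmh: float = 900.0,  # implied speed above this is implausible travel
                amount_factor: float = 3.0) -> List[str]:
    """Return the reasons `new` deviates from the account's past behaviour.

    An empty list means the transaction is consistent with history. The
    thresholds are illustrative, not a tuned fraud model.
    """
    past = [t for t in history if t.account == new.account and t.when < new.when]
    if not past:
        return ["no_history"]   # first-seen account: candidate for step-up authentication
    codes: List[str] = []

    # 1. Geo-location: is this near any place the customer has transacted before?
    nearest_km = min(haversine_km(t.lat, t.lon, new.lat, new.lon) for t in past)
    if nearest_km > radius_km:
        codes.append("unfamiliar_location")

    # 2. Impossible travel: speed implied between the most recent transaction and this one.
    last = max(past, key=lambda t: t.when)
    hours = (new.when - last.when).total_seconds() / 3600.0
    if hours > 0:
        speed = haversine_km(last.lat, last.lon, new.lat, new.lon) / hours
        if speed > max_speed_kmh:
            codes.append("impossible_travel")

    # 3. Amount outlier relative to the customer's own average spend.
    mean_amount = sum(t.amount for t in past) / len(past)
    if new.amount > amount_factor * mean_amount:
        codes.append("amount_outlier")
    return codes


# Constructed sample: one customer who normally makes small payments around Chicago.
CHICAGO = (41.8781, -87.6298)
EVANSTON = (42.0451, -87.6877)   # roughly 20 km north of Chicago
MOSCOW = (55.7558, 37.6173)
T0 = datetime(2016, 3, 1, 9, 0)
HISTORY = [
    Txn("ACCT-0001", T0 + timedelta(days=d, hours=h), amt, *CHICAGO)
    for d, h, amt in ((0, 0, 40.0), (1, 3, 55.0), (2, 1, 62.0), (3, 2, 48.0))
]
LAST = max(HISTORY, key=lambda t: t.when)


def demo() -> dict:
    """Score three candidate transactions; returns {label: alert codes}."""
    nearby = Txn("ACCT-0001", LAST.when + timedelta(hours=2), 50.0, *EVANSTON)
    far_fast = Txn("ACCT-0001", LAST.when + timedelta(hours=1), 900.0, *MOSCOW)
    unknown = Txn("ACCT-9999", LAST.when, 10.0, *CHICAGO)
    return {
        "nearby": alert_codes(HISTORY, nearby),      # []
        "far_fast": alert_codes(HISTORY, far_fast),  # all three codes
        "unknown": alert_codes(HISTORY, unknown),    # ["no_history"]
    }


if __name__ == "__main__":
    for label, codes in demo().items():
        print(f"{label:9s} -> {'ALERT: ' + ', '.join(codes) if codes else 'ok'}")
```

From an audit standpoint the useful questions are the ones this code makes explicit: which signals feed the decision, where the thresholds live and who owns them, and what happens on each code (an `unfamiliar_location` alone might only prompt re-authentication, whereas `impossible_travel` plus `amount_outlier` would normally block and open a case).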

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, which continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled, cards: these pose a potential problem for retailers, because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams, or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.

Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm’s liabilities, policies and procedures in relation to account provisioning on mobile devices.

In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yves.davila@protivitiglobal.com.pe

CHINA (MAINLAND): Chris Low, +862151536900, chris.low@protiviti.com

CANADA: David Dawson, +16472884886, david.dawson@protiviti.com

CHILE: Soraya Boada, +56225738580, soraya.boada@protivitiglobal.cl

CHINA (HONG KONG): Albert Lee, +85222380499, albert.lee@protiviti.com

FRANCE: Bernard Drui, +33142962277, drui@protiviti.fr

NETHERLANDS: Anneke Wieling, +31203460400, anneke.wieling@protiviti.nl

OMAN: Shatha Al Maskiry, +968 24699402, shatha.maskiry@protivitiglobal.me

MEXICO: Roberto Abad, +525553429100, roberto.abad@protivitiglobal.com.mx

GERMANY: Michael Klinger, +4969963768155, michael.klinger@protiviti.de

KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwait@protivitiglobal.me

PERU: Marco Loayza, +5112081070, marco.loayza@protivitiglobal.com.pe

AUSTRALIA: Gary Anderson, +61399481200, gary.anderson@protiviti.com.au

INDIA: Sanjeev Agarwal, +911246618600, sanjeev.agarwal1@protivitiglobal.in

QATAR: Andrew North, +97444215300, andrew.north@protivitiglobal.me

BAHRAIN: Arvind Benani, +97317100050, arvind.benani@protivitiglobal.me

ITALY: Alberto Carnevale, +390265506301, alberto.carnevale@protiviti.it

SAUDI ARABIA: Saad Al Sabti, +966112930021, saad.alsabti@protivitiglobal.me

BRAZIL: Raul Silva, +551121984200, raul.silva@protivitiglobal.com.br

JAPAN: Hyo Kambayashi, +81352196600, hyo.kambayashi@protiviti.jp

SINGAPORE: Sidney Lim, +6562206066, sidney.lim@protiviti.com

SOUTH AFRICA: Fana Manana, +27112310600, fana.m@sng.za.com

UNITED ARAB EMIRATES: Arindam De, +97144380660, arindam.de@protivitiglobal.me

UNITED KINGDOM: Peter Richardson, +442079308808, peter.richardson@protiviti.co.uk

UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, cory.gunderson@protiviti.com

VENEZUELA: Gamal Perez, +582124184646, gamal.perez@protivitiglobal.com.ve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA: Buenos Aires

BRAZIL: Rio de Janeiro, São Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE: Santiago

MEXICO: Mexico City

PERU: Lima

VENEZUELA: Caracas

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

EUROPE / MIDDLE EAST / AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

THE NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN: Manama

KUWAIT: Kuwait City

OMAN: Muscat

SOUTH AFRICA: Johannesburg

QATAR: Doha

SAUDI ARABIA: Riyadh

UNITED ARAB EMIRATES: Abu Dhabi, Dubai


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

"Many organisations are beginning to change their vision for risk management," says Cory Gunderson, who leads Protiviti's Global Financial Services Industry practice. "Risk is moving away from being a control checker and referee to an enabler of business performance, driving a single approach for risk management, and is fully taking responsibility for improving the risk culture of the organisation. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture."

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

Growth and innovation have been forced to take a back seat given risk and compliance challenges.

Large bank fines have topped $100B over the past five years.

Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Graphic: four pressures on the industry: Unsustainable Costs, Significant Fines ($100B), Inherent Risk, and Growth and Innovation weighed against Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defence and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organisation that can make sound decisions while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti's 2016 Top Priorities for Internal Audit in Financial Services Organisations survey.


What Is Protiviti's Agile Risk Management Philosophy?

[Graphic: Protiviti Agile Risk Management Philosophy, with Risk Management at the centre of Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.[14] The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.[15]

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

[14] www.bis.org/bcbs/publ/d328.pdf

[15] Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.[16]

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification, more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

[16] Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture Is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: risk culture as the keystone between Performance Management and Risk Management, balancing Business Strategy against Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management are crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."[17]

[17] Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

[18] Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed by the board and senior management to be pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework:

• Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

• Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

• Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

• Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

• Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

• Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

• Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

• Supported: The RAS is supported by appropriate controls and stress tests.

[Figure: Effective Risk Appetite Statement, with the eight components above arranged around it]


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, and the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank    Areas Evaluated by Respondents    Competency (5-pt scale)

1           Agile risk and compliance    2.2

2           Internet of Things    2.7

3 (tie)     NIST Cybersecurity Framework    2.3

3 (tie)     GTAG 16 – Data Analysis Technologies    2.7

5 (tie)     ISO 14000 (environmental management)    2.1

5 (tie)     ISO 27000 (information security)    2.7

7           Mobile applications    2.3

8 (tie)     International Financial Reporting Standards (IFRS)    2.2

8 (tie)     Country-specific enterprise risk management framework    2.9

10 (tie)    Assurance around outsourced service providers    2.6

10 (tie)    2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"    3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "Embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds, "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to the account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be used to match against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
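The two controls the preceding paragraphs ask auditors to probe, as an added example that is not part of the original report and not Protiviti's or any vendor's tooling: a Python check that evaluates a constructed mobile transaction against (a) a session re-authentication and step-up policy, of the kind the auditor questions above are about, and (b) the account's most recent geo-located transaction, flagging travel that would be physically impossible in the elapsed time. The policy thresholds (`REAUTH_AFTER`, `STEP_UP_AMOUNT`, `MAX_PLAUSIBLE_SPEED_KMH`), the account data and the transactions are all constructed sample values, and the function names (`session_findings`, `geo_findings`, `evaluate`) are hypothetical, not a real API.

```python
"""Constructed example: session and geo-location checks for mobile transactions.

The thresholds, accounts and transactions below are sample values invented for
illustration; they are not Protiviti figures or any bank's production policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed policy parameters (hypothetical values).
REAUTH_AFTER = timedelta(minutes=15)   # session age after which re-authentication is required
STEP_UP_AMOUNT = 500.0                 # amounts at or above this require multi-factor authentication
MAX_PLAUSIBLE_SPEED_KMH = 900.0        # implied travel speed above this is treated as impossible travel
SAME_PLACE_KM = 1.0                    # distance within which two locations count as the same place


@dataclass(frozen=True)
class Transaction:
    account: str
    when: datetime
    amount: float
    lat: float
    lon: float


@dataclass(frozen=True)
class Session:
    account: str
    authenticated_at: datetime
    mfa_verified: bool


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def session_findings(session, tx):
    """The auditor's questions: how long since authentication, and is MFA needed for this amount?"""
    findings = []
    if tx.when - session.authenticated_at > REAUTH_AFTER:
        findings.append("reauth_required")
    if tx.amount >= STEP_UP_AMOUNT and not session.mfa_verified:
        findings.append("mfa_required")
    return findings


def geo_findings(history, tx):
    """Compare the new transaction's location with the account's most recent prior one."""
    prior = [h for h in history if h.account == tx.account and h.when <= tx.when]
    if not prior:
        return ["no_history"]          # nothing to compare against; route for manual review
    last = max(prior, key=lambda h: h.when)
    km = haversine_km(last.lat, last.lon, tx.lat, tx.lon)
    hours = (tx.when - last.when).total_seconds() / 3600.0
    # Edge case: two events at the same instant from different places cannot both be genuine.
    if hours <= 0:
        return ["impossible_travel"] if km > SAME_PLACE_KM else []
    if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
        return ["impossible_travel"]
    return []


def evaluate(session, history, tx):
    """All findings for one transaction; an empty list means no alert."""
    return session_findings(session, tx) + geo_findings(history, tx)


# Constructed sample data: one prior purchase in New York, then candidate transactions.
HISTORY = [Transaction("acct-1", datetime(2016, 3, 1, 9, 0), 42.0, 40.71, -74.01)]
STALE_SESSION = Session("acct-1", datetime(2016, 3, 1, 8, 50), mfa_verified=False)
FRESH_SESSION = Session("acct-1", datetime(2016, 3, 1, 9, 20), mfa_verified=False)
TX_LONDON = Transaction("acct-1", datetime(2016, 3, 1, 11, 0), 650.0, 51.51, -0.13)      # two hours later, 5,500 km away
TX_BROOKLYN = Transaction("acct-1", datetime(2016, 3, 1, 9, 30), 20.0, 40.65, -73.95)    # half an hour later, a few km away
TX_SAME_INSTANT = Transaction("acct-1", datetime(2016, 3, 1, 9, 0), 5.0, 51.51, -0.13)   # same timestamp as the New York purchase


def run_demo():
    """Return the findings for each sample transaction, keyed by scenario name."""
    return {
        "london": evaluate(STALE_SESSION, HISTORY, TX_LONDON),
        "brooklyn": evaluate(FRESH_SESSION, HISTORY, TX_BROOKLYN),
        "same_instant": geo_findings(HISTORY, TX_SAME_INSTANT),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {'alert: ' + ', '.join(findings) if findings else 'no findings'}")
```

The London case trips all three rules (stale session, amount above the step-up threshold without MFA, and an implied speed of roughly 2,800 km/h), the Brooklyn case trips none, and the same-instant case shows why the elapsed-time division needs an explicit guard rather than letting a zero interval slip through.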

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV or chip-and-PIN enabled cards, which pose a potential problem for retailers because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firms' liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


What Is Protiviti's Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy, showing Risk Management together with the three outcomes Aligned Organisation, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation of and response to a rapidly changing environment, resulting in informed executive decisions through an aligned organisation, operational excellence and customer satisfaction.

• An Aligned Organisation of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organisation.

• Operational Excellence is sustained by the successful execution of business strategy, supported by efficient processes, optimised technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organisation that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organisations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line, and integrating them more fully with the business, creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks, while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organisation has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organisation.

"Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems," says Matthew Moore, who leads Protiviti's Risk & Compliance practice. "This includes reinforcing the firm's risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intended."

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of today's customers, shareholders, employees, and the risk and regulatory environment.


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.15

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is a backward-looking behaviour modification, more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. It states that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: culture shown as the keystone between Business Strategy and Risk Appetite, with Performance Management on one side and Risk Management on the other]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti's Director Mathew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

most of the focus has been around settIng a rIsk appetIte statement at the board level but at some poInt regulators are goIng to start pushIng rIsk appetIte down Into the IndIvIdual lInes of busIness whIch Is exactly where It needs to be

ndash Timothy Long Managing Director

Scott Jones is a Managing Director with Protivitirsquos Internal Audit and Financial Advisory practice

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOBs) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank   Areas Evaluated by Respondents                                                                      Competency (5-pt scale)
1                        Data analysis tools – statistical analysis                                                          3.5
2                        Auditing IT – program development                                                                   3.0
3                        Auditing IT – security                                                                              3.1
4 (tie)                  Auditing IT – continuity                                                                            3.2
4 (tie)                  Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) 3.2
6 (tie)                  Operational auditing – effectiveness, efficiency and economy of operations approach                 3.2
6 (tie)                  Fraud – fraud detection/investigation                                                               3.2
6 (tie)                  Assessing risk – emerging issues                                                                    2.2
9                        Audit planning – process, location, transaction level                                               3.5
10                       Operational auditing – risk-based approach                                                          2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and many internal audit functions are also struggling to determine their own role in providing assurance on it to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture, with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The key areas internal audit needs to consider when auditing risk appetite are summarised below.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report, Principles for an Effective Risk Appetite Framework. An effective RAS is:

Informed – The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative – The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to corporate goals – The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-looking – The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material risk-focused – The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative – The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines risks – The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported – The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications


Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers for more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank   Areas Evaluated by Respondents                                                                            Competency (5-pt scale)
1                        Agile risk and compliance                                                                                 2.2
2                        Internet of Things                                                                                        2.7
3 (tie)                  NIST Cybersecurity Framework                                                                              2.3
3 (tie)                  GTAG 16 – Data Analysis Technologies                                                                      2.7
5 (tie)                  ISO 14000 (environmental management)                                                                      2.1
5 (tie)                  ISO 27000 (information security)                                                                          2.7
7                        Mobile applications                                                                                       2.3
8 (tie)                  International Financial Reporting Standards (IFRS)                                                        2.2
8 (tie)                  Country-specific enterprise risk management framework                                                     2.9
10 (tie)                 Assurance around outsourced service providers                                                             2.6
10 (tie)                 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together”       3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it,” says Page.
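As an added illustration of what a control program built around continuous change can look like (this is example code written for this edit, not code from Protiviti or from any firm's pipeline), the script below tests a constructed log of deployments against three controls an auditor can still expect when releases are continuous: a linked change record, an approval independent of the author (segregation of duties), and a passing automated test run on the exact commit that went to production. The record layout, field names and sample entries are assumptions made for the example.

```python
"""Change-management control check for an Agile/DevOps delivery pipeline.

Added example, not code from Protiviti or from any firm's pipeline. A
constructed deployment log is tested against three controls: a linked change
record, an approval independent of the author, and a passing test run on the
deployed commit. Field names and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Deployment:
    commit: str
    environment: str        # only "prod" is in scope for these controls
    author: str
    approvers: List[str]
    change_record: str      # ticket id; empty string if nothing was linked
    tests_green_on: str     # commit the last successful test run covered


def control_exceptions(d: Deployment) -> List[str]:
    """Control failures for one deployment; an empty list means it passed."""
    findings: List[str] = []
    if d.environment != "prod":
        return findings
    if not d.change_record:
        findings.append("no change record linked")
    if not any(a != d.author for a in d.approvers):
        findings.append("no approval independent of the author")
    if d.tests_green_on != d.commit:
        findings.append("no passing test run on the deployed commit")
    return findings


def audit_deployments(log: List[Deployment]) -> Dict[str, List[str]]:
    """Commit -> findings for every production deployment with at least one exception."""
    result: Dict[str, List[str]] = {}
    for d in log:
        findings = control_exceptions(d)
        if findings:
            result[d.commit] = findings
    return result


def exception_rate(log: List[Deployment]) -> float:
    """Share of production deployments that carry at least one control exception."""
    prod = [d for d in log if d.environment == "prod"]
    return len(audit_deployments(prod)) / len(prod) if prod else 0.0


# Constructed sample log (not real data).
SAMPLE_LOG = [
    Deployment("a1f9", "prod", "alice", ["bob"], "CHG-1041", "a1f9"),       # clean
    Deployment("b2c3", "prod", "bob", ["bob"], "CHG-1042", "b2c3"),         # self-approved
    Deployment("c3d4", "prod", "carol", ["dave"], "CHG-1043", "c3d3"),      # tests ran on an earlier commit
    Deployment("d4e5", "prod", "dave", ["erin", "dave"], "", "d4e5"),       # no change record
    Deployment("e5f6", "staging", "erin", [], "", ""),                      # out of scope
]

if __name__ == "__main__":
    for commit, findings in audit_deployments(SAMPLE_LOG).items():
        print(commit, "->", "; ".join(findings))
    print(f"exception rate: {exception_rate(SAMPLE_LOG):.0%}")
```

Run continuously (for example on every merge to the release branch) rather than once a year, this turns the three controls into evidence the auditor can sample at any time, and the exception rate becomes a KRI in its own right.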

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in the account provisioning step, in which the issuer is contacted to verify the cardholder’s identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold on the account’s past behaviour. Working with geolocation information from mobile applications is one way to help reduce fraud, as it can be matched against the customer’s past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
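The questions Goldberg raises (how long a session may live before re-authentication, what level of authentication is required, whether a device needs a second factor) and the behavioural monitoring described above can be combined into one risk-based decision per provisioning or payment event. The following is an added example written for this edit, not Protiviti's code or any bank's or wallet provider's production logic: it scores each event against the card's observed history (known locations, known devices, recent provisioning attempts, session age) and resolves it to ALLOW, STEP_UP or BLOCK. All weights, thresholds, field names and sample data are assumptions constructed for the example.

```python
"""Risk-based checks for mobile account provisioning and transaction monitoring.

Added example, not code from Protiviti or from any bank or wallet provider.
Each provisioning or payment event is scored against the card's observed
history and resolved to ALLOW, STEP_UP (re-authenticate / second factor) or
BLOCK. Weights, thresholds, field names and sample data are assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

SESSION_MAX_AGE_S = 10 * 60    # assumed policy: full re-authentication after 10 minutes
FAR_AWAY_KM = 500.0            # assumed: farther than this from any known location is unusual
MAX_PROVISIONS_24H = 2         # assumed: provisioning attempts tolerated per card per day
BLOCK_AT, STEP_UP_AT = 70, 40  # assumed score thresholds


@dataclass
class Event:
    kind: str               # "provision" (card added to a device) or "payment"
    card: str               # card reference; a token rather than the PAN in a real system
    device_id: str
    lat: float
    lon: float
    ts: int                 # unix seconds
    amount: float = 0.0
    auth_age_s: int = 0     # seconds since the session last fully authenticated
    mfa_done: bool = False  # a second factor was completed for this event


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def nearest_known_km(event: Event, history: List[Event]) -> Optional[float]:
    """Distance from the event to the closest prior event on the same card, or None."""
    prior = [h for h in history if h.card == event.card]
    if not prior:
        return None
    return min(haversine_km(event.lat, event.lon, h.lat, h.lon) for h in prior)


def score(event: Event, history: List[Event]) -> Tuple[int, List[str]]:
    """Additive risk score with the reasons that contributed to it."""
    points, reasons = 0, []
    dist = nearest_known_km(event, history)
    if dist is None:
        points += 40
        reasons.append("no history for this card")
    elif dist > FAR_AWAY_KM:
        points += 30
        reasons.append(f"{dist:.0f} km from any known location")
    if event.device_id not in {h.device_id for h in history if h.card == event.card}:
        points += 25
        reasons.append("device never seen for this card")
    if event.kind == "provision":
        recent = [h for h in history if h.card == event.card and h.kind == "provision"
                  and 0 <= event.ts - h.ts < 86400]
        if len(recent) >= MAX_PROVISIONS_24H:
            points += 40
            reasons.append(f"{len(recent)} provisioning attempts in the last 24h")
    if event.auth_age_s > SESSION_MAX_AGE_S:
        points += 40
        reasons.append("session past the re-authentication window")
    if event.mfa_done:
        points -= 30
        reasons.append("second factor completed")
    return points, reasons


def decide(event: Event, history: List[Event]) -> str:
    """ALLOW / STEP_UP / BLOCK for one event given the card's history."""
    points, _ = score(event, history)
    if points >= BLOCK_AT:
        return "BLOCK"
    return "STEP_UP" if points >= STEP_UP_AT else "ALLOW"


# Constructed sample data (not real customers): one card used from one phone in Chicago.
CHICAGO, MIAMI, LOS_ANGELES = (41.8781, -87.6298), (25.7617, -80.1918), (34.0522, -118.2437)
T0 = 1_700_000_000
HISTORY = [Event("payment", "card-1", "phone-A", *CHICAGO, T0 - 86400 * d, amount=a)
           for d, a in ((10, 42.10), (5, 17.35), (1, 88.00))]
SAMPLE_EVENTS = [
    Event("payment", "card-1", "phone-A", *CHICAGO, T0, amount=25.00, auth_age_s=90),
    Event("provision", "card-1", "phone-B", *MIAMI, T0),                 # new device, far away
    Event("provision", "card-1", "phone-B", *MIAMI, T0, mfa_done=True),  # same, after step-up
    Event("payment", "card-1", "phone-A", *CHICAGO, T0, amount=300.0, auth_age_s=1800),
]
# Two provisioning attempts already made today, then a third from yet another device.
BURST_HISTORY = HISTORY + [Event("provision", "card-1", "phone-C", *MIAMI, T0 - 3600),
                           Event("provision", "card-1", "phone-D", *MIAMI, T0 - 1800)]
BURST_EVENT = Event("provision", "card-1", "phone-E", *LOS_ANGELES, T0)


def run_sample() -> List[str]:
    """Decisions for the constructed events, in order."""
    return [decide(e, HISTORY) for e in SAMPLE_EVENTS] + [decide(BURST_EVENT, BURST_HISTORY)]


if __name__ == "__main__":
    for e, d in zip(SAMPLE_EVENTS + [BURST_EVENT], run_sample()):
        hist = BURST_HISTORY if e is BURST_EVENT else HISTORY
        print(f"{e.kind:9} {e.device_id:8} {d:8}", score(e, hist)[1])
```

The point an auditor should take from the design is that the step-up path is the default for anything unusual (a new device, an unfamiliar location, a stale session) and a block is reserved for a combination of signals, so a single noisy signal does not lock out legitimate customers while provisioning velocity, the pattern behind the fraud described above, still stops quickly.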

There are additional challenges for firms now that fraud liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic-stripe cards to EMV (chip-and-PIN) cards: LoopPay transactions pose a potential problem for retailers, because liability shifts to them when the technology bypasses the need for the customer to enter a PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, damaging its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams, or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology being adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm’s liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit in connecting more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yves.davila@protivitiglobal.com.pe
AUSTRALIA: Gary Anderson, +61399481200, gary.anderson@protiviti.com.au
BAHRAIN: Arvind Benani, +97317100050, arvind.benani@protivitiglobal.me
BRAZIL: Raul Silva, +551121984200, raul.silva@protivitiglobal.com.br
CANADA: David Dawson, +16472884886, david.dawson@protiviti.com
CHILE: Soraya Boada, +56225738580, soraya.boada@protivitiglobal.cl
CHINA (MAINLAND): Chris Low, +862151536900, chris.low@protiviti.com
CHINA (HONG KONG): Albert Lee, +85222380499, albert.lee@protiviti.com
FRANCE: Bernard Drui, +33142962277, drui@protiviti.fr
GERMANY: Michael Klinger, +4969963768155, michael.klinger@protiviti.de
INDIA: Sanjeev Agarwal, +911246618600, sanjeev.agarwal1@protivitiglobal.in
ITALY: Alberto Carnevale, +390265506301, alberto.carnevale@protiviti.it
JAPAN: Hyo Kambayashi, +81352196600, hyo.kambayashi@protiviti.jp
KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwait@protivitiglobal.me
MEXICO: Roberto Abad, +525553429100, roberto.abad@protivitiglobal.com.mx
NETHERLANDS: Anneke Wieling, +31203460400, anneke.wieling@protiviti.nl
OMAN: Shatha Al Maskiry, +96824699402, shatha.maskiry@protivitiglobal.me
PERU: Marco Loayza, +5112081070, marco.loayza@protivitiglobal.com.pe
QATAR: Andrew North, +97444215300, andrew.north@protivitiglobal.me
SAUDI ARABIA: Saad Al Sabti, +966112930021, saad.alsabti@protivitiglobal.me
SINGAPORE: Sidney Lim, +6562206066, sidney.lim@protiviti.com
SOUTH AFRICA: Fana Manana, +27112310600, fanam@sng.za.com
UNITED ARAB EMIRATES: Arindam De, +97144380660, arindam.de@protivitiglobal.me
UNITED KINGDOM: Peter Richardson, +442079308808, peter.richardson@protiviti.co.uk
UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, cory.gunderson@protiviti.com
VENEZUELA: Gamal Perez, +582124184646, gamal.perez@protivitiglobal.com.ve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti and Protiviti Member Firm offices

THE AMERICAS

United States: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
Argentina: Buenos Aires
Brazil: Rio de Janeiro, São Paulo
Canada: Kitchener-Waterloo, Toronto
Chile: Santiago
Mexico: Mexico City
Peru: Lima
Venezuela: Caracas

ASIA-PACIFIC

Australia: Brisbane, Canberra, Melbourne, Sydney
China: Beijing, Hong Kong, Shanghai, Shenzhen
India: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
Japan: Osaka, Tokyo
Singapore: Singapore

EUROPE / MIDDLE EAST / AFRICA

France: Paris
Germany: Frankfurt, Munich
Italy: Milan, Rome, Turin
The Netherlands: Amsterdam
United Kingdom: London
Bahrain: Manama
Kuwait: Kuwait City
Oman: Muscat
Qatar: Doha
Saudi Arabia: Riyadh
South Africa: Johannesburg
United Arab Emirates: Abu Dhabi, Dubai

Page 23: Top Priorities for Internal Audit in Financial Services ......Top Priorities for Internal Audit in Financial Services Organisations 1 Introduction Each year, Protiviti conducts its

22 Top Priorities for Internal Audit in Financial Services Organisations

Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change

Embedding agile risk management throughout the organisation requires the front-line business units to still be accountable for risks while also being supported in a proactive way by independent risk management A meaningful and well-understood risk appetite is used to make business decisions while risk identification and monitoring are integrated within business processes

By more effectively aligning the business and the risk and compliance functions firms benefit in a number of different ways They are able to leverage integrated and coordinated business IT risk and compliance monitoring The organisation has agile risk skills and common tools and methodologies to act efficiently while reporting is used jointly to measure business goals and risk limits

In all this risk management enables the business which leads to respected risk and compliance functions that add value to the organisation

ldquoInternal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systemsrdquo says Matthew Moore who leads Protivitirsquos Risk amp Compliance practice ldquoThis includes reinforcing the firmrsquos risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework Internal audit has the unique perspective of being able to observe risk management activities across lines of defence and business units which allows it to add value by providing important feedback on the extent to which there is alignment across the organisation and the agile risk management philosophy is operating as intendedrdquo

The time has come for proactive organisations to take the lead and adopt an agile risk management framework to better meet the challenges of todayrsquos customers shareholders employees and the risk and regulatory environment

23 Top Priorities for Internal Audit in Financial Services Organisations

Understanding and Integrating Risk Culture

when the leadershIp team takes audIt fIndIngs serIously and ImmedIately puts pressure on the lIne of busIness where the Issues were IdentIfIed to resolve the problem It tells you a lot about the rIsk culture of that fIrm

ndash Michael Brauneis Managing Director

Risk culture remains a key concern for internal auditors Although the subject is not specifically flagged in the 2016 survey results it was singled out as an area for auditors to improve their technical knowledge in last yearrsquos results The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis but it remains an enigma for many financial institutions Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture On July 8 2015 the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks which includes the importance of a sound risk culture to drive risk management within a bank14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture In April 2014 the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture A Framework for Assessing Risk Culture to assist firms in identifying the foundational elements that contribute to a sound risk culture as well as core practices and dynamics that may be indicators of the effectiveness of an enterprisersquos risk culture15

The FSBrsquos view is that the soundness of an institutionrsquos risk culture is based on the extent to which it governs its riskreward decision-making process successfully executes its agreed upon strategy within its defined risk appetite on a day-to-day basis and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised The FSB recognises that risk culture has to be embedded in the overall corporate culture which will evolve over time

14 wwwbisorgbcbspubld328pdf15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture A Framework for Assessing Risk Culture

wwwfinancialstabilityboardorg201404140407

James McDonald is a Managing Director with Protivitirsquos Risk amp Compliance Solutions practice

Dolores Atallo is a Managing Director with Protivitirsquos Risk amp Compliance Solutions practice

Michael Brauneis is a Managing Director with Protivitirsquos Risk amp Compliance Solutions practice

24 Top Priorities for Internal Audit in Financial Services Organisations

In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013 only 37 percent of respondents noted that they evaluated risk culture while only 28 percent said that they believed risk culture is fully integrated into their respective organisations16

ldquoThrough internal employee surveys some firms are trying to analyse today how their risk culture is being embedded in the organisation to see how well their employees understand the risk culturerdquo says Protiviti Managing Director James McDonald ldquoThe fact that firms need to do so shows it is a challenge The CEO can state that the company is going to do the right things and live within its risk appetite but that message needs to be continually reinforced Firms need to empower employees and provide them with examples of what good behaviour looks like such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issuerdquo

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification rather than an incentive for proper future behaviour. “Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, an additional challenge for firms seeking to keep their risk culture messaging consistent.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component of how a financial institution conveys acceptable risk-taking behaviour and reinforces its operating and risk culture. The guidelines state that remuneration programmes “should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

16. Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series), www.protiviti.com/cro-series

[Graphic: risk culture as the keystone between Performance Management culture and Risk Management culture, linking Business Strategy with Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for alignment with the company’s intended risk culture, but other areas also warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits of the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address, or that sit in “past due” status, are often indicators of a firm’s risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. “This is almost a continual process, where audit can pick up on where risk culture has been embedded particularly successfully, or not at all,” says Protiviti Director Matthew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further and evaluate the origin of the breakdown, considering whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed up cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation’s thinking and actions on risk culture evolve past tone at the top and become a practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments of how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite


Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is just as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”17

17. Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18. Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts, to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test whether the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that, in a stressed environment, the firm will have the capacity to stay within its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report entitled Principles for an Effective Risk Appetite Framework:

- The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.
- The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.
- The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.
- The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.
- The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.
- The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.
- The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.
- The RAS is supported by appropriate controls and stress tests.

[Graphic: “Effective Risk Appetite Statement”, with the eight attributes labelled Informed, Qualitative, Linked to Corporate Goals, Defines Risks, Supported, Material Risk-Focused, Quantitative and Forward-Looking]


Coping With the Pace of Change in Mobile Applications


Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers for more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s US Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to “embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm.”

Page adds: “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a way that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is user authentication – making sure the user is who they say they are. When using any type of mobile payment application (Apple Pay and LoopPay are just two examples), the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically linked to the design of its account provisioning process, in which the card issuer is contacted to verify the customer’s identity and card information before the card is activated on the device.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting based on all of the data they hold about the account’s past behaviour. Using geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against the customer’s past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
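The history-based monitoring described above can be sketched in code. The following Python is an added example, not Protiviti’s code or any bank’s system: it replays a constructed event log for one account and scores each mobile payment or card-provisioning event against that account’s own history, using geo-location (impossible-travel speed since the previous event, and distance from any location seen before), device familiarity, the amount relative to past payments, and whether the paying device was provisioned within the last 24 hours. The event fields, rule weights, thresholds, sample coordinates and amounts are all assumptions chosen for illustration.

```python
# Added example (not Protiviti's or any bank's code): rule-based scoring of
# mobile banking events against the account's own history. All thresholds,
# weights and sample data below are constructed assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str          # "txn" = payment, "provision" = card added to a device
    amount: float      # 0.0 for provisioning events
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Assumed tuning values; a bank would derive these from its own fraud data.
MAX_SPEED_KMH = 900.0         # faster than a commercial flight => impossible travel
FAMILIAR_RADIUS_KM = 500.0    # a location is "familiar" if a prior event was within this
AMOUNT_MULTIPLIER = 3.0       # flag payments above 3x the mean of prior payments
PROVISION_WINDOW = timedelta(hours=24)
STEP_UP_AT, BLOCK_AT = 3, 5


def score_event(history, event):
    """Score one event against the same account's earlier events: (score, reasons)."""
    prior = [e for e in history if e.account == event.account and e.ts < event.ts]
    if not prior:
        return 0, ["no prior history for account"]
    score, reasons = 0, []

    if event.device_id not in {e.device_id for e in prior}:
        score += 2
        reasons.append(f"new device {event.device_id}")

    # Impossible travel: distance from the most recent event vs. elapsed time.
    last = max(prior, key=lambda e: e.ts)
    km = haversine_km(last.lat, last.lon, event.lat, event.lon)
    hours = (event.ts - last.ts).total_seconds() / 3600
    if km > 0 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
        score += 3
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")

    # Geo-location matched against the whole history, not just the last event.
    nearest = min(haversine_km(e.lat, e.lon, event.lat, event.lon) for e in prior)
    if nearest > FAMILIAR_RADIUS_KM:
        score += 1
        reasons.append(f"unfamiliar location: nearest prior event {nearest:.0f} km away")

    past = [e.amount for e in prior if e.kind == "txn"]
    if event.kind == "txn" and past and event.amount > AMOUNT_MULTIPLIER * mean(past):
        score += 2
        reasons.append(f"amount {event.amount:.2f} vs usual {mean(past):.2f}")

    if event.kind == "txn" and any(
        e.kind == "provision" and e.device_id == event.device_id
        and event.ts - e.ts <= PROVISION_WINDOW for e in prior
    ):
        score += 2
        reasons.append("payment from a device provisioned within the last 24 h")
    return score, reasons


def decision(score):
    """Map a score to an action: allow, force re-authentication, or block."""
    if score >= BLOCK_AT:
        return "block"
    return "step-up" if score >= STEP_UP_AT else "allow"


def run(events):
    """Replay an event log in time order; each event is scored against those before it."""
    results, history = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        score, reasons = score_event(history, ev)
        results.append((ev.ts.isoformat(), ev.kind, decision(score), score, reasons))
        history.append(ev)
    return results


# Constructed sample log: a Chicago customer, then a card provisioned onto an
# unknown device in Lagos 20 minutes after the last Chicago purchase.
CHI, LAG = (41.88, -87.63), (6.52, 3.38)
SAMPLE = [
    Event("acct-1", datetime(2016, 3, 1, 9, 0), "txn", 40.0, *CHI, "phone-1"),
    Event("acct-1", datetime(2016, 3, 2, 12, 30), "txn", 55.0, *CHI, "phone-1"),
    Event("acct-1", datetime(2016, 3, 3, 18, 15), "txn", 32.0, *CHI, "phone-1"),
    Event("acct-1", datetime(2016, 3, 3, 18, 35), "provision", 0.0, *LAG, "phone-2"),
    Event("acct-1", datetime(2016, 3, 3, 18, 55), "txn", 950.0, *LAG, "phone-2"),
    Event("acct-1", datetime(2016, 3, 4, 19, 0), "txn", 45.0, *CHI, "phone-1"),
]

if __name__ == "__main__":
    for ts, kind, action, score, reasons in run(SAMPLE):
        print(f"{ts} {kind:9} {action:7} score={score} {'; '.join(reasons)}")
```

Running the script prints one line per event: the provisioning of an unknown device several thousand kilometres from anything in the customer’s history is blocked outright, the large payment from that device 20 minutes later is sent for step-up authentication, and the customer’s next purchase from the known device is allowed. The weights are deliberately simple; a production system would tune them from the bank’s own fraud data and feed the reasons list into its alerting and case-management tools rather than printing it.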

There are additional challenges for firms now that liability has shifted, as of October 2015, from the card issuer to the weakest link in the transaction. There is an added complication in the United States, which continues to transition from magnetic-stripe cards to EMV (chip-and-PIN) cards: this poses a potential problem for retailers, because during a LoopPay transaction the liability shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. The services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank’s reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers increasingly contact their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams with more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider:

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm’s liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit in connecting more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the shortage of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS
UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA: Buenos Aires
BRAZIL: Rio de Janeiro, São Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE: Santiago
MEXICO: Mexico City
PERU: Lima
VENEZUELA: Caracas

ASIA-PACIFIC
AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore

EUROPE, MIDDLE EAST, AFRICA
FRANCE: Paris
GERMANY: Frankfurt, Munich
ITALY: Milan, Rome, Turin
THE NETHERLANDS: Amsterdam
UNITED KINGDOM: London
BAHRAIN: Manama
KUWAIT: Kuwait City
OMAN: Muscat
SOUTH AFRICA: Johannesburg
QATAR: Doha
SAUDI ARABIA: Riyadh
UNITED ARAB EMIRATES: Abu Dhabi, Dubai


Understanding and Integrating Risk Culture

"When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm."

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year's results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalise their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise's risk culture.15

The FSB's view is that the soundness of an institution's risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed-upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realised. The FSB recognises that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/

James McDonald is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti's Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour – taking compensation from people who misbehave or break limits – rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification more so than incentivising proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component for a financial institution to convey acceptable risk-taking behaviour and reinforce its operating and risk culture. They state that remuneration programs "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series) (www.protiviti.com/cro-series)

[Figure: risk culture as the keystone. Elements shown: Performance Management, Culture, Risk Management, Business Strategy, Risk Appetite.]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status often are indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot be developed by the board and senior management simply to be pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework.

[Figure: Effective Risk Appetite Statement. Attributes shown: Informed, Qualitative, Linked to Corporate Goals, Defines Risks, Supported, Material Risk-Focused, Quantitative, Forward-Looking. The FSB components listed in the graphic are:]

The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, as well as the myriad risks presented by such brand new technology, are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world, there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify their identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based on all of the data they have related to the account's past behaviour. Working with geo-location information in mobile applications is one way to help reduce fraud, as it can be used to match against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
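The auditor questions above (session age without re-authentication, step-up authentication for provisioning) and the geo-location monitoring described in this paragraph, as an added example that is not code from the report or from Protiviti: a small Python rule set of the kind an auditor could ask to see behind "intelligent alerting" for mobile account provisioning and payments. The thresholds, rule names, device identifiers and sample events are constructed assumptions, not values from the report.

```python
"""Constructed example: behavioural alerting rules for mobile provisioning
and payment events. Thresholds and sample data are assumptions for
illustration, not figures from the Protiviti report."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed policy thresholds (illustrative; a real policy sets its own).
MAX_SESSION_AGE = timedelta(minutes=15)   # require re-authentication after this
MAX_PLAUSIBLE_SPEED_KMH = 900.0           # faster than an airliner: impossible travel
KNOWN_LOCATION_RADIUS_KM = 200.0          # beyond this from all history: new location


@dataclass(frozen=True)
class Event:
    account: str
    kind: str             # "provision" (card added to a device) or "payment"
    when: datetime
    lat: float
    lon: float
    device_id: str
    last_auth: datetime   # time of the last full authentication in this session
    mfa: bool = False     # whether a second factor was presented for this event


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in km."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def evaluate(event: Event, history: list[Event]) -> list[str]:
    """Return alert codes for `event`, given the account's earlier events.

    Each rule corresponds to one of the auditor questions in the text:
    session age without re-authentication, multi-factor step-up for
    provisioning, device binding, and geo-location against past behaviour.
    """
    alerts: list[str] = []
    if event.when - event.last_auth > MAX_SESSION_AGE:
        alerts.append("STALE_SESSION")           # acted long after last login
    if event.kind == "provision":
        if not event.mfa:
            alerts.append("PROVISION_WITHOUT_MFA")
        if event.device_id not in {h.device_id for h in history}:
            alerts.append("NEW_DEVICE")          # card added on an unseen device
    if history:
        last = max(history, key=lambda h: h.when)
        hours = (event.when - last.when).total_seconds() / 3600.0
        dist = haversine_km(event.lat, event.lon, last.lat, last.lon)
        if hours > 0 and dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            alerts.append("IMPOSSIBLE_TRAVEL")
        if all(haversine_km(event.lat, event.lon, h.lat, h.lon) > KNOWN_LOCATION_RADIUS_KM
               for h in history):
            alerts.append("NEW_LOCATION")        # nowhere near any past activity
    return alerts


def run_constructed_scenario() -> dict[str, list[str]]:
    """Replay constructed sample events for one account and collect alerts."""
    t0 = datetime(2016, 3, 1, 9, 0)
    nyc = (40.7128, -74.0060)
    la = (34.0522, -118.2437)
    # Two weeks of ordinary New York payments from the customer's usual phone.
    history = [
        Event("acct-1", "payment", t0 + timedelta(days=d), *nyc, "phone-A",
              last_auth=t0 + timedelta(days=d, minutes=-2))
        for d in range(14)
    ]
    scenario = {
        # Legitimate payment near home, but the session is 30 minutes old.
        "stale_payment": Event("acct-1", "payment", t0 + timedelta(days=14, hours=2),
                               40.7580, -73.9855, "phone-A",
                               last_auth=t0 + timedelta(days=14, hours=2, minutes=-30)),
        # Card provisioned onto an unknown device across the country one hour
        # after the last New York payment, with no second factor presented.
        "suspect_provision": Event("acct-1", "provision", t0 + timedelta(days=13, hours=1),
                                   *la, "phone-Z",
                                   last_auth=t0 + timedelta(days=13, hours=1, minutes=-1)),
    }
    return {name: evaluate(ev, history) for name, ev in scenario.items()}


if __name__ == "__main__":
    for name, alerts in run_constructed_scenario().items():
        print(f"{name}: {alerts or ['no alerts']}")
```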

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled, cards, which pose a potential problem for retailers because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN number.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are also managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.

34 Top Priorities for Internal Audit in Financial Services Organisations

Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it keeps up to date with the latest technology that its organisation adopts, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and by advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit in connecting more with the lines of business and management, as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the shortage of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yves.davila@protivitiglobal.com.pe

CHINA (MAINLAND): Chris Low, +862151536900, chris.low@protiviti.com

CANADA: David Dawson, +16472884886, david.dawson@protiviti.com

CHILE: Soraya Boada, +56225738580, soraya.boada@protivitiglobal.cl

CHINA (HONG KONG): Albert Lee, +85222380499, albert.lee@protiviti.com

FRANCE: Bernard Drui, +33142962277, drui@protiviti.fr

NETHERLANDS: Anneke Wieling, +31203460400, anneke.wieling@protiviti.nl

OMAN: Shatha Al Maskiry, +968 24699402, shatha.maskiry@protivitiglobal.me

MEXICO: Roberto Abad, +525553429100, roberto.abad@protivitiglobal.com.mx

GERMANY: Michael Klinger, +4969963768155, michael.klinger@protiviti.de

KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwait@protivitiglobal.me

PERU: Marco Loayza, +5112081070, marco.loayza@protivitiglobal.com.pe

AUSTRALIA: Gary Anderson, +61399481200, gary.anderson@protiviti.com.au

INDIA: Sanjeev Agarwal, +911246618600, sanjeev.agarwal1@protivitiglobal.in

QATAR: Andrew North, +97444215300, andrew.north@protivitiglobal.me

BAHRAIN: Arvind Benani, +97317100050, arvind.benani@protivitiglobal.me

ITALY: Alberto Carnevale, +390265506301, alberto.carnevale@protiviti.it

SAUDI ARABIA: Saad Al Sabti, +966112930021, saad.alsabti@protivitiglobal.me

BRAZIL: Raul Silva, +551121984200, raul.silva@protivitiglobal.com.br

JAPAN: Hyo Kambayashi, +81352196600, hyo.kambayashi@protiviti.jp

SINGAPORE: Sidney Lim, +6562206066, sidney.lim@protiviti.com

SOUTH AFRICA: Fana Manana, +27112310600, fanam@sng.za.com

UNITED ARAB EMIRATES: Arindam De, +97144380660, arindam.de@protivitiglobal.me

UNITED KINGDOM: Peter Richardson, +442079308808, peter.richardson@protiviti.co.uk

UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, cory.gunderson@protiviti.com

VENEZUELA: Gamal Perez, +582124184646, gamal.perez@protivitiglobal.com.ve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA: Buenos Aires

BRAZIL: Rio de Janeiro, São Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE: Santiago

MEXICO: Mexico City

PERU: Lima

VENEZUELA: Caracas

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

EUROPE / MIDDLE EAST / AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

THE NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN: Manama

KUWAIT: Kuwait City

OMAN: Muscat

QATAR: Doha

SAUDI ARABIA: Riyadh

SOUTH AFRICA: Johannesburg

UNITED ARAB EMIRATES: Abu Dhabi, Dubai



In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organisations.16

"Through internal employee surveys, some firms are trying to analyse today how their risk culture is being embedded in the organisation, to see how well their employees understand the risk culture," says Protiviti Managing Director James McDonald. "The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite, but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behaviour looks like, such as instances where an employee raises their hand and identifies an issue early on, so the problem can be resolved before it becomes a larger issue."

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behaviour (taking compensation from people who misbehave or break limits) rather than rewarding employees who are beacons of good culture. That is backward-looking behaviour modification rather than an incentive for proper future behaviour. "Those employees who raise their hands when they have an issue, with the issue then being debated, escalated and addressed as appropriate, need to be rewarded," adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise, in all locations, is a major barrier to the effectiveness of risk culture in large financial services firms. Organisations can stage all-hands town hall staff meetings to reinforce this messaging, but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organisation as it evolves, which is an additional challenge for firms seeking to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognise that compensation systems are a key component in conveying acceptable risk-taking behaviour and reinforcing a financial institution's operating and risk culture. They state that remuneration programmes "should encourage a sound risk culture in which risk-taking behaviour is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines."

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013, www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: risk culture as the keystone between Business Strategy and Performance Management on one side and Risk Appetite and Risk Management on the other]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for alignment with the company's intended risk culture, but other areas warrant internal audit's focus too. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits of the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus by internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address, or that sit in "past due" status, are often indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously its recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analysis is key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further and evaluate the origin of the breakdown, considering whether a risk appetite breach or an incentives problem (e.g. pressure to cut control corners in order to speed up cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top and become a practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments of how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOBs) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but the involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is just as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units, to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture, with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests, to show that in a stressed environment the firm will have the capacity to stay within its set risk appetite and hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below (reproduced here as a list) shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report entitled Principles for an Effective Risk Appetite Framework. An effective risk appetite statement is:

Informed: the RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: the RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to corporate goals: the RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans; risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Defines risks: the RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: the RAS is supported by appropriate controls and stress tests.

Material risk-focused: the RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: the RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Forward-looking: the RAS allows the financial institution to view the desired risk profile under a variety of scenarios.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers for more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change and the fact that there are so many variables in the environment as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a way that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication: making sure the user is who they say they are. When using any type of mobile payment application (Apple Pay and LoopPay are just two examples), the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in its account provisioning process, in which the card issuer is contacted to verify the cardholder's identity and card information before the card is added to the device.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"
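The following Python, added here as an illustration (it is not Protiviti's code, nor any issuer's or wallet provider's provisioning flow), shows the control the questions above point at. A provisioning request is never approved on a match of static personal data alone, because that is exactly the data the fraudsters social-engineered. The issuer combines the knowledge check with signals it already holds (is the requesting device known on the account, has the phone number or email on file just been changed, how many attempts in the last day, has the card been reported lost) and either approves, denies, or steps up through a channel the attacker cannot have just taken over. The signal names, the 14-day window, the attempt limit, the channel names and the sample accounts are constructed assumptions for demonstration.

```python
"""Risk-based decision for adding (provisioning) a card to a mobile wallet.
Added example; names, thresholds and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # card is provisioned immediately
    STEP_UP = "step_up"    # extra verification required first
    DENY = "deny"          # refuse; route to fraud operations


@dataclass(frozen=True)
class Account:
    account_id: str
    known_device_ids: FrozenSet[str]   # devices that have previously authenticated to this account
    phone_changed_at: datetime         # when the phone number on file was last changed
    email_changed_at: datetime
    card_reported_lost: bool


@dataclass(frozen=True)
class ProvisioningRequest:
    account_id: str
    device_id: str
    requested_at: datetime
    kba_passed: bool            # static personal data matched: weak evidence, as the text notes
    attempts_last_24h: int      # provisioning attempts on this account in the last day, this one included


# Assumed policy values (not from the report).
RECENT_CHANGE_WINDOW = timedelta(days=14)   # profile edits younger than this are treated as suspect
MAX_ATTEMPTS_24H = 3


def step_up_channel(acct: Account, now: datetime) -> str:
    """Pick a verification channel that pre-dates any recent profile change, so an attacker who
    just swapped the phone number cannot receive the one-time code."""
    if now - acct.phone_changed_at >= RECENT_CHANGE_WINDOW:
        return "sms_otp_to_phone_on_file"
    if acct.known_device_ids:
        return "push_approval_from_known_device"
    return "call_centre_identity_check"


def decide_provisioning(acct: Account, req: ProvisioningRequest) -> Tuple[Decision, Optional[str], List[str]]:
    """Return (decision, step-up channel or None, reasons)."""
    reasons: List[str] = []
    if req.account_id != acct.account_id:
        return Decision.DENY, None, ["request does not match account"]
    if acct.card_reported_lost:
        return Decision.DENY, None, ["card reported lost or stolen"]
    if req.attempts_last_24h > MAX_ATTEMPTS_24H:
        return Decision.DENY, None, [f"{req.attempts_last_24h} provisioning attempts in 24h"]

    if req.device_id not in acct.known_device_ids:
        reasons.append(f"device {req.device_id} has never authenticated to this account")
    for label, changed_at in (("phone number", acct.phone_changed_at), ("email", acct.email_changed_at)):
        if req.requested_at - changed_at < RECENT_CHANGE_WINDOW:
            reasons.append(f"{label} on file changed {(req.requested_at - changed_at).days} days ago")
    if not req.kba_passed:
        reasons.append("knowledge-based check failed")

    # KBA alone is never sufficient: approve only when it passes AND nothing else looks off.
    if req.kba_passed and not reasons:
        return Decision.ALLOW, None, ["known device, stable profile, knowledge check passed"]
    return Decision.STEP_UP, step_up_channel(acct, req.requested_at), reasons


# Constructed sample accounts and requests.
NOW = datetime(2016, 4, 1, 12, 0)
STABLE = Account("acct-1", frozenset({"phone-A"}), NOW - timedelta(days=400), NOW - timedelta(days=400), False)
# Profile edited two days ago by someone who also knows the customer's personal data: classic takeover prep.
TAMPERED = Account("acct-2", frozenset({"phone-A"}), NOW - timedelta(days=2), NOW - timedelta(days=400), False)

REQ_TRUSTED = ProvisioningRequest("acct-1", "phone-A", NOW, True, 1)
REQ_NEW_DEVICE = ProvisioningRequest("acct-1", "phone-B", NOW, True, 1)
REQ_TAKEOVER = ProvisioningRequest("acct-2", "phone-B", NOW, True, 1)   # KBA passed via social engineering
REQ_HAMMERED = ProvisioningRequest("acct-1", "phone-B", NOW, True, 5)

if __name__ == "__main__":
    for acct, req in ((STABLE, REQ_TRUSTED), (STABLE, REQ_NEW_DEVICE),
                      (TAMPERED, REQ_TAKEOVER), (STABLE, REQ_HAMMERED)):
        print(req.device_id, decide_provisioning(acct, req))
```

The takeover case is the one to check in an audit: the request passes the knowledge check, but the phone number was changed two days earlier, so a one-time code sent to the phone on file would go to the attacker. The policy therefore routes step-up to a device that already authenticated to the account, and falls back to a manual identity check only when no such device exists.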

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting which is based on all of the data they have related to account past behaviour Working with geo-location information with mobile applications is one way to help reduce fraud as it can be used to match customersrsquo past transaction history Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks
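The behavioural monitoring described above, as an added example in Python; this is not code from the report or from any of the payment providers it names. It scores a new mobile transaction against the account's own history using the signals the text mentions (geolocation matched to past transactions, impossible travel, an unfamiliar device, an out-of-pattern amount, a burst of activity) and maps the score to allow, step-up authentication or block. The transaction records, the weights, the 900 km/h travel bound and the 30/60 decision thresholds are constructed assumptions for illustration; a bank would calibrate them on its own data.

```python
"""Behavioural scoring of mobile payment transactions.

Added example: history, weights and thresholds are constructed assumptions,
not figures from the report.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    ts: datetime
    amount: float          # in the account currency
    lat: float
    lon: float
    device_id: str         # identifier of the provisioned device


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_transaction(history: list[Txn], txn: Txn) -> tuple[int, list[str]]:
    """Score one transaction against the account's past behaviour.

    Returns (score, reasons); higher is more suspicious. Signals are kept
    independent so the reasons can be shown to a fraud analyst.
    """
    if not history:
        return 0, ["no history for this account"]
    score, reasons = 0, []

    # 1. Impossible travel: distance from the previous transaction versus the
    #    time elapsed since it (900 km/h is an assumed upper bound).
    last = max(history, key=lambda t: t.ts)
    dist = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
    hours = max((txn.ts - last.ts).total_seconds() / 3600.0, 1.0 / 60.0)
    if dist / hours > 900:
        score += 40
        reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")

    # 2. Location outside the customer's usual footprint.
    nearest = min(haversine_km(t.lat, t.lon, txn.lat, txn.lon) for t in history)
    if nearest > 500:
        score += 20
        reasons.append(f"{nearest:.0f} km from any previous transaction")

    # 3. Amount outlier relative to the account baseline (z-score).
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    sigma = sigma or max(0.1 * mu, 1.0)      # guard against a flat history
    z = (txn.amount - mu) / sigma
    if z > 3:
        score += 25
        reasons.append(f"amount {txn.amount:.2f} is {z:.1f} sd above baseline")

    # 4. A device this account has never transacted from.
    if txn.device_id not in {t.device_id for t in history}:
        score += 15
        reasons.append(f"new device {txn.device_id}")

    # 5. Velocity: a burst of transactions in the previous hour.
    recent = [t for t in history if timedelta(0) <= txn.ts - t.ts <= timedelta(hours=1)]
    if len(recent) >= 5:
        score += 20
        reasons.append(f"{len(recent)} transactions in the previous hour")

    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action; the 30/60 thresholds are assumptions."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step-up"       # re-authenticate, e.g. require a second factor
    return "allow"


def sample_history() -> list[Txn]:
    """Constructed baseline: ten small purchases around central London."""
    base = datetime(2016, 3, 1, 9, 0)
    amounts = [22, 35, 48, 30, 55, 41, 27, 60, 33, 45]
    return [
        Txn(base + timedelta(days=i % 7, hours=i), float(a),
            51.5074 + 0.01 * (i % 3), -0.1278 - 0.01 * (i % 2), "dev-A")
        for i, a in enumerate(amounts)
    ]


def run_demo() -> dict[str, str]:
    """Three constructed cases: ordinary, London-to-New-York in two hours, new-device outlier."""
    hist = sample_history()
    last = max(hist, key=lambda t: t.ts).ts
    cases = {
        "ordinary": Txn(last + timedelta(days=1), 38.0, 51.5074, -0.1278, "dev-A"),
        "impossible_travel": Txn(last + timedelta(hours=2), 40.0, 40.7128, -74.0060, "dev-A"),
        "new_device_outlier": Txn(last + timedelta(days=1), 1500.0, 51.5074, -0.1278, "dev-B"),
    }
    return {name: decide(score_transaction(hist, t)[0]) for name, t in cases.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name}: {action}")
```

The "step-up" outcome is where Goldberg's questions about re-authentication and multi-factor authentication land in practice: a medium score should force a fresh authentication rather than a silent decline, and every reason string should be retained for the auditor's review of how the alerting logic behaves.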

There are additional challenges for firms now that liability for counterfeit card fraud has shifted from card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States, which is still transitioning from magnetic stripe cards to EMV chip-enabled cards: a LoopPay transaction poses a potential problem for retailers because the technology emulates a magnetic stripe swipe and so bypasses the need for the customer to enter a PIN, and the liability for that transaction shifts to them.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can affect the consumer experience. The services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, damaging its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams with more technical expertise.

With all of these new entrants into the payments space, financial institutions need robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often do not integrate well. Auditors need to take a close look at the end-to-end customer journey on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that its organisation will adopt, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Offices

THE AMERICAS
United States: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
Argentina: Buenos Aires
Brazil: Rio de Janeiro, São Paulo
Canada: Kitchener-Waterloo, Toronto
Chile: Santiago
Mexico: Mexico City
Peru: Lima
Venezuela: Caracas

ASIA-PACIFIC
Australia: Brisbane, Canberra, Melbourne, Sydney
China: Beijing, Hong Kong, Shanghai, Shenzhen
India: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
Japan: Osaka, Tokyo
Singapore: Singapore

EUROPE, MIDDLE EAST, AFRICA
France: Paris
Germany: Frankfurt, Munich
Italy: Milan, Rome, Turin
The Netherlands: Amsterdam
United Kingdom: London
Bahrain: Manama
Kuwait: Kuwait City
Oman: Muscat
Qatar: Doha
Saudi Arabia: Riyadh
South Africa: Johannesburg
United Arab Emirates: Abu Dhabi, Dubai



Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organisation. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance, on the one hand, and (b) protecting enterprise value through risk appetite and managing risk, on the other. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer's Success (Fourth in a Series), www.protiviti.com/cro-series

[Figure: risk culture as the keystone, with the labels Performance Management, Culture, Risk Management, Business Strategy and Risk Appetite]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organisation's risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company's intended risk culture, but there are other areas that warrant internal audit's focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organisation, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency or another independent source) and the status of remediation of issues (issues that take too long to address or are in "past due" status are often indicators of a firm's risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully, or not at all," says Protiviti Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture, because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown, to consider whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."[17]

[17] Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014, www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.
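The tolerance-and-threshold monitoring described above, as an added example in Python; this is not code from the report or from the FSB paper. It pushes an additive enterprise limit down to business lines in proportion to their share, classifies each observation against its tolerance (early warning) and its limit (hard boundary) while respecting the direction of the metric, and flags the situation Long and the Comptroller warn about: a line breaching its own limit while the enterprise aggregate still looks acceptable. The metric name, the shares, the observed values and the persistence rule in the escalation function are constructed assumptions.

```python
"""Risk appetite metrics and KRIs with tolerances and limits.

Added example: metric names, shares, figures and the escalation rule are
constructed assumptions, not content from the report or the FSB principles.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GREEN = "within appetite"
    AMBER = "tolerance breached: early warning"
    RED = "limit breached: escalate"


@dataclass(frozen=True)
class RiskMetric:
    name: str
    tolerance: float            # early-warning threshold
    limit: float                # hard limit set in the RAS
    higher_is_worse: bool = True

    def status(self, observed: float) -> Status:
        """Classify one observation. Direction matters: a loss figure
        breaches when it rises, a liquidity ratio breaches when it falls."""
        def worse(a: float, b: float) -> bool:
            return a > b if self.higher_is_worse else a < b
        if worse(observed, self.limit):
            return Status.RED
        if worse(observed, self.tolerance):
            return Status.AMBER
        return Status.GREEN


def allocate(metric: RiskMetric, shares: dict[str, float]) -> dict[str, RiskMetric]:
    """Push an additive enterprise metric down to business lines.

    Each line gets its share of the enterprise tolerance and limit, so the
    line-level limits always add back up to the enterprise limit.
    """
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    return {
        bu: RiskMetric(f"{metric.name} [{bu}]",
                       metric.tolerance * s, metric.limit * s, metric.higher_is_worse)
        for bu, s in shares.items()
    }


def assess_period(metric: RiskMetric, shares: dict[str, float],
                  observed: dict[str, float]) -> dict:
    """Evaluate one reporting period at business-line and enterprise level."""
    bu_metrics = allocate(metric, shares)
    bu_status = {bu: bu_metrics[bu].status(observed[bu]) for bu in shares}
    total = sum(observed[bu] for bu in shares)
    enterprise = metric.status(total)
    return {
        "enterprise_value": total,
        "enterprise": enterprise,
        "business_units": bu_status,
        # a line breaching its own limit is reportable even when the group is not red
        "hidden_breaches": sorted(bu for bu, s in bu_status.items()
                                  if s is Status.RED and enterprise is not Status.RED),
    }


def escalate(history: list[Status], max_consecutive_amber: int = 2) -> bool:
    """RED escalates at once; AMBER escalates once it has persisted for more
    than max_consecutive_amber periods (an assumed persistence rule)."""
    if not history:
        return False
    if history[-1] is Status.RED:
        return True
    run = 0
    for s in reversed(history):
        if s is not Status.AMBER:
            break
        run += 1
    return run > max_consecutive_amber


def run_demo() -> dict:
    """Constructed quarter: USD 8.3m of operational losses against a 10m limit."""
    op_loss = RiskMetric("Quarterly operational loss (USD m)", tolerance=8.0, limit=10.0)
    shares = {"mortgages": 0.5, "cards": 0.3, "real_estate": 0.2}
    observed = {"mortgages": 3.0, "cards": 2.8, "real_estate": 2.5}
    return assess_period(op_loss, shares, observed)


if __name__ == "__main__":
    result = run_demo()
    print(result["enterprise"].value, result["business_units"], result["hidden_breaches"])
```

In the constructed quarter the enterprise figure is only amber, yet real estate has already breached its allocated limit; an auditor testing whether the RAS has been pushed down into the lines of business would expect that line-level breach to be reported and escalated rather than averaged away in the group number.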

[18] Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests, to show that in a stressed environment the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report entitled Principles for an Effective Risk Appetite Framework. An effective risk appetite statement is:

Informed: the RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: the RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to corporate goals: the RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-looking: the RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material risk-focused: the RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: the RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines risks: the RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: the RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers for more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm".

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.


Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1 Ensure mobile applications and banking are covered in the audit universe completely (all productsservices platforms vendors etc)

2 Ensure that third parties are addressed in vendor management policies and procedures

3 Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing)

4 Understand the security approach to having a mobile presence

5 Consider the end-to-end process for servicing Mobile is typically a gateway to other services and platforms

6 Understand mobile application change management plans and controls

7 Consider all applicable mobile platforms supported (iOS Android Windows etc) in audit plans

8 If applicable consider the controls necessary to support an Agile software delivery model

9 Consider cross-platform service management including third-party components

10 Consider the firmsrsquo liabilities policies and procedures in relation to account provisioning on mobile devices

35 Top Priorities for Internal Audit in Financial Services Organisations

In ClosingChief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile As this paper has shown the list of internal audit priorities for financial services firms continues to grow and with it the need for internal auditors to improve their knowledge in key areas specifically cybersecurity and model risk

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute

In light of the lack of talent firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace

Through enhancing efficiencies knowledge and effectiveness internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise

36 Top Priorities for Internal Audit in Financial Services Organisations

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


Internal audit certainly has a greater role to play in reinforcing risk culture within the organisation. An effective internal audit department could and should have a role in reporting on risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes. "This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all," says Protiviti's Director Matthew Perconte. "Internal audit can reinforce some of the firm's risk culture messaging through their existing audits."

Under the OCC's Heightened Standards, internal audit's role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. "If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organisation and how seriously their recommendations are taken. "When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm," says Protiviti Managing Director Michael Brauneis. "The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings."

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further and evaluate the origin of the breakdown, considering whether a risk appetite breach or an incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organisation's thinking and actions on risk culture evolve past tone at the top to become a practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC's Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. "Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards," says McDonald. "We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of business and support functions to gauge how the company's risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards, and a big part of that is risk culture."


Understanding and Integrating Risk Appetite


Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS) and, in turn, the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference, Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents                                                                         | Competency (5-pt scale)
1                      | Data analysis tools – statistical analysis                                                             | 3.5
2                      | Auditing IT – program development                                                                      | 3.0
3                      | Auditing IT – security                                                                                 | 3.1
4 (tie)                | Auditing IT – continuity                                                                               | 3.2
4 (tie)                | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311)    | 3.2
6 (tie)                | Operational auditing – effectiveness, efficiency and economy of operations approach                    | 3.2
6 (tie)                | Fraud – fraud detection/investigation                                                                  | 3.2
6 (tie)                | Assessing risk – emerging issues                                                                       | 2.2
9                      | Audit planning – process, location, transaction level                                                  | 3.5
10                     | Operational auditing – risk-based approach                                                             | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for An Effective Risk Appetite Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The following summarises the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in its November 2013 report, Principles for An Effective Risk Appetite Framework. An effective risk appetite statement is:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications


Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers for more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents                                                                         | Competency (5-pt scale)
1                      | Agile risk and compliance                                                                              | 2.2
2                      | Internet of Things                                                                                     | 2.7
3 (tie)                | NIST Cybersecurity Framework                                                                           | 2.3
3 (tie)                | GTAG 16 – Data Analysis Technologies                                                                   | 2.7
5 (tie)                | ISO 14000 (environmental management)                                                                   | 2.1
5 (tie)                | ISO 27000 (information security)                                                                       | 2.7
7                      | Mobile applications                                                                                    | 2.3
8 (tie)                | International Financial Reporting Standards (IFRS)                                                     | 2.2
8 (tie)                | Country-specific enterprise risk management framework                                                  | 2.9
10 (tie)               | Assurance around outsourced service providers                                                          | 2.6
10 (tie)               | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"    | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a way that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications, security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication: making sure the user is who they say they are. When using any type of mobile payment application (Apple Pay and LoopPay are just two examples), the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in the account provisioning step, where the card issuer is contacted to verify the customer's identity and card information before the card is loaded onto the device.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting based on all of the data they hold about the account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against the customer's past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
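As an added illustration, not code from the Protiviti paper or from any bank's system, the following Python sketch shows one way the geo-location matching described above can be scored against an account's transaction history, and how the same check can gate the wallet-provisioning step discussed under Account Provisioning by forcing stronger, out-of-band verification instead of relying on personal data that can be socially engineered. The `Event` shape, the thresholds (900 km/h as the fastest plausible travel, 150 km as a "familiar" radius), the decision labels and the sample New York history are constructed assumptions chosen for the example, not figures from the survey.

```python
"""Geo-velocity risk scoring for mobile payment and wallet-provisioning events.

Added example, not code from the Protiviti paper or any bank's system. The
thresholds, the Event shape and the sample history below are constructed
assumptions chosen to illustrate the technique.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly a commercial flight
FAMILIAR_RADIUS_KM = 150.0        # assumed: "near" a past transaction


@dataclass(frozen=True)
class Event:
    kind: str            # "payment" or "provision" (card being added to a wallet)
    when: datetime
    lat: float
    lon: float
    amount: float = 0.0  # 0.0 for provisioning events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess(history, event):
    """Score `event` against the account's `history`.

    Returns (decision, reasons): decision is "allow", "step_up" (demand
    stronger, out-of-band verification before proceeding) or "block";
    reasons names every check that fired, so an analyst or auditor can see
    why an alert was raised rather than only that one was.
    """
    if not history:
        # No baseline to compare against. The paper notes provisioning was
        # where fraud concentrated, so never rely on knowledge-based data alone.
        return "step_up", ["no_history"]

    reasons = []
    prior = sorted(history, key=lambda e: e.when)
    last = prior[-1]

    # Check 1: impossible travel since the most recent known event.
    dist_from_last = haversine_km(last.lat, last.lon, event.lat, event.lon)
    hours = (event.when - last.when).total_seconds() / 3600.0
    if hours <= 0:
        reasons.append("out_of_order_timestamp")
    elif dist_from_last / hours > MAX_PLAUSIBLE_SPEED_KMH:
        reasons.append("impossible_travel")

    # Check 2: the location is far from everywhere this account has transacted.
    nearest = min(haversine_km(e.lat, e.lon, event.lat, event.lon) for e in prior)
    if nearest > FAMILIAR_RADIUS_KM:
        reasons.append("unfamiliar_location")

    if not reasons:
        return "allow", reasons
    if event.kind == "provision" and "impossible_travel" in reasons:
        # Loading a card onto a device from a place the customer cannot
        # physically be is the highest-risk combination: refuse outright.
        return "block", reasons
    return "step_up", reasons


# Constructed sample history: two payments around New York on consecutive days.
HISTORY = [
    Event("payment", datetime(2016, 5, 2, 9, 0), 40.7128, -74.0060, 42.10),
    Event("payment", datetime(2016, 5, 3, 12, 0), 40.7306, -73.9352, 18.75),
]
# Constructed new events, all on 3 May 2016 after the last known payment.
LONDON_PAYMENT = Event("payment", datetime(2016, 5, 3, 14, 0), 51.5074, -0.1278, 250.00)
LONDON_PROVISION = Event("provision", datetime(2016, 5, 3, 14, 0), 51.5074, -0.1278)
PHILADELPHIA_PAYMENT = Event("payment", datetime(2016, 5, 3, 15, 0), 39.9526, -75.1652, 12.40)


if __name__ == "__main__":
    for ev in (LONDON_PAYMENT, LONDON_PROVISION, PHILADELPHIA_PAYMENT):
        decision, why = assess(HISTORY, ev)
        print(f"{ev.kind:9s} @ ({ev.lat:.4f}, {ev.lon:.4f}) -> {decision} {why}")
```

Run stand-alone, the London payment two hours after a New York payment is flagged for impossible travel and an unfamiliar location and sent to step-up verification, the London provisioning attempt is blocked, and the Philadelphia payment three hours later is allowed because it lies within the familiar radius of the account's history. The reasons list is deliberately returned alongside the decision: an auditor reviewing alerting logic needs to be able to see which rule fired, not only that a transaction was held.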

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic-stripe cards to EMV (chip-and-PIN) cards: this poses a potential problem for retailers because, during a LoopPay transaction, the liability shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank's reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams with more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing; mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yves.davila@protivitiglobal.com.pe

AUSTRALIA: Gary Anderson, +61399481200, gary.anderson@protiviti.com.au

BAHRAIN: Arvind Benani, +97317100050, arvind.benani@protivitiglobal.me

BRAZIL: Raul Silva, +551121984200, raul.silva@protivitiglobal.com.br

CANADA: David Dawson, +16472884886, david.dawson@protiviti.com

CHILE: Soraya Boada, +56225738580, soraya.boada@protivitiglobal.cl

CHINA (MAINLAND): Chris Low, +862151536900, chris.low@protiviti.com

CHINA (HONG KONG): Albert Lee, +85222380499, albert.lee@protiviti.com

FRANCE: Bernard Drui, +33142962277, drui@protiviti.fr

GERMANY: Michael Klinger, +4969963768155, michael.klinger@protiviti.de

INDIA: Sanjeev Agarwal, +911246618600, sanjeev.agarwal1@protivitiglobal.in

ITALY: Alberto Carnevale, +390265506301, alberto.carnevale@protiviti.it

JAPAN: Hyo Kambayashi, +81352196600, hyo.kambayashi@protiviti.jp

KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwait@protivitiglobal.me

MEXICO: Roberto Abad, +525553429100, roberto.abad@protivitiglobal.com.mx

NETHERLANDS: Anneke Wieling, +31203460400, anneke.wieling@protiviti.nl

OMAN: Shatha Al Maskiry, +968 24699402, shatha.maskiry@protivitiglobal.me

PERU: Marco Loayza, +5112081070, marco.loayza@protivitiglobal.com.pe

QATAR: Andrew North, +97444215300, andrew.north@protivitiglobal.me

SAUDI ARABIA: Saad Al Sabti, +966112930021, saad.alsabti@protivitiglobal.me

SINGAPORE: Sidney Lim, +6562206066, sidney.lim@protiviti.com

SOUTH AFRICA: Fana Manana, +27112310600, fanam@sng.za.com

UNITED ARAB EMIRATES: Arindam De, +97144380660, arindam.de@protivitiglobal.me

UNITED KINGDOM: Peter Richardson, +442079308808, peter.richardson@protiviti.co.uk

UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, cory.gunderson@protiviti.com

VENEZUELA: Gamal Perez, +582124184646, gamal.perez@protivitiglobal.com.ve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA: Buenos Aires

BRAZIL: Rio de Janeiro, São Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE: Santiago

MEXICO: Mexico City

PERU: Lima

VENEZUELA: Caracas

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

EUROPE, MIDDLE EAST, AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

THE NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN: Manama

KUWAIT: Kuwait City

OMAN: Muscat

QATAR: Doha

SAUDI ARABIA: Riyadh

SOUTH AFRICA: Johannesburg

UNITED ARAB EMIRATES: Abu Dhabi, Dubai


Understanding and Integrating Risk Appetite

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be."

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti's Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti's Risk & Compliance Solutions practice.

A financial institution's risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank's risk appetite statement (RAS), and in turn the risk appetite statement should inform the bank's risk culture.

Guidelines from regulators around the world state that formal, written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise's risks with the stakeholders' priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management is crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organisation, resulting in a shared understanding of and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organisations, consistency in understanding and realising risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: "[Over] the years, we found instances in which large, complex and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organisational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable."17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA's Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf

Matthew Perconte is a Director with Protiviti's Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless, because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf
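The two linkage tests described above (business-unit limits and KRIs must cascade from, and stay within, the enterprisewide RAS; tolerances and thresholds must be monitored) can be scripted so that an auditor can re-run them against a fresh extract each period. The following is an added example written for this edition of the paper; it is not code from Protiviti or from the FSB principles. The metric names, limits and readings are constructed, and the example assumes every metric is an additive amount (so business-unit limits can meaningfully be summed), which does not hold for ratio metrics such as a liquidity coverage ratio.

```python
"""Added example, not from the Protiviti paper or the FSB principles: an audit
test that the KRIs and limits set in the lines of business are actually linked
to the enterprise-wide risk appetite statement. Metric names, limits and
readings are constructed; all metrics are assumed to be additive amounts."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Kri:
    metric: str            # enterprise metric this KRI cascades from
    limit: float           # hard appetite limit for this business unit (RED above)
    tolerance: float       # early-warning threshold (AMBER above)
    readings: List[float]  # recent readings, oldest first

    def status(self) -> str:
        latest = self.readings[-1]
        if latest > self.limit:
            return "RED"
        if latest > self.tolerance:
            return "AMBER"
        return "GREEN"

    def trending_to_breach(self) -> bool:
        """Three consecutive rises ending above tolerance: escalate before the limit goes."""
        if len(self.readings) < 3:
            return False
        a, b, c = self.readings[-3:]
        return a < b < c and c > self.tolerance


def kri_statuses(units: Dict[str, List[Kri]]) -> Dict[Tuple[str, str], str]:
    """RAG status of every business-unit KRI, keyed by (unit, metric)."""
    return {(unit, k.metric): k.status() for unit, kris in units.items() for k in kris}


def linkage_findings(enterprise_limits: Dict[str, float],
                     units: Dict[str, List[Kri]]) -> List[str]:
    """Two linkage tests an auditor can run:
    1. every enterprise metric is cascaded to at least one business unit, and
       every business-unit KRI traces back to an enterprise metric;
    2. business-unit limits for an additive metric sum to no more than the
       enterprise limit (otherwise each LOB can stay GREEN while the
       enterprise as a whole is in breach)."""
    findings: List[str] = []
    allocated: Dict[str, float] = {}
    for unit, kris in units.items():
        for k in kris:
            if k.metric not in enterprise_limits:
                findings.append(f"{unit}: KRI '{k.metric}' has no enterprise metric behind it")
                continue
            allocated[k.metric] = allocated.get(k.metric, 0.0) + k.limit
    for metric, ent_limit in enterprise_limits.items():
        if metric not in allocated:
            findings.append(f"enterprise metric '{metric}' is not cascaded to any business unit")
        elif allocated[metric] > ent_limit:
            findings.append(f"LOB limits for '{metric}' sum to {allocated[metric]:g}, "
                            f"above enterprise limit {ent_limit:g}")
    return findings


# Constructed data, USD millions (hypothetical values, not any bank's figures).
ENTERPRISE_LIMITS = {
    "top20_credit_concentration": 500.0,
    "operational_losses_ytd": 40.0,
    "trading_var_1d": 30.0,
}
BUSINESS_UNITS = {
    "Mortgages": [Kri("top20_credit_concentration", 200.0, 160.0, [120.0, 150.0, 175.0])],
    "Commercial": [
        Kri("top20_credit_concentration", 350.0, 300.0, [280.0, 290.0, 310.0]),
        Kri("operational_losses_ytd", 25.0, 20.0, [5.0, 8.0, 30.0]),
    ],
    "Retail": [Kri("branch_footfall", 1000.0, 900.0, [700.0])],
}

if __name__ == "__main__":
    for key, st in kri_statuses(BUSINESS_UNITS).items():
        print(key, st)
    for finding in linkage_findings(ENTERPRISE_LIMITS, BUSINESS_UNITS):
        print("FINDING:", finding)
```

On the constructed data the two credit-concentration KRIs are individually only AMBER, yet their limits add up to 550 against an enterprise limit of 500, which is exactly the kind of disconnect between board-level RAS and LOB practice that the text warns about; the trading VaR metric that no business unit monitors is the other typical finding.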


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need first to ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director


The graphic below (rendered here as a list) shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. An effective risk appetite statement is:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the user's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"
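The three questions Goldberg puts to auditors (idle time before re-authentication, the level of authentication each action warrants, and whether the device itself has been through multi-factor authentication) are the inputs to a session policy that a mobile banking back end should be able to state explicitly and an auditor should be able to test. The following is an added example written for this edition of the paper, not code from Protiviti or from any bank's mobile platform: the timeouts, the action tiers and the sample sessions are constructed assumptions chosen to make the decision logic visible, and the policy is deliberately a pure function so that it can be tested table-style.

```python
"""Added example, not from the Protiviti paper: a re-authentication and
step-up policy for a mobile banking session, covering idle time, the
authentication level required per action, and device enrolment (MFA on the
device). Timeouts, action tiers and sessions are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = timedelta(minutes=5)            # no activity for this long -> full re-login
ABSOLUTE_TIMEOUT = timedelta(hours=8)          # session age cap regardless of activity
STRONG_AUTH_FRESHNESS = timedelta(minutes=10)  # MFA must be at least this recent for step-up actions

# Assumed action tiers: 0 = read-only, 1 = payment to a known payee, 2 = sensitive change
ACTION_TIER = {
    "view_balance": 0,
    "pay_existing_payee": 1,
    "add_payee": 2,
    "provision_card_to_wallet": 2,
    "change_contact_details": 2,
}


@dataclass
class Session:
    user_id: str
    login_at: datetime
    last_activity_at: datetime
    last_strong_auth_at: Optional[datetime]  # None when only a password was presented
    device_enrolled: bool                    # device previously bound to this user via MFA


def decide(session: Session, action: str, now: datetime) -> str:
    """Return ALLOW, STEP_UP (run MFA, then retry) or REAUTHENTICATE (session expired)."""
    tier = ACTION_TIER[action]
    if now - session.login_at > ABSOLUTE_TIMEOUT or now - session.last_activity_at > IDLE_TIMEOUT:
        return "REAUTHENTICATE"
    # Read-only actions ride on the session alone. Sensitive changes always need
    # fresh MFA; payments need it only when the device has not been enrolled yet.
    needs_strong_auth = tier == 2 or (tier == 1 and not session.device_enrolled)
    if needs_strong_auth:
        last = session.last_strong_auth_at
        if last is None or now - last > STRONG_AUTH_FRESHNESS:
            return "STEP_UP"
    return "ALLOW"


def demo() -> Dict[Tuple[str, str], str]:
    """Run the policy over constructed sessions; returns {(case, action): decision}."""
    def at(h: int, m: int) -> datetime:
        return datetime(2016, 6, 1, h, m, tzinfo=timezone.utc)

    now = at(12, 0)
    cases = {
        # active session, MFA at login 30 minutes ago, enrolled device
        "enrolled_stale_mfa": Session("u1", at(11, 30), at(11, 58), at(11, 30), True),
        # no activity for ten minutes
        "idle": Session("u2", at(11, 30), at(11, 50), at(11, 30), True),
        # unknown device, but MFA completed five minutes ago
        "new_device_fresh_mfa": Session("u3", at(11, 55), at(11, 59), at(11, 55), False),
        # unknown device, password only
        "new_device_no_mfa": Session("u4", at(11, 55), at(11, 59), None, False),
        # active, but the session is older than the absolute cap
        "too_old": Session("u5", at(3, 0), at(11, 59), at(11, 59), True),
    }
    return {(name, action): decide(s, action, now)
            for name, s in cases.items() for action in ACTION_TIER}


if __name__ == "__main__":
    for (case, action), decision in sorted(demo().items()):
        print(f"{case:22s} {action:26s} -> {decision}")
```

An auditor reviewing a real platform would ask for the equivalent of the three constants and the tier table, then walk through cases like those in `demo()`; the point of keeping the decision in one function with no side effects is that the answers to Goldberg's questions become a table that can be compared against policy rather than inferred from code paths.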

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold about the account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
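The monitoring described above can be made concrete with a small replay of an account's transactions that compares each new transaction with the account's own accepted history: a geo-location check (the distance from the previous transaction divided by the elapsed time must stay within a plausible travel speed), a first-seen merchant country, and an amount that is far outside the account's usual spend. The following is an added example written for this edition of the paper, not code from Protiviti or from any bank's fraud system; the transaction log, the coordinates, the speed and z-score thresholds are all constructed, and a production system would use a richer profile (merchant category, time of day, device) and tune the thresholds per segment.

```python
"""Added example, not from the Protiviti paper: scoring mobile transactions
against the account's own history, using geo-location (impossible-travel
check), an unseen merchant country and amount deviation. The transaction log,
coordinates and thresholds are all constructed."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, pstdev
from typing import Dict, List, Tuple

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # about airliner speed; anything faster is "impossible travel"
MIN_HISTORY_FOR_AMOUNT = 5       # need a baseline before judging amounts
AMOUNT_Z_THRESHOLD = 3.0


@dataclass
class Txn:
    account: str
    ts: datetime
    amount: float
    lat: float
    lon: float
    country: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def reasons_for(history: List[Txn], txn: Txn) -> List[str]:
    """Compare one transaction with the account's accepted history; return alert reasons."""
    reasons: List[str] = []
    if not history:
        return reasons  # nothing to compare against yet
    prev = history[-1]
    km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
    hours = (txn.ts - prev.ts).total_seconds() / 3600.0
    # Same timestamp but far apart is also impossible; this guards the division too.
    if (hours <= 0 and km > 50) or (hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH):
        reasons.append("impossible_travel")
    if txn.country not in {h.country for h in history}:
        reasons.append("new_country")
    amounts = [h.amount for h in history]
    if len(amounts) >= MIN_HISTORY_FOR_AMOUNT:
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma > 0 and (txn.amount - mu) / sigma > AMOUNT_Z_THRESHOLD:
            reasons.append("amount_outlier")
    return reasons


def run_monitor(txns: List[Txn]) -> List[Tuple[str, datetime, List[str]]]:
    """Replay transactions in time order per account and collect alerts.
    Flagged transactions are NOT added to the baseline, so a few anomalies
    that slip through cannot shift what counts as 'normal' for the account."""
    history: Dict[str, List[Txn]] = {}
    alerts: List[Tuple[str, datetime, List[str]]] = []
    for txn in sorted(txns, key=lambda t: (t.account, t.ts)):
        hist = history.setdefault(txn.account, [])
        reasons = reasons_for(hist, txn)
        if reasons:
            alerts.append((txn.account, txn.ts, reasons))
        else:
            hist.append(txn)
    return alerts


def _utc(y: int, mo: int, d: int, h: int = 12) -> datetime:
    return datetime(y, mo, d, h, 0, tzinfo=timezone.utc)


NYC = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)

# Constructed sample: six everyday purchases in New York, then a London purchase
# one hour after the last of them, then a very large purchase back in New York.
SAMPLE_TXNS = [
    Txn("A001", _utc(2016, 5, d), amt, *NYC, "US")
    for d, amt in zip(range(1, 7), [20.0, 35.0, 42.0, 28.0, 55.0, 30.0])
] + [
    Txn("A001", _utc(2016, 5, 6, 13), 45.0, *LONDON, "GB"),
    Txn("A001", _utc(2016, 5, 8), 1500.0, *NYC, "US"),
]

if __name__ == "__main__":
    for account, ts, reasons in run_monitor(SAMPLE_TXNS):
        print(account, ts.isoformat(), ", ".join(reasons))
```

Two design points matter for an auditor: the baseline is built only from transactions that passed the checks, which is what stops a fraudster from normalising an account by feeding it a few "small" anomalies first, and the amount rule stays silent until the account has enough history, so a brand-new account (the provisioning case discussed above) gets no false sense of coverage from a rule that cannot yet fire.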

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction which came into force in October 2015 There is an added complication in the United States as it continues to transition from magnetic strip cards to EMV or chip-and-pin enabled cards that pose a potential problem for retailers because the liability during a LoopPay transition shifts to them since the technology bypasses the need for the customer to enter their pin number

As well as the fraud liability issues these payment services are relatively new technology with glitches that can impact the consumer experience These services are also not clearly understood by consumers or retailers who often blame the bank when payments fail impacting their reputation

Additionally when the technology fails or there are issues with account provisioning customers are increasingly contacting their banks for technical support Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise

With all of these new entrants into the payments space financial institutions need to have robust vendor management policies and procedures in place Increasingly firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are also managed by third parties These functions or modules often donrsquot integrate well Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module and controlled in a way that makes sense

34 Top Priorities for Internal Audit in Financial Services Organisations

Impacts on Internal AuditMobile applications and mobile banking will continue to evolve rapidly Internal audit must ensure that it is up-to-date with the latest technology which will be adopted by their organisations and that their firms are considering all potential risk exposures

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1 Ensure mobile applications and banking are covered in the audit universe completely (all productsservices platforms vendors etc)

2 Ensure that third parties are addressed in vendor management policies and procedures

3 Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing)

4 Understand the security approach to having a mobile presence

5 Consider the end-to-end process for servicing Mobile is typically a gateway to other services and platforms

6 Understand mobile application change management plans and controls

7 Consider all applicable mobile platforms supported (iOS Android Windows etc) in audit plans

8 If applicable consider the controls necessary to support an Agile software delivery model

9 Consider cross-platform service management including third-party components

10 Consider the firmsrsquo liabilities policies and procedures in relation to account provisioning on mobile devices

35 Top Priorities for Internal Audit in Financial Services Organisations

In ClosingChief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile As this paper has shown the list of internal audit priorities for financial services firms continues to grow and with it the need for internal auditors to improve their knowledge in key areas specifically cybersecurity and model risk

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute

In light of the lack of talent firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace

Through enhancing efficiencies knowledge and effectiveness internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise

36 Top Priorities for Internal Audit in Financial Services Organisations

About ProtivitiProtiviti (wwwprotiviticom) is a global consulting firm that helps companies solve problems in finance technology operations governance risk and internal audit and has served more than 60 percent of Fortune 1000reg and 35 percent of Fortune Global 500reg companies Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries We also work with smaller growing companies including those looking to go public as well as with government agencies

Ranked 57 on the 2016 Fortune 100 Best Companies to Work Forreg list Protiviti is a wholly owned subsidiary of Robert Half (NYSE RHI) Founded in 1948 Robert Half is a member of the SampP 500 index

Contacts

ARGENTINAYves Davila+541140013124yvesdavilaprotivitiglobalcompe

CHINA (MAINLAND)Chris Low+862151536900chrislowprotiviticom

CANADADavid Dawson+16472884886daviddawsonprotiviticom

CHILESoraya Boada+56225738580sorayaboadaprotivitiglobalcl

CHINA (HONG KONG)1048586Albert Lee+85222380499albertleeprotiviticom

FRANCEBernard Drui+33142962277druiprotivitifr

NETHERLANDSAnneke Wieling+31203460400annekewielingprotivitinl

OMANShatha Al Maskiry+968 24699402shathamaskiryprotivitiglobalme

MEXICORoberto Abad+525553429100robertoabadprotivitiglobalcommx

GERMANYMichael Klinger+4969963768155michaelklingerprotivitide

KUWAITSanjeev Agarwal+96522426444kuwaitprotivitiglobalme

or

Rakesh Kabra+96522426444kuwaitprotivitiglobalme

PERUMarco Loayza+5112081070marcoloayzaprotivitiglobalcompe

AUSTRALIAGary Anderson+61399481200garyandersonprotiviticomau

INDIASanjeev Agarwal+911246618600sanjeevagarwal1protivitiglobalin

QATARAndrew North+97444215300andrewnorthprotivitiglobalme

BAHRAINArvind Benani+97317100050arvindbenaniprotivitiglobalme

ITALYAlberto Carnevale+390265506301albertocarnevaleprotivitiit

SAUDI ARABIASaad Al Sabti+966112930021saadalsabtiprotivitiglobalme

BRAZILRaul Silva+551121984200raulsilvaprotivitiglobalcombr

JAPANHyo Kambayashi+81352196600hyokambayashiprotivitijp

SINGAPORESidney Lim+6562206066sidneylimprotiviticom

SOUTH AFRICAFana Manana+27112310600fanamsngzacom

UNITED ARAB EMIRATESArindam De+97144380660arindamdeprotivitiglobalme

UNITED KINGDOMPeter Richardson+442079308808peterrichardsonprotiviticouk

UNITED STATES Cory GundersonManaging DirectorGlobal Leader Financial Services Industry Practice+12127086313corygundersonprotiviticom

VENEZUELAGamal Perez+582124184646gamalperezprotivitiglobalcomve

copy 2016 Protiviti Inc An Equal Opportunity Employer MFDisabilityVeterans PRO-0516-108152Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services

Protiviti Member Firm

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA: Buenos Aires

BRAZIL: Rio de Janeiro, São Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE: Santiago

MEXICO: Mexico City

PERU: Lima

VENEZUELA: Caracas

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

EUROPE / MIDDLE EAST / AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

THE NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN: Manama

KUWAIT: Kuwait City

OMAN: Muscat

SOUTH AFRICA: Johannesburg

QATAR: Doha

SAUDI ARABIA: Riyadh

UNITED ARAB EMIRATES: Abu Dhabi, Dubai

28 Top Priorities for Internal Audit in Financial Services Organisations

Audit Process Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

"Most of the focus has been around setting a risk appetite statement at the board level, but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be," says Timothy Long, a Managing Director with Protiviti's Risk & Compliance Solutions practice. "A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions, from real estate to mortgages, are completely unrelated and separate; they need their own framework, defence lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don't add value."

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organisation as a whole, and one in which many internal audit functions are also struggling to determine their role in providing assurance to management and the board.

According to the Financial Stability Board's Principles for an Effective Risk Appetite Framework, published in November 2013,[18] the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, all of which have defined tolerances and thresholds that are monitored frequently.

[18] Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf

Risk appetite metrics cannot be developed by the board and senior management simply to be pushed down into the LOBs, since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

"Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services," says Matthew Perconte, Director at Protiviti. "Some LOBs are struggling with designing these metrics, which need to evolve as the organisation evolves. The creation of these metrics could be one area where internal audit focuses efforts, to ensure the risk department and the business continually update and improve risk appetite metrics."

To drive risk appetite effectively, organisations need to be consistent in promoting a good risk culture, with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved.

"Another area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organisation's risk appetite is being discussed in mandatory internal training at all levels," adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm's risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check whether the three- and five-year plans are informed by the organisation's risk appetite and risk capacity. This then needs to be linked to the company's capital stress tests to show that, in a stressed environment, the firm will have the capacity to keep to its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

"Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done, and in a lot of cases they are not equipped to do it."

– Timothy Long, Managing Director

The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework.

[Figure: Effective Risk Appetite Statement, showing eight attributes]

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.

Coping With the Pace of Change in Mobile Applications

"Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti's Business Performance Improvement practice.

Ed Page leads Protiviti's US Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to demand from their customers to offer more convenience and more products through mobile channels. Just as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including the likes of Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties, and the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti's 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank | Areas Evaluated by Respondents | Competency (5-pt scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together" | 3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were being provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds, "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.

Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the organisation of its account provisioning system, where the issuer has been contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they have related to an account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
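The history-based transaction monitoring described above, shown as an added example that is not from the report or from Protiviti: each new mobile transaction is compared with the account's own past transactions (distance from known locations, plausibility of travel since the last transaction, whether the device has been seen before), combined with the amount and the idle time since the last authentication, and the result is one of three defender-side outcomes: allow, require step-up authentication, or raise an alert for fraud review. The account history, coordinates, device identifiers and every threshold are constructed assumptions; an institution would set and tune them from its own risk appetite and observed false-positive rates.

```python
# Added illustration (not from the Protiviti report): a risk-based check that
# scores a mobile-banking transaction against the account's own history, the
# kind of "intelligent monitoring" the text describes. Account data, coordinates,
# device ids and every threshold below are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    account: str
    amount: float
    lat: float
    lon: float
    ts: datetime
    device_id: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# Illustrative thresholds (assumed values; an institution would derive them from
# its own risk appetite and tune them against observed fraud and false positives).
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than this since the last txn = impossible travel
FAMILIAR_RADIUS_KM = 150.0       # within this distance of any past txn the location is "known"
STEP_UP_AMOUNT = 1000.0          # amounts above this always need step-up authentication
SESSION_IDLE_LIMIT = timedelta(minutes=10)  # re-authenticate after this much idle time


def assess(history: list, candidate: Txn, last_auth: datetime) -> dict:
    """Return a decision ('allow', 'step_up' or 'alert') plus the reasons behind it."""
    reasons = []
    past = [t for t in history if t.account == candidate.account and t.ts < candidate.ts]
    if past:
        last = max(past, key=lambda t: t.ts)
        dist_km = haversine_km(last.lat, last.lon, candidate.lat, candidate.lon)
        hours = (candidate.ts - last.ts).total_seconds() / 3600.0
        if hours > 0 and dist_km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append("impossible_travel")
        nearest = min(haversine_km(t.lat, t.lon, candidate.lat, candidate.lon) for t in past)
        if nearest > FAMILIAR_RADIUS_KM:
            reasons.append("unfamiliar_location")
        if candidate.device_id not in {t.device_id for t in past}:
            reasons.append("new_device")
    else:
        reasons.append("no_history")
    if candidate.amount > STEP_UP_AMOUNT:
        reasons.append("high_value")
    if candidate.ts - last_auth > SESSION_IDLE_LIMIT:
        reasons.append("session_stale")

    if "impossible_travel" in reasons:
        decision = "alert"      # hold for fraud review; the history cannot be reconciled
    elif reasons:
        decision = "step_up"    # ask for a second factor before releasing the payment
    else:
        decision = "allow"
    return {"decision": decision, "reasons": reasons}


def demo() -> dict:
    """Run three constructed transactions against a constructed New York history."""
    ny = (40.7128, -74.0060)
    london = (51.5074, -0.1278)
    base = datetime(2016, 5, 2, 9, 0, tzinfo=timezone.utc)
    history = [Txn("acct-1", 40.0, *ny, base - timedelta(days=d), "dev-A") for d in (1, 3, 7)]
    last_txn = max(history, key=lambda t: t.ts)
    results = {}
    # Everyday purchase: known city, known device, fresh session.
    t1 = Txn("acct-1", 25.0, *ny, base, "dev-A")
    results["routine"] = assess(history, t1, last_auth=base - timedelta(minutes=2))
    # London one hour after the last New York txn: impossible travel, unknown location.
    t2 = Txn("acct-1", 60.0, *london, last_txn.ts + timedelta(hours=1), "dev-A")
    results["impossible_travel"] = assess(history, t2, last_auth=last_txn.ts + timedelta(minutes=55))
    # Large transfer from a device never seen on this account.
    t3 = Txn("acct-1", 2500.0, *ny, base, "dev-B")
    results["new_device_high_value"] = assess(history, t3, last_auth=base - timedelta(minutes=1))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['decision']} {result['reasons']}")
```

The reasons list is returned alongside the decision so that an alert can be explained to the fraud team and to an auditor; a monitoring control that only emits "blocked" cannot be tested for the kind of questions Goldberg raises about re-authentication windows and device-level factors.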

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change which came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled, cards. These pose a potential problem for retailers, because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN number.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties, and are also using core banking platforms that are likewise managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.

Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.

In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight, and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINAYves Davila+541140013124yvesdavilaprotivitiglobalcompe

CHINA (MAINLAND)Chris Low+862151536900chrislowprotiviticom

CANADADavid Dawson+16472884886daviddawsonprotiviticom

CHILESoraya Boada+56225738580sorayaboadaprotivitiglobalcl

CHINA (HONG KONG)1048586Albert Lee+85222380499albertleeprotiviticom

FRANCEBernard Drui+33142962277druiprotivitifr

NETHERLANDSAnneke Wieling+31203460400annekewielingprotivitinl

OMANShatha Al Maskiry+968 24699402shathamaskiryprotivitiglobalme

MEXICORoberto Abad+525553429100robertoabadprotivitiglobalcommx

GERMANYMichael Klinger+4969963768155michaelklingerprotivitide

KUWAITSanjeev Agarwal+96522426444kuwaitprotivitiglobalme

or

Rakesh Kabra+96522426444kuwaitprotivitiglobalme

PERUMarco Loayza+5112081070marcoloayzaprotivitiglobalcompe

AUSTRALIAGary Anderson+61399481200garyandersonprotiviticomau

INDIASanjeev Agarwal+911246618600sanjeevagarwal1protivitiglobalin

QATARAndrew North+97444215300andrewnorthprotivitiglobalme

BAHRAINArvind Benani+97317100050arvindbenaniprotivitiglobalme

ITALYAlberto Carnevale+390265506301albertocarnevaleprotivitiit

SAUDI ARABIASaad Al Sabti+966112930021saadalsabtiprotivitiglobalme

BRAZILRaul Silva+551121984200raulsilvaprotivitiglobalcombr

JAPANHyo Kambayashi+81352196600hyokambayashiprotivitijp

SINGAPORESidney Lim+6562206066sidneylimprotiviticom

SOUTH AFRICAFana Manana+27112310600fanamsngzacom

UNITED ARAB EMIRATESArindam De+97144380660arindamdeprotivitiglobalme

UNITED KINGDOMPeter Richardson+442079308808peterrichardsonprotiviticouk

UNITED STATES Cory GundersonManaging DirectorGlobal Leader Financial Services Industry Practice+12127086313corygundersonprotiviticom

VENEZUELAGamal Perez+582124184646gamalperezprotivitiglobalcomve

copy 2016 Protiviti Inc An Equal Opportunity Employer MFDisabilityVeterans PRO-0516-108152Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services

Protiviti Member Firm

THE AMERICAS

UNITED STATES

AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City San Francisco San Jose Seattle Stamford St Louis Tampa Washington DC WinchesterWoodbridge

ARGENTINA

Buenos Aires

BRAZIL

Rio de Janeiro Satildeo Paulo

CANADA

Kitchener-WaterlooToronto

ASIA-PACIFIC

AUSTRALIA

BrisbaneCanberraMelbourneSydney

CHINA

BeijingHong KongShanghaiShenzhen

INDIA

BangaloreHyderabadKolkata MumbaiNew Delhi

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

CHILE

Santiago

MEXICO

Mexico City

PERU

Lima

VENEZUELA

Caracas

EUROPEMIDDLE EASTAFRICA

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN

Manama

KUWAIT

Kuwait City

OMAN

Muscat

SOUTH AFRICA

Johannesburg

QATAR

Doha

SAUDI ARABIA

Riyadh

UNITED ARAB EMIRATES

Abu Dhabi Dubai

Page 30: Top Priorities for Internal Audit in Financial Services ......Top Priorities for Internal Audit in Financial Services Organisations 1 Introduction Each year, Protiviti conducts its

29 Top Priorities for Internal Audit in Financial Services Organisations

Risk appetite metrics cannot be developed by the board and senior management to be pushed down into the LOBs since there is significant risk that the risk appetite measurement and management process will become a check-the-box exercise The development process needs to be collaborative among top management independent risk management and front-line units to avoid a disconnect at the front-line level

ldquoRisk appetite metrics are designed to measure risk across the enterprise encompassing all LOBs regions products and servicesrdquo says Matthew Perconte Director at Protiviti ldquoSome LOBs are struggling with designing these metrics which need to evolve as the organisation evolves The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metricsrdquo

To drive risk appetite effectively organisations need to be consistent in promoting good risk culture with ongoing education and dialogue A well-operating risk management framework should enable an ongoing enterprisewide conversation about risk while maintaining focus on how risk management objectives are achieved

ldquoAnother area where internal audit can test to see if the RAS is being implemented properly throughout the organisation is by monitoring communication channels such as town hall and staff meetings and LOB committees to check if the RAS is being discussed widely in the company rather than being limited to the risk committees LOBs need to show they are actively considering the risk appetite when making business decisions Another good test is whether the organisationrsquos risk appetite is being discussed in mandatory internal training at all levelsrdquo adds Perconte

Impacts on Internal AuditChief audit executives and the internal audit function need to first ensure that they fully understand the firmsrsquo risk appetite statement and framework From such a solid grounding the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organisationrsquos risk appetite and risk capacity This then needs to be linked to the companyrsquos capital stress tests to show that in a stressed environment the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital Regulators will be looking for that linkage

Internal audItors almost need to become rIsk managers they need to understand where rIsks are

beIng generated and how they are supposed to be controlled they are requIred to opIne on the

rIsk management systems the busIness has In place In order to control those rIsks that Is not what

Internal audIt has tradItIonally done and In a lot of cases they are not equIpped to do It

ndash Timothy Long Managing Director

30 Top Priorities for Internal Audit in Financial Services Organisations

The graphic below shows the key areas internal audit needs to consider when auditing risk appetite

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework

The RAS includes key background information and assumptions that

informed the strategic and business plans at the time they were approved

The RAS includes qualitative statements that articulate the

motivations for taking on or avoiding certain types of risks and includes a reasonable number of appropriately

selected risk metrics

The RAS has strong linkages with the short- and long-term corporate strategy capital and financial plans Risk metrics are aligned to

the incentive compensation plan and employees are

appropriately incented to support prudent risk taking in

line with corporate goals

The RAS allows the financial institution to view the desired risk profile under a variety of

scenarios

The RAS expresses the maximum level of risk

(material and overall) the organisation is willing to

operate within under normal and stressed conditions

The RAS includes measurable frequency-

based understandable and comparable risk metrics that

can be translated into risk limits applicable to business

lines legal entities and group level and linked to the

enterprisewide RAS

The RAS clearly establishes the type and amount of risk the organisation is

prepared to accept in pursuit of its strategic

objectives and business plan

The RAS is supported by appropriate

controls and stress tests

Effective Risk

Appetite Statement

Informed

Qualitative

Linked to Corporate

Goals

Defines Risks

Supported

Material Risk-Focused

Quantitative

Forward-Looking

31 Top Priorities for Internal Audit in Financial Services Organisations

Coping With the Pace of Change in Mobile Applications

fIrms need to desIgn theIr programs and control structures around much faster cycle

tImes whIch Is where agIle software delIvery and devops can help audItors need to

embrace the fact that contInuous change Is comIng and they need to buIld theIr control

programs around It

ndash Ed Page Managing Director

Jason Goldberg is a Director with Protivitirsquos Business Performance Improvement practice

Ed Page leads Protivitirsquos US Financial Services Industry IT Consulting practice

Mobile banking and mobile payments are growing in popularity as financial institutions are responding to demand from their customers to offer more convenience and more products through mobile channels Just as smartphones are evolving mobile payment technologies are being developed just as quickly with many different participants in a burgeoning ecosystem of traditional and non-traditional players including the likes of Apple Samsung Google and PayPal among others The speed of change the introduction of new third parties as well as the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms It is unsurprising therefore that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protivitirsquos 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015)

32 Top Priorities for Internal Audit in Financial Services Organisations

General Technical Knowledge (top 10 areas)

"Need to Improve" Rank   Areas Evaluated by Respondents                                                                     Competency (5-pt scale)
1                        Agile risk and compliance                                                                          2.2
2                        Internet of Things                                                                                 2.7
3 (tie)                  NIST Cybersecurity Framework                                                                       2.3
3 (tie)                  GTAG 16 – Data Analysis Technologies                                                               2.7
5 (tie)                  ISO 14000 (environmental management)                                                               2.1
5 (tie)                  ISO 27000 (information security)                                                                   2.7
7                        Mobile applications                                                                                2.3
8 (tie)                  International Financial Reporting Standards (IFRS)                                                 2.2
8 (tie)                  Country-specific enterprise risk management framework                                              2.9
10 (tie)                 Assurance around outsourced service providers                                                      2.6
10 (tie)                 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"   3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.

Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in the way its account provisioning process is organised: the card issuer is contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold about an account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
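The behaviour-based monitoring described above, worked through as an added example that is not code from the report or from Protiviti. It scores a new card transaction against the account's own history on three checks an auditor would expect to find in an alerting rule set: implausible travel speed since the previous transaction, a location unlike anything the account has used before, and an amount far outside the account's usual spend. The account, transactions and thresholds (900 km/h, 500 km, z-score of 3) are all constructed for the example and are hypothetical; a real programme tunes them per product and feeds the result into case management rather than printing it.

```python
"""Geo-location and past-behaviour transaction alerting.

Added illustration (not from the report or from Protiviti). Every
account, transaction and threshold below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    amount: float
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(history, txn, max_kmh=900.0, far_km=500.0, amount_z=3.0):
    """Return the alert reasons for txn, judged against the account's prior
    transactions. An empty list means no alert. Thresholds are hypothetical."""
    prior = sorted(
        (t for t in history if t.account == txn.account and t.when < txn.when),
        key=lambda t: t.when,
    )
    if not prior:
        return ["no_history"]  # first use of the account: route to manual review
    reasons = []

    # 1. Implausible travel since the most recent transaction on the account.
    last = prior[-1]
    dist = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
    hours = (txn.when - last.when).total_seconds() / 3600.0
    if (hours <= 0 and dist > 1.0) or (hours > 0 and dist / hours > max_kmh):
        reasons.append("impossible_travel")

    # 2. Location unlike anything in the account's transaction history.
    nearest = min(haversine_km(t.lat, t.lon, txn.lat, txn.lon) for t in prior)
    if nearest > far_km:
        reasons.append("unfamiliar_location")

    # 3. Amount far outside the account's usual spend (z-score on prior amounts).
    amounts = [t.amount for t in prior]
    mu, sd = mean(amounts), pstdev(amounts)
    if (sd > 0 and (txn.amount - mu) / sd > amount_z) or (sd == 0 and txn.amount > 3 * mu):
        reasons.append("unusual_amount")
    return reasons


# Constructed history: one account, five small purchases in New York.
NYC = (40.7128, -74.0060)
HISTORY = [
    Txn("acct-001", datetime(2016, 5, 1, 9, 0), 25.0, *NYC),
    Txn("acct-001", datetime(2016, 5, 2, 12, 30), 40.0, *NYC),
    Txn("acct-001", datetime(2016, 5, 3, 18, 0), 35.0, *NYC),
    Txn("acct-001", datetime(2016, 5, 4, 8, 15), 30.0, *NYC),
    Txn("acct-001", datetime(2016, 5, 5, 13, 0), 50.0, *NYC),
]

# Constructed: a large purchase in Los Angeles one hour after the last New York one.
SUSPICIOUS = Txn("acct-001", datetime(2016, 5, 5, 14, 0), 900.0, 34.0522, -118.2437)
# Constructed: a routine purchase back in New York two days later.
ROUTINE = Txn("acct-001", datetime(2016, 5, 7, 10, 0), 45.0, 40.7200, -74.0000)
# Constructed: a first transaction on an account with no history at all.
NEW_ACCOUNT = Txn("acct-002", datetime(2016, 5, 5, 14, 0), 10.0, *NYC)


if __name__ == "__main__":
    for t in (SUSPICIOUS, ROUTINE, NEW_ACCOUNT):
        print(t.account, t.when, t.amount, assess(HISTORY, t))
```

The three checks are deliberately independent so that an alert carries its reasons with it; that is what lets an auditor later test whether each rule fires on the cases it was designed for and whether the thresholds were ever reviewed. Device-level signals (a newly provisioned device, a changed device fingerprint) would be added as further reasons in the same way.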

There are additional challenges for firms now that the liability shift from the credit card issuers to the weakest link in the transaction has come into force, in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN, enabled cards. These pose a potential problem for retailers, because the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting its reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.

Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firm's liabilities, policies and procedures in relation to account provisioning on mobile devices.

In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for an Effective Risk Appetite Framework.

[Figure: Effective Risk Appetite Statement, with its eight components]

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks, and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan, and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organisation is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organisation is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Page 32: Top Priorities for Internal Audit in Financial Services ......Top Priorities for Internal Audit in Financial Services Organisations 1 Introduction Each year, Protiviti conducts its

31 Top Priorities for Internal Audit in Financial Services Organisations

Coping With the Pace of Change in Mobile Applications

fIrms need to desIgn theIr programs and control structures around much faster cycle

tImes whIch Is where agIle software delIvery and devops can help audItors need to

embrace the fact that contInuous change Is comIng and they need to buIld theIr control

programs around It

ndash Ed Page Managing Director

Jason Goldberg is a Director with Protivitirsquos Business Performance Improvement practice

Ed Page leads Protivitirsquos US Financial Services Industry IT Consulting practice

Mobile banking and mobile payments are growing in popularity as financial institutions are responding to demand from their customers to offer more convenience and more products through mobile channels Just as smartphones are evolving mobile payment technologies are being developed just as quickly with many different participants in a burgeoning ecosystem of traditional and non-traditional players including the likes of Apple Samsung Google and PayPal among others The speed of change the introduction of new third parties as well as the myriad risks presented by such brand new technology are presenting a wave of new challenges for financial services firms It is unsurprising therefore that internal auditors in the financial services industry have pinpointed mobile applications as an area where they need to improve their technical knowledge in Protivitirsquos 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015)


General Technical Knowledge (top 10 areas)

"Need to Improve" Rank   Areas Evaluated by Respondents                                                                      Competency (5-pt scale)
1                        Agile risk and compliance                                                                           2.2
2                        Internet of Things                                                                                  2.7
3 (tie)                  NIST Cybersecurity Framework                                                                        2.3
3 (tie)                  GTAG 16 – Data Analysis Technologies                                                                2.7
5 (tie)                  ISO 14000 (environmental management)                                                                2.1
5 (tie)                  ISO 27000 (information security)                                                                    2.7
7                        Mobile applications                                                                                 2.3
8 (tie)                  International Financial Reporting Standards (IFRS)                                                  2.2
8 (tie)                  Country-specific enterprise risk management framework                                               2.9
10 (tie)                 Assurance around outsourced service providers                                                       2.6
10 (tie)                 2013 COSO Internal Control Framework – Evaluation of "Presence, Functioning and Operating Together"  3.3

"New technologies are appearing at a very rapid pace," says Ed Page, Managing Director and Leader of Protiviti's US Financial Services Industry IT Consulting practice. "Keeping up with such a rapidly changing environment is a challenge for everyone, from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn't have to deal with before, at least at the rate of change that exists now."

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world there are many more variables: the devices are owned by the customer, there are dozens of variations of smartphones with varying operating systems, and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to "embrace the pace of change, and the fact that there are so many variables in the environment, as the new norm."

Page adds: "Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming, and they need to build their control programs around it."

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. The controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

"Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method, to ensure it is delivered in a method that still has the necessary controls around it," says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically related to the way its account provisioning system was organised, in which the card issuer is contacted to verify the customer's identity and card information.

"This is where all of the fraud was occurring," says Jason Goldberg, Director at Protiviti. "Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?"

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, based on all of the data they hold about the account's past behaviour. Working with geo-location information from mobile applications is one way to help reduce fraud, as it can be matched against customers' past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
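To make the monitoring described above concrete, the following Python script is an added illustration written for this page; it is not Protiviti's, nor any bank's or platform provider's, code. It scores a new mobile transaction against an account's own history using three behavioural signals (geo-location distance versus elapsed time, a country the account has never transacted from, and an amount far outside the account's usual spend) and raises an alert when the combined score crosses a threshold. The account history, city coordinates, timestamps and every threshold and weight are constructed and hypothetical; a real programme would tune them from its own data and false-positive budget.

```python
"""
Behavioural transaction monitoring with device geo-location, as an added
illustration of the "intelligent monitoring and alerting" described above.
Example code written for this page, not Protiviti's or any bank's
implementation; the account history, coordinates, timestamps and all
thresholds below are constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Hypothetical policy thresholds; a real programme would tune these from
# the institution's own transaction data and false-positive budget.
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # above airliner speed: "impossible travel"
AMOUNT_ZSCORE_LIMIT = 3.0        # spend far outside this account's own history
IMPOSSIBLE_TRAVEL_WEIGHT = 5
NEW_COUNTRY_WEIGHT = 2
HIGH_AMOUNT_WEIGHT = 3
ALERT_THRESHOLD = 5              # combined score at which an alert is raised


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    country: str
    lat: float  # device geo-location reported by the mobile app
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * earth_radius_km * asin(sqrt(a))


def score_transaction(history, candidate):
    """Compare one new transaction with the account's past behaviour.

    history: past Txn objects for the same account, oldest first.
    Returns (score, reasons); the caller decides what score triggers review.
    """
    score, reasons = 0, []
    if not history:
        return score, reasons  # no baseline yet; other controls must apply

    # 1. Geo-location against the most recent transaction (impossible travel).
    last = history[-1]
    km = haversine_km(last.lat, last.lon, candidate.lat, candidate.lon)
    hours = (candidate.when - last.when).total_seconds() / 3600.0
    if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
        score += IMPOSSIBLE_TRAVEL_WEIGHT
        reasons.append(f"impossible travel: {km:.0f} km in {max(hours, 0.0):.1f} h")

    # 2. Country the account has never transacted from before.
    if candidate.country not in {t.country for t in history}:
        score += NEW_COUNTRY_WEIGHT
        reasons.append(f"first transaction from {candidate.country}")

    # 3. Amount far above this account's own spending pattern.
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma > 0 and (candidate.amount - mu) / sigma > AMOUNT_ZSCORE_LIMIT:
        score += HIGH_AMOUNT_WEIGHT
        reasons.append(f"amount {candidate.amount:.2f} is "
                       f"{(candidate.amount - mu) / sigma:.1f} sd above mean")
    return score, reasons


def should_alert(history, candidate):
    """True when the combined behavioural score reaches the alert threshold."""
    return score_transaction(history, candidate)[0] >= ALERT_THRESHOLD


# Constructed sample: one account transacting in London (GB) every day for a
# week; coordinates are approximate city centres and amounts are made up.
_LONDON = (51.5074, -0.1278)
_LAGOS = (6.5244, 3.3792)
_START = datetime(2016, 1, 1, 12, 0)
SAMPLE_HISTORY = [
    Txn(_START + timedelta(days=i), amt, "GB", *_LONDON)
    for i, amt in enumerate([12.50, 40.00, 8.20, 55.00, 23.00, 31.70, 18.00, 9.99])
]
_LAST = SAMPLE_HISTORY[-1].when
NORMAL_TXN = Txn(_LAST + timedelta(hours=2), 21.00, "GB", *_LONDON)
LARGE_LOCAL_TXN = Txn(_LAST + timedelta(hours=2), 200.00, "GB", *_LONDON)
SUSPICIOUS_TXN = Txn(_LAST + timedelta(hours=1), 950.00, "NG", *_LAGOS)

if __name__ == "__main__":
    for label, txn in [("normal", NORMAL_TXN), ("large local", LARGE_LOCAL_TXN),
                       ("suspicious", SUSPICIOUS_TXN)]:
        score, reasons = score_transaction(SAMPLE_HISTORY, txn)
        print(f"{label:12} score={score:2} "
              f"alert={should_alert(SAMPLE_HISTORY, txn)} {reasons}")
```

The point an auditor would check is visible in the three sample outcomes: a large but local purchase produces a reason without an alert, while a distant, first-time-country, out-of-pattern transaction an hour after the last London purchase scores on all three signals. The signals are additive so that no single noisy indicator (a customer genuinely travelling, or a one-off large purchase) decides the outcome on its own, and the weights and threshold are the policy an audit would expect to see documented and periodically re-tuned.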

There are additional challenges for firms now that liability has shifted from the credit card issuers to the weakest link in the transaction, a change that came into force in October 2015. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV (chip-and-PIN) enabled cards, which pose a potential problem for retailers: the liability during a LoopPay transaction shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology, with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, impacting the bank's reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams, or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are themselves managed by third parties. These functions or modules often don't integrate well. Auditors need to take a close look at the end-to-end customer experience on every path, to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organisation, and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firms' liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management, as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yves.davila@protivitiglobal.com.pe

CHINA (MAINLAND): Chris Low, +862151536900, chris.low@protiviti.com

CANADA: David Dawson, +16472884886, david.dawson@protiviti.com

CHILE: Soraya Boada, +56225738580, soraya.boada@protivitiglobal.cl

CHINA (HONG KONG): Albert Lee, +85222380499, albert.lee@protiviti.com

FRANCE: Bernard Drui, +33142962277, drui@protiviti.fr

NETHERLANDS: Anneke Wieling, +31203460400, anneke.wieling@protiviti.nl

OMAN: Shatha Al Maskiry, +968 24699402, shatha.maskiry@protivitiglobal.me

MEXICO: Roberto Abad, +525553429100, roberto.abad@protivitiglobal.com.mx

GERMANY: Michael Klinger, +4969963768155, michael.klinger@protiviti.de

KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwait@protivitiglobal.me

PERU: Marco Loayza, +5112081070, marco.loayza@protivitiglobal.com.pe

AUSTRALIA: Gary Anderson, +61399481200, gary.anderson@protiviti.com.au

INDIA: Sanjeev Agarwal, +911246618600, sanjeev.agarwal1@protivitiglobal.in

QATAR: Andrew North, +97444215300, andrew.north@protivitiglobal.me

BAHRAIN: Arvind Benani, +97317100050, arvind.benani@protivitiglobal.me

ITALY: Alberto Carnevale, +390265506301, alberto.carnevale@protiviti.it

SAUDI ARABIA: Saad Al Sabti, +966112930021, saad.alsabti@protivitiglobal.me

BRAZIL: Raul Silva, +551121984200, raul.silva@protivitiglobal.com.br

JAPAN: Hyo Kambayashi, +81352196600, hyo.kambayashi@protiviti.jp

SINGAPORE: Sidney Lim, +6562206066, sidney.lim@protiviti.com

SOUTH AFRICA: Fana Manana, +27112310600, fanam@sng.za.com

UNITED ARAB EMIRATES: Arindam De, +97144380660, arindam.de@protivitiglobal.me

UNITED KINGDOM: Peter Richardson, +442079308808, peter.richardson@protiviti.co.uk

UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, cory.gunderson@protiviti.com

VENEZUELA: Gamal Perez, +582124184646, gamal.perez@protivitiglobal.com.ve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES

Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA

Buenos Aires

BRAZIL

Rio de Janeiro, São Paulo

CANADA

Kitchener-Waterloo, Toronto

CHILE

Santiago

MEXICO

Mexico City

PERU

Lima

VENEZUELA

Caracas

ASIA-PACIFIC

AUSTRALIA

Brisbane, Canberra, Melbourne, Sydney

CHINA

Beijing, Hong Kong, Shanghai, Shenzhen

INDIA

Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN

Osaka, Tokyo

SINGAPORE

Singapore

EUROPE, MIDDLE EAST, AFRICA

FRANCE

Paris

GERMANY

Frankfurt, Munich

ITALY

Milan, Rome, Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN

Manama

KUWAIT

Kuwait City

OMAN

Muscat

SOUTH AFRICA

Johannesburg

QATAR

Doha

SAUDI ARABIA

Riyadh

UNITED ARAB EMIRATES

Abu Dhabi, Dubai

Page 33: Top Priorities for Internal Audit in Financial Services ......Top Priorities for Internal Audit in Financial Services Organisations 1 Introduction Each year, Protiviti conducts its

32 Top Priorities for Internal Audit in Financial Services Organisations

General Technical Knowledge (top 10 areas)

ldquoNeed to ImproverdquoRank

Areas Evaluated by RespondentsCompetency (5-pt scale)

1 Agile risk and compliance 22

2 Internet of Things 27

3(tie)

NIST Cybersecurity Framework 23

GTAG 16 ndash Data Analysis Technologies 27

5 (tie)

ISO 14000 (environmental management) 21

ISO 27000 (information security) 27

7 Mobile applications 23

8(tie)

International Financial Reporting Standards (IFRS) 22

Country-specific enterprise risk management framework 29

10(tie)

Assurance around outsourced service providers 26

2013 COSO Internal Control Framework ndash Evaluation of ldquoPresence Functioning and Operating Togetherrdquo

33

ldquoNew technologies are appearing at a very rapid pacerdquo says Ed Page Managing Director and Leader of Protivitirsquos US Financial Services Industry IT Consulting practice ldquoKeeping up with such a rapidly changing environment is a challenge for everyone from risk managers to IT practitioners and auditors That bleeds into all kinds of change management and control considerations that we probably didnrsquot have to deal with before at least at the rate of change that exists nowrdquo

The old model of branch-based banking and even online services was protected by the fact that financial institutions owned the infrastructure on which those services were being provided In the mobile world there are many more variables the devices are owned by the customer there are dozens of variations of smart phones with varying operating systems and there has also been an influx of new third-party service providers which are offering services such as in-app payments or mobile wallets

All of these different factors create a complex disparate mobile environment Page advises professionals in all financial services departments to ldquoEmbrace the pace of change and the fact that there are so many variables in the environment as the new normrdquo

Page adds ldquoFirms need to design their programs and control structures around much faster cycle times which is where Agile software delivery and DevOps which is about continuous change management can help Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around itrdquo

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology To cope with the rapidly changing environment of mobile banking and mobile payments auditors need to adapt

ldquoRather than fight this change auditors need to become part of the team that develops the new software services from the beginning using the Agile method to ensure it is delivered in a method that still has the necessary controls around itrdquo says Page

There are many risks associated with mobile applications ndash security being the most obvious Although the cybersecurity regulatory framework is dealt with in other chapters of this paper financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning data management vendor management and complex systems integration as well as other operational and reputational risks The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay making these challenges particularly acute

33 Top Priorities for Internal Audit in Financial Services Organisations

Account ProvisioningThe main risk of mobile applications for firms is around user authentication ndash making sure the user is who they say they are When using any type of mobile payment application ndash Apple Pay and LoopPay are just two examples ndash the customer is required to provision their credit or debit card account onto their device Banks have experienced relatively high levels of fraud related to Apple Pay specifically related to the organisation of its account provisioning system where the issuer has been contacted to verify their identity and card information

ldquoThis is where all of the fraud was occurringrdquo says Jason Goldberg Director at Protiviti ldquoFraudsters are incredibly sophisticated In cases where financial institutions were using personal data to verify an account prior to provisioning the fraudsters were socially engineering that information Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud Auditors need to ask questions such as What is the appropriate amount of time to allow users to remain logged in without re-authentication What levels of authentication should be required Is there a need for multi-factor authentication of a devicerdquo

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting which is based on all of the data they have related to account past behaviour Working with geo-location information with mobile applications is one way to help reduce fraud as it can be used to match customersrsquo past transaction history Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction which came into force in October 2015 There is an added complication in the United States as it continues to transition from magnetic strip cards to EMV or chip-and-pin enabled cards that pose a potential problem for retailers because the liability during a LoopPay transition shifts to them since the technology bypasses the need for the customer to enter their pin number

As well as the fraud liability issues these payment services are relatively new technology with glitches that can impact the consumer experience These services are also not clearly understood by consumers or retailers who often blame the bank when payments fail impacting their reputation

Additionally when the technology fails or there are issues with account provisioning customers are increasingly contacting their banks for technical support Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise

With all of these new entrants into the payments space financial institutions need to have robust vendor management policies and procedures in place Increasingly firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are also managed by third parties These functions or modules often donrsquot integrate well Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module and controlled in a way that makes sense

34 Top Priorities for Internal Audit in Financial Services Organisations

Impacts on Internal AuditMobile applications and mobile banking will continue to evolve rapidly Internal audit must ensure that it is up-to-date with the latest technology which will be adopted by their organisations and that their firms are considering all potential risk exposures

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1 Ensure mobile applications and banking are covered in the audit universe completely (all productsservices platforms vendors etc)

2 Ensure that third parties are addressed in vendor management policies and procedures

3 Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing)

4 Understand the security approach to having a mobile presence

5 Consider the end-to-end process for servicing Mobile is typically a gateway to other services and platforms

6 Understand mobile application change management plans and controls

7 Consider all applicable mobile platforms supported (iOS Android Windows etc) in audit plans

8 If applicable consider the controls necessary to support an Agile software delivery model

9 Consider cross-platform service management including third-party components

10 Consider the firmsrsquo liabilities policies and procedures in relation to account provisioning on mobile devices

35 Top Priorities for Internal Audit in Financial Services Organisations

In ClosingChief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile As this paper has shown the list of internal audit priorities for financial services firms continues to grow and with it the need for internal auditors to improve their knowledge in key areas specifically cybersecurity and model risk

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives Such collaboration improves communication between the three lines of defence while also helping organisations become more efficient and work to optimise existing resources as difficulties in hiring and retaining talent become ever more acute

In light of the lack of talent firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace

Through enhancing efficiencies knowledge and effectiveness internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise

36 Top Priorities for Internal Audit in Financial Services Organisations

About ProtivitiProtiviti (wwwprotiviticom) is a global consulting firm that helps companies solve problems in finance technology operations governance risk and internal audit and has served more than 60 percent of Fortune 1000reg and 35 percent of Fortune Global 500reg companies Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries We also work with smaller growing companies including those looking to go public as well as with government agencies

Ranked 57 on the 2016 Fortune 100 Best Companies to Work Forreg list Protiviti is a wholly owned subsidiary of Robert Half (NYSE RHI) Founded in 1948 Robert Half is a member of the SampP 500 index

Contacts

ARGENTINAYves Davila+541140013124yvesdavilaprotivitiglobalcompe

CHINA (MAINLAND)Chris Low+862151536900chrislowprotiviticom

CANADADavid Dawson+16472884886daviddawsonprotiviticom

CHILESoraya Boada+56225738580sorayaboadaprotivitiglobalcl

CHINA (HONG KONG)1048586Albert Lee+85222380499albertleeprotiviticom

FRANCEBernard Drui+33142962277druiprotivitifr

NETHERLANDSAnneke Wieling+31203460400annekewielingprotivitinl

OMANShatha Al Maskiry+968 24699402shathamaskiryprotivitiglobalme

MEXICORoberto Abad+525553429100robertoabadprotivitiglobalcommx

GERMANYMichael Klinger+4969963768155michaelklingerprotivitide

KUWAITSanjeev Agarwal+96522426444kuwaitprotivitiglobalme

or

Rakesh Kabra+96522426444kuwaitprotivitiglobalme

PERUMarco Loayza+5112081070marcoloayzaprotivitiglobalcompe

AUSTRALIAGary Anderson+61399481200garyandersonprotiviticomau

INDIASanjeev Agarwal+911246618600sanjeevagarwal1protivitiglobalin

QATARAndrew North+97444215300andrewnorthprotivitiglobalme

BAHRAINArvind Benani+97317100050arvindbenaniprotivitiglobalme

ITALYAlberto Carnevale+390265506301albertocarnevaleprotivitiit

SAUDI ARABIASaad Al Sabti+966112930021saadalsabtiprotivitiglobalme

BRAZILRaul Silva+551121984200raulsilvaprotivitiglobalcombr

JAPANHyo Kambayashi+81352196600hyokambayashiprotivitijp

SINGAPORESidney Lim+6562206066sidneylimprotiviticom

SOUTH AFRICAFana Manana+27112310600fanamsngzacom

UNITED ARAB EMIRATESArindam De+97144380660arindamdeprotivitiglobalme

UNITED KINGDOMPeter Richardson+442079308808peterrichardsonprotiviticouk

UNITED STATES Cory GundersonManaging DirectorGlobal Leader Financial Services Industry Practice+12127086313corygundersonprotiviticom

VENEZUELAGamal Perez+582124184646gamalperezprotivitiglobalcomve

copy 2016 Protiviti Inc An Equal Opportunity Employer MFDisabilityVeterans PRO-0516-108152Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services

Protiviti Member Firm

THE AMERICAS

UNITED STATES

AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City San Francisco San Jose Seattle Stamford St Louis Tampa Washington DC WinchesterWoodbridge

ARGENTINA

Buenos Aires

BRAZIL

Rio de Janeiro Satildeo Paulo

CANADA

Kitchener-WaterlooToronto

ASIA-PACIFIC

AUSTRALIA

BrisbaneCanberraMelbourneSydney

CHINA

BeijingHong KongShanghaiShenzhen

INDIA

BangaloreHyderabadKolkata MumbaiNew Delhi

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

CHILE

Santiago

MEXICO

Mexico City

PERU

Lima

VENEZUELA

Caracas

EUROPEMIDDLE EASTAFRICA

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN

Manama

KUWAIT

Kuwait City

OMAN

Muscat

SOUTH AFRICA

Johannesburg

QATAR

Doha

SAUDI ARABIA

Riyadh

UNITED ARAB EMIRATES

Abu Dhabi Dubai

Page 34: Top Priorities for Internal Audit in Financial Services ......Top Priorities for Internal Audit in Financial Services Organisations 1 Introduction Each year, Protiviti conducts its

33 Top Priorities for Internal Audit in Financial Services Organisations

Account ProvisioningThe main risk of mobile applications for firms is around user authentication ndash making sure the user is who they say they are When using any type of mobile payment application ndash Apple Pay and LoopPay are just two examples ndash the customer is required to provision their credit or debit card account onto their device Banks have experienced relatively high levels of fraud related to Apple Pay specifically related to the organisation of its account provisioning system where the issuer has been contacted to verify their identity and card information

ldquoThis is where all of the fraud was occurringrdquo says Jason Goldberg Director at Protiviti ldquoFraudsters are incredibly sophisticated In cases where financial institutions were using personal data to verify an account prior to provisioning the fraudsters were socially engineering that information Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud Auditors need to ask questions such as What is the appropriate amount of time to allow users to remain logged in without re-authentication What levels of authentication should be required Is there a need for multi-factor authentication of a devicerdquo

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting which is based on all of the data they have related to account past behaviour Working with geo-location information with mobile applications is one way to help reduce fraud as it can be used to match customersrsquo past transaction history Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks

There are additional challenges for firms now that the liability has shifted from the credit card issuers to the weakest link in the transaction which came into force in October 2015 There is an added complication in the United States as it continues to transition from magnetic strip cards to EMV or chip-and-pin enabled cards that pose a potential problem for retailers because the liability during a LoopPay transition shifts to them since the technology bypasses the need for the customer to enter their pin number

As well as the fraud liability issues these payment services are relatively new technology with glitches that can impact the consumer experience These services are also not clearly understood by consumers or retailers who often blame the bank when payments fail impacting their reputation

Additionally when the technology fails or there are issues with account provisioning customers are increasingly contacting their banks for technical support Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise

With all of these new entrants into the payments space financial institutions need to have robust vendor management policies and procedures in place Increasingly firms are outsourcing mobile payment functions to third parties and are also using core banking platforms that are also managed by third parties These functions or modules often donrsquot integrate well Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module and controlled in a way that makes sense

34 Top Priorities for Internal Audit in Financial Services Organisations

Impacts on Internal AuditMobile applications and mobile banking will continue to evolve rapidly Internal audit must ensure that it is up-to-date with the latest technology which will be adopted by their organisations and that their firms are considering all potential risk exposures

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered completely in the audit universe (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firms' liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organisations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organisation understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defence, while also helping organisations become more efficient and optimise existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the talent shortage, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

By enhancing efficiency, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organisations in their continued growth, while at the same time ensuring that internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

ARGENTINA: Yves Davila, +541140013124, yves.davila@protivitiglobal.com.pe

CHINA (MAINLAND): Chris Low, +862151536900, chris.low@protiviti.com

CANADA: David Dawson, +16472884886, david.dawson@protiviti.com

CHILE: Soraya Boada, +56225738580, soraya.boada@protivitiglobal.cl

CHINA (HONG KONG): Albert Lee, +85222380499, albert.lee@protiviti.com

FRANCE: Bernard Drui, +33142962277, drui@protiviti.fr

NETHERLANDS: Anneke Wieling, +31203460400, anneke.wieling@protiviti.nl

OMAN: Shatha Al Maskiry, +968 24699402, shatha.maskiry@protivitiglobal.me

MEXICO: Roberto Abad, +525553429100, roberto.abad@protivitiglobal.com.mx

GERMANY: Michael Klinger, +4969963768155, michael.klinger@protiviti.de

KUWAIT: Sanjeev Agarwal or Rakesh Kabra, +96522426444, kuwait@protivitiglobal.me

PERU: Marco Loayza, +5112081070, marco.loayza@protivitiglobal.com.pe

AUSTRALIA: Gary Anderson, +61399481200, gary.anderson@protiviti.com.au

INDIA: Sanjeev Agarwal, +911246618600, sanjeev.agarwal1@protivitiglobal.in

QATAR: Andrew North, +97444215300, andrew.north@protivitiglobal.me

BAHRAIN: Arvind Benani, +97317100050, arvind.benani@protivitiglobal.me

ITALY: Alberto Carnevale, +390265506301, alberto.carnevale@protiviti.it

SAUDI ARABIA: Saad Al Sabti, +966112930021, saad.alsabti@protivitiglobal.me

BRAZIL: Raul Silva, +551121984200, raul.silva@protivitiglobal.com.br

JAPAN: Hyo Kambayashi, +81352196600, hyo.kambayashi@protiviti.jp

SINGAPORE: Sidney Lim, +6562206066, sidney.lim@protiviti.com

SOUTH AFRICA: Fana Manana, +27112310600, fanam@sng.za.com

UNITED ARAB EMIRATES: Arindam De, +97144380660, arindam.de@protivitiglobal.me

UNITED KINGDOM: Peter Richardson, +442079308808, peter.richardson@protiviti.co.uk

UNITED STATES: Cory Gunderson, Managing Director, Global Leader, Financial Services Industry Practice, +12127086313, cory.gunderson@protiviti.com

VENEZUELA: Gamal Perez, +582124184646, gamal.perez@protivitiglobal.com.ve

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-108152. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti Member Firm

THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA: Buenos Aires

BRAZIL: Rio de Janeiro, São Paulo

CANADA: Kitchener-Waterloo, Toronto

CHILE: Santiago

MEXICO: Mexico City

PERU: Lima

VENEZUELA: Caracas

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney

CHINA: Beijing, Hong Kong, Shanghai, Shenzhen

INDIA: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN: Osaka, Tokyo

SINGAPORE: Singapore

EUROPE/MIDDLE EAST/AFRICA

FRANCE: Paris

GERMANY: Frankfurt, Munich

ITALY: Milan, Rome, Turin

THE NETHERLANDS: Amsterdam

UNITED KINGDOM: London

BAHRAIN: Manama

KUWAIT: Kuwait City

OMAN: Muscat

SOUTH AFRICA: Johannesburg

QATAR: Doha

SAUDI ARABIA: Riyadh

UNITED ARAB EMIRATES: Abu Dhabi, Dubai
