TRANSCRIPT
The Payments Institute, July 21-24, 2019 • Emory University, Atlanta GA
Understanding the Payments Risk Environment
Jen Wasmund, AAP, CTP, NCP
Enterprise Payments Risk Manager, Capital One
Agenda
• Key terms and definitions
• The risk management lifecycle
• Payments risk management
– By channel
– Horizontal risk and control programs
• Best practices discussion
• Questions?
KEY TERMS AND DEFINITIONS
• Risk
– Something that could negatively affect an organization’s ability to meet its business objectives
• Internal control (per COSO)
– A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives
– May be manual or automated
Key terms and definitions
• Risk appetite
– Amount of risk an entity is willing to accept in pursuit of value
– Reflects culture and philosophy of risk management and operating style
• Risk tolerance
– Acceptable level of variation, relative to the importance to a specific objective
Key terms and definitions
• Inherent risk
– Risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact
Key terms and definitions
• Example of determining inherent risk
[Figure: 3×3 inherent risk matrix, Likelihood (L/M/H) on the vertical axis against Impact (L/M/H) on the horizontal axis]
Key terms and definitions
• Residual risk
– Risk remaining after management’s response to the risk (e.g. application of controls based on risk tolerance)
[Figure: Inherent Risk → Controls → Residual Risk]
Key terms and definitions
• What types of risk does your organization encounter and address in your risk management program?
• How would you define or give an example of each of these?
• Ancillary risks
– Consequences or byproducts of not managing the primary risks listed previously
– What are some examples?
Key terms and definitions
• Key controls
– Necessary or critical to mitigate risk
• Secondary (non-key) controls
– May be relied upon in the event of a failure of a key control
– May be important for process efficiency, but not essential for risk mitigation
Key terms and definitions
• Preventive controls
– Intended to stop an adverse outcome before it occurs
• Detective controls
– Intended to detect errors or irregularities that may have already occurred
Key terms and definitions
Source: “Leveraging COSO Across the Three Lines of Defense Model” (2015) https://www.coso.org/Documents/COSO-2015-3LOD.pdf
THE RISK MANAGEMENT LIFECYCLE
Risk management lifecycle
Source: https://www.rmahq.org/enterprise-risk-management-workbooks/
• Risk identification
• Risk analysis
• Risk response and planning
• Risk response execution
• Monitoring and validation
Risk management lifecycle
• How can you respond to identified risks?
– Accept
– Mitigate
– Transfer/share
– Avoid
• The cycle is designed to be continuous, so that new risks or changes in the environment feed back into identification
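The definitions above (inherent risk from a likelihood × impact matrix, residual risk after controls, key versus secondary controls, risk tolerance, and the four responses) fit together as a small risk register scorer. The following is an added example, not the deck's own method or any Capital One tooling; the 1–3 scoring of the L/M/H levels, the rule that each active control lowers one axis by one level, the tolerance threshold, the response-selection rules and the sample risks are all assumptions made for illustration.

```python
# Added example (not from the deck): a semi-quantitative payments risk register that
# scores inherent risk on a likelihood x impact matrix, applies key and secondary controls
# to derive residual risk, and picks a response (accept / mitigate / transfer-share /
# avoid) against a risk tolerance threshold. Scoring rules and sample data are assumptions.
from dataclasses import dataclass, field
from typing import Optional

LEVEL = {"L": 1, "M": 2, "H": 3}          # assumption: L/M/H scored 1..3 on both axes
NAME = {v: k for k, v in LEVEL.items()}

@dataclass
class Control:
    name: str
    kind: str                 # "preventive" (stops the event) or "detective" (finds it after)
    key: bool                 # True = key control; False = secondary (non-key)
    reduces: str              # which axis the control lowers: "likelihood" or "impact"
    effective: bool = True    # result of the latest control test
    backs_up: Optional[str] = None   # secondary control: name of the key control it covers

@dataclass
class Risk:
    name: str
    channel: str              # ACH, Wire, Check, Card, Cash
    likelihood: str           # inherent likelihood: L/M/H
    impact: str               # inherent impact: L/M/H
    controls: list = field(default_factory=list)

def inherent_score(risk: Risk) -> int:
    """Inherent risk: likelihood x impact before any management response."""
    return LEVEL[risk.likelihood] * LEVEL[risk.impact]

def active_controls(risk: Risk) -> list:
    """Effective key controls always count; an effective secondary control counts only
    when the key control it backs up has failed (the deck's definition of non-key)."""
    failed_keys = {c.name for c in risk.controls if c.key and not c.effective}
    return [c for c in risk.controls
            if c.effective and (c.key or c.backs_up in failed_keys)]

def residual_levels(risk: Risk) -> tuple:
    """Residual likelihood/impact: each active control drops its axis one level (assumption)."""
    lik, imp = LEVEL[risk.likelihood], LEVEL[risk.impact]
    for c in active_controls(risk):
        if c.reduces == "likelihood":
            lik = max(1, lik - 1)
        else:
            imp = max(1, imp - 1)
    return lik, imp

def residual_score(risk: Risk) -> int:
    lik, imp = residual_levels(risk)
    return lik * imp

def recommend_response(risk: Risk, tolerance: int) -> str:
    """Map residual risk to one of the four responses. Rules are an assumption:
    within tolerance -> accept; still H/H with nothing working -> avoid; likelihood
    already at its floor but impact still H -> transfer/share (insurance, contractual
    allocation); otherwise -> mitigate (add or fix controls)."""
    lik, imp = residual_levels(risk)
    if lik * imp <= tolerance:
        return "accept"
    if lik == 3 and imp == 3:
        return "avoid"
    if lik == 1 and imp == 3:
        return "transfer/share"
    return "mitigate"

def score_register(risks: list, tolerance: int) -> list:
    """One row per risk: (name, channel, inherent score, residual L/M/H pair, response)."""
    rows = []
    for r in risks:
        lik, imp = residual_levels(r)
        rows.append((r.name, r.channel, inherent_score(r),
                     f"{NAME[lik]}/{NAME[imp]}", recommend_response(r, tolerance)))
    return rows

# Constructed sample register (hypothetical risks and controls, not real data).
SAMPLE_RISKS = [
    Risk("Unauthorized ACH file origination", "ACH", "H", "H", [
        Control("Dual approval of outbound ACH files", "preventive", True, "likelihood"),
        Control("Next-day ACH exception report review", "detective", False, "impact",
                backs_up="Dual approval of outbound ACH files"),
    ]),
    Risk("Business email compromise wire request", "Wire", "M", "H", [
        Control("Callback verification for new payees", "preventive", True, "likelihood"),
        Control("Per-user wire release limits", "preventive", True, "impact"),
    ]),
    Risk("Counterfeit check deposit losses", "Check", "L", "H", []),
    Risk("Card data exposure at a third-party processor", "Card", "H", "H", [
        Control("Processor PCI attestation review", "detective", True, "likelihood",
                effective=False),
    ]),
]
TOLERANCE = 2   # assumption: a residual score above 2 needs a response other than accept

if __name__ == "__main__":
    for row in score_register(SAMPLE_RISKS, TOLERANCE):
        print(row)
```

Note how the secondary control only enters the residual calculation once its key control is marked ineffective, which is exactly the situation in which the deck says a non-key control is relied upon; the exception report then limits impact rather than likelihood, so the residual shifts from M/H to H/M even though the numeric score is the same.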
PAYMENTS RISK MANAGEMENT
Payments risk management
• Each group will choose one type of risk defined earlier in this session
– The group will take 15 minutes to discuss examples of how its risk is inherent in the following types of payments
• ACH
• Wire
• Check
• Card
Payments risk management
• What are some types of risk and control programs or teams that might have a centralized program across all payment types?
Payments risk management
[Figure: a horizontal program such as Disaster Recovery and Business Continuity spanning all payment channels: ACH, Wire, Check, Card, Cash]
• Name some additional programs that may operate this way…
BEST PRACTICES DISCUSSION
Best practices discussion
• How do your organizations manage risk? Are there centralized departments across the “lines of defense”?
• How do you manage risk throughout its lifecycle for payments? What about for new products or changes to software?
• What types of breakdowns worry you and your management team the most, either ones you have incurred or ones you have heard of?
• What are some of the biggest risk concerns across payments?
• What are some of the most important controls that your organization leverages?
• Do you do any type of special risk reporting? If so, what types of metrics do you use to measure your payments risk and how strong your controls are?
• How would you describe the maturity of your payments risk tolerance and appetite at your organizations?
QUESTIONS? THANKS AND DON’T FORGET TO COMPLETE YOUR EVAL!