Remarks by Governor Susan Schmidt Bies
At the Bank Administration Institute's Fiduciary Risk Management Conference 2004, Las Vegas, Nevada
April 26, 2004
Current Issues in Corporate Governance
Internal Control Fundamentals and Enterprise Risk Management
The Committee of Sponsoring Organizations (COSO) Internal Control Integrated Framework is still the U.S. standard on internal controls.1 The COSO model serves as the basis for meeting the internal control assessment and reporting requirements for depository institutions laid out in section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA 112). This model is also broadly applicable to public companies in complying with section 404 of the Sarbanes-Oxley Act.
Under COSO, directors have responsibility for overseeing internal control processes so that they can reasonably expect that their directives will be followed. Although directors are not expected to understand the nuances of every line of business or to oversee every transaction, they are responsible for setting the tone regarding their corporations' risk-taking and for establishing an effective monitoring program. The implication is that directors should be vigilant in maintaining a clear understanding of how COSO is being implemented in their organizations.
Directors should also keep up with innovations in corporate governance. For example, directors should be aware that a new COSO framework has been proposed to encompass Enterprise Risk Management.2 A draft of the updated COSO framework was released for comment last summer, and a final document is expected later this year.
For those of you not familiar with the new COSO framework, let me briefly explain that enterprisewide risk management is a discipline that an organization can use to identify events that may affect its ability to achieve its strategic goals and to manage its activities consistent with its risk appetite. Such events include not only those that may result in adverse outcomes, but also those that give rise to opportunities. When embraced, an enterprisewide risk management framework improves the quality and flow of information for decisionmakers and stakeholders, focuses attention on the achievement of organizational goals, and improves the overall governance of an organization.
Some key steps in effective enterprisewide risk management include identifying and assessing the key risks within an organization and determining the appropriate response to those risks. Companies should determine the level of risk they are willing to accept given the return they can achieve. Management then must implement effective processes to limit risk to the acceptable level. Once these steps have been taken, business line managers are expected to monitor actual risk levels and test the effectiveness of the risk responses.
Several elements are essential to the successful implementation of enterprisewide risk management. One is clearly articulated risk-management goals, which provide a foundation for the enterprisewide risk management program and for related training and communication. A second is a common risk language, which is critical because it enables individuals throughout the organization to conduct meaningful cross-functional discussions about risk. A third element essential to the implementation of successful enterprisewide risk management is that individuals clearly understand their roles in the risk-assessment and risk-management framework. In today's environment, all organizations should consider embracing this discipline. Indeed, the Federal Reserve is currently considering how enterprisewide risk management can better be integrated into its management processes.
Tone at the Top
While the ethical tone of a financial institution comes from the top, a successful ethics program must be demonstrated by staff at all levels and throughout the organization. The environment should empower any employee to elevate ethical or reputational concerns to appropriate levels of management without fear of retribution. In other words, the culture of the organization should raise issues to senior management that they may not be aware of; management can then demonstrate their commitment by responding appropriately.
Role of Internal Audit
To support this goal, the audit committee should ensure that internal audit has an effective quality assurance process. This becomes increasingly important as organizations grow in scale, enter new lines of business, become more complex, or acquire organizations with different cultures. As organizations grow, internal auditors must learn new technical skills, manage larger staffs, and be continually alert for emerging gaps or conflicts of interest in the system of internal controls. This often requires that the quality assurance process around the internal audit process become better defined so that it promptly alerts the general auditor and the audit committee to weaknesses in the internal audit program.
Risk-focused audit programs should be reviewed regularly to ensure that audit resources remain focused on the higher-risk areas as the company grows and as products and processes change. As lower-risk areas come up for review, auditors should do enough transaction testing to be confident in their risk rating. Audit committees should receive reports on all breaks in internal controls in a form that will help them determine where the controls and the auditing process can be strengthened.
Before a company moves into new or higher-risk areas, the board of directors and senior management should receive assurances from appropriate management and internal audit that the tools and metrics are in place to ensure that the basics of sound governance will be adhered to. The audit committee should actively engage the internal auditor to ensure that the bank's risk assessment and control processes are vigorous.
Many of the organizations that have seen their reputations tarnished in the past few years have simply neglected to consider emerging conflicts of interest when adding new products and lines of business. It is important to make sure that appropriate firewalls and mitigating controls are in place before the product or activity begins.
The audit committee should also require the highest possible level of independence for the internal audit process and eliminate any threats to this independence, such as the tendency for some internal auditors to act as management consultants within the organization. Internal auditors add value by being effective independent assessors of the quality of the internal control framework and processes. Auditors lose their independence when they perform management consulting roles for which they later will have to render an opinion. Internal audit is one of the few corporate functions with both the ability and the responsibility to look across all of the management silos within the corporation and make sure that the system of internal controls has no gaps and that the control framework is continually reviewed to keep up with corporate strategic initiatives, reorganizations, and process changes. When an auditor becomes part of the management process subject to internal audit review, the independent view is lost.
I would also like to add that internal auditors are the eyes and ears of the audit committee around the organization. As the complexity of financial products and technology has grown, the financial services industry has increased its reliance on vendors and third-party service providers for a host of technological solutions. Be mindful that these outsourcing arrangements may pose additional types of risks for the organization, such as security or data privacy risks. Internal auditors should remain vigilant in identifying risks as the organization changes or new products are delivered to the marketplace.
The U.S. Public Company Accounting Oversight Board
In addition, as part of its overall assessment of internal controls, the external auditor is expected to evaluate the effectiveness of the audit committee. If the audit committee is deemed to be ineffective, the external auditor is required to report that assessment to the company's board of directors.
This new standard will certainly put more demands on external auditors and public companies alike. But this is the price to be paid for "raising the bar" to achieve greater reliability in corporate financial statements and to regain the confidence of the public and the trust of financial markets.
Risk Management in the e-Commerce Environment
Let me say at the outset that the financial sector has performed extraordinarily well in responding to these incidents. Moreover, we are extremely proud that financial markets and participants have been able to meet these challenges and continue critical operations without any systemic effects or loss of confidence in our financial system. This is no accident. Financial institutions have increasingly devoted resources to addressing operations risk, business continuity, security (physical and cyber), and information-sharing. I would like to highlight some of the key developments we have observed and discuss where our business-risk-management efforts should be focused.
In February 2003, the Basel Committee on Banking Supervision released a paper titled "Sound Practices for the Management and Supervision of Operational Risk" that outlines a set of broad principles that should govern the management of operational risk at depository institutions of all sizes.5 These principles will likely play a key role in shaping our ongoing supervisory efforts in the United States with regard to operations risk management. As with COSO's enterprise risk management framework, I encourage you to read the operations risk paper.
Operations risk has always been a part of banking. But the increasing complexity of financial organizations, an increase in the number and variety of products and services they provide, the evolution of business processes (including substantially greater reliance on information technology and telecommunications), and changes in the ethical environment in which we live have all contributed to more observable exposures to this type of risk. Many of the community bank failures in recent years have been due to operations risks. In a few cases, dominant chief executives perpetrated fraud by manipulating the internal controls. In others, the management information systems necessary to monitor exposures in riskier lines of business were never built. As a result, other managers and the boards of directors did not have the information necessary to monitor and understand the growing risks inherent in what appeared to be profitable strategies.
Operations risk was a primary focus of Y2K preparations a few years ago. Identification of critical computer-reliant systems and infrastructures gave us a much clearer understanding of the financial system's dependence on technology and of the complexities of managing operations risk. Once institutions understood the considerable business risks that would result if they could not serve customers, they moved the management of Y2K preparations out of the back office and onto the desks of product-line and senior managers--where it belongs.
Moreover, it became clear that financial institutions needed to plan for the possibility that an external threat--a failure in the critical infrastructure or by a major service provider or material counterparty--might severely impact a financial institution's business operations. There was an increased understanding of the interdependencies across market participants and of how credit, liquidity, and operations risks at one organization could have a cascading impact on other financial institutions.
IT and Physical Security
The increasing role of information system networks and the Internet in business operations as a means of conducting business with customers has engendered new cybersecurity risks for financial institutions. Thankfully, banking organizations recognized these risks from the outset and became leaders in addressing cyberprotection issues. For example, financial services was the first private sector to incorporate encryption into business processes on a wide scale. Nevertheless, each year the continuous stream of cyberattacks, such as the Bugbear.B virus (which targeted banks) and the SoBig.F worm, demonstrates that cybersecurity will need to be an ongoing battle. Experience to date shows that banking organizations are effectively managing cybersecurity risk. There have been relatively few serious intrusions, and there have been virtually no disruptions of critical systems. Nevertheless, financial institutions can expect to remain a target of cyberattacks. I believe there is a need for heightened attention to managing this risk. This includes monitoring warnings carefully, acting quickly to apply patches in a controlled environment, and taking other steps necessary to preclude any damage to information systems.
Moreover, I urge you to review your internal security requirements to make sure that effective controls are in place and being followed. You may recall that my definition of operations risk includes employee fraud. We are still seeing evidence that most successful--or nearly successful--hacking incidents can be traced back to current or former employees.
We regulators have been mindful of the tremendous growth in your reliance on information technology, such as the shift from mainframe computing to the use of distributed systems and the Internet, increased reliance on commercial off-the-shelf software, and a general expansion of potential external access to enterprise data. This increase in operations risk raises significant safety and soundness concerns for financial institutions and privacy concerns for consumers. In January 2003, the FFIEC (Federal Financial Institutions Examination Council) issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk-management practices.6 The guidance, contained in the Information Security Booklet, describes how an institution should protect and secure the systems and facilities that process and maintain information. It calls on financial institutions and technology service providers to maintain effective security programs that are tailored to the complexity of their operations. Several years ago, as part of the shift to a risk-focused approach to supervision, the Federal Reserve integrated information technology reviews into safety and soundness examinations. This assures that our evolving understanding of the elements of operations risk is reflected in supervisory assessments of the adequacy of risk management across the entire enterprise. I hope that you are already familiar with the supervisory expectations in the Information Security Booklet.
I would also like to remind everyone of the importance of securing customer information. This privacy requirement goes beyond the IT systems themselves to the output of those systems. Distributed processing means paper copies of customer information tend to proliferate. Information security should include protection of paper documents, including their safe disposal, so that customers' private information does not inadvertently fall into the wrong hands.
On the physical security side, I am aware that some of you have had to step up physical security protocols to ensure that your facilities and staff are protected. Over the past year, we have had several occasions when the government raised the threat level to Orange (High). Responding responsibly to physical threat warnings is costly and can be confusing, but it cannot be avoided. The Department of Homeland Security has provided some general guidelines on how to adjust security measures to its threat-level warning system. Industry groups have been sharing information on the measures they plan to take at various threat levels--including measures to protect staff by conducting operations from homes or back-up locations. This discussion has led to a greater awareness and commitment by financial institutions to ensure that all practical measures are taken to protect employees and facilities. I commend the industry for the work it has done in responding to homeland security issues. I hope you will continue to share information on ways to protect your businesses in the post-September 11 environment. I also suggest that you make every effort to coordinate with local protection authorities so that they are aware of your special needs and you understand their emergency protocols.
Allowance for Loan and Lease Losses
Banking institutions should be applying an ALLL methodology that is well defined, consistently applied, and auditable. Institutions are required to maintain written documentation to support the amounts of the ALLL and the provision for loan and lease losses reported in the financial statements. This methodology should be validated periodically and should be modified to incorporate new events or findings as needed. Interagency supervisory guidance specifies that management, under the direction of the board of directors, should implement appropriate procedures and controls to ensure compliance with the institution's ALLL policies and procedures. Given that many banks use credit models, it is important that those models be validated periodically. Institutions should be vigilant to ensure the integrity of their credit-related data and that the loan review process provides the most up-to-date and accurate information possible for management to consider as part of its ALLL assessment.
Call Report Modernization
The Federal Reserve is also making improvements in the reporting process for bank holding companies (BHCs). All BHCs are now required to file the Y-9 financial reports electronically, thereby eliminating paper-copy reporting. In addition, similar to the Call Report modernization effort that has been undertaken on an interagency basis, the Federal Reserve will be implementing a process that more quickly validates the BHC Y-9 data so that the data are released faster to the public. You can contact your district Federal Reserve Bank if you would like additional information on this initiative. Information is also available on a Federal Reserve web site (www.reportingandreserves.org/).
Boards of directors and senior management have the responsibility to establish effective risk-management and assessment processes across their organizations and to integrate the results of those efforts into their strategic and operating planning processes. The internal audit function can play an important role in reviewing the quality of corporate governance, internal control, and enterprisewide risk management because of its unique, firmwide perspective and its independence.
1. COSO defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations." Internal Control Integrated Framework is available for purchase from the American Institute of Certified Public Accountants; an executive summary is available at http://www.coso.org/publications/executive_summary_integrated_framework.htm.
3. A copy of the interagency policy statement, which was released on March 17, 2003, can be obtained at http://www.federalreserve.gov/boarddocs/press/bcreg/2003/20030317/default.htm.