Business self-assessment (BSA) is a business-unit self-monitoring process that identifies and documents the risk profile of a business activity and provides a mechanism to verify that those risks are appropriately controlled. First Union Home Equity Bank was the first business unit to implement a formal BSA program in First Union Corp. In early January 1997, the FUHEB BSA team held concept meetings to construct the FUHEB BSA program. The BSA team based the program on 3 core principles: 1. to educate teams to self-monitor risk, 2. to build a quantitative risk-scoring methodology, and 3. to create frequent results reporting. The success of any BSA program is measured by the performance improvement achieved by a functional unit. If properly implemented, the program offers the unit the capability to analyze performance trends, then enact change to significantly reduce potential risk. The problem assets team at FUHEB accepted the challenge by admitting its operational problems, learning a new method to monitor performance, and improving its control environment.
Full text
If you receive a $100 bill from someone as a gift, you would take precautions to prevent losing it. For example, you may place it in your purse or wallet, or you may even put the $100 in a bank account. In either case, you are implementing a control, placing the money in a secure location, to prevent the risk of creating personal financial loss. This is risk management.
All businesses, consciously or unconsciously, engage in risk-management practices to prevent unexpected and unwanted financial losses. Sometimes these risk-avoidance activities fall short and are well publicized. Companies can sustain large losses from inadequate risk-management practices:
Sumitomo Corporation, a Japanese bank, declared in June 1996 that it would realize a nearly $2 billion loss resulting from high-risk trading in the copper market. The bank blames this loss on one trader, Yasuo Hamanaka. Hamanaka worked as a copper trader for Sumitomo for approximately 20 years.1 How did his long position in the copper market go unnoticed or unchecked for 10 years? This Japanese bank did not have controls in place to effectively monitor Hamanaka's investment activities.
A recent study by the Computer Security Institute indicated that businesses recognized financial losses of $136.8 million in 1997 due to computer hacking activities.2 With the growth in Internet commerce, businesses must place sophisticated alarm systems and complicated encryption algorithms, or technology controls, in their computer infrastructures to detect unauthorized access. According to Michael Vatis, FBI Deputy Assistant Director of the National Infrastructure Protection Center (NIPC), "Although we have not experienced the electronic equivalent of a Pearl Harbor or Oklahoma City, the statistics and our cases demonstrate our dangerous vulnerabilities to cyber attack."3
Organizations must develop and implement a comprehensive and quantitative risk-management program in the culture of the organization. The responsibility to identify and monitor risks should be not just a senior- or middle-management effort. All levels of a company (CEO to frontline workers) must be involved in helping the company achieve its business objectives through risk prevention. And every function, from human resources to technology services, must be monitored.
Involvement by business units at all levels of an organization is the essence of a new risk-management program called business self-assessment (BSA). Business self-assessment is a business-unit self-monitoring process that identifies and documents the risk profile of a business activity and provides a mechanism to verify that those risks are appropriately controlled. This article discusses the self-assessment concept, the development and implementation of BSA at First Union, the Home Equity Bank's BSA program, and a case study of the successful use of BSA in a vital functional unit.
RISK MANAGEMENT: SOME DEFINITIONS
Risk management means something different to everyone. For the purposes of this article, risk is defined as any potential adverse business event that could harm the financial performance of a company. Exhibit 1 defines other components of risk management to provide a common ground for discussion in this article.
Beyond the core definitions of risk, First Union Home Equity Bank monitors risk according to the 10 categories of risk as prescribed by the Office of the Comptroller of the Currency (OCC): credit, operational, strategic, reputation, interest rate, foreign exchange, compliance, liquidity, price, and market sensitivity. The OCC uses this risk framework to assess the overall safety and soundness of a bank's operations.
RISK SELF-ASSESSMENT: A PARADIGM SHIFT
Every industry in the world is experiencing rapid change. The business news media is saturated with reports of record-setting mergers, downsizing, increased global competition, and so on. Therefore, the probability for substantial financial loss resulting from poorly integrated operations, productivity declines resulting from low employee morale, and misunderstandings from business culture differences is extremely high if not properly controlled.
Audit professionals have served as the main source of knowledge and testing of business control environments. The tests, or traditional audits, are typically conducted annually, or semiannually, culminating in the preparation and distribution of a state-of-the-company audit report. The audits provide point-in-time findings and recommendations, and senior managers may or may not use the findings to improve risk performance. These independent reviews of a business operation by an internal or external auditor remain a very important, objective assessment of the issues on which a company should focus. However, rapid organizational and procedural changes demand more frequent risk reviews and analyses.
In the late 1980s, many auditors began discussing the need to expand control evaluation beyond traditional audits within a company. Control self-assessment (CSA) developed as a new tool to enhance the audit function by allowing companies, business units, and departments to self-identify their business risks and to self-monitor the performance of the controls necessary to prevent those business risks. The premise of CSA is to leverage the best source of business risk information, frontline workers and management, to assess the risk and control environment.
The Institute of Internal Auditors (IIA), the governing body for the audit profession, is sponsoring the formulation of the definition, principles, and practices for CSA. The assessment objective can be achieved through a number of methods. Surveys, questionnaires, and workshops are some of the methods used. To set a common ground for these methods, the IIA published in 1996 a list of basic elements for control self-assessment:4
front-end planning and preliminary audit work;
the gathering of a group of process owners and a facilitator;
a structured agenda that the facilitator uses to lead the group through an examination of the group's risks and controls;
the presence of a scribe to take a transcription of the session;
reporting and the development of action plans.
BUSINESS SELF-ASSESSMENT AT FIRST UNION CORPORATION
Using concepts from control self-assessment, the First Union internal audit division began to tailor a risk self-assessment process for First Union Corporation (FTU). Internal audit division managers decided to name the process "business self-assessment," removing the "control" reference used by the IIA. The intent was to ensure that business units would accept more ownership of the process to prevent it from being viewed as purely an internal audit requirement. Internal audit managers presented the BSA concept, including industry standards and a proposed application at First Union, to the bank's senior management in early 1996.
The business need, as presented by internal audit, was primarily based on several organizational challenges. One such challenge was, and still is, First Union's tremendous growth (Exhibit 2). Since 1984, First Union has completed 70 acquisitions, an average of 5.4 acquisitions per year. In addition, First Union senior management issued new performance targets for the corporation in 1997, raising the bar substantially to meet shareholders' and Wall Street analysts' expectations. Therefore, the question was, How will First Union effectively achieve these aggressive growth plans in a controlled manner? The answer is business self-assessment.
Senior management agreed to augment the internal audit function with a business-unit-owned, risk-management process. Soon after the presentation, a corporate directive was issued to all business units requiring the implementation of business self-assessment.
BUSINESS SELF-ASSESSMENT AT FIRST UNION HOME EQUITY BANK
First Union Home Equity Bank (FUHEB) (Exhibit 3) was the first business unit to implement a formal BSA program in First Union Corporation. FUHEB began formulating its BSA strategy in third quarter 1996. The FUHEB BSA team issued a policy statement on September 16, 1996, indicating its commitment to incorporate BSA into FUHEB operations.
To initiate implementation, the FUHEB risk-management and First Union internal audit divisions worked together in September 1996 to complete preliminary risk assessments of each functional unit. The assessments were conducted during meetings with functional unit managers. A meeting facilitator asked the managers to explain briefly the main responsibilities of the unit. Then the facilitator led a discussion to identify the key risks and controls for these processes. The output of these meetings was a completed risk and control matrix (RCM) (example, Exhibit 4).
In early January 1997, the FUHEB BSA team held concept meetings to construct the FUHEB BSA program. The BSA team based the program on three core principles:
to educate teams to self-monitor risk;
to build a quantitative risk-scoring methodology;
to create frequent results reporting.
To sustain these core principles, the program needed specialized tools to provide functional units with specific risk-identification and control-measurement capabilities.
The risk-identification process is accomplished through the facilitated workshop approach from the control self-assessment. As discussed earlier, CSA promotes the use of facilitated workshops to discuss business objectives, obstacles (or risks) to achieving those objectives, and the controls needed to mitigate those risks. CSA encourages functional unit management to include all functional unit associates in the risk and control identification process.
The BSA team used a widely known measurement technique called the balanced scorecard (BSC) to provide the measurement and reporting mechanics of the program. The balanced scorecard theory, formulated by Robert Kaplan and David Norton, advocates a multifaceted performance view of an organization by using "measures of past performance with measures of the drivers of future performance."5 The development and monitoring of scorecard-like measures provide a method to quantify the level of risk associated with the business objectives identified during the CSA workshop. Combining the methodologies of CSA and BSC provided a strong foundation on which to build the FUHEB BSA program.
THE FUHEB BUSINESS SELF-ASSESSMENT PROGRAM
The FUHEB BSA program begins with the BSA team gathering information about the unit to tailor an implementation strategy. The BSA team member reads policies and procedures manuals, reviews work flow analyses, and refers to prior audit reports to learn about the unit. The BSA team member then meets face-to-face with the manager to gain an overview of the business processes and to discuss the desired results of the process. During this preliminary meeting, or contracting session, the BSA team member and unit manager agree on responsibilities and develop the workshop calendar. This preliminary planning is vital for a successful program.
CORE PRINCIPLE 1: THE RISK WORKSHOP
The workshop is designed to meet the business and time demands of each unit. In some cases, it may not be appropriate to include everyone on staff, as recommended by the CSA methodology. The objectives of this formal workshop can be achieved by working exclusively with the unit manager and unit supervisors. However, the lost benefit from this approach is the risk education of all functional unit employees.
The workshop format presented is offered as a guideline, not the rule. The workshop is divided into five two-hour sessions. After the sessions are complete, functional units will be able to begin reporting control data that requires only a minimal amount of time to complete each month. A description of the five sessions and their goals follows:
Session 1: Introduction to Risk Management and the BSA Program
The first session focuses on workshop expectations and risk education. The BSA team describes to participants the objectives of the workshop and the timeline for completion. The BSA team presents the history of business self-assessment at FTU, FUHEB, and other companies. The group learns the definitions for many BSA terms (for example, risk, control, risk and control matrix, functional unit self-assessment).
Session 2: Business Overview
This session is devoted to understanding the business objectives and major operational processes of the functional unit. Session 2 begins with a recap of Session 1 including a question and answer period about BSA terminology. Then, the group discusses the major functions and processes of the team in order to correlate to the unit's business objectives. The BSA team facilitates a discussion for each major process to understand the subprocesses. During Session 3, this work will be used to identify and document risks.
Session 3: Development of the Risk and Control Matrix
Using the process information from Session 2, participants discuss each subprocess and its relative risk importance. We complete the standard risk and control matrix in order to adequately document all risks inherent to the unit's operation. For some units, the two-hour time allotment may not be sufficient. The BSA team and functional unit team leaders should attempt to estimate this time during the preliminary meetings.
Session 4: Development of the Functional Unit Self-Assessment
The objective of this session is to create the self-assessment tool based on the risk data from Session 3. Each identified risk must have a control in place to monitor and mitigate the occurrence of the risk. The functional unit self-assessment, or FUSA, is the document the unit uses monthly to report its control measure performance to the BSA team for inclusion in the monthly FUHEB risk report. The group identifies the control measures with goals and weightings (percentage of impact to the total score).
Session 5: Success Planning
Some control measures may not be in place, or an existing control may need a modification. This session is devoted to understanding the control gaps, then creating a success plan to implement or fix a control. The BSA team provides an example of the success plan format. The functional unit agrees to submit its action plan by a specific date. The workshop ends with the completion of this session. At this point, the BSA team transfers ownership of the BSA program so that the unit manages its own BSA program.
Here are some important points to remember about the workshop. The BSA process can be perceived as a change in operations. The team members may expect process improvement or simply want to voice opinions about issues. All conversations must be controlled to maintain the agenda and achieve workshop results. Therefore, the facilitator must have strong facilitation skills. To allow the facilitator to guide each session, a scribe is needed to document all activities of the workshop. The BSA team is responsible for using the information gained during prior sessions to prepare for each subsequent session and to build the RCM and FUSA for the unit. All unit employees should have the opportunity to review the RCM and FUSA prior to building the risk score of the unit with actual performance results.
A SUCCESS STORY: PROBLEM ASSETS
The success of any BSA program is measured by the performance improvement achieved by a functional unit. If properly implemented, the program offers the unit the capability to analyze performance trends, then enact change to significantly reduce potential risk. The problem assets team at FUHEB accepted the challenge by admitting its operational problems, learning a new method to monitor performance, and improving its control environment.
A critical function of any lending institution is the management and resolution of nonperforming assets. The team manages the foreclosure, bankruptcy, and real estate owned processes. During these processes, an important consideration for the team is to comply with state and federal regulations regarding the collection efforts for severely delinquent accounts to protect consumer rights. The following are other critical elements of the problem assets process:
to work accounts proactively along prescribed process steps;
to execute all legal documentation appropriate to secure FUHEB's lien position;
to obtain regular updates from attorneys, trustees, and courts;
to determine the proper course of action regarding real estate owned;
to maintain a sound loss-forecasting methodology to predict income statement impact.
In the last quarter of 1996, the problem assets team implemented significant process changes, realized an increase in nonperforming account balances, and received negative comments from an internal audit review. These events prompted management to ask for assistance from the BSA team to implement a BSA program. The BSA team began working with the problem assets team in January 1997. Using the preliminary audit work from internal audit and FUHEB risk management, the BSA team recommended to proceed with an abbreviated risk workshop to quickly implement new or revised control measures. The workshop began in March 1997.
A critical discovery during the workshop was the absence of any management reporting to monitor the stages of the account resolution process. Specifically, an account analysis was not completed for most accounts using an independent property appraisal to determine the bank's equity position. This analysis is crucial for a decision to proceed with foreclosure or to charge off the balance. Furthermore, the account charge-off approval procedure did not have sufficient oversight and documentation. These and other risk points revealed during the workshop discussions provided a baseline for creating a defined control-monitoring system.
The initial functional unit self-assessment was drafted in April 1997. The BSA team encouraged the use of performance measures already in place. Using the potential risks for each process weakness, the problem assets team developed 23 control measures. Of the 23, only 3 were actively monitored to ensure a controlled process environment. During April 1997 and May 1997, the BSA team assisted the problem assets team in identifying the data sources and appropriate measure calculations for the functional unit self-assessment. The problem assets team began reporting its risk performance for the July 1997 operations month. Since July 1997, the problem assets team has made progress; Exhibit 6 demonstrates the improvement for three control measures.
The results for the problem assets team have been very positive. The performance data provides valuable facts for the team to make informed business decisions to effect process improvements. The risk environment is more controlled and understood. Other benefits of the team's BSA program include increased awareness of all team members of the need to actively manage risk, a work flow database to support operations, and an improved loss forecast projection methodology that enhances the FUHEB budget planning effort.
COMPREHENSIVE, FLEXIBLE TOOL FOR RISK MANAGEMENT
The problem assets team is one of 14 FUHEB functional units monitoring risk performance with the BSA process. FUHEB has experienced improvements in monitoring its level of risk since beginning risk self-assessment in these units. In June 1997, there were a total of 127 control measures being reported, with 38.6% of the control measures potentially posing a risk due to below-goal performance. In comparison, the "Line of Sight" risk report for May 1998 included 151 control measures with only 9.3% posing a potential risk. These statistics show that even though more control measures are being monitored than last year, more are performing at acceptable risk levels.
FUHEB believes the BSA process affects the business in numerous ways. Communicating the control structure internally reduces the uncertainty of negative consequences to business. The risk-performance results are used to facilitate conversations with the bank's regulatory agency. This allows FUHEB to address issues proactively without waiting for an audit. In addition, the BSA process increases accountability on process owners for the results of the business actions they take. The BSA team plans to have all functional units reporting in 1998 to generate a company risk score.
For First Union Corporation, more business units are adopting BSA. The implementation of BSA enterprisewide has been primarily left to the individual business units. During the last 12 months, five other First Union business units have been formulating a BSA strategy. The internal audit division strongly encourages each business unit to develop a BSA process by mentioning the absence of the program in the annual business unit audit report. Internal audit developed a standard approach for reviewing the BSA program. The integrated risk-management self-assessment scorecard (Exhibit 7) provides the 11 requirements in four categories of a BSA program. The internal audit division will score each business unit's BSA program. Through this scorecard approach and by assigning accountability, the proliferation of BSA programs will undoubtedly increase.
The Institute of Internal Auditors continues to believe CSA will be an important part of the auditing function in the future. Since the practice of risk self-assessment is growing rapidly, the IIA has organized a learning and resource center for professionals engaged in CSA. The CSA Center directs research on the topic, sponsors CSA conferences, publishes a CSA magazine, and maintains a standards statement to include in IIA's governing audit standards and practices.
Risk self-assessment helps an organization dynamically monitor its potential risk exposure in any area of its business. As a result, a comprehensive and flexible risk-management practice can prevent damaging financial loss and image problems. If your organization does not have risk self-assessment, remember the following statements: What you don't know will hurt you. And what gets measured, gets prevented.
ENDNOTES
1 "Sumitomo President Blames Lone Trader for Losses," CNNfn, June 14, 1996.
2 "Hackers Take Innocent Route over ViR Arrests," Newsbytes News Network, March 26, 1998.
3 "FBI Warns Congress of Hacker Attacks," Newsbytes News Network, March 25, 1998.
4 Control Self-Assessment: Experience, Current Thinking, and Best Practices, The Institute of Internal Auditors Research Foundation, 1996, p. 1-2.
5 Robert S. Kaplan and David P. Norton, Translating Strategy into Action: The Balanced Scorecard (Cambridge, Mass.: Harvard Business School Press, 1996).
TIM CABLE is a business self-assessment analyst with First Union Home Equity Bank, a subsidiary of First Union Corporation, Charlotte, North Carolina.
Copyright Institutional Investor Systems, Inc. Winter 1998/1999