The Evolution of Risk Reporting

By Cory Gunderson, Managing Director
Global Leader, Financial Services Industry



One of the key questions financial services firms ask every morning is, “Am I riskier today than I was yesterday?” Institutions need to know whether their risk profile has changed, and why. In such a highly competitive industry and a constantly evolving economic environment, knowing how and why their risk profile is changing – or is about to change – is a significant advantage because it can enable them to capitalize on potential business opportunities or to mitigate risk. Having a holistic, real-time view of risk also helps firms meet the heightened expectations of regulatory agencies across the globe.

The Protiviti Risk Index™ is a technology tool and corresponding methodology that enables firms to assess their risk exposure with confidence. It is simple and scalable, and it can be as close to real time as the underlying data allows. The solution is designed to capture, calculate and help management evaluate a large volume of complex risk measures, and to distill them into a single-number snapshot.

The methodology then allows risk managers, stakeholders and executive management to drill down into that number to understand its drivers and take action. It is strategic because it is built around the risk measures most closely linked to the organization’s strategies, goals and business objectives.

The solution can be designed at an enterprise level, a divisional level or an individual business-unit level, or within specific geographic regions, or to solve a specific business problem like measuring data quality or levels of model risk. Because the tool is highly customizable, leading indicators and risk measures can be displayed to present the firm’s risk exposure in different ways.

The Protiviti Risk Index™ has been designed to let users drill down into core components derived from principal or material risks and into the specific measures or indicators (qualitative and quantitative) aligned to the firm’s strategy. As an accelerator, Protiviti also brings a library of best-in-class metrics and measures drawn from its experience, a mix of leading and lagging indicators that can be used within any customized index.

A highly engaging, user-friendly tool, The Protiviti Risk Index™ utilizes intuitive data visualization software that allows the dashboard to be customized to a particular user, who gains access via computer or mobile devices using a mouse or touchscreen technology. It scales readily from phone to tablet to laptop and desktop.

Supporting a multitude of platforms and programs, including risk appetite, board and executive risk reporting, The Protiviti Risk Index™ is also aligned with many of the key principles from the Basel Committee on Banking Supervision’s guidance on risk data aggregation, BCBS 239, which was designed with the goal of strengthening firms’ risk data aggregation capabilities and risk reporting capabilities.

Firms gain valuable insights from using The Protiviti Risk Index™, as it efficiently focuses attention on the highest-priority items in an intuitive and straightforward manner while proactively addressing key risk management issues – a much-needed advantage in this crowded and fast-changing marketplace.

CECL/IFRS 9 Update: New Credit Impairment Model Deadlines and Implementation Considerations



By Charlie Anderson, Managing Director, Model Risk Management

and Charles Soranno, Managing Director, Financial Reporting Remediation & Compliance

As Protiviti reported back in May, the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) have been looking for lessons in the global banking crisis of 2007-08 and have come up with new forward-looking predictive models for financial institutions to use when estimating how much to reserve against potential loan losses.

The FASB’s CECL model will become effective in 2020 for SEC filers, while the IASB’s International Financial Reporting Standard 9 (IFRS 9) takes effect in 2018 unless early adoption is elected. Protiviti strongly recommends immediate action because of the extensive changes in data-collection practices, systems configuration, loan classification and risk modeling required by the change.

The new impairment model from FASB, which applies to banks, savings and loans, credit unions, and non-bank lenders in the United States, and global institutions traded on U.S. exchanges, is called Current Expected Credit Loss (CECL). Final guidance on the model was issued on June 16, 2016. The new impairment model from IASB, which applies to institutions based outside the United States, is a part of IFRS.

For a detailed analysis of these new methodologies, see Protiviti’s Point of View briefing, Impact of the New Current Expected Credit Loss (CECL) Methodology, and the companion paper, IFRS 9 Impairment — Practical Implications. Both models are discussed, along with implementation considerations, in our Aug. 17 webinar, “Impact and Challenges of CECL and IFRS,” available in our online webinar archive.

The methodologies are similar in that they both replace traditional reserve requirements based on historical losses with new predictive models incorporating past, present and future data, as well as market intelligence and macroeconomic trends. The primary difference is that IFRS 9 uses a three-stage loan classification model not included in CECL.

The basics of these two methodologies have been covered in our previous blog post, so we don’t want to rehash them here, but we do want to share some implementation considerations we discussed in the webinar. Successful implementation is going to require an enterprisewide effort with input from most, if not all, departments. Some of the bigger details to be worked out include:

  • Gathering required data assets/history to feed the new model requirements
  • Creating underlying models and IT infrastructure for determining the required reserves
  • Identifying required business process updates, along with resources required to validate the updated reserving methodologies

Specific deadlines for CECL include:

  • SEC filing institutions effective for years beginning after Dec. 15, 2019
  • Non-SEC filing public business entities effective for years beginning after Dec. 15, 2020
  • All other entities, plus nonprofit organizations, effective for fiscal years beginning after Dec. 15, 2020, and interim periods within fiscal years beginning after Dec. 15, 2021

IFRS 9 is effective for all entities for annual periods beginning on or after Jan. 1, 2018, but firms may choose to adopt the standard early.

Protiviti is already working closely with clients to help them prepare, and we encourage all financial institutions to act without delay. We fully expect practical issues and questions to be raised during the implementation and auditing phases, and further evolution of the guidance is quite likely. Financial service organizations need to start assessing the implications of these approaches sooner rather than later.

Thank you to Protiviti Associate Director Benjamin Shiu for his contributions to our CECL and IFRS 9 materials as well as our webinar.

FCPA and the DoJ: Compliance Beats Defiance

By Scott Moritz
Managing Director, Protiviti Forensic




I’ve written before about how the Department of Justice (DoJ) is stepping up efforts to root out and prosecute corporate fraud, particularly bribery and corruption, under the Foreign Corrupt Practices Act (FCPA). One of the biggest complaints I’ve heard from clients and their counsel is that the credit granted to companies that self-report, in the form of reduced fines and disgorgement, has varied widely, and that some have found it difficult to calculate the potential benefit of self-reporting.

The DoJ recognizes this perceived disparity and in April launched a pilot program to encourage corporate compliance. It offers up to a 50 percent reduction off the bottom of the applicable fine range under the Sentencing Guidelines for companies that voluntarily self-report FCPA violations, cooperate fully with investigators and remediate, including taking measures to prevent future misconduct.

In May, Protiviti held its first FCPA and Anti-Kleptocracy Conference, bringing corporate executives and compliance officers together with government corruption investigators in a neutral environment to share ideas and build constructive alliances. It was a lively exchange. I came away with a lot to think about, and I’ll be sharing some of it here on The Protiviti View, beginning with this post on compliance considerations.

Last year, the Department of Justice signaled an increased focus on corporate crime and international corruption with the creation, in March, of three dedicated FCPA squads, and a subsequent memo from Deputy Attorney General Sally Quillian Yates to DoJ attorneys on the importance of holding individuals accountable in corporate prosecutions.

At the same time, to encourage corporate cooperation and transparency, the DoJ began touting incentives, such as reduced penalties, for executives and corporations that demonstrate good faith in the investigation and a proactive stance toward prevention going forward. The recently announced pilot program is a good example of that. With so much to gain from cooperation and so much to lose, compliance has never been more important.

One of the speakers at the FCPA conference was Laura Perkins, an assistant chief in the DoJ’s FCPA unit, where she supervises and prosecutes FCPA cases against individuals and companies. According to Perkins, one of the first things the DoJ looks at, upon responding to an incident, is the quality of a company’s compliance program and controls. They initiate discussions with the company and quickly begin to form opinions about how transparent and cooperative the organization is going to be in the investigation.

The DoJ will ask about compliance programs prior to the incident, efforts to find root causes, discipline of responsible parties and actions taken post-incident to prevent future corruption.

Perkins mentioned that one of the more significant changes within the DoJ is its retention of a compliance counsel – someone who attends compliance meetings at target companies to get an inside picture, as well as helps some of the trial attorneys who don’t have as much exposure to compliance and controls and what they should look like.

When it comes to discipline, the DoJ isn’t as concerned with outright dismissal as it is with ensuring that the punishment fits the offense. For minor infractions, training is often sufficient. The important thing here, from a compliance perspective, is being able to document and demonstrate the controls and practices in place to ensure FCPA compliance, the mechanisms in place to detect violations, and the rigor and sincerity of corrective efforts to prevent future violations.

From my perspective here at Protiviti, I would add that the best compliance programs are those based on real-world examples. There is much that can be learned from the mistakes of others and from the open exchange of ideas – which was one of the primary motivations for our FCPA conference.

Finally, I would note that a strong anti-corruption culture discourages corrupt parties from targeting your organization in the first place. Here’s what such a culture looks like, according to the DoJ:

  • Sufficient compliance-dedicated resources;
  • Competent compliance personnel who are sufficiently compensated and promoted;
  • Compliance function independence and reporting structure;
  • Compliance program crafted from an effective risk assessment; and
  • Compliance program audited regularly to assess its effectiveness.

In future posts, I’ll examine the DoJ’s pilot program in greater detail, discuss ways to avoid FCPA successor liability through acquisitions and contracts with third parties, and address some other topics discussed during our FCPA and Anti-Kleptocracy Conference.

PCI DSS 3.2 – What You Need to Know

By Jeff Sanchez, Managing Director, IT Security and Privacy

and Scott Laliberte, Managing Director, IT Consulting

We’ve been getting a lot of inquiries from clients on the new Payment Card Industry (PCI) compliance standard issued by the PCI Security Standards Council in April. The new Data Security Standard (DSS) release, PCI DSS version 3.2, contains some major changes from the previous version.

The changes are explained pretty clearly in our May 9 Flash Report, but we recently had the opportunity for a more interactive discussion and to answer questions via a webinar we held on August 18. In a future post, we will follow up with some of the questions we did not have a chance to address. Here, we’d like to focus on the upcoming changes.

Some of the upcoming changes may require a significant effort to achieve. This affects all entities transacting business by credit, debit or cash cards and could result in many organizations being out of compliance for an extended period of time.

The biggest changes affecting all organizations (effective Feb. 1, 2018) are as follows:

  • Multifactor authentication (MFA) will be required for all non-console administrative access to systems within, or connected to, the cardholder data environment (CDE), even when the connection originates inside the corporate network. In addition to a password, the administrator must present at least one other independent factor, such as a hardware or software token, a smart card or a fingerprint. The standard already required this for remote access from outside the network by users, administrators and third parties. Note: Companies currently listing multifactor authentication as a compensating control for some other technical noncompliance will no longer be able to do so once it becomes a requirement in its own right.
  • File integrity monitoring (FIM), or an equivalent change-detection solution, will be required for all in-scope systems, which includes all systems connected to the CDE, not just those within it. Many organizations do not currently have FIM technology on point-of-sale terminals or administrative workstations.
  • Change management is an area of increasing concern for the Security Standards Council. PCI DSS 3.2 requires organizations to document all changes to in-scope systems, along with any controls that might be affected by each change, and to show that the affected controls were retested after implementation and that corrective action was taken, if needed, to restore an effective control environment.

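As an added illustration of the change-detection requirement above (example code written for this page, not code from the original post, from Protiviti or from any FIM vendor), the following Python script is a minimal file-integrity monitor: it baselines a directory tree’s SHA-256 digests and permission bits, persists the baseline, and on a later scan reports files that were added, removed or modified. The point-of-sale file tree and the tampering it simulates are constructed inside the script so it runs offline; the paths and file names are assumptions for illustration only.

```python
"""Minimal file-integrity monitoring (FIM) for a directory tree.

Build a baseline of SHA-256 digests and permission bits, persist it, then
compare a later scan against it and report added, removed and modified files.
The sample tree under demo() is constructed here so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to digest and mode.

    Permission bits are recorded as well: loosening the mode on a binary or a
    key file is a change-detection event even when the content is untouched.
    Symlinks are skipped so an attacker cannot point the monitor elsewhere.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": hash_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline as JSON. In production keep this copy off-host or
    sign it; a baseline the attacker can rewrite detects nothing."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake point-of-sale tree, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos"  # hypothetical POS install root
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "pos.conf").write_text("gateway=https://pay.example\n")
        (root / "etc" / "tls.pem").write_text("-----BEGIN CERTIFICATE-----\n")
        (root / "bin" / "posd").write_bytes(b"\x7fELF\x02\x01\x01")
        os.chmod(root / "bin" / "posd", 0o755)

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: config edited, binary made world-writable,
        # certificate deleted, unexpected script dropped in.
        (root / "etc" / "pos.conf").write_text("gateway=https://evil.example\n")
        os.chmod(root / "bin" / "posd", 0o777)
        (root / "etc" / "tls.pem").unlink()
        (root / "bin" / "dump.sh").write_text("#!/bin/sh\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter more than the hashing itself. First, the baseline must live somewhere the monitored host cannot silently rewrite (off-host, or signed), otherwise an attacker with administrative access simply re-baselines after tampering. Second, PCI DSS requirement 11.5 asks that the mechanism alert personnel and perform critical-file comparisons at least weekly, so a real deployment schedules the scan and feeds the diff into an alerting pipeline; the script above only returns the diff.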
Service providers face even greater scrutiny under the new standards.

  • Security control monitoring must be able to detect failures of critical controls, and the provider must have documented processes for responding to them: restoring the control, documenting the failure, determining the root cause and getting the affected security systems back into operation.
  • Executive management responsibility is another hot-button issue. PCI 3.2 requires service providers to assign a member of executive management to be responsible for protecting the CDE. This executive will oversee testing and sign an attestation of compliance.
  • Operational reviews must be conducted quarterly. Service providers are required to perform quarterly reviews of operational processes, including, but not limited to, daily logs, firewall rules, configuration standards, security alerts and change management procedures.
  • Penetration testing on segmentation controls will have to be conducted at least every six months under PCI 3.2, versus annually in 3.1. The scope of penetration testing needs to be coordinated to ensure that the CDE remains secure, even in the event of a total administrative takeover of a segmented system.
  • Service providers are also now required to maintain, and be able to show assessors, a documented description of the cryptographic architecture used to protect cardholder data. This must include all algorithms, protocols and keys used for that protection, including each key’s strength and expiration date.

PCI DSS version 3.2 is available for use now and becomes the only valid standard when version 3.1 is retired on Oct. 31, 2016. However, many of the new requirements in 3.2 are treated as best practices until Jan. 31, 2018 and become mandatory on Feb. 1, 2018. As we said in the webinar, we strongly recommend that organizations work with a Qualified Security Assessor now to ensure compliance and avoid unpleasant surprises under deadline pressure.

Global CAEs Seeing Regulatory Convergence

By Frederick Magliozzi, Managing Director
Internal Audit and Financial Advisory



At The Institute of Internal Auditors International Conference in New York this July, I had the privilege of moderating a panel of CAEs on global audit issues, emerging risks and challenges in the financial services industry.

We had a large international group, including hundreds of CAEs, who were eager to hear from our panelists representing some of the world’s largest financial institutions. Among the panelists were Mark Carawan, CAE of Citi; Naohiro Mouri, Chief Internal Auditor of AIG Japan Holdings; Nicola Rimmer, General Manager Audit at ANZ Bank; and Stephan Schenk, Executive Vice-President and Chief Auditor at TD Bank.

Panelists began with a discussion of the evolving risk landscape. As you might imagine, fraud, reputation and cybersecurity topped the risk list, with cloud risk rising in response to growing demand for mobile banking and big data analytics.

Although those risks are not necessarily new, the conversation focused on ways the internal audit function is evolving to stay ahead of the risk curve. Panelists emphasized the importance of continuous monitoring and the need for audit automation, digitization and more sophisticated tools to support the ascendancy of internal audit into a more strategic role as risk advisor across all lines of defense.

The need for the implementation of new audit technology and ongoing training in how to make the most of these new and sophisticated tools was a recurring theme, echoed in a subsequent question about the future of the internal audit function. Our panelists all emphasized the critical need for internal auditors to be able to anticipate and identify potentially disruptive risks and work closely with first-line managers to bring value-added mitigation recommendations to the table.

For me, the biggest takeaway from the discussion was the consensus, among both panelists and the CAEs in attendance, that regulators around the globe are beginning to align their efforts, particularly in areas such as anti-money-laundering (AML) and the Bank Secrecy Act (BSA).

There seems to be a growing acknowledgement that money knows no borders. Regulators from various geographies around the globe are in much closer communication than ever before. They communicate regularly and they are creating a lot of pressure for financial institutions to make sure they are addressing risks — not only strategic risks, but local regulatory risks. And they are interested in the credentials of the people assigned to watch over these risks, to ensure technical competency.

From an internal audit perspective, this future state of increased regulatory cooperation and scrutiny demands robust risk assessments and risk training, to ensure that stakeholders understand all of the significant risks institutions face. Current regulatory hot buttons include: vendor risk management, AML/BSA, and cybersecurity to name a few.

In closing, I’d emphasize again that when it comes to internal audit, the tendency is toward unification – this includes the ability to see the big picture, connect the dots, articulate interdependencies and collaborate. Regulators increasingly practice the same. For a more in-depth analysis of global regulation, I’d recommend our recently published white paper, The Challenges of Running a Global AML Program. Your thoughts and comments are appreciated, as always.