How do we determine the “Year of Compliance” {“YOC”}? We’ve been asked this so many times, I thought it was finally time to put this in writing as a planning tool. The FDICIA compliance trigger is $1 billion in assets (at the Bank level – holding companies are officially not part of this, even though we recommend inclusion). The SOX trigger is based on the company’s market cap level (but the FDICIA planning example below “retrofits” easily). For FDICIA, The Year of Compliance is the year that opens with assets exceeding $1 billion. For example, if a Bank ends 12/31/17 at $1 billion, 2018 becomes the YOC. Here’s how we might phrase the “are we compliant?” question: On the final day of the YOC (12/31/18 in our example), have the financial controls underlying the preparation of our year-end audited statements as well as our four Call Reports, been identified, articulated, and tested to a zero tolerance standard for the the entirety of the year just past? (add 3 Q’s and a K for SOX) That “entirety” word begs the question of being fully “ready” on January 2nd of the YOC (we’ll still give you New Year’s Day off). What does this mean for project planning? In the 25 or so FDICIA/COSO/SOX projects that we have facilitated, occasionally an institution has waited until they were actually “in” the YOC. Being ready entering the year is smarter, better, more productive, less chaotic, and overall, more valuable as an introspective controls exercise. In many cases, banks have elected to prepare a full year in advance in order to have a “practice” year ahead of paying for testing. In this example, we would recommend that the controls matrix be fully articulated and ready for sample testing no later than September 30 of the year before the YOC (or 3 months ahead of the fiscal year-end if other than a calendar year). Our typical project plan runs from planning to kick-off to subject-matter interviews/sessions to controls drafts to controls review and edit and on to controls sign-offs. Our facilitation and execution of such takes approximately 25 days over a 3 to 4 month period. Therefore, a project start of June 1st makes sense; and allowing for a two-month resource drain as folks take their summer vacations, we might look backwards to April, March or even February to get going. There is no downside to being ready early! What else comes into play? We’ve experienced two significant changes that influence this standard timing; a new CFO or a core system conversion. A FDICIA/SOX/COSO project provides an incredibly valuable and efficient look at the entirety of the financial process details for a newly installed CFO. In some cases, we have stalled implementation waiting for the arrival of the new CFO; in other cases we have started sooner to provide this “look”. A core conversion often provides an opportunity for banks long compliant with FDICIA to perform a “refresh”. For a newly minted billion dollar bank, the conversion does provide a challenge. The YOC may be a split year, partially on two different systems. However, offering a little perspective, we typically ID 100-120 controls in our projects. Approximately 20 to 25% of those will be core system specific. All other financial controls are likely not impacted by the core change. Examples: policies, payroll processes, underwriting processes, investment processes and accounts payable processes are not governed by the core. In addition to our controls matrix, our projects also include a management assertion narrative that aligns with COSO’s 17 principles and 87 focus points. This narrative tackles many of the so-called entity-level controls. This component of the project is a bit of a caboose. Critical timing within our example? Approximately October 15 of the YOC, basically in time for your external firm’s preliminary interim visit ahead of year-end. Our overall message? Be proactive, your institution will benefit. ---------------------------------------------------------------------------------------------------------- Authors note: After penning YOC, I decided to Google YOC to make sure I wasn’t embarrassing myself in this day and age of text shorthand and acronyms gone wild. I found five: YOC = Your Opinion Counts YOC = Yearly Ownership Cost YOC = Years of Coverage
YOC = Year of Conception
And, direct from the texting world …. YOC = You on Crack?

Community Banks, Integrity, and the Issue of Trust

Ron Petersen, The Navis Group

As we contemplate the stunning revelations that have come forth from the Wells Fargo scandal, and the similar circumstances that seem to have been involved in the recent findings of the Consumer Financial Protection Bureau of unethical and fraudulent collection practices by the Navy Federal Credit Union, I am reminded of one of the paradigms that I discovered in my twenty years of experience in two major corporations dealing with ethics, integrity, compliance, and investigations. What further spurred this contemplation was a story in my local newspaper that reported that the former treasurer of the Bourne, Massachusetts Parent Teacher Association had been arrested for embezzling more than $25,000. In my current role as a consultant to the community banking industry, I constantly encounter the “it can’t happen here” response, and that the relative smallness of an organization provides some sort of shield from fraudulent, unethical behavior. The Bourne story, along with many others, proves beyond a doubt that fraud and ethical misconduct can and does occur anywhere. A basic principle that appears to be involved in nearly every fraud is what I have come to call the trust paradigm. First, let’s be clear; trust is an essential element in the culture of any organization. Managers and leaders must have trust in their subordinates and employees must have trust in management and leadership. Lack of trust in any area can create a toxic environment that can threaten the success of an organization. Organizations thrive on trust, but the other side of the coin is, so do fraudsters. Fraudsters trust you and your organization in many ways, including: · They trust that you will trust them, and not question them too closely about their work. · They trust that your Code of Ethics is just a document that your organization has because it is required, and that nobody pays it much mind. It exists on paper, but not in the heart and mind of the organization. · They trust that your whistleblower process exists on paper, but they don’t view it as much of a threat. They trust that whistleblowers will be ignored, or better still, retaliated against. · They trust that your internal controls are weak and unmonitored. · They trust that your internal investigation process is ill-defined, weak, seldom used, and ineffective. There are two approaches to addressing the trust paradigm. One is to become cynical of everyone and everything. Assume that all employees will commit fraud and that all anomalies are indicative of fraud. This, of course, is a non-starter. Most employees want to do the right thing, are ethical, and do not commit fraud. The toxic atmosphere created by a culture of non-trust would be devastating to the organization. Rather than cynicism, leaders and managers should develop an approach of “healthy skepticism” along with an overriding spirit of trust. Ask questions about anomalies in results in a consistent, non-judgmental way, and be sure that you fully understand the cause and results. In other words, turn over the rocks in the road when you find them every time. Encourage a speak-up culture, and take the concerns of your employees seriously. If you do these things consistently, your employees will interpret it as the actions of an interested, concerned and supportive boss, rather than the arbitrary actions of a cynic. Leadership can support the effective navigating of the “trust paradigm” by insuring that a genuine culture of integrity thrives in the organization. You will never be able to prevent all misconduct, but an effective culture can enable you to quickly identify aberrations so that you can address them promptly, before they can cause real problems. Here is a series of questions that we encourage the leadership in our client organizations to contemplate introspectively when evaluating the overall culture of integrity in his/her organization: · Is our Code of Conduct comprehensive? Is it written in plain English in a manner to provide meaningful guidance to our employees in making ethical decisions, or is it legalistic, arcane, and written more to protect the institution? · Do the board and the leadership team communicate the importance of the Code and the institution’s commitment to integrity in a meaningful and effective way and on a regular basis? · Is the board effectively and publicly invested in the integrity of the institution? Is someone on the leadership team responsible for reporting to the board on this issue on a regular basis? Does the board spend meaningful time on components of your integrity program? · Is our process for receiving employee complaints clear, accessible, inviting, and well-publicized, or is it vague, obscure, and discouraging? Can an employee who wishes to report anonymously do so with complete confidence? Can we truly say that we have a “speak-up culture”? · Do we have an effective investigative process where complaints and allegations are investigated promptly, professionally, and objectively? Are the consequences of our investigations applied consistently across the organization? Do our employees believe that we have “organizational justice”? · Do we provide effective and regular training across the organization reinforcing the Code of Conduct and our expectations of ethical behavior? These questions provide a starting point for the evaluation of your integrity infrastructure. If you pursue this exercise, other questions will undoubtedly arise. The Navis Team has the experience and expertise to help you navigate this process and to take effective action to tune up your infrastructure. Many of the institutions where we performed the COSO exercise had good “check the box” compliance with the integrity and governance principles (1-5), but that is not enough in the post Wells Fargo era. Regulators have already served notice that they will be searching for similar symptoms in other banks. With focused attention on the process described above, you can move your institution from a “fraud won’t happen here because we are small and local” approach to a “fraud is less likely here because of the persistent attention that we place on our culture of integrity and its underlying infrastructure”.

Adding a “CASH PLAN” to your Business Continuity Plan - Proactivity Beckons

 

Ever since Y2K, the concepts of disaster recovery planning, business continuity planning, and now cyber-security response readiness have become constant points of focus for all of us in our institutions. As our firm has conducted table-top tests year after year, we point our clients to the action verbs in those three concepts: recover, continue, respond. Those table-top tests all seemingly come down to the basic elements of communication and decision making, regardless of the specifics of the disaster. Taking inspiration from Edgar Allan Poe and Stephen King, we have fashioned hurricanes, tornados, pandemics and chemical spills requiring immediate evacuation. We have burned down buildings and shut off electricity and communications everywhere east of the Mississippi. We have played out terrorist activities that severely impact the flow of commerce. We haven’t yet rolled out our Zombie Apocalypse or the invasion of New England by Quebec, but stay tuned. Interestingly, an additional “basic” element has been emerging. It seems that many different scenarios result in fear and uncertainty that create a short-term cash economy. We’ve all considered this haven’t we? And we have almost always recalled the George Bailey moment in “It’s a Wonderful Life” as he doles out a limited amount of cash to an angry and nervous community of customers. Allow me to pose this as a list of questions. In a cash rationing scenario ….. · How much cash do we have on hand? (branches and ATMs combined) · How would we move that around if normal security is unavailable? (if armored delivery is not available) · What’s the “number”? i.e. how much would you allow each customer per day, and for how long? · What about the safety of your staff as they execute this unpopular strategy? · If we don’t have access to balances, now what? · Do we understand the stand-in limits on our ATMs? · What if the ATMs can’t communicate with their underlying provider? · Can we shut off foreign transactions? i.e. non-customers? Would we want to? Would be allowed to? · Can we get more cash from the Fed and/or other suppliers? · What are their plans? · And so on and so on ….. One of the frustrations of business continuity planning is the vagary and seeming “black-hole”, “rabbit-hole” as you ponder various scenarios. But, BCP is about minimizing surprises and limiting the decision tree encountered under adverse circumstances, so here’s something very tangible that may be planned well in advance under calm conditions. We do know how much cash we have on hand, and we certainly know how many deposit customers we have and where they are located. It seems like an Excel moment to me. What-if analysis could easily use a daily allowable disbursement number as a variable and then calculate how long your institution could continue along that path. So why not do that in a quiet moment and add an appendix to your plan? This is no small suggestion. As we do these table-top tests and the subject arises, we spend a significant amount of time and resources speculating with no data in front of us. In a crisis mode, every moment may be precious, so proactivity beckons.

The Rhythm of the Bank Year -
A Conductor's Musical Score for Efficient Risk Management

“Can’t see the forest for the trees” goes the old expression. Sting says it differently in one of his early solo songs – “Can’t hear the rhythm for the drums”. Sort of sums up a conundrum for the modern day banking risk manager; how to hear and be heard above the constant beating of the drums. There is always another new initiative “beating”; core conversions, loan system conversions, mobile banking, remote deposit capture, online loan applications, and so on and so on. There is always yet another audit to respond to; internal compliance, technology audits, loan review, and regulatory exam. And if the regulatory commentary is attached to “Matters Requiring Attention”, we’re dealing with a droning big bass drum. If the regulatory commentary is attached to a Board Resolution, we’re hearing a full conga percussion section in our sleep. And if the regulatory commentary is attached to a Cease and Desist Order, we may be hearing the full drum section of the University of Southern California’s marching band for months on end. “Tusk”, ad infinitum and ad nauseum, for you Fleetwood Mac fans out there. How does a risk manager rise above the din and provide value? How about capturing the rhythm of your bankyear? Or, probably better stated, how about suggesting a rhythm for the bankyear? Here’s what happens. This will sound familiar. We take the Information Security Policy / Program to the Board annually and provide a Board training session, complete with current results of our risk assessments and evidence of annual employee training compliance. Every year, same meeting, without fail or interruption? Coming off a handful of triage engagements in which client banks completely missed this annual “thing” by more than an annual interval, a “known” problem has been amplified. Nothing says “yikes” better than a good old-­fashioned Board Resolution. This is not to single out the Info Security folks by any means. Loan policies, Investment policies, and the entire family of silo’d risk assessments are in the mix as well. As professionals, how can we miss an annual requirement the size of a house? How? We’re busy. We get waylaid. If you’re in the middle of a full upgrade of your technology infrastructure, you might postpone the policy and risk work. Perfectly logical. And then the 9 month project ends up being 24 months because your core provider won’t support Windows 10, Internet Explorer 12 or Apollo 6, and the USB won’t talk to the VGA, HDMI, or CIA or some other inconceivable, unimagined speedbump rises up to rip the chassis off your ride. The policy and risk assessment update was scheduled (in its annual rhythmic flow) for April, 2015. We were only pushing it out six months to October, 2015, but by June, 2016, in marched the examiners, and the most recently approved doc we could throw at them was dated April, 2014. Oops! We of course argued that to risk assess systems in such a state of re-­build was not all that practical or useful. I needn’t tell you how that argument panned out. First question: at inception, before roll-­out, did the network architecture project consider the rhythm of the policy/program risk assessment necessity? Of course not. It was only going to be 6 months, remember? So how do we respond? We scramble to put in place an updated policy/program document and rush it to the Board to meet the deadline imposed by the Board Resolution. In my fictional composite example, that board update happens effective July, 2016. When do we re-­do? Next July, re-­setting the annual cycle? Why not April, honoring the original rhythmic logic? Oh ….. no logic! Or, another example. Remember how the examiners sliced and diced your institution’s loan portfolio starting back in 2009-10. “Reserve for this”, they cried. “Recognize impairment for that” they demanded. “Take the Loss.” “TDR it!” “Downgrade that one!” “Still not on non-­accrual?” ”No more commercial loans for you guys!” “Hmmmm, FAS 5 or FAS 114 or whatever new codification reference applies?” And you were supposed to remember to update the Loan Policy, Appraisal Policy, ALLL Policy and Concentrations of Credit policy and get it to the Board in its annual rhythm? Are you kidding me? Please recognize two components of this issue. One, management clearly failed to meet its reporting and compliance obligations. Two, the Board didn’t notice! Why not? Probably because no one heard the break in the rhythm. You know how cranky you get when your Internet speed can’t keep up with the buffering for the video you’re trying to watch? The regulators would tell you that the Board should be aware and be just as cranky. Let’s stick to the music analogy and talk about a proposed strategy. Classical children’s music’s best known piece may well be Sergei Prokofiev’s Peter and the Wolf. A risk tale. Each character in the story has his/her own musical theme or instrument. The main melody line representing Peter is performed by the string section, with the Wolf’s presence represented by a somewhat sinister “undercurrent” sounded by the French Horns. The bird is a flute, the duck an oboe, the cat a clarinet, Peter’s grandfather a bassoon. The hunters are represented by a woodwind theme, with gun shots on timpani and bass drum. And when they come together in various combinations, we get a rich and memorable symphonic rhythm. So how about hiring Prokofiev to write the bankyear score? Maybe he could make some sense of your departmental discordance and get everyone singing from the same hymnal. I’m guessing, however, that he would not work his story and his composition around an ill‐timed IT risk assessment or policy update just because the regulators forced your hand with respect to calendar placement last year. So how can you as risk manager convince that bassoon you report to that re-setting the harmony would be a good idea? As I think about the role of a newly minted risk manager and his/her Risk Committee (or risk committee-­ish reporting channels), I see an opportunity for an introspective and thoughtful look at the flow of a bankyear from a “blank canvas” perspective. Why does the Loan Policy go to the Board every November? Was/is the timing part of a master plan? Was the timing somehow considered to be the absolute optimal moment to update the policy and get full Board attention and consideration? Of course not. When the first push to establish a Loan Policy came from the regulators 25-­30 years ago, it may have been September, and November was the best we could do. The tradition was born, and optimal timing has never been a factor. Take this theory and apply it to the other 50 or 60 policies and myriad risk assessments and other reporting “stuff”, and there you have it – an ill-­conceived calendar – a discordant bankyear. Here’s a plan. Make a list. Check it twice. Got everything? Policies? Risk assessments? Role-­specific officer designations? Financial reporting requirements? Training requirements? Disaster planning? Business continuity planning? Budget planning? Succession planning? Strategic planning? Internal audit schedules? Intrusion and penetration tests? New initiatives? Insurance reviews? Performance/compensation reviews? Now, let’s lay out a calendar, identifying the two work periods that are available to us in any given year. Work period #1 is from January 2 to June 15. Twenty­four weeks. This work period might have some “slow” weeks embedded; school vacation weeks and the two weeks every February that the external auditors are on site. It’s good to recognize this. June 16 through August 31 is clearly not good for us; graduations and weddings in June, vacations during the summer, Wednesday afternoon golf, Tuesday evening golf league, Monday charity golf events and so on. If you’re not on vacation or on the golf course, people above and below you in the organization chart are on vacation or on the golf course. Work period #2 starts right after Labor Day and runs through November 21. Twelve weeks. In the six week period that ends the year, three holidays create the possibility of three short 3‐day weeks, but, in any event, only 3 full weeks are available at this point. Our priorities include holiday parties, holiday shopping, and using up that unused vacation time before we lose it. The hard cold fact? Only 36 weeks are available to do any meaningful stuff! So now we know everything that we need to accomplish each and every year and have realistically identified the time allotted to the task. Let’s use the GLBA information Security Policy / Program / Training as an example. Let’s try to get everything to the Board at the June meeting shall we? This might be part of master rhythm that has loan‐related items chiming in sometime in February; investment and ALCO items reaching a crescendo in April; IT risk performed as a duet with information security; and BSA, disaster planning, continuity planning as part of our Hallelujah Chorus heading into the holidays. Look backward from the June Board meeting. One week ahead of that meeting, everything needs to be wrapped up and ready to send in advance to our Board. Management may want to have blessed everything, so perhaps the Senior Management meeting in the first week in June is a good target. If we expect that our Risk Committee took a look at it, we might be talking about the mid‐May Risk meeting. Which means …. the information security officer needs to have the policy/program updates ready ahead of that meeting. Backing up, GLBA risk assessments would have needed to have been conducted during March and April, which means the ISO must have been ready for a kick‐off meeting on March 1st, following his/her planning starting on about February 15th. Annual employee GLBA training is probably tracking concurrently to be completed during the first quarter of the year. All of which essentially means that as soon as the ISO recovers from the New Year’s Eve hangover, this task commences, and the bankyear calendar needs to tell you so. What’s more normal in your institution? A May 1 wake‐up call that within 6 weeks, all this stuff has to get crammed into our schedule? As risk managers ask me what I think the risk committee agenda should look like, I’d like to be able to point to a logical bankyear rhythm and suggest that the risk committee remain 2 beats ahead of each major “thing”. In the example above, Board GLBA in June means Risk Com GLBA in May. Maybe Board DRP/BCP in November means Risk Com DRP/BCP in September or October. As you holistically view a bankyear, remember that other “intervals” remain important, other management committees and the bank’s Audit Committee. How does this help a Board? If I serve as a Director, and I am well versed in this musical score, I expect the string section to kick in at the beginning of the last movement and should notice if the music stops or is off-­key. Translated? If, as a Director I expect to receive a DRP/BCP update in November, and I can refer to the sheet music to check when this should occur, I can manage, and I can harmonize. How does this help management and the operation of the institution? Take my example. If GLBA is not thought about starting on January 2, we are perhaps creating an unnecessarily chaotic and inefficient environment. Where does the risk manager fit in? In part, as conductor and choreographer! There are of course many business related and compliance risks that need be considered, but calendar risk may now be one of the leading causes of regulatory orders. I keep my djembe and my keyboard in my office. How about you? And one of my client CFOs keeps his electric guitar collection in his office, with a working amp/speaker to boot. It’s all about rhythm. Summing up. Risk Manager Choreography plus Logic plus Complete Task Lists plus Rhythmic Calendar minus Summer Weeks minus Holiday Weeks divided by Proper Delegation of Departmental Responsibilities = Smart Bankyear = Peace of Mind = Efficient Risk Management = no MRA; no Board Resolution; no C&D = more golf! CRO = Chief Rhythm Officer.

David B. Sidon, CPA, Managing Consultant, The Navis Group

In the past two years, our firm has been knee-deep in COSO 2013 implementation for our client banks. We have now worked collectively on these efforts with over 20 banks and, at last count, eight different external audit firms. We decided to create this whitepaper to assemble the common themes, questions, and issues into one document that might serve as a primer, a guide, and a blueprint for the practical implications, pitfalls and benefits of the COSO/FDICIA/SOX effort.
Three voices resound within this document. In addition to my own thoughts and observations, my associates Ron Petersen and Kevin Nunes have contributed to this tome. Ron’s expertise is COSO 1 through 5, which focuses on integrity, corporate governance, authorities and responsibilities, succession planning, corporate response / discipline and such. Integrity, “tone from the top”, whistleblower protocols and the related response thereto are his specialties. Kevin’s banking operational/finance background lends itself to the practical implications of identifying and articulating the operational controls over financial reporting. click here for pdf

David B. Sidon CPA
The Navis Group

Enterprise risk is the buzzword, the mantra, the focus, the catch-all; technology risk, credit risk, interest rate risk, operational risk, BSA risk, information security (GLBA) risk, financial reporting control (FDICIA) risk, reputation risk, compliance risk, investment risk, pricing risk, this risk and that risk. Often silo’d within our banks, often misunderstood within our banks; often assessed without thanks.
So how do we pull this together into something cohesive and useful? How do we get to the “so now what?” moment? How do we gain some efficiency? How do we make this risk exercise a “value-add”?
What’s the common thread? Fraud potential, compliance gaffs, missed annual policy and training deadlines, information breaches, suspicious activity, money laundering, security lapses, identity theft, short-sighted pricing and product decisions, poor investment choices, insufficient loan underwriting, and lackluster personnel management all have one thing in common – people!
click here for pdf

Are you old enough to remember the game Twenty Questions?

Wikipedia’s description:
“Twenty Questions is a spoken parlor game which encourages deductive reasoning and creativity.”
Remember the standard questions? Is it bigger than a breadbox? animal or vegetable? Admittedly dated; just what the heck is a breadbox anyhow and how big might it be? Today’s equivalent? Is it bigger than an XBox 3? Is there an app for that? If you have just been named as your institution’s risk manager or chief risk officer (CRO) you probably have at least 20 questions, as do the executives who appointed you. And like the game, the questions are fairly standard from bank to bank.....click here for pdf

As a follow-up to an article that I wrote on enterprise risk management (ERM) last year, the folks at CBA asked me to put on a reporter's hat and find out how the industry is responding. Once I got over the fact that this was not an article for me to spout my opinions as I usually do, I set to the task of talking to risk experts in the trenches....click for pdf

I’m sorry, I was wrong, can I come back?

David B. Sidon CPA
The Navis Group

 

No, this is the not the chorus to the latest country-western hit. This is a confession, an admission of guilt, an apology, an attempt to patch up a really important relationship; my union with my local community bank....click for pdf