Sarbanes-Oxley Section 404 implications for ALM model applications By William J. McGuire, Ph.D.



Similar documents
Choosing the Right Asset/Liability Management Model and Keeping It Verified!

The International Certificate in Banking Risk and Regulation (ICBRR)

ALM Stress Testing: Gaining Insight on Modeled Outcomes

ASSET LIABILITY MANAGEMENT (ALM)

Auditing Asset-Liability Management (ALM) Functions

SSI 1 - INTRODUCTION TO CREDIT UNION FINANCIAL MANAGEMENT

Choosing the Right Asset/Liability Management Model Solution and Keeping It Accurate! By William J. McGuire, Ph.D. Fifth Edition

Making Asset Liability Management Work for You

Measurement of Banks Exposure to Interest Rate Risk and Principles for the Management of Interest Rate Risk respectively.

CITIGROUP INC. BASEL II.5 MARKET RISK DISCLOSURES AS OF AND FOR THE PERIOD ENDED MARCH 31, 2013

Checklist for Market Risk Management

A Closer Look Financial Services Regulation

Capital Management Standard Banco Standard de Investimentos S/A

SENSITIVITY TO MARKET RISK Section 7.1

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Sample Financial institution Risk Management Policy 2011

@ HONG KONG MONETARY AUTHORITY

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

Auditing Standard 5- Effective and Efficient SOX Compliance

Interest Rate Risk Management at Community Banks

Commercial Loan Prepayment Behaviors: Knowledge is Profit!

(Refer Slide Time: 01:52)

Third Party Relationships

A Guide to Radiology Practice Revenue Management and Performance Evaluation

The purpose of Capacity and Availability Management (CAM) is to plan and monitor the effective provision of resources to support service requirements.

January 6, The financial regulators 1

Interest-Rate Risk Management Section

Sarbanes-Oxley 404. Sarbanes-Oxley Background. SOX 404 Internal Controls. Goals of Sarbanes-Oxley

Asset/Liability Management in a New Era of Regulatory Scrutiny

Leveraging a Maturity Model to Achieve Proactive Compliance

Board of Directors and Senior Management 2. Audit Management 4. Internal IT Audit Staff 5. Operating Management 5. External Auditors 5.

Essential Elements of FFIEC Vendor Due Diligence

INTEREST RATE RISK IN THE BANKING BOOK

BANCWARE FOCUS ALM. Managing Risk Across Your Balance Sheet

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

TABLE OF CONTENTS INTERAGENCY ADVISORY ON ACCOUNTING AND REPORTING FOR COMMITMENTS TO ORIGINATE AND SELL MORTGAGE LOANS

White Paper. ALM: Manage Your Interest Rate Risk From the Bottom Up

YEAR END ISSUANCES BY FEDERAL REGULATORS ADDRESS A MULTITUDE OF PRIVACY ISSUES Jane Hils Shea January 23, 2008

Audit of NSERC Award Management Information System

Development, Acquisition, Implementation, and Maintenance of Application Systems

Community Banking. Regulators raise the bar on outsourcing relationships. A D V I S O R Fall 2014

Risk Based Capital Guidelines; Market Risk. The Bank of New York Mellon Corporation Market Risk Disclosures. As of December 31, 2013

Interest Rate Risk Management for the Banking Book: Macro Hedging

WHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath

AVANTGARD Treasury, liquidity risk, and cash management. White Paper FINANCIAL RISK MANAGEMENT IN TREASURY

Guidelines on interest rate risk in the banking book

Dr Christine Brown University of Melbourne

Internal Audit Practice Guide

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

Guidance for the Development of a Models-Based Solvency Framework for Canadian Life Insurance Companies

Application Security in the Software Development Lifecycle

NCUA LETTER TO CREDIT UNIONS

Guidance on the management of interest rate risk arising from nontrading

Business Continuity Management Software

Static Pool Analysis: Evaluation of Loan Data and Projections of Performance March 2006

HOCH CAPITAL LTD PILLAR 3 DISCLOSURES As at 1 February 2015

Staff Consultation Paper No The Auditor s Use of the Work of Specialists

RISK FACTORS AND RISK MANAGEMENT

Funds Transfer Pricing A gateway to enhanced business performance

White Paper on Financial Institution Vendor Management

Federal Home Loan Bank Membership Version 1.0 March 2013

Portfolio Management for Banks

Oracle Financial Services Funds Transfer Pricing

Solutions for Balance Sheet Management

DCU BULLETIN Division of Credit Unions Washington State Department of Financial Institutions Phone: (360) FAX: (360)

Validating Third Party Software Erica M. Torres, CRCM

OCC 98-3 OCC BULLETIN

Network Configuration Management

Number 200 July The primary objectives of SJFCU's ALM Policy include the following:

Central Bank of The Bahamas Consultation Paper PU Draft Guidelines for the Management of Interest Rate Risk

Growing Vendor Management

Third-Party Risk Management: Busting Myths and Telling Truths

Archiving Digital Records

Outsourcing Balance Sheet Risk Management Analyses

Sage HRMS The choice between compliance risk and compliance confidence lies in HR management systems

Anticipating and meeting regulatory compliance

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

Recommended Practice for Software Acquisition

The Importance of Credit Data Management

Securing the Cloud Infrastructure

Data Quality Governance: Proactive Data Quality Management Starting at Source

The future of industrial asset management: New opportunities for oil and gas, power generation and aviation industries

Capital Policy and Safeguards Statement for Merchant Acquirer Limited Purpose Banks

Service Desk Management Works for Insurance Firm s Enterprise and SMB Clients

Data Quality for BASEL II

Best Practices in Asset Liability Management

Regulatory Stress Testing For Mortgage Loan Portfolios

REAL SECURITY IS DIRTY

Module 5: Interest concepts of future and present value

Attachment A. Identification of Risks/Cybersecurity Governance

TO CREDIT UNIONS DATE:, May 12, 1998

Model Template for 165(d) Tailored Resolution Plan

IBM Algo Asset Liability Management

BASEL III PILLAR 3 DISCLOSURES. March 31, 2014

Using TechExcel s DevSuite to Achieve FDA Software Validation Compliance For Medical Software Device Development

How To Manage A Call Center

W H I T E P A P E R S A P E R P L i f e - C y c l e M a n a g e m e n t O v e r c o m i n g t h e D o w n s i d e o f U p g r a d i n g

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Transcription:

FMS Special Report Sarbanes-Oxley Section 404 implications for ALM model applications By William J. McGuire, Ph.D. Introduction The full dimensions of Sarbanes-Oxley Section 404 compliance are now being felt across all public companies in the U.S. Few industries have the compliance burden that financial institutions have, though, because financial processes are the essence of what they do--almost everything depends on a financial report! Supporting that financial reporting are many resources and processes, each with its own control environment and its own control process risks. Simulation models are used in many financial institution applications. But the risk associated with such models is an area of compliance that has received very limited discussion despite its centrality to Sarbanes-Oxley 404 needs in financial institutions. In this context, model risk is defined as the exposure arising from management and the board of directors reporting financial information that is based on unreliable and/or inaccurate model outputs (e.g. in SEC filings). Model risk can arise from any financial model employed, although it is potentially at its most serious threat level in ALM models because they cross all areas of the balance sheet, and their outputs appear in so many financial reports and filings. There has, of course, been prior regulatory concern in this area. The most notable are OCC Bulletin 2000-16 and the 1996 Interest Rate Risk; Joint Agency Policy Statement by the FFIEC. The regulatory interest in model risk is a logical outcome of the industry s reliance on computerbased model results as key decision inputs. Experience has shown that such confidence is often illfounded, and the OCC bulletin goes so far as to bluntly state that a computer based financial model that is improperly validated or tested is worse than useless. Clearly this statement applies all the more to Sarbanes-Oxley 404 compliance issues--a poor model can now also be dangerous. This article reviews elements of ALM model risk in a Sarbanes-Oxley context, describes key model risk assessment principles, and discusses practical considerations for achieving success. The principles laid down here also apply to other financial models as well, such as mortgage pipeline management tools and funds transfer pricing, profitability, and special hedging models. General environment of Sarbanes-Oxley 404 model risk ALM models produce many financial reporting inputs, from simple FAS 107 asset and liability valuations to the complex analyses of embedded interest rate risk (IRR) cited in SEC 10K reports. Model risk from a Sarbanes-Oxley 404 perspective can arise at three levels: (a) the model itself; (b) definition of model inputs and assumptions; and (c) the control environment surrounding the model. Basic issues in this view of risk and compliance are summarized in Exhibit 1. ALM model itself as a risk source ALM models are complex software programs that incorporate thousands of features in even a simple financial institution s application. Fortunately, in vendor provided models, underlying code and the accuracy of results is attested to based on pre-release and ongoing internal reviews, and the experiences of large numbers of users on a day-to-day basis. The institution, however,

needs to be running the latest available fully tested version of the model and any supporting software; being under a current maintenance contract with the vendor is the best way to ensure this. Assuming a current model is implemented, limitations in the fundamental accuracy of a vendorprovided ALM model are rare, and thus this area of model risk is normally minimal. Note that this statement does not normally apply to ALM models developed in-house or an outsource ALM model solution provided by an independent consultant using a non-vendor model. In such instances, a comprehensive program of testing and precision certification must be completed and documented. This affirmation process will need to be repeated periodically also, as needed. ALM model components as risk sources There are five basic components that define any ALM model. These are data, category setup, contractual-based inputs, behavioral assumptions, and reporting. Each of these can be a source of model risk, arising either from the basic structure of the model or failures in the model s control environment and control activities. Consider each model risk source in turn. Data-related risks, relating to having the wrong data or data that does not foot across the model, are obvious. In most cases, model data is assessed in other reviews (e.g. of underlying automated systems) or controlled as part of model user procedures (e.g. balancing tests each time the model is run). Thus, this is not typically a key model risk area. However, prior to assuming that model data is accurate, rigorously assess all data-related model risk issues and document all control activities. Category setup entries tell the ALM model how to interpret incoming data. Because they define that set of all categories analyzed in the model, and the fundamental behaviors of each category in the model, they are crucial to the success of all subsequent model applications. As such, they are a source of potential model risk arising from both their initial specifications and their ongoing maintenance over time. Contractual-based inputs are category behavior definitions that can be read directly from underlying asset and liability contracts. Pricing spread terms, repricing limits (caps/floors), and new volume maturity definitions are common examples; call and put features (e.g. in investments and wholesale funding) are further common illustrations. These inputs are also a key source of potential model risk, again arising from both initial specifications and ongoing maintenance over time. While experience suggests that initial category setup and contractual-based input specifications are most often correct (they are usually defined by the vendor during model installation), many change control processes are weak. This results in definition drift, as balance sheet category specifications and contract terms slowly diverge from (unchanged) model definitions. Such drift is an important source of model risk, and it must be aggressively controlled. Behavior assumptions are the weak link in almost all ALM models. This risk source includes the inputs for institution specific loan prepayment behaviors for all relevant loan categories (not just 1-4 family mortgages), to include inputs controlling for any inter-tendencies among loan types (e.g. second mortgage or HELOC prepayments driven by 1-4 family prepayments). Inputs for CD early withdrawals and core deposit supply, repricing, and average life/value behaviors are also important. These inputs, in particular the treatments of core deposits, can swing basic FAS 107 valuations and IRR analyses by large amounts and thus accuracy is an utmost consideration. It is no

exaggeration to state that virtually all financial institutions using an ALM model have material model risk originating from this element of their ALM model implementation. Reporting that originates directly from a vendor provided ALM model is normally error free and thus rarely a source of model risk. Custom produced model reports, however, and especially reports created from standard or custom model outputs imported into separate external spreadsheets, are material risk concerns. There is ample evidence in the business literature of widespread spreadsheet errors, yet normally few controls over them are seen in most ALM model applications. Address this in an uncompromising manner, preferably by treating each spreadsheet as a model and focusing on its embedded risk potentials as such. A successful Sarbanes-Oxley 404 ALM model-risk solution The sources of model risk above require multiple dimensions of action to control them. A control environment, with specific control activities, needs to be defined to address, monitor, and document each source of model risk from a Sarbanes-Oxley 404 perspective. Fortunately, many of these control activities are already part of current regulatory mandates and good business practices, so fine tuning is all that is needed to bring them up to the new higher standards. Few completely new compliance actions are typically needed. Note, however, that such a statement is made assuming that ALCO policies, procedures, and risk controls fully meet the new standards. ALM model risk controls cannot operate within an ineffective or poorly documented ALCO risk environment. The first area of action in regards to model risk is to initially install and populate the model correctly. For many models this will be distant history and thus not directly applicable. But for new models, the best risk defense is to ensure that every element of model risk is addressed and documented at installation. The model vendor doing the work should have comprehensive installation policies, data, setup, input, assumption, and reporting process control, and documentation that mitigates all dimensions of model risk at this step. The second action area relating to model risk is to assess the ALM model periodically, using a competent and independent source. This includes a review of each source of model risk, absolutely and on a prioritized basis in light of potential risk exposures, and then proving that model forecasts are accurate. Many sources are quoting the need for an annual model risk assessment. Less frequent responses could be permissible in some instances, however (e.g. a simple and stable balance sheet, relatively unchanging interest rate environment, static business plan, etc.). Note that model risk assessment goes far beyond just verifying that a model is constructed in such a way that it could forecast correct financial reporting values. The model risk assessment must also prove that the model does forecast correctly--i.e. the model must be validated in addition to being verified. Validation includes a review of both constant interest rate and scenario-specific model forecast data to ensure that baseline and interest rate sensitivity forecasts are correctly capturing all balance sheet behaviors. A special behavior diagnostic system is typically employed to provide appropriate documentation. A model s validity can also be demonstrated through comparisons of near-term margin forecasts vis-à-vis actual prior month values and comparing model forecasts of interest rate related margin/value exposure potentials against recent actual data (e.g., the correlation of model margin exposure forecasts versus recent margin changes as rates change). The third area of action in regards to model risk is to build and implement a comprehensive control environment within and around the model. This includes user controls (including cross training and backup operators to minimize single model user situations), detailed model

documentation, comprehensive model user guidelines, and a specific model operator checklist (used each time the model is run, dated and initialed, and placed into the record). It also includes specific change control procedures that stipulate (a) how often and by whom each model specification and input/assumption must be examined and updated, (b) acceptable sources of any new model information, and (c) documentation of changes and reporting of these to the ALCO. Change management processes are the weak link of many model implantations and they are thus often a major element of model risk. Taking action Reviews of ALM model risk areas will sometimes detect design or operating deficiencies embedded in current control activities and processes. In such instances, invoke a formal action plan to upgrade the controls involved. A typical program has five structured components: 1. Prioritize remediation efforts if more than one issue is outstanding. 2. Assign direct responsibilities for completing the remediation necessary. 3. Define what remediation efforts are necessary and what resources are required. 4. Establish a timeline for effecting risk control changes and enhancements. 5. Define the terms of project success and document/communication completion. Continue to specially monitor the control activity or activities of concern to ensure continued success. Comprehensively document the remediation process and report its successful resolution to the ALCO and then through to the Board. Final comments Establishing a full program of ALM model risk control requires knowing what to look for and how to blend in external risk assessment resources (as needed) with those available at the institution. Exhibit 2 provides a summary checklist of major areas that need to be looked at when examining model risk and setting up associated risk control processes. Use the framework presented to establish your institution s ALM model risk control environment, customizing specific risk control activity specifications as necessary. ALM model risk in a Sarbanes-Oxley 404 context can be managed and effectively controlled. A control environment that includes a pro-active program of correct model installation, ongoing model information review, update, and change control, independent verification of the model s potential forecast capabilities and validation of the model s actual forecast accuracy, and comprehensively designed and documented control activities is feasible for all institutions. Sarbanes-Oxley model risk compliance is an incremental effort and thus generally not an overly costly task--so on with it! William McGuire is President and CEO of McGuire Performance Solutions, Inc., Scottsdale, Ariz.

Exhibit 1 Sources of Sarbanes-Oxley Section 404 Simulation Model Risk Model Risk Control Environment Deficiency Identification Control Activities Remediation Plans Change Controls User/Other Controls Documentation Original Model Installation Simulation Model (e.g. ALM Model) Model Outputs to Financial Reporting Ongoing Model Risk Sources Data, Category Setup, Contractual Based Inputs, Behavioral Assumptions, Reports

Exhibit 2 ALM Model Risk Control Environment Checklist Is there a model risk control environment with appropriate control activities in place to ensure effective monitoring and control of all potential ALM model risk areas? Has the institution conducted an independent ALM model risk assessment at regular intervals (timing based on institution criteria)? Do ALM model verification activities adequately address all potential model risk areas? Can the model employed capture/forecast all categories defined and all potential balance sheet behaviors and complexity? Did the model verification adequately address all sources of model risk? Are data inputs correct Are all category set up definitions correct Are contractual-based inputs correct? Are behavior assumptions correct Are all model reports used correct Do ALM model validation activities adequately address all model risk areas? Base Case (no rate change) forecasts Multiple rate scenario specific forecasts Comparisons of prior margin behaviors to current model predictions Correlation between model forecasts of interest rate related risk and actual margin/value sensitivities to historic changes in the interest rate environment Is there a control processes for ongoing ALM model risk monitoring in place? Model access controlled plus user controls Change controls defined and rigorously enforced Model documentation and archiving up to date Is there a strictly defined action plan in place for remediation of identified control risks? Do model risk assessment activities verify the adequately of ALCO processes that support the ALM model implementation? Adequacy of ALCO policies and processes Adequacy of the ALCO control environment/activities Reasonableness of risk limits/effective communication of risk positions Are model risk assessment results and general model risk position communicated to management and board on a regular and effective basis?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information