Transforming organizations through skillful alignment of people, process and technology.
The Hilltop Companies

Risk Policy, Structure, Process and Controls Assessment

The Hilltop Companies’ Risk Management practice often begins with an overall assessment of our client’s areas of risk. We assess these areas of risk from the perspective that each area requires proper policy, organizational structure, processes and controls to be in place to mitigate the applicable risk. Before we even begin to audit the risk area, each of the above components must be in place.

Most companies manage various risks in the specific area where the risk’s impact is most obvious, e.g. interest rate risk in the Trading or Treasury areas. However, an integrated approach that assesses the overall enterprise risk is more effective. Many risk areas overlap, and some risks run counter to each other (the increase of one risk is offset by the decline of another). All too often, hedging or mitigating a particular risk in one area will cause another area of the company to be negatively affected. Our risk management assessment takes an integrated approach, which considers all risks at the enterprise level and then the individual risks at the business unit or transaction level. Our assessment of the policy, structure, process and controls can cover one or more of the following risk areas:

  • Enterprise risk – a comprehensive view of all risks across the Company
  • Financial statement risk – risk that the financials are materially misstated through errors, policy application or fraud
  • Credit risk – credit loss risk related to all loans/leases, credit enhancements, guarantees, recourse, etc.
  • Regulatory risk – risk of non-compliance with the many and changing regulations
  • Interest rate risk – ALCO issues, cost of brokered deposits, deposit and loan pricing, hedging, etc.
  • Counter party risk – all vendors and trading partners who are extended credit and are transaction dependent
  • Operations risk – policy issues, procedural issues, backlogs, business continuity, etc.
  • IT risk – development or implementation errors, access/security, change control and poor business requirements
  • Fraud risk assessments and corporate investigations (see – Fraud risk, controls & assessments and Fraud Audits)

To expand on each of the risk areas noted above, our assessment addresses, for each of the many different risks, whether the corresponding risk policy, organization structure and responsibility, processes, and controls are appropriate to identify and mitigate that risk. Some examples are shown below:

  • Financial Statement Risks have to consider:
    • Internal financial controls – are these effective to prevent a misstatement?
    • Fraud risk – are fraud policies and controls in place to identify, prevent and/or mitigate fraud risk?
    • G/L to Sub ledger reconciliation errors
    • Asset valuation and impairment analysis involve significant judgment that can be “obscured”
    • Personnel qualifications of the CFO and accounting team
    • Systems investment in accounting systems (an overhead item)
  • Credit Loss risk management:
    • Credit loss identification and trend analysis being incomplete or inaccurate
    • Loss mitigation activities being ineffective
    • Collections and payment processing being incomplete or inaccurate
    • Management personnel’s experience with credit losses
  • Regulatory:
    • Regulatory requirements not identified or known
    • Examination unpreparedness
    • Policy and process do not ensure compliance
    • Legal compliance interpretation of Federal & State Laws is wrong
    • Cease and Desist orders
  • Interest Rate and Prepayment Risk:
    • Asset Liability management process is flawed
    • ALCO models are not effective
    • Tracking rate movements and hedge transactions not effective
    • Asset or Debt hedge policy not consistent with bank’s risk tolerance
    • Hedge processes and instruments used not consistent with hedge policy
    • Tracking of loan prepayments not effective and understated
  • Counter Party Risks:
    • Counter Party risk process is ineffective or non-existent
    • Initial counter party approval is lax or weak controls exist
    • Ongoing counter party oversight and review are lax or weak controls exist
    • Ineffective monitoring techniques
    • Avoiding the “surprise” that a counter party will not execute or has left your company with the loss
  • Operations Risks:
    • Process backlogs are systemic
    • Transaction processing and reconcilement is weak, incomplete, or inaccurate
    • Incorrect error correction processing
    • Data integrity issues
    • Performance benchmarks are not properly reflective of operating level
    • Management override risks
  • Systems Risks:
    • General controls are weak
    • Applications controls are weak
    • System outages are frequent and unexplained
    • SDLC process is undefined or not applied
    • Implementation errors are present
    • Change controls are poor
    • Poor business requirements for developed or purchased applications
    • Data integrity – completeness, accuracy and reasonableness checks ineffective to warn of data problems

A critical element of our risk management assessment focuses on overall risk reporting and data integrity. We can help identify any “gaps” in the process of reporting and monitoring, as well as data integrity risks. We can also help identify and implement risk management tools used for risk quantification and analysis of each of the above risks.

A final step in our risk management assessment process is to measure your Company’s reaction (management’s communications) in response to high-risk factors, non-compliance consequences, regulatory concerns, fraud risks, errors made, etc. The corporate response often sets the unofficial risk policy, which may be unanticipated and inconsistent with the written, approved risk policy. Our objective is not to “second guess” management but rather to determine whether any critical factors/indicators were not addressed and why, i.e. whether it was because of inaccurate or incomplete information.