ERM Toolbox – Why Do I Need Risk Appetite and Tolerance Statements?
- Ed McCaulley
- Internal Controls
Risk Appetite and Tolerance Statements: Identifying the Risk You’re Prepared to Accept

Have you ever been skydiving? I have not. To quote Clint Eastwood, “Jumping out of a perfectly good airplane is not a natural act.” Yet the US Parachute Association reported that in 2021, around 39,412 of its members made 3.57 million jumps.

Do you have an adjustable-rate (ARM) or fixed-rate mortgage? When I was younger and poorer, I considered an ARM before choosing a fixed rate. Back then, ARMs were trendy. They became less popular in the low-interest rate environment of our recent past. Perhaps they’ll gain popularity once again.

Do you drive faster than the speed limit? As a young man, I was clocked at 65 mph in a 35-mph zone. My defense? I was driving a straight-away on a clear, country road. The officer didn’t buy it, and I ended up spending two hours in remedial driving school for “aggressive drivers.”

Why all the questions? To make a point. Both the ways in which each of us measures risk and the amount of risk we’re willing to assume can vary widely. We are individual and unique humans, with awareness and risk tolerance built into our DNA. Brain chemicals like dopamine impact our perception of risk—as do age, gender, race, stress, upbringing, etc.

RISK APPETITE & TOLERANCE FOR ORGANIZATIONS

In 1987, Nick Leeson, a currency trader with Barings Bank, made failed bets on Nikkei futures totaling approximately $1.3 billion. His bets exceeded the total value of his employer’s capital and reserves. As a result, the 233-year-old bank was forced into bankruptcy.

One audacious individual brought down a sophisticated and mature organization that most certainly did not share his appetite for risk. To align risk, it’s important to develop risk appetite and risk tolerance statements—written documentation of the risks an organization is and is not willing to accept.

Risk appetite statements serve as guidelines for developing strategic plans, operational processes, and business continuity plans. An excellent example is TD Bank’s statement, which reads as follows:

TD takes risks required to build its business, but only if those risks:
- Fit its business strategy, and can be understood and managed.
- Do not expose the enterprise to any significant single-loss events.
- Do not risk harming the TD brand.

Here’s another example from the Office of the Comptroller of the Currency (OCC):
- The OCC has no appetite for unauthorized access to systems and confidential data, and will maintain strong controls to mitigate external threats against its technology infrastructure.
- The OCC has a low appetite for losing continuity of business operations stemming from unreliable telecommunications or system availability. Business resiliency planning and execution must be aligned with strategic objectives.
- The OCC has a moderate appetite for innovative technology solutions to meet user demands in a rapidly changing environment. The agency will exercise appropriate governance and discipline when considering and adopting new technology.

Risk tolerance statements further refine and “operationalize” broader appetite statements to provide specific context. They serve as tangible risk limits, setting clear boundaries within which a business must operate. Risk tolerance statements must be measurable, realistic, and capable of being monitored. For example:
- At all times, the [organization] will maintain a rating of [xx] from [rating agency]
- Annual employee turnover will not exceed [xx%]
- Operational losses will not exceed [xx%] of [transaction type]
- Minimum investment grade of no less than “A” for investment securities

For many risks, there is a range of acceptable levels. Let’s take information security risk as an example. We want to avoid this risk, right? What is the easiest way to do so? Disconnect all your computers from the internet.
But taking this extraordinary step has consequences—no (external) email, no cloud computing, and no working from home. In other words, requiring zero risk can hamper or even prevent us from accomplishing our objectives.

Recognizing the benefits of being interconnected, most organizations have chosen to accept some level of information security risk. Some level of risk is fine, but too much risk is not. Over time, navigation of these risks starts to resemble a road, with edge lines and guard rails; the acceptable place to drive is in the middle.

WHAT DO I DO WITH RISK APPETITE AND RISK TOLERANCE STATEMENTS?

- Use them. Ensure that individuals who make decisions affecting the organization’s risk profile understand these statements. Decision makers should consider how their choices affect an organization’s risk level—specifically, whether their decisions leave the organization within its established risk appetite and tolerance parameters or push the organization outside those limits.
- Report on them. Senior executives and risk committees should require regular updates on their organization’s status related to risk appetite and risk tolerance statements. Discussions might include: Is the organization within its risk tolerance for 15 of its 16 metrics? If so, what does the organization feel about the final metric? If the organization is uncomfortable accepting this level of risk, then the metric effectively identifies an area that needs attention. Risks in this area need to be reduced. In contrast, if the organization does not feel that current risks are unacceptable, then risk metrics might need adjustment. This is common. Initial risk metrics are like a new pair of shoes; you need to experience them for a while to see if they pinch.
- Don’t let them get stale. The last thing you want to do is create these statements, then put them on the shelf to forget. Just as organizations change over time, so does risk appetite.
Periodically revisit your organization’s risk appetite and risk tolerance statements to determine whether they are still appropriate and relevant or need to be adjusted. Also consider whether the statements are understood by everyone or require additional context. We recommend conducting this evaluation while developing a strategic plan. After all, where we want our organization to go and where we don’t want it to go are interrelated considerations.

CONCLUSION

Risk appetite and risk tolerance statements provide important guidance to employees about which risks are acceptable and which are not. They help align individual employee tolerances to organization-wide tolerances, for more consistent risk response across the board.
Essential considerations when employing Balance Sheet Account ...
- Ed McCaulley
Given the nature of the public sector industry, with its vast constituent base, any process and control failures can become highly visible, highly contentious, and highly damaging to an organization’s reputation. Yet, with budget constraints and the hiring challenges from the “Great Resignation”, how are we to keep our organizations safe and out from under this magnifying glass? The challenges are significant and demand rational approaches as well as application of one of the oldest — yet most effective — accounting control processes: balance sheet account reconciliations.

Reconciliations have long been an important control for ensuring the accuracy of financial statements. Validating balances in general ledger accounts through the reconciliation process provides management with assurances that controls are in place and are working effectively.

Performing accurate and timely reconciliations receives considerable attention under various government regulations focused upon public sector reporting. For example, in the United States, the Office of Management and Budget’s (OMB) Circular No. A-123 (A-123), the Federal Managers’ Financial Integrity Act (FMFIA), and the Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government (known as the “Green Book”) have been at the center of Federal requirements to improve accountability in Federal programs and operations. Within the Green Book, “reconciliations” are specifically called out both as “transaction control activities” and “ongoing monitoring”. Yet even without the regulatory emphasis, it is because of their summary and comprehensive nature that reconciliations often become key, rather than secondary, controls.

As accountants and auditors, we should understand best practices related to account reconciliations and have a clear plan for reviewing reconciliations.

RECONCILIATION TYPES

There are various types of reconciliation, and each has nuances that will indicate the nature, timing, and extent of audit tests. Some of the more common types include:
- Basic account reconciliations. Often far from basic or simple, these account reconciliations may be reconciled to an accounts receivable aging schedule, fixed asset ledger report, or an accounts payable report. There should be account reconciliations for all asset, liability, and equity accounts.
- Bank account reconciliations. This type of reconciliation is between a bank statement and a general ledger account. Zero balance accounts (ZBAs) add a twist to the generic bank account reconciliation, because the bank account is swept or funded daily, leaving the end-of-day balance at zero.
- Suspense account reconciliations. Suspense accounts are used as a “holding” account until the appropriate disposition or classification of the transaction can be made (e.g., a lockbox used for all deposits). Once the cash deposit is recorded on the organization’s books, the organization will then determine why it was received and book the corresponding entry to clear suspense (e.g., to post it against a notes receivable or to book revenue).

Thus, testing procedures should be added or modified to address the specific nature or characteristics of the account being reconciled.

BENEFITS

There are many benefits that come from performing high-quality account reconciliations, but here are the key benefits:
- Identify necessary adjusting entries before financial or other regulatory reports are issued, thus reducing restatement risk
- Identify operational issues earlier, when the problem is smaller, resolution is more manageable, and before the “fog of time” starts to obscure events
- Improved confidence in the financial statements from investors, managers, constituents, and external auditors
- Emphasizes to all employees the need for accuracy in transaction processing when the feedback is closer to the error

BEST PRACTICES

Both accountants and auditors should understand the best practices being utilized around account reconciliations. The following are practical ideas for improving the effectiveness of an organization’s account reconciliation efforts:
- Formalize a policy for reconciling and reviewing all balance sheet accounts.
- Complete a risk assessment of all balance sheet and off-balance sheet accounts and determine their risk level.
- Designate a regular cycle for the process (e.g., monthly reconciliations for high- and medium-based risks and quarterly for low-based risks).
- Complete account reconciliations by a specific calendar day of the subsequent month.
- Use a standard format for preparing reconciliations across the organization, and ensure each reconciliation contains standard information.
- Assign different individuals to both preparer and reviewer roles for each reconciliation to be performed.
- Confirm that the preparer and the reviewer possess the adequate skill sets to perform their functions, understand the nature of the account being reconciled, and understand the documentation and analysis required to support and substantiate the account balance.
- Consider automating the reconciliation process. There are various tools available to help with reconciliations.
For example, many tools will automatically match up transactions from the G/L to the bank records, which frees reconcilers to focus on the more value-added task of researching unmatched records. Other tools help track the status of all reconciliations.
- Consider use of continuous monitoring tools and testing to immediately alert staff to potential issues (e.g., search for duplicate payments based upon payee, amount, and payment date) when they can take preventative action, instead of waiting to detect the issue when the reconciliation is performed.

There are no guarantees, but employing these practices can help reduce the risks of fraud, financial loss, or misstatements, while identifying operational issues early before they become too large.

INTERNAL AUDIT’S ROLE

Internal audit should be responsible for independently assessing compliance with stated procedures. When performing audits of reconciliations, it is essential that auditors consider various attributes. Including the following testing procedures can help auditors perform a complete and adequate review.
- Does the “balance per the general ledger” on the reconciliation agree to the amount reported on the general ledger? One common problem is not reconciling to the full general ledger balance (e.g., to a subaccount, to only the cash or accrual or tax subledgers, or to only a subsidiary account).
- Does the “balance per bank” or “balance per system” agree with the bank or system report? A recurring issue is reconciling the general ledger activity to the general ledger balance rather than to an outside, confirming source. Reconciling one general ledger source to another, such as a trial balance to an online balance report, will accomplish nothing — unless the intent is to test the general ledger system’s reports.
- Are there any unreconciled differences? Unreconciled or unknown differences should set off alarm bells. These differences mean the reconciliation work has not successfully identified all reconciling items.
This typically indicates that the individual preparing the reconciliation does not have the appropriate skills, did not devote the time necessary to complete the reconciliation, or simply does not have access to all the appropriate data required. Be careful about de minimis limits that some groups have established. The theory behind a de minimis limit is that the difference is too small to warrant the time and effort to track down the difference and that it is more efficient to simply write off the unreconciled amount. However, the use of de minimis limits has dropped out of favor because the unreconciled balance may be hiding more than one error if the transaction amounts offset each other. In other words, a $10 unreconciled balance might be two or more transactions: a million-dollar credit, largely offset by a $999,990 debit.
- Are reconciling items being cleared timely? Unless the reconciling items identified are purely timing issues, they should result in some action (e.g., a journal entry or an entry to correct a subledger). These actions should clear the item before the next reconciliation is performed. If they are not cleared, it is an indication that the work is not being performed. As many organizations are operating with lean accounting departments, completing account reconciliations both correctly and timely can be a difficult task. However, staff shortages do not justify rolling reconciling items forward from period to period. Although this approach is quicker and may seem to be an acceptable solution to the overworked individual performing the reconciliation, it is often the cause of a restatement.
- Was the reconciliation signed by the preparer and reviewer, and are the preparer and reviewer different individuals? Having both roles is important for three reasons. First of all, it introduces a measure of segregation of duties, especially useful in smaller organizations where everyone wears multiple (and sometimes incompatible) hats.
Secondly, the reviewer may offer a broader understanding of the transactions flowing through the account. Finally, the reviewer also should help ensure that reconciliations are being performed with consistent diligence between accounts.
- Was the reconciliation completed on time? Reconciliations should be completed before the data or report for the next reconciliation becomes available. Thus, a bank account reconciliation would be considered late if it was not completed before the next month’s bank statement was received.
- Has the organization established a monitoring control over reconciliations? Reconciliations are such an important control that many organizations have implemented an organization-wide policy or centralized monitoring to ensure their timely completion. All balance sheet accounts should be reconciled.

SUMMARY

Performing appropriate and timely reconciliations is a critical control function that should be in place in all organizations. Although account reconciliations may seem mundane and repetitive, a strong account reconciliation process is an important component of a solid system of internal controls. Implementing account reconciliation best practices — such as accountability, risk-based prioritization, and reconciliation automation — provides management with insight into the substance of transactions and account balance content. A robust reconciliation process can identify necessary adjusting entries before financial or other regulatory reports are issued, while also reducing restatement risk, improving investor confidence, and eliminating write-offs.