The role of internal audit in recovery and resolution planning

Introduction

US regulators continue to flex their muscles and push resolution planning as a key regulatory driver to reduce systemic risk and the likelihood of an institution being “too big to fail.” On April 13, 2016, the Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC) (collectively, the “Agencies”) jointly determined, for the first time, that certain resolution plans submitted by domestic systemically important banks (D-SIBs) were “not credible or would not facilitate an orderly resolution”1 under the US Bankruptcy Code. Further, the Agencies issued prescriptive guidance increasing expectations for the eight US D-SIBs’ resolution plan submissions due July 1, 2017 (2017 Guidance).2

Internal audit in the spotlight

Over the past several years, banks have faced heightened regulatory scrutiny around capital planning programs, and, subsequently, internal audit’s role in assessing these programs for soundness and compliance with internal and regulatory requirements has increased. In January of 2016, the FRB published a final rule requiring chief financial officers (CFOs) of the largest systemic firms3 to attest to the “material correctness of data” and to “agree to report material weaknesses and any material errors in the data” submitted in the FR Y-14 forms.4 With the implementation of the attestation, internal expectations of internal audit are heightened as stakeholders will be looking to the third line of defense to ensure that effective controls are in place to assure the accuracy of the submission.

Most recently, in June 2016, the FRB published its report on the Comprehensive Capital Analysis and Review (CCAR) exercise for larger bank holding companies (BHCs). The FRB noted that “a number of the largest BHCs have weaknesses in their internal audit programs for capital planning, which may limit their effectiveness in assessing the quality of key components of their capital planning practices.”5 Additionally, the FRB went on to advise that they would be conducting a “thorough review of the largest firms’ internal audit coverage” as part of the year-round supervisory program supporting CCAR. Because resolution planning has recently received similar focus as capital planning on the regulatory reform agenda, similar regulatory scrutiny is expected on the horizon for internal audit’s role in recovery and resolution planning as the Agencies rely on internal audit to assure that related processes and controls are in place and operational.

Risk powers performance: Internal audit makes its impact

In response to these developments, institutions have allocated more resources and implemented strategic initiatives to address requirements outlined in the recovery and resolution planning guidance. Regulators expect that institutions will embed resolvability concerns into business-as-usual (BAU) processes, potentially modifying risk management practices, contingency planning, operational policies and procedures, and governance practices. The risks arising from the collective action of these moving parts create several opportunities for internal audit as the third line of defense. Internal audit departments that are able to effectively assess the associated risks can make an impact on business performance and extend their influence among stakeholders.

Currently, the level of internal audit involvement in recovery and resolution planning varies broadly from institution to institution. While some institutions have developed more mature programs with an emphasis on auditing recovery and resolution planning prior to submitting their plans, others are still defining their lines of defense. Institutions are operating under tight cost constraints and the Agencies are sensitive to ensuring that all three lines of defense are allocating adequate resources to address all regulatory mandates. The Agencies have not yet provided specific guidance or commentary on the role of internal audit in assessing the recovery and resolution plans, but the role is evolving similar to what was expected for other regulatory mandates, such as capital planning and stress testing as evaluated during the FRB’s CCAR exercise for larger BHCs. Those expectations are comparable to the aspects of recovery and resolution planning in terms of complexity, broad scope, and an end-to-end evaluation of the integrity and appropriateness of the effort.

In an effort to successfully navigate this complex and dynamic regulatory landscape—and power improved performance—internal audit should:

  • Develop an appropriate framework and strategy for the evaluation of recovery and resolution plans, taking into consideration the interrelationship between recovery and resolution plans and other regulatory requirements involving the first and second lines of defense as well as competing priorities
  • Identify audit objectives based on the seven key vulnerabilities identified by the Agencies’ 2017 Guidance
  • Evaluate the current audit plan and map objectives for each key vulnerability area to planned audits to identify gaps in coverage
  • Perform a risk assessment to drive the type, scope, and intensity of the audits
  • Identify skill sets and training required to execute the enhanced audit plan for recovery and resolution planning
  • Communicate key findings, limitations, status, and results for recovery and resolution planning to appropriate stakeholders
  • Establish a continuous monitoring program to oversee risk management, control, and governance processes

Internal auditors looking for a roadmap to evaluate their firms’ recovery and resolution plans can reference a few existing resources. First is the 2017 resolution planning guidance itself, which clearly describes the new and enhanced requirements and expectations for resolution plans. Second are the firm-specific feedback letters which provide insight into the Agencies’ rationales for individual firm resolution plan determinations. And third, the Agencies’ disclosures referencing the high-level components of the assessment framework used to evaluate and issue joint determinations on the 2015 resolution plans.6 In addition, they should consider the requirements from the FRB and OCC for recovery planning.

Ultimately, internal audit should evaluate whether the planning process had adequate governance and controls and produced a plan or related recovery and resolution capability that is complete, accurate, and consistent with internal and regulatory expectations. Taking it further, leading internal audit departments should find opportunities to turn the complex business issues associated with recovery and resolution planning into an opportunity for growth and resilience. Learn more about the role of internal audit in recovery and resolution planning by reading our latest paper.

1Agencies Announce Determinations and Provide Feedback on Resolution Plans of Eight Systemically Important, Domestic Banking Institutions
http://www.federalreserve.gov/newsevents/press/bcreg/20160413a.htm
2Guidance for 2017 §165(d) Annual Resolution Plan Submissions By Domestic Covered Companies that Submitted Resolution Plans in July 2015, Federal Deposit Insurance Corporation and Board of Governors of the Federal Reserve System (April 13, 2016), available at
https://www.federalreserve.gov/newsevents/press/bcreg/bcreg20160413a1.pdf
3Listing of LISCC Firms available at http://www.federalreserve.gov/bankinforeg/large-institution-supervision.htm
481 Fed. Reg. 3,412 (Jan. 21, 2016), available at https://www.federalreserve.gov/boarddocs/press/foiadocs/2016/20160121/foia20160121f.pdf
5Comprehensive Capital Analysis and Review 2016: Assessment Framework and Results, Board of Governors of the Federal Reserve System (June 2016), available at http://www.federalreserve.gov/newsevents/press/bcreg/bcreg20160629a1.pdf
6Resolution Plan Assessment Framework and Firm Determinations (2016), Board of Governors of the Federal Reserve System and Federal Deposit Insurance Corporation, available at https://www.federalreserve.gov/newsevents/press/bcreg/bcreg20160413a2.pdf

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s