BOL Conferences
#1669139 - 02/23/12 08:04 PM Who approves accepting risk?
biz Offline
Diamond Poster
Joined: Nov 2005
Posts: 1,032
Midwest
We have an internal audit program. We have an audit committee (AC). The audit charter does not give (AC) the authority to "accept risk" for the bank. It says "AC should determine if management’s responses appear adequate; reporting them to the Board."

So here are my questions: When management, for whatever reason, has an audit finding and they state in their answer that management wants to accept this risk, who should give the final OK? Certainly not management; everything would be "we want to accept this risk."

Do you give your AC the authority to accept or approve acceptance of risk, or does that go by the Board? And how would you word it in your AC minutes? Thanks.

Audit
#1669149 - 02/23/12 08:15 PM Re: Who approves accepting risk? biz
AFaquir Offline
Platinum Poster
Joined: Jan 2011
Posts: 763
Top of the world... and never ...
Audit Committee has the responsibility in my opinion... you can take it to the full board, but if AC is done right it can be a "buck stopper."

I would simply word it that open item/finding XYZ issued by federal regulator or auditor has been discussed. The bank management described the risk and AC feels that the risk of XYZ is at a level acceptable to smooth continued operation of the organization.

I would also make sure to develop a REVIEW mechanism for this as risk tolerances and risks themselves change depending on the issue... so make sure that AC circles back every 6 months to review all "accepted risks."

Just my opinion.

Cheers!
_________________________
In life, there is a lot less that could get better and a lot more that could get worse.

MBA Fin/MBS HR

My views only!

#1669161 - 02/23/12 08:27 PM Re: Who approves accepting risk? biz
biz Offline
Diamond Poster
Joined: Nov 2005
Posts: 1,032
Midwest
And here's the rest of the story . . .sorry.

The problem we have is that the AC is more strict than the Board as a whole. So when management doesn't like what AC recommends, like "sorry . . .you may want to accept it, but we don't" they bring it up at Board level. Many times it gets hashed over and the Board overrides AC recommendation.

So AC is wondering how it should be worded so that the Board is actually approving the acceptance of risk, when they accept the AC minutes into their minutes. Does that make sense? They are concerned as individuals that the minutes don't actually spell out where the decisions are really being made.

#1669209 - 02/23/12 09:28 PM Re: Who approves accepting risk? biz
BrendaC Offline
Power Poster
Joined: Sep 2001
Posts: 6,029
Sweet Home AL
I don't feel this is a function of Audit. Audit and compliance identify deficiencies, wave red flags and make recommendations for improvement of controls and corrective actions they feel are needed to effectively mitigate risk.

In a multi-faceted business structure, it might be the business unit owner that would have the authority to accept the risk. Executive management and the board would ultimately be responsible for all such decisions.

There should be a well-defined process for Audit and Compliance to escalate higher risk issues to senior/executive management and/or Audit Committee of the Board.
_________________________
Life without Jesus is like an unsharpened pencil - it has no point.

#1675024 - 03/08/12 05:19 PM Re: Who approves accepting risk? biz
COMPLIcated Offline
Diamond Poster
Joined: Mar 2003
Posts: 1,035
OK
Our audit recommendations have to be responded to by the appropriate member of Sr. Management. They might respond that they are not going to act upon the recommendation, but they have to provide a reason why. This goes to Audit Committee (which includes 4 Directors), so they have to be pretty confident in their responses and reasoning. If Audit Committee doesn't agree they could override it, but usually they are on board with it. Our Audit Committee minutes are presented to the Board but the individual items are not, so there is not an opportunity for any further rebuttal or discussion.

#1675072 - 03/08/12 06:04 PM Re: Who approves accepting risk? biz
rlcarey Online
10K Club
Joined: Jul 2001
Posts: 83,219
Galveston, TX
I assume these recommendations are not actually violations of law and are more in the best practices arena?
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com


Moderator:  Andy_Z