Using Technology to Support ERM: A Case Study
Originally Published: December 31, 2003
Company Background and Risk Goals
Zions Bancorporation is a financial services company that operates six bank charters across the western United States. The diverse, broad services that it offers bring a complicated risk profile. One of management's main questions was what type of technology system would fit the company's needs and facilitate meeting Sarbanes-Oxley Section 404 requirements. Zions came up with three goals for its risk framework:
• Allow Zions to effectively manage risk and cut losses
• Increase shareholder value and customer service
• Meet regulatory requirements
The overarching goal was also to fit this all into one system with a common framework in order to suit management's plans.
Zions enlisted the input of a multitude of internal groups to help develop the requirements the new risk system would need in order to be successful. Since Zions deals with banks, it also worked closely with the Federal Reserve Bank and the U.S. Office of the Comptroller. One of the key groups was the Internal Audit department, which provided feedback on many areas such as functionality, methodology, and user guidelines. After gathering all necessary feedback, the following requirements were established:
• Automated ERM system
• Use of a variety of risk tools
• User-friendly screen designs
• Broad reporting applications for all departments
• Automatic alerts
• Web-based, scalable system
• Data feeds from multiple systems
This list provided a building block for Zions' risk management system. The company enlisted the help of an outside software vendor for development, Providius Software Solutions, Inc.
Zions management studied the COSO Internal Control-Integrated Framework when deciding on how to approach risk management, and it based its own framework on that model. There are four steps to the Zions risk management process:
1. Determine objectives and risks
2. Identify controls and assess their strength
3. Develop actions necessary to eliminate gaps in control
4. Establish accountability and sustainability
The business-line users determine the objectives and identify the risks associated with those objectives. The risk management system calculates the inherent risk score for analysis. This step helps with the evaluation of the company's risk levels. The same business-line users then populate the system with controls and ratings. These controls are either preventive or detective. The risk management system then calculates control and residual risk scores to identify risk exposures.
Management can then use these analyses to demonstrate that the internal controls are effective and should meet the Section 404 requirements. Internal audit still needs to review the controls and provide feedback internally. If any control exposures exist, managers put developed actions into place to close those holes. In order to create greater management involvement, Zions uses its risk system for online certifications and for management approvals on controls and actions. The Zions systems can provide custom reports and graphics to allow the users to quickly identify potential issues.
Zions' Risk Culture
The response to the risk management system has been positive across the company. It effectively allows Zions to manage existing issues and plan for future issues. The company has also found that it allows for better disclosure to its auditors in a more timely manner, as well as providing focus to its Internal Audit department. Zions has been able to combine multiple risk tools into one common system, providing the company a more effective way to manage its risk and increase its customer service.
Companies today need to develop risk management systems that outline future risk issues and provide detailed information. Zions Bancorporation designed a web-based application for facilitating its risk management program. The company used several steps to come up with a solution that it felt would be able to meet all of its needs. Defining the system requirements is a large part of beginning the risk management system framework, followed by determining the approach to tackle risk issues. Zions identified the steps its management needed to take to ensure effective risk management, while also meeting its Sarbanes-Oxley Section 404 requirements. By mapping out the plan for its new risk management system, the company experienced a positive outcome which strengthened its risk culture.