The bank with 100 risk managers: Zions Bancorporation's Strategy for Sarbanes-Oxley, Basel advanced management approach, and more
David Stone
The only thing more confusing than complying with seemingly overlapping regulations is having separate processes and systems directed toward each. The November 2002 issue of The RMA Journal gave readers an inside look at Zions Bancorporation's approach to operational risk. Now we see how Zions is adapting technology to manage risk and meet regulatory requirements.
For many institutions, the magnitude of work involved in complying with Sarbanes-Oxley Sections 302 and 404 is as daunting as the penalties faced for noncompliance. It is a significant challenge to identify all of the areas that affect financial reporting across an enterprise and to document and test controls quickly enough to meet stated deadlines. Compliance with 404 goes beyond mere documentation. A strong risk management culture, control framework, and systems must be in place for effective monitoring and maintenance.
The requirements of Sarbanes-Oxley combined with those of FDICIA, Basel II AMA, Gramm-Leach-Bliley, the USA PATRIOT Act, and other regulations led Zions Bancorporation to step back and consider how best to manage all of our risks. It didn't make sense to pursue separate approaches and systems to comply with each set of regulations:
* Multiple systems would make it much more difficult, if not impossible, to give executives a holistic view of risk across the enterprise.
* Business lines would need to learn multiple approaches and systems.
* Time would be used inefficiently as business lines addressed related, yet distinct, regulatory requirements.
In fact, Federal Reserve Board Governor Susan Bies recently stated that Sarbanes-Oxley, Basel II, and FDICIA are interrelated and should be addressed concurrently. The OCC has taken a similar position.
We knew we could benefit from a single framework and a consistent language across the enterprise to meet both immediate and long-term needs. All efforts would need to be focused on the same goals: to better manage risk, reduce loss, and to ensure exceptional service for our customers and consistent returns for our shareholders.
Requirements
Headquartered in Salt Lake City, Utah, Zions Bancorporation is a $26 billion holding company operating six bank charters and 400 full-service banking offices in the western U.S. Our decentralized structure and business complexity demanded a robust and enduring risk management solution.
In evaluating our options, we discovered that many approaches designed to support Sarbanes-Oxley were simply data capture tools that documented controls and gaps but were severely limited in reporting, action-tracking, and workflow capabilities. In addition, like many companies across the country, we did not have detailed information on our internal processes and controls in a central data warehouse or document management system. Rather, that information existed within a myriad of policies, reports, and systems, as well as in the minds of business managers. Thus, it was critical to engage and empower our managers to identify, document, and assess their risks and controls.
Technology Choices
CEOs and CFOs across the country have been certifying for months that their financial statements are accurate and that their internal controls are effective. But without a transparent and comprehensive view of risks and controls, it is difficult for executives to be fully confident.
Compliance with Sarbanes-Oxley Sections 302 and 404 requires strengthened internal controls across business lines and across locations. With dozens of processes and hundreds of control points affecting transactions, application systems, the general ledger, and financial reporting activities, we simply couldn't do this by adding head count. We needed technology.
It was critical to choose a tool that would be easy to use and would benefit not only executives, board members, controllers, and auditors, but also business lines working to manage risk. We would need robust and flexible reporting, action-tracking capability, automatic alerts, and certification. Our approach would need to be scalable and contain an open architecture to allow feeds from other systems. It must support Basel II AMA guidelines for operational risk and other requirements. And, with the business lines carrying the primary responsibility for profits and shareholder return, our solution needed to be one businesses would embrace, not another tool forced upon them that distracted from their work.
When we evaluated our existing operational risk management solution--RiskResolve from Providus--we found we could quickly adapt the tool to meet the specific requirements under Sarbanes-Oxley. RiskResolve already had 200 users on the system who were assessing risk, tracking loss data, and monitoring key risk indicators (KRIs). Feedback from users was very positive, and many business managers requested the tool to help them meet the new demands of Sarbanes-Oxley. RiskResolve follows an ORCA (objectives, risks, controls, actions) risk assessment framework and evaluates controls based on the COSO elements of people, systems, processes, monitoring, and vendors. It also provides top-down structure with bottom-up assessment of risk and controls.
404 Rollout
Zions' CFO directs the Sarbanes-Oxley efforts, which formally began in the spring of 2003. The Zions Operational Risk Group is the lead department on the project and is closely supported by Zions' controller and internal audit director. Zions engaged Big Four accounting firms to provide guidance on project scope, planning, and documentation.
Our first tasks included defining our parameters:
* Project scope--determining which business units/processes impact financial reporting.
* Financial line items--determining balance sheet and income statement values for scope areas and the key accounts that roll into those line items.
* Accounting policies/disclosures--determining the policies, disclosures, and annual report footnotes associated with scope areas.
* Key systems--identifying core IT and other automated systems as well as the changes/upgrades being planned.
* Project team--determining team members and corporate versus business line responsibilities.
We modified RiskResolve's settings to include 404 drop-down selections on the Objectives, Risk, and Control tabs. For example, on the Risk tab we added risk categories and subcategories that covered financial assertions (completeness, accuracy, valuation, authorization, etc.), financial disclosures, and accounting policies. We also added a drop-down selection for financial line items.
The project team used a top-down approach to identify business objectives, process flows, and risk and control points. The team documented and attached Microsoft Visio® flow charts and narratives into the system, noting process inputs, outputs, and handoffs and how data is posted and reconciled to the general ledger (see Figure 1). This approach has proven effective in helping to predefine the controls required at the business level and has encouraged managers to think about the design of their controls and consider ways to strengthen and improve them.
[FIGURE 1 OMITTED]
A comprehensive approach should address risk management, accounting, and business process concerns to ensure that issues are identified, addressed, and resolved. We began deployment in our treasury group and expanded to our controller, credit, branch network, operations, and IT areas. Using a single system has allowed us to speed deployment across departments, and we are on schedule to complete all 404 areas by year-end.
Control Documentation and Online Certification
Once risks and processes were defined, business managers entered various details into the system, including:
* Control lists and descriptions.
* Control tags indicating "preventive," "detective," and/or "significant" controls.
* Management tests to demonstrate the design and operating effectiveness of significant controls.
* Management test results.
* Control scores for all relevant control areas.
* Measures, reports, or other attachments to substantiate control ratings.
* Action items to resolve control gaps.
* Specific individuals responsible for actions.
The system helps us to ensure accountability and to speed resolution of issues by actively monitoring progress on action items, providing automated alerts on risk exposures, and escalating issues.
Managers are required to review and approve risks, controls, and actions using an online sign-off before they are accepted into the system (see Figure 2). This generates higher levels of data integrity and guarantees greater management oversight as well as a level of certification beyond the requirements of Sarbanes-Oxley Section 302. With this approach, we also have a consistent, standardized method to capture all business processes impacting our financials and the confidence that business management has reviewed and signed off on them.
[FIGURE 2 OMITTED]
Analyzing Risks and Controls
RiskResolve provides a customized snapshot of a manager's:
* Risk exposure.
* New or modified risks, controls, and actions that need approval.
* Action items coming due and overdue.
This snapshot and other reports help executives, business lines, and assurance groups to quickly discern where issues are occurring and give them actionable information to research and resolve problems. Zions' managers use the system to analyze residual risk by category, business process, control type, and financial line item and to roll up and compare financial reporting exposures across the organization.
User-friendly reports with detailed graphics and drill-down capability can be individually customized, saved, and automatically updated with current data. For example, an executive may want to see the top 10 financial reporting issues for the company, or an auditor may want to see a list of system controls that impact the loan loss provision. Figure 3 is an example of the Top Ten Report; a Control Detail Report is also used.
[FIGURE 3 OMITTED]
The Role of Internal Audit
From the start, Internal Audit has played an instrumental role in operational risk and Sarbanes-Oxley deployment. The system is used to validate business risk assessments and to ensure that risks, controls, and actions have been properly identified and rated. Internal audit teams have access to the system and receive alerts on new risks, changing risk levels, and action item status.
Zions now has a common framework to discuss risks across departments and to provide greater disclosure to assurance groups earlier in the process. This allows us to uncover issues faster and minimize surprises. Over time, the system will have a greater influence on the Audit Plan, helping to drive Internal Audit's areas of focus.
Stronger Risk Culture
Last winter, Zions had more than 100 users on RiskResolve; by the end of this year, we should have more than 300 throughout the bank. One unit has already cut its losses in half. Using one tool for multiple risk management and compliance purposes also has substantially reduced training time, enabling Zions' managers to stay focused on their business and their customers.
Adopting one tool and approach for Sarbanes-Oxley and operational risk has significantly minimized our resource investment in terms of cost, time, and confusion. We found it valuable to invest in a system that not only drives results today, but will be supported in years to come. Managing risk well leads to competitive strength, which is vital to an institution's success. Zions' efforts have allowed us to become the bank with 100 risk managers.
Stone can be reached by e-mail at dstone@zionsbank.com.
© 2003 by RMA. David Stone is senior vice president of Risk Management at Zions Bancorporation and a member of RMA's Operational Risk Council.
COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group