Bigger Role for Internal Auditors Would Slash Risk of Big Banks

Recent findings by regulators that living wills for several institutions were "not credible" have once again put the riskiness of the big banks in the spotlight. The continued doubts over ending "too big to fail" should force bank managers to put more faith in underappreciated staff whose primary job is to attack oncoming risk. I'm talking chiefly about internal auditors.

The glory, not to mention bonuses, often goes to other senior executives, traders and investment bankers. It is shortsighted if banks view their risk managers, compliance officers and auditors merely as pesky cost centers, especially in light of the Federal Reserve and Federal Deposit Insurance Corp.'s negative assessments of resolution plans. Empowering internal bank auditors with better-aligned incentives and additional skills can help banks improve corporate governance and adherence to new risk management guidelines and capital regulations.

In the process of complying with several Dodd-Frank Act provisions — including new capital and liquidity standards, stress testing, living wills and the Volcker Rule — not to mention Basel III, auditors are considered the third line of defense behind compliance officers and business line managers. However, what auditors write about their own banks' deficiencies and recommended corrective action is often what bank regulators, not to mention bank examiners, want to see first. If bank examiners detect a problem with the internal audit process, this is a red flag for them to probe deeper into banks' challenges.

Since the 2007-08 financial crises, the Basel Committee has released three very important guidance and principles that are particularly relevant for all internal bank auditors in all facets of their work. I recommend that banks' board of directors memorize each of them. They set the risk management philosophy and processes for the entire organization.

Last summer, the Basel Committee released "Corporate Governance Principles for Banks." The philosophy behind the 13 principles is that effective corporate governance is critical to the proper functioning of the banking sector and the economy as a whole. Among the principles are recommendations for steps the board and senior management should take to create an effective, independent internal audit function. According to the document, auditors are required to provide "independent assurance to the board of directors and senior management on the quality and effectiveness of a bank's internal control, risk management and governance systems and processes, thereby helping the board and senior management protect their organization and its reputation."

A separate Basel publication, meanwhile, is devoted to the internal audit function. It discusses how to assess the effectiveness of a bank's internal audit function. The central message is banks cannot have sound corporate governance without an independent and effective internal audit function. When auditors do their job correctly and if allowed to do so, they are critical in reducing banks' losses and helping minimize reputational damage to the bank.

Finally, boards, senior management and internal auditors should become familiar with the Basel Committee's "Principles for Effective Risk Data Aggregation and Risk Reporting, commonly known as BCBS 239. The Basel Committee released these principles in 2013, because during the financial crisis banks could not quickly and accurately measure their exposures to Bear Stearns, Lehman or AIG. By applying these principles to any regulation or business line they audit, auditors can verify the accuracy, completeness and timeliness of data and the quality of risk and regulatory reporting.

In addition to determining whether data in capital ratios, living wills and the Volcker Rule is reliable, it is essential that internal auditors review management's process for stress testing capital and liquidity levels. Auditors are instrumental in making sure that a bank holding company's internal control framework covers the bank's entire capital planning process. That includes the risk measurement and management systems used to produce input data, the models and other techniques used to generate loss and revenue estimates, the aggregation and reporting framework used to produce reports to management and boards, and the capital adequacy decision-making process.

Auditors should take into account the purpose and frequency of ratio calculations and any type of portfolio or enterprise-wide stress test, evaluate whether scenarios are reasonable, and thoroughly question the assumptions employed in any credit, market, and operational risk models. Additionally, auditors are also responsible for evaluating whether the bank's systems and processes for measuring and monitoring liquidity positions are appropriate, especially in times of economic or market stress.

It is easy for the media and pundits to be too focused on living wills, CCAR and stress tests. The fact that someone passed or failed makes a good headline. Yet improving banks' risk management in the hopes of protecting taxpayers is not about enormous and dense documents, or opaque models. It is still about people. Internal bank auditors are not authorized to speak to the media, so the public will not hear from them. Yet boards and senior managers should elevate auditors to where they belong. If every bank did, we wouldn't be reading their regulatory challenges and failures as often as we do.

Mayra Rodríguez Valladares is managing principal at MRV Associates, a New York-based capital markets and financial regulatory consulting and training firm.