The bank with 100 risk managers: Zions Bancorporation's Strategy for Sarbanes-Oxley, Basel advanced management approach, and more
RMA Journal, The, Nov, 2003 by David Stone
The only thing more confusing than complying with seemingly overlapping regulations is having separate processes and systems directed toward each. The November 2002 issue of The RMA Journal gave readers an inside look at Zions Bancorporation's approach to operational risk. Now we see how Zions is adapting technology to manage risk and meet regulatory requirements.
For many institutions, the magnitude of work involved in complying with Sarbanes-Oxley Sections 302 and 404 is as daunting as the penalties faced for noncompliance. It is a significant challenge to identify all of the areas that affect financial reporting across an enterprise and to document and test controls quickly enough to meet stated deadlines. Compliance with 404 goes beyond mere documentation. A strong risk management culture, control framework, and systems must be in place for effective monitoring and maintenance.
The requirements of Sarbanes-Oxley combined with those of FDICIA, Basel II AMA, Gramm-Leach-Bliley, the USA PATRIOT Act, and other regulation led Zions Bancorporation to step back and consider how best to manage all of our risks. It didn't make sense to pursue separate approaches and systems to comply with each set of regulations:
* Multiple systems would make it much more difficult, if not impossible, to give executives a holistic view of risk across the enterprise.
* Business lines would need to learn multiple approaches and systems.
* Time would be used inefficiently as business lines addressed related, yet distinct, regulatory requirements.
In fact, Federal Reserve Board Governor Susan Bies recently stated that Sarbanes-Oxley, Basel II, and FDICIA are interrelated and should be addressed concurrently. The OCC has taken a similar position.
We knew we could benefit from a single framework and a consistent language across the enterprise to meet both immediate and long-term needs. All efforts would need to be focused on the same goals: to better manage risk, reduce loss, and to ensure exceptional service for our customers and consistent returns for our shareholders.
Requirements
Headquartered in Salt Lake City, Utah, Zions Bancorporation is a $26 billion holding company operating six bank charters and 400 full-service banking offices in the western U.S. Our decentralized structure and business complexity demanded a robust and enduring risk management solution.
In evaluating our options, we discovered that many approaches designed to support Sarbanes-Oxley were simply data capture tools that documented controls and gaps but were severely limited in reporting, action-tracking, and workflow capabilities. In addition, as at many companies across the country, detailed information on our internal processes and controls did not exist in a central data warehouse or document management system. Rather, information existed within a myriad of policies, reports, and systems, as well as in the minds of business managers. Thus, it was critical to engage and empower our managers to identify, document, and assess their risks and controls.
Technology Choices
CEOs and CFOs across the country have been certifying for months that their financial statements are accurate and that their internal controls are effective. But without a transparent and comprehensive view of risks and controls, it is difficult for executives to be fully confident.
Compliance with Sarbanes-Oxley Sections 302 and 404 requires strengthened internal controls across business lines and across locations. With dozens of processes and hundreds of control points affecting transactions, application systems, the general ledger, and financial reporting activities, we simply couldn't do this by adding head count. We needed technology.
It was critical to choose a tool that would be easy to use and would benefit not only executives, board members, controllers, and auditors, but also business lines working to manage risk. We would need robust and flexible reporting, action-tracking capability, automatic alerts, and certification. Our approach would need to be scalable and contain an open architecture to allow feeds from other systems. It must support Basel II AMA guidelines for operational risk and other requirements. And, with the business lines carrying the primary responsibility for profits and shareholder return, our solution needed to be one businesses would embrace, not another tool forced upon them that distracted from their work.
When we evaluated our existing operational risk management solution--RiskResolve from Providus--we found we could quickly adapt the tool to meet the specific requirements under Sarbanes-Oxley. RiskResolve already had 200 users on the system who were assessing risk, tracking loss data, and monitoring key risk indicators (KRIs). Feedback from users was very positive, and many business managers requested the tool to help them meet the new demands of Sarbanes-Oxley. RiskResolve follows an ORCA (objectives, risks, controls, actions) risk assessment framework and evaluates controls based on the COSO elements of people, systems, processes, monitoring, and vendors. It also provides top-down structure with bottom-up assessment of risk and controls.




