The bank with 100 risk managers: Zions Bancorporation's Strategy for Sarbanes-Oxley, Basel advanced management approach, and more

RMA Journal, The, Nov, 2003 by David Stone

404 Rollout

Zions' CFO directs the Sarbanes-Oxley efforts, which formally began in the spring of 2003. The Zions Operational Risk Group is the lead department on the project and is closely supported by Zions' controller and internal audit director. Zions engaged Big Four accounting firms to provide guidance on project scope, planning, and documentation.

Our first tasks included defining our parameters:

* Project scope--determining which business units/processes impact financial reporting.

* Financial line items--determining balance sheet and income statement values for scope areas and the key accounts that roll into those line items.

* Accounting policies/disclosures--determining the policies, disclosures, and annual report footnotes associated with scope areas.

* Key systems--identifying core IT and other automated systems as well as the changes/upgrades being planned.

* Project team--determining team members and corporate versus business line responsibilities.

We modified RiskResolve's settings to include 404 drop-down selections on the Objectives, Risk, and Control tabs. For example, on the Risk tab we added risk categories and subcategories that covered financial assertions (completeness, accuracy, valuation, authorization, etc.), financial disclosures, and accounting policies. We also added a drop-down selection for financial line items.

The project team used a top-down approach to identify business objectives, process flows, and risk and control points. The team documented and attached Microsoft Visio[R] flow charts and narratives into the system, noting process inputs, outputs, and handoffs and how data is posted and reconciled to the general ledger (see Figure 1). This approach has proven effective in helping to predefine the controls required at the business level and has encouraged managers to think about the design of their controls and consider ways to strengthen and improve them.

[FIGURE 1 OMITTED]

A comprehensive approach should address risk management, accounting, and business process concerns to ensure that issues are identified, addressed, and resolved. We began deployment in our treasury group and expanded to our controller, credit, branch network, operations, and IT areas. Using a single system has allowed us to speed deployment across departments, and we are on schedule to complete all 404 areas by year-end.

Control Documentation and Online Certification

Once risks and processes were defined, business managers entered various details into the system, including:

* Control lists and descriptions.

* Control tags indicating "preventive," "detective," and/or "significant" controls.

* Management tests to demonstrate the design and operating effectiveness of significant controls.

* Management test results.

* Control scores for all relevant control areas.

* Measures, reports, or other attachments to substantiate control ratings.

* Action items to resolve control gaps.

* Specific individuals responsible for actions.

The system helps us to ensure accountability and to speed resolution of issues by actively monitoring progress on action items, providing automated alerts on risk exposures, and escalating issues.