
CECL implementation: So, you've developed reasonable and supportable forecasts — now what?

02.14.17

When last we blogged about the Financial Accounting Standards Board’s (FASB) new “current expected credit losses” (CECL) model for estimating an allowance for loan and lease losses (ALLL), we reviewed the process for developing reasonable and supportable forecasts for use in establishing the ALLL. Once you develop those forecasts, how does that information translate into amounts to set aside for loan losses?

A portion of the ALLL will continue to be based on specifically identified loans you’re concerned about. For those loans, you will continue to establish a specific component of the ALLL based on your estimate of the loss ultimately expected on the loans.

The tricky part, of course, is estimating an ALLL for the other 99% of the loan portfolio. This is where the forecasts come in. The new rules do not prescribe a particular methodology, and banking regulators have indicated community banks will likely be able to continue with their current approach, adjusted to use appropriate inputs in a manner that complies with the CECL model. One of the biggest challenges is the expectation in CECL that the ALLL will be estimated using the institution’s historical information, to the extent available and relevant.

Following is just one of many ways you can approach it. I’ve also included a link at the end of this article to an example illustrating this approach.

Step One: Historical Loss Factors

  a. For a given subset of the loan portfolio (e.g., the residential loan pool), you might first break down the portfolio by the number of years remaining until expected payoff (via maturity or refinancing). This is important because, on average, a loan with seven years remaining until expected payoff will have a higher level of remaining lifetime losses than a loan with one year remaining. It therefore generally wouldn’t be appropriate to use the same loss factor for both loans.

  b. Next, decide on a set of drivers that tend to correlate with loan losses over time. FASB has indicated it doesn’t expect highly mathematical correlation models will be necessary, especially for community banks. Instead, select factors in your bank’s experience indicative of future losses. These may include:
    • External factors, such as GDP growth, unemployment rates, and housing prices
    • Internal factors such as delinquency rates, classified asset ratios, and the percentage of loans in the portfolio for which certain policy exceptions (e.g., loan-to-value ratio or minimum credit score) were granted

  c. Once you select this set of drivers, find an historical loss period — a period of years corresponding to the estimated remaining life of the portfolio in question — where the historical drivers best approximate those you’re expecting in the future, based on your forecasts.

  d. For that historical loss period, determine the lifetime remaining loss rates of the loans outstanding at the beginning of that period, broken down by the number of years remaining until payoff. (This may require significant data mining, especially if that historical loss period was quite a few years ago.)

  e. Apply those loss rates to the breakdown derived in (a) above, by years remaining until maturity.

Step Two: Adjustments to Historical Loss Rates

The CECL model requires we adjust historical loss factors for conditions that may not be adequately captured by the historical loss period analysis we’ve just described. Let’s say a particular geographical subset of your market area is significantly affected by the economic fortunes of a large employer in that area. Based on economic trends or recent developments, you might expect that employer to have a particularly bright – or dim – future over the forecast period; accordingly, you forecast loans to borrowers in that area will have losses that differ significantly from the rest of the portfolio.

The approach for these loans is the same as in the previous step. However:

  • In substep (c), you would focus on forecasted conditions (such as unemployment rate and changes in real estate values) in the geographical area in which the significant employer is located.
  • You would then select an historical loss period that had actual conditions for that area that best correspond to those you’ve just forecasted.
  • In substep (d), you would determine the lifetime remaining loss rates of loans outstanding at the beginning of that period.
  • In substep (e), you would apply those rates to loans in that geographic area.

These loans would be segregated from the remainder of the portfolio, which would be subject to the general approach in step one. As you think through this approach, there are myriad variations and many decisions to make, such as:

  • How to break down the portfolio
  • Which conditions to analyze
  • How to analyze the conditions for correlation with historical loss periods
  • Which resulting loss factors to apply to which loans

Our intent in describing this methodology is to help your CECL implementation team start the dialogue in terms of converting theoretical concepts in the CECL model to actual loans and historical experience.

To facilitate that discussion, we’ve included a very simple example here that illustrates the steps described above. Analyzing an entire loan portfolio under the CECL model is an exponentially more complex process, but the concepts are the same — forecasting future conditions, and establishing an ALLL based on the bank’s (or, when necessary, peers’) lifetime loan loss experience under similar historical conditions.

Given the amount of number crunching and analysis necessary, and the potentially significant increase in the ALLL that may result from a lifetime-of-loan loss model, it’s safe to say the time to start is now! If you have any questions about CECL implementation, please contact Tracy Harding or Rob Smalley.

Other resources
For more information on CECL, check out our other blogs:

CECL: Where to Start
CECL: Bank and Branch Acquisitions
CECL: Reasonable and Supportable

To sign up to receive notification of our next CECL update, click here.


On June 16th the FASB issued the final standard for credit losses. We’ve analyzed the new standard and pulled together some key items you’ll need to know:

It looks like you should be able to implement CECL without purchasing expensive third-party models, if your institution is able to get adequate historical data from your core system and has the personnel available to crunch the numbers. Following is one approach that should pass muster with regulators (and, hopefully, the PCAOB):

  1. Determine loans for which specific reserves are appropriate, much as you are currently doing. The notion of “impaired” loans goes away; a loan should be evaluated specifically if the institution becomes aware of loan-specific information indicating it has an exposure to loss that differs from other loans it would otherwise be pooled with. In practice, we think that’ll be largely the same loans that are currently being identified as impaired.
  2. For the rest of the portfolio: Group loans by common characteristics – same as you’re doing now.
    1. For each group, create subgroups for each origination year. It looks like current year and previous four years are the critical ones to focus on; anything older than five years could probably be lumped together.
    2. For each subgroup, establish economic and other relevant conditions for the average term of loans in the subgroup. This includes actual conditions from year of origination to the present, forecasted conditions for the near future, and long-term historical conditions for the remaining average loan term.
      • Select an historical loss period that best approximates the conditions established in (b) above.
      • Determine average lifetime chargeoffs for that historical loss period for each loan type.
      • Adjust that average for any current or expected conditions that you believe are different from this historical data. Such adjustments should be based on the institution’s chargeoff experience when similar conditions occurred in the past. An example might be an actual or expected decline in real estate values that you believe is more pronounced than in the historical loss period chosen.

While not specifically mentioned in the guidance, we believe a modest unallocated allowance is still supportable, especially since imprecision is certainly higher when factoring in expected losses in addition to incurred losses.

Other points that caught our eye:

  1. The guidance applies to purchased loans with credit deterioration, as well as originated loans. That will create more comparability in terms of the allowance as a % of loans for institutions that have done acquisitions vs. those who haven’t. An interesting twist, though – for acquired loans that have experienced a more-than-insignificant deterioration in credit quality since origination, the allowance established is simply an adjustment to (ultimately) the premium or discount, while for other loans acquired in the transaction, an allowance is established with an offset to loan loss expense at acquisition.
  2. The guidance applies to held-to-maturity debt securities, and there’s specific guidance that affects the accounting for available-for-sale debt securities as well. These will likely only come into play for institutions with private-label mortgage-backed securities and/or corporate bonds. However, some of the CECL disclosure requirements apply to securities as well; in particular, the one that caught our eye was the requirement in ASC 326-20-50-5 to disclose credit quality indicators (e.g., S&P ratings) for securities as well as loans.
  3. Surprisingly, you continue to assume no change in future interest rates for purposes of establishing expected credit losses for specific variable rate loans. We think FASB may have missed the boat on this one, as resetting ARMs were one of the factors that led to the 2008 crisis that CECL is intended to be responsive to.
  4. There will obviously be much, much more dialogue about these new rules, and we’ll need to begin the process of helping you understand them and prepare for implementation sooner rather than later.

Please call us if you have any questions.

Article
Current Expected Credit Loss (CECL) final standard: Update

The Ramifications of Fraud and How You Can Prevent it

Welcome to part two of our article on nonprofit fraud. If you missed our first installment, you can read it here.

You’ve just become aware of a fraud that has occurred at a nonprofit in your community. As someone who cares about the community and the nonprofit sector, you start to wonder, “What is going to happen to that organization?”

While the ramifications can differ in each case, they probably will include some, if not all, of the following:

  • The board and management will want to understand how the fraud happened, and what management is doing to prevent it from ever happening again.
  • The community is going to look to the board for answers, and wonder why the organization didn’t have controls in place to prevent the fraud.
  • Management will be expected to explain to the board where the breakdown in controls occurred that allowed the employee to steal from the organization.
  • The board knows it has a fiduciary duty to oversee the organization and its internal controls and assets. They aren’t sure what they should have done differently, given that they’re volunteers doing this community service in addition to their “day jobs.”
  • The board and management will want to reach out to donors to assure them that their contributions to the organization are going to be recovered if possible, and that controls are being improved to help safeguard future gifts.

This organization could potentially lose major donors if they believe there are not enough controls in place to ensure their dollars are being spent according to their wishes. If enough donors are negatively affected by this event and choose not to support the organization, its very survival may be at stake, thus impacting those in the community the entity serves.

Management will now have to divert time and other resources not only to implement stronger internal controls to help ensure this does not happen again, but also to reassure the board and the public that the organization is well protected to prevent future fraud.

Fraud can be extremely costly to an organization, not only financially (the stolen funds are often never recovered) but also through the loss of its reputation as a trusted charity. This can be even more devastating. The organization may never recover in the public’s eye, risking its relationships not only with long-time donors but also with new and future donors.

What can you do?

So, what can you do to help prevent fraud from recurring, or to detect it quickly if it does? Here is a simple, yet effective three-step process:

  1. Consider the risks of fraud and determine where it is more likely to occur.
  2. Look closely at the internal controls the organization currently has in place and determine whether they address these risks sufficiently.
  3. Identify gaps where controls are inadequate, and identify controls to be put in place where they are most needed.

Organizations can also consult their auditors to seek advice and guidance on how to implement these very important internal controls. It may be prudent to review previous audits to see if auditors have brought risks to management’s and the board’s attention, and if they provided recommendations on how to improve their current control structure.

The silver lining? The board and management now have a keener sense of the risks of fraud in the nonprofit environment, which should contribute to an engaged dialogue among the board, management and the auditors about how to develop and implement cost-effective controls that protect the organization’s assets.

As part of the audit, the auditors may point out one or more shortcomings in controls that they believe constitute a “material weakness.” While that may sound ominous, it merely means (in auditing jargon) a situation involving a reasonable possibility of a material misstatement of the financial statements. Auditors tend to set the bar low when it comes to classifying deficiencies that create fraud risks as material weaknesses, for the simple fact that users of the financial statements (donors, lenders, other funders) tend to have a lower materiality threshold with respect to misstatements caused by theft.

It is also important to remember that control deficiencies noted in previous audits that may not have been considered material weaknesses in the past may be considered that way today, as expectations of management’s actions regarding fraud prevention and detection go up every time a nonprofit fraud incident hits the media.

Every organization that has more than one person (including board members) associated with it has the opportunity to segregate incompatible duties at some level to help protect assets. At times, organizations don’t have such segregation in place, but instead have implemented compensating controls, such as detailed review of monthly financial statements by the appropriate level of management and/or the board. If this is the case, the organization should ask itself the following questions in order to avoid over-relying on this compensating control:

  • How does this compensating control work? Who reviews the financials, what is their experience level, and how do they document their review to confirm that it’s being done?
  • How often do you question expenditures, and are these questions and their answers evaluated and documented? It is important to remember here that a fraudster would be working hard to escape detection by this compensating control.
  • If the compensating control is a detailed review compared to budget:
    • Who is involved in building the budget?
    • What are the controls that would protect against a fraudster building their theft into budgeted expense line items?

Take a proactive fraud risk assessment and response like the one described here to give you reasonable comfort that proper controls are in place to prevent and/or detect fraud. This isn’t about being paranoid – it’s simply a matter of prudently carrying out your fiduciary and management responsibilities to protect the organization you feel so strongly about.

Remember, the one characteristic that every financial theft in history shares—someone was trusted at some point.

Article
The ramifications of fraud and how you can prevent it

It’s Monday morning. You grab a cup of coffee and flip on the local morning news before you get ready for work. The lead story catches your attention: “Local Accounts Payable Manager Steals Thousands.” Based on your experience as a board member of a nonprofit organization and the prior fraud you’ve heard about in the community, three things come into your mind:

  1. The fraud involves either a nonprofit organization or local government.
  2. The Board will come out and say how shocked they are – Fred has been here forever, and we trusted him!
  3. The Board will state they have now put in place proper controls to ensure this will never happen again.

And you may be close to the mark. Nonprofits and governmental organizations often have a higher risk of fraudulent behavior and theft due to their limited resources and ability to implement strict fraud prevention controls. What makes these organizations so susceptible?

  • They frequently run on tight or breakeven budgets, which means they have difficulty hiring enough people to implement strict internal controls.
  • They often have a salary structure that is lower than that of for-profit companies, creating incentive for employees to commit theft in order to make ends meet.
  • They are sometimes targeted by unscrupulous individuals who know that they likely lack the resources available to stop them.

In addition, nonprofits often seek to hire people who believe in the mission. While this can lead to tireless, dedicated employees, certain side effects of this approach may come into play and increase the risk of theft. For example:

  • The passion for, and shared commitment to, the mission at many nonprofits give rise to a culture of trust. This culture of trust may cause the organization to be less likely to implement checks and balances critical to sound internal controls.
  • New employees are sometimes drawn to a specific nonprofit organization because they have experienced some of the challenges which the organization was formed to address. Working for the organization may help them in some ways, but it may also create more financial strain for them or family members, increasing the chances of them committing illegal acts.

There are three elements that must be present for fraud to occur. These are the three sides of what is collectively called the fraud triangle: opportunity, incentive, and rationalization.

  • Opportunity: an employee working at a nonprofit may have opportunity if they are a trusted employee and resources are limited, causing the internal controls to be less robust than they should be.
  • Incentive: the incentive is in place when an employee, as mentioned above, has unexpected events happen in their life that may pressure them into committing fraud.
  • Rationalization: the employee rationalizes that they need the money for their family to survive. This often starts as “I’ll just borrow the money until payday.” Unfortunately, payday arrives and the funds aren’t available to be repaid; in fact, they need to “borrow” just a little more.

Let’s be clear, though – many nonprofits, regardless of size, have appropriately designed and implemented controls that properly protect the organization from the risks of fraud.

Soon we’ll look further at the ramifications frauds can have for nonprofits and how any organization, even a small nonprofit, can put certain internal controls in place to reduce the chances it will be the next organization in the headline story of the morning news.

Article
Fraud – why it can happen to you and what to know when it does

I have to say, accountants have really been taking some uncalled-for heat for causing the 2008 financial crisis. I understand the need to identify scapegoats, but when people hire mortgage brokers to originate bad loans, sell interests in those bad loans to investors, and insure it all through AIG, is it really the accountants’ fault when those loans go bad? And if the federal bank examiners missed the fact that Fannie Mae and Freddie Mac were engaged in such shenanigans, what hope do we have of being able to adequately apprise investors of such details via financial statement disclosures?

Undaunted, FASB has taken a shot at developing new requirements for banks to report information in their financial statement footnotes about their exposure to liquidity and interest rate risk. I understand the pressure FASB is under, I really do. There’s something called the Group of Twenty, consisting of the top finance officials from the 20 largest industrialized countries, that’s been pressuring FASB to improve accounting rules in a manner that will somehow prevent future financial meltdowns. To me, the Group of Twenty sounds uncomfortably similar to the Gang of Four, which ran China with an iron fist back in the Sixties and Seventies, so, if I were FASB, this group would make me nervous, too.

On the surface, it seems reasonable to expect that more information about liquidity and interest rate risk experienced by banks would be a good thing, as these are probably the two risks you hear about most when banks fail. Dig deeper, though, and two points about these new proposed disclosures become apparent:

  1. Most of this information is already available to users, through SEC and bank regulatory filings.
  2. To the extent it isn’t, that’s because no one uses the information, not even management of the banks!

It would be interesting to look back at some of the banks that failed during the recent recession, identify which of the proposed disclosures weren’t already available to investors and regulators, and decide whether anyone would have reacted differently if they were. Or was it simply the case that bad business decisions were made, and, when that happens, companies go under? And when recessions hit, sometimes banks fail?

I remember a TV interview during the height of the 2008 crisis, in which the focus was on blaming stock analysts (they hadn’t gotten around to accountants yet). The interviewer asked, “How many stock analysts do we have to hang on Wall Street before they all get the message?” The expert he was interviewing said, “Probably just one.” I’m guessing that holds true for accountants, too. There are already rules in place to disclose significant risks, concentrations, obligations of the institution, and the like. If Lehman Brothers and AIG don’t follow them, appropriate sanctions (I’m not advocating hanging, mind you) should follow; we can pass more rules, but if they didn’t comply with the existing rules, what makes us think they’ll follow the new ones?

If you have questions, please reach out to Tyler Butler or Tracy Harding.

Article
The silver bullet for future financial crises–More footnotes!

Do you know what would happen to your company if your CEO suddenly had to resign immediately for personal reasons? Or got seriously ill? Or worse, died? These scenarios, while rare, do happen, and many companies are not prepared. In fact, 45% of US companies do not have a contingency plan for CEO succession, according to a 2020 Harvard Business Review study.  

Do you have a plan for CEO succession? As a business owner, you may have an exit strategy in place for your company, but do you have a plan to bridge the leadership gap for you and each member of your leadership team? Does the plan include the kind of crises listed above? What would you do if your next-in-line left suddenly? 

Whether yours is a family-owned business, a company of equity partners, or a private company with a governing body, here are things to consider when you’re faced with a situation where your CEO has abruptly departed or has decided to step down.  

1. Get a plan in place. First, assess the situation and figure out your priorities. If there is already a plan for these types of circumstances, evaluate how much of it is applicable to this particular circumstance. For example, if the plan is for the stepping down or announced retirement of your CEO, but some other catastrophic event occurs, you may need to adjust key components and focus on immediate messaging rather than future positioning. If there is no plan, assign a small team to create one immediately. 

Make sure management, team leaders, and employees are aware and informed of your progress; this will help keep you organized and streamline communications. Management needs to take the lead and select a point person to document the process. Management also needs to take the lead in demeanor. Model your actions so employees can see the situation is being handled with care. Once a strategy is identified based on your priorities, draft a plan that includes what happens now, in the immediate future, and beyond. Include timetables so people know when decisions will be made.  

2. Communicate clearly, and often. In times of uncertainty, your employees will need as much specific information as you can give them. Knowing when they will hear from you, even if it is “we have nothing new to report” builds trust and keeps them vested and involved. By letting them know what your plan is, when they’ll receive another update, what to tell clients, and even what specifics you can give them (e.g., who will take over which CEO responsibility and for how long), you make them feel that they are important stakeholders, and not just bystanders. Stakeholders are more likely to be strong supporters during and after any transition that needs to take place. 

3. Pull in professional help. Depending on your resources, we recommend bringing in a professional to help you handle the situation at hand. At the very least, call in an objective opinion. You’ll need someone who can help you make decisions when emotions are running high. Bringing someone on board that can help you decipher what you have to work with and what your legal and other obligations may be, help rally your team, deal with the media, and manage emotions can be invaluable during a challenging time. Even if it’s temporary. 

4. Develop a timeline. Figure out how much time you have for the transition. For example, if your CEO is ill and will be stepping down in six months, you have time to update any existing exit strategy or succession plan you have in place. Things to include in the timeline: 

  • Who is taking over what responsibilities? 
  • How and what will be communicated to your company and stakeholders? 
  • How and what will be communicated to the market? 
  • How will you bring in the CEO's replacement, while helping the current CEO transition out of the organization? 

If you are in a crisis situation (e.g., your CEO has been suddenly forced out or asked to leave without a public explanation), you won’t have the luxury of time.  

Find out what other arrangements have been made in the past and update them as needed. Work with your PR firm to help with your change management and do the right things for all involved to salvage the company’s reputation. When handled correctly, crises don’t have to have a lasting negative impact on your business.   

5. Manage change effectively. When you’re under the gun to quickly make significant changes at the top, you need to understand how the changes may affect various parts of your company. While instinct may tell you to focus externally, don’t neglect your employees. Be as transparent as you possibly can be, present an action plan, ask for support, and get them involved in keeping the environment positive. Whether you bring in professionals or not, make sure you allow for questions, feedback, and even discord if challenging information is being revealed.  

6. Handle the media. Crisis rule #1 is making it clear who can, and who cannot, speak to the media. Assign a point person for all external inquiries and instruct employees to refer all reporter requests for comment to that point person. You absolutely do not want employees leaking sensitive information to the media. 
 
With your employees on board with the change management action plan, you can now focus on external communications and how you will present what is happening to the media. This is not completely under your control. Technology and social media changed the game in terms of speed and access to information to the public and transparency when it comes to corporate leadership. Present a message to the media quickly that coincides with your values as a company. If you are dealing with a scandal where public trust is involved and your CEO is stepping down, handling this effectively will take tact and most likely a team of professionals to help. 

Exit strategies are planning tools. Uncontrollable events occur and we don’t always get to follow our plan as we would have liked. Your organization can still be prepared and know what to do in an emergency situation or sudden crisis.  Executives move out of their roles every day, but how companies respond to these changes is reflective of the strategy in place to handle unexpected situations. Be as prepared as possible. Own your challenges. Stay accountable. 

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Crisis averted: Why you need a CEO succession plan today

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they a right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model, and those questions form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including management, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.
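The four steps above (run the model, find where each domain measures up, cost the gaps, build a POA&M) and the later advice to re-run the model and track results year over year can be expressed as a small scoring routine. The following is an added example, not code from BerryDunn or from the Department of Energy's C2M2 toolkit. It assumes the four-point practice rating scale C2M2 v2 uses (Not / Partially / Largely / Fully implemented) and the cumulative rule that a Maturity Indicator Level (MIL) is achieved only when every practice at that level and all lower levels is Largely or Fully implemented; the domain and practice catalogue, identifiers, and sample scores are constructed for illustration.

```python
"""Toy C2M2-style maturity assessment: score practices, derive the achieved
Maturity Indicator Level (MIL) per domain, list the gaps to a target MIL as
Plan of Action and Milestones (POA&M) input, and compare two assessment runs.

Assumptions, not taken from the article: practices are rated on the four-point
scale C2M2 v2 uses (Not / Partially / Largely / Fully implemented), and a MIL
counts as achieved only when every practice at that MIL and at every lower MIL
is Largely or Fully implemented. The domain and practice catalogue below is a
constructed, abbreviated stand-in for the real model's content.
"""
from dataclasses import dataclass
from enum import IntEnum


class Impl(IntEnum):
    """Implementation rating for one practice (ordered, so >= comparisons work)."""
    NOT = 0
    PARTIALLY = 1
    LARGELY = 2
    FULLY = 3


@dataclass(frozen=True)
class Practice:
    pid: str      # practice identifier (constructed)
    domain: str   # C2M2-style domain name (constructed subset)
    mil: int      # Maturity Indicator Level the practice belongs to (1-3)
    text: str     # short description


MAX_MIL = 3
ACHIEVED = Impl.LARGELY  # assumed threshold: Largely or Fully counts toward a MIL

# Constructed catalogue: three domains, one practice per MIL each.
PRACTICES = [
    Practice("RISK-1a", "Risk Management", 1, "Cyber risks are identified"),
    Practice("RISK-2a", "Risk Management", 2, "Risk management strategy is documented"),
    Practice("RISK-3a", "Risk Management", 3, "Risk analysis follows defined criteria"),
    Practice("ACCESS-1a", "Access Control", 1, "Identities are provisioned for personnel"),
    Practice("ACCESS-2a", "Access Control", 2, "Access is granted on least privilege"),
    Practice("ACCESS-3a", "Access Control", 3, "Access rights are reviewed periodically"),
    Practice("RESPONSE-1a", "Incident Response", 1, "Events are detected and reported"),
    Practice("RESPONSE-2a", "Incident Response", 2, "Incident response plan is documented"),
    Practice("RESPONSE-3a", "Incident Response", 3, "Response plan is exercised"),
]


def achieved_mil(domain, scores):
    """Highest MIL whose practices (and all lower MILs') are rated >= ACHIEVED.
    Unscored practices count as NOT implemented."""
    level = 0
    for mil in range(1, MAX_MIL + 1):
        at_level = [p for p in PRACTICES if p.domain == domain and p.mil == mil]
        if all(scores.get(p.pid, Impl.NOT) >= ACHIEVED for p in at_level):
            level = mil
        else:
            break  # cumulative: a gap at this level caps the domain here
    return level


def assess(scores):
    """Run the model: achieved MIL for every domain, as {domain: mil}."""
    return {d: achieved_mil(d, scores) for d in sorted({p.domain for p in PRACTICES})}


def gaps(scores, targets):
    """Practices that block each domain from its target MIL, ordered by domain
    then MIL, which is the natural milestone order for a POA&M."""
    return [
        p for p in sorted(PRACTICES, key=lambda p: (p.domain, p.mil, p.pid))
        if p.mil <= targets.get(p.domain, 0) and scores.get(p.pid, Impl.NOT) < ACHIEVED
    ]


def progress(before, after):
    """Change in achieved MIL per domain between two assessment runs."""
    return {d: after[d] - before[d] for d in before}


# Constructed sample data: a first assessment, the target profile, and a re-run
# after the POA&M items for Risk Management and Incident Response were worked.
YEAR1 = {
    "RISK-1a": Impl.FULLY, "RISK-2a": Impl.PARTIALLY,
    "ACCESS-1a": Impl.FULLY, "ACCESS-2a": Impl.LARGELY,
    "RESPONSE-1a": Impl.PARTIALLY,
}
TARGETS = {"Risk Management": 2, "Access Control": 2, "Incident Response": 2}
YEAR2 = {**YEAR1, "RISK-2a": Impl.FULLY, "RESPONSE-1a": Impl.FULLY,
         "RESPONSE-2a": Impl.LARGELY}

if __name__ == "__main__":
    first = assess(YEAR1)
    print("Achieved MIL:", first)
    print("POA&M items to reach target:")
    for p in gaps(YEAR1, TARGETS):
        print(f"  {p.domain}: {p.pid} (MIL {p.mil}) {p.text}")
    second = assess(YEAR2)
    print("Re-assessment:", second, "delta:", progress(first, second))
```

The cumulative rule is the part worth noticing: in the sample data Access Control reaches MIL 2 even though its MIL 3 practice is untouched, while Incident Response sits at MIL 0 because its single MIL 1 practice is only partially implemented, so the first POA&M item for that domain is the cheap one (event reporting), not the response plan. Running `assess` on the second year's scores and diffing with `progress` is the year-over-year tracking the interview recommends.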

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?
RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organization’s overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.

Read our next cybersecurity playbook article, Tapping your internal capacity for better results: Cybersecurity playbook for management #3, here.

Article
Selecting and implementing a maturity model: Cybersecurity playbook for management #2

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG: One of the first, and most popular is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between process-based and capability-based models?
RG: Process-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

You can read our next chapter, Selecting and implementing a maturity model: Cybersecurity playbook for management #2, here.

Article
Maturity modeling: Cybersecurity playbook for management #1

Recently, federal banking regulators released an interagency financial institution letter on CECL, in the form of a Q&A. Read it here. While there weren’t a lot of new insights into expectations examiners may have upon adoption, here is what we gleaned, and what you need to know, from the letter.

ALLL Documentation: More is better

Your management will be required to develop reasonable and supportable forecasts to determine an appropriate estimate for their allowance for loan and lease losses (ALLL). Institutions have always worked under the rule that accounting estimates need to be supported by evidence. Everyone knows both examiners and auditors LOVE documentation, but how much is necessary to prove whether the new CECL estimate is reasonable and supportable? The best answer I can give you is “more”.

And regardless of the exact model institutions develop, there will be significantly more decision points required with CECL than with the incurred loss model. At each point, both your management and your auditors will need to ask, “Why this path vs. another?” Defining those decision points and developing a process for documenting the path taken while also exploring alternatives is essential to build a model that estimates losses under both the letter and the spirit of the new rules. This is especially true when developing forecasts. We know you are not fortune tellers. Neither are we.

The challenge will be to document the sources used for forecasts, making the connections between that information and its effect on your loss data as clear as possible, so the model bases the loss estimate on your institution’s historical experience under conditions similar to those you’re forecasting, to the extent possible.

Software may make this easier… or harder.

The leading allowance software applications allow for virtually instantaneous switching between different models, permitting users to test various assumptions in a painless environment. These applications feature collection points that enable users to document the basis for their decisions, and that documentation becomes part of the final ALLL package. Take care to ensure that the support collected matches the decisions made and the assumptions used.

Whether you use software or not, there is a common set of essential controls to help ensure your ALLL calculation is supported. They are:

  • Documented review and recalculation of the ALLL estimate by a qualified individual(s) independent of the preparation of the calculation
  • Control over reports and spreadsheets that include data that feed into the overall calculation
  • Documentation supporting qualitative factors, including reasonableness of the resulting reserve amounts
  • Controls over loan ratings if they are a factor in your model
  • Controls over the timeliness of charge-offs

In the process of implementing the new CECL guidance it can be easy to focus all of your effort on the details of creating models, collecting data and getting to a reasonable number. Based on the regulators’ new Q&A document, you’ll also want to spend some time making sure the ALLL number is supportable.

Next time, we’ll look at a lesser known section of the CECL guidance that could have a significantly negative impact on the size of the ALLL and capital as a result: off-balance-sheet credit exposures.

Article
CECL: Reasonable and supportable? Be ready to be ALLL in

Financial fraud by the numbers

In a June 2016 Gallup poll, 72 percent of respondents said they had “very little” or only “some” confidence in banks.[1] This lack of confidence lives alongside recent headlines—including major fraud schemes revealed at Deutsche Bank this summer—and the fact that the financial services industry is the most affected sector in the world when it comes to occupational fraud.

Financial institutions account for 16.8% of all occupational fraud worldwide, with a median loss of $192,000 per case.[2] Longer running, complex schemes can cost organizations much more—overall, 23% of fraud cases in 2015 caused losses of $1 million or more.[3]

What does a fraudster look like, and how do they commit their crimes? How do you prevent fraud from happening at your organization? And how can you strengthen an already robust anti-fraud program?

Profile of a fraudster

One of the most difficult tasks any organization faces is identifying and preventing potential cases of fraud. This is especially challenging because the majority of employees who commit fraud are first-time offenders with no record of criminal activity, or even termination at a previous employer.

The 2016 report from the Association of Certified Fraud Examiners (ACFE) reveals a few commonalities between fraudsters:[4]

  • 3% of fraudsters had no criminal background
  • Men committed 69% of frauds and women committed 31%
  • More than half of fraudsters were between the ages of 31 and 45
  • 3% of fraudsters were an employee, 31% worked as a manager and 20% operated at the executive/owner level

Employees who committed fraud displayed certain behaviors during their schemes. The ACFE reported these top red flags:[5]

  • Living beyond means – 45.8%
  • Financial difficulties – 30.0%
  • Unusually close association with vendor/customer – 20.1%
  • Control issues, unwillingness to share duties – 15.3%

These figures give us a general sense of who commits fraud and why. But in all cases, the most pressing question remains: how do you prevent the fraud from happening?

Preventing fraud: A two-pronged approach

As a proactive plan for preventing fraud, we recommend focusing time and energy on two distinct facets of your operations: leadership tone and internal controls.

Leadership tone

The Board of Directors and senior management are in a powerful position to prevent fraud. By fostering a culture of zero-tolerance for fraud at the top of an organization, you can diminish opportunity for employees to consider, and attempt, fraud.

It is crucial to start at the top. Not only does this send a message to the rest of the company, but in the United States, frauds committed at the executive level had a median loss of $500,000 per case, compared to a median loss of $54,000 when a lower level employee perpetrated the fraud.[6]

A specific action plan for the Board of Directors is outlined in our free white paper on financial institution fraud.

Internal controls

Every financial institution uses internal controls in its daily operations. Yet over half of all frauds could be prevented if internal controls were implemented or more strongly enforced.[7]

The importance of internal controls cannot be overstated. Every organization should closely examine its internal controls and determine where they can be strengthened – even financial institutions with strong anti-fraud measures in place. 

The experts at BerryDunn have created a checklist of the top 10 internal controls for financial institutions, available in our white paper on preventing fraud. This is a list that we encourage every financial leader to read. By strengthening your foundation, your company will be in a powerful place to prevent fraud.

Read more to prevent fraud

Employees are your greatest strength and number one resource. Taking a proactive, positive approach to fraud-prevention maintains the value employees bring to a financial institution, while focusing on realistic measures to discourage fraud.

In our free whitepaper on preventing financial institution fraud, we take a deeper look at how to successfully implement a strong anti-fraud plan.

Commit to strengthening fraud prevention and you will instill confidence in your Board, employees, customers and the general public. It’s a good investment for any financial institution.

[1] Gallup, Confidence in Institutions, http://www.gallup.com/poll/1597/confidence-institutions.aspx
[2-7] Association of Certified Fraud Examiners, Report to the Nations on Occupational Fraud and Abuse: 2016 Global Fraud Study, pp. 34-35.

Article
Preventing fraud at financial institutions: An anti-fraud plan is the best investment you can make