"It would be a mistake to conclude that the only way to succeed in banking is through ever greater size and diversity. Indeed, better risk management may be the only truly necessary element of success in banking."

- Former Federal Reserve Board Chairman, Alan Greenspan

The prevailing wisdom is that risk is a bad thing. Just ask those bankers who suffered through the failures of the last banking crisis and the corporate credit union problems, or who are dealing with the current problems resulting from the energy sector downturn. Prevailing wisdom, however, is wrong.

It's difficult to be a high-performing financial institution, to consistently exceed the performance of your peers and meet the expectations of your shareholders, without taking risk. Risk is the essential element of the business of banking. It is the inadequate management of risk, not risk itself, that is the problem.

Unfortunately, financial institution managers have not been as successful at managing risk as they'd hoped. That's where we come in. AppPax Risk Advisors represents an innovative approach to understanding and managing risks faced by today's financial institutions.

From strategic business threats like fintech start-ups, lending growth, and retaining deposits to tactical threats such as cyber risk, robbery and fraud, AppPax's consultants and systems provide the tools executives need to manage, and to take advantage of, risk.

Enterprise Risk Management

Identifying and Managing Risk Throughout the Financial Institution

Risk is the essence of "banking." Financial institutions, banks, thrifts and credit unions, take risk every time they open the door, make a loan, accept a deposit, process a payment, hire or fire an employee. Risk is that integral part of the banking business that drives earnings. This does not mean a financial institution should take on extraordinary risk, however, or only make higher risk, higher yielding loans. High performing financial institutions are successful at both taking and managing risk.

Governance, Risk and Compliance Best Practices Review

Most financial institution CEOs will say, "we do manage risk." While this may be true, their risk management activities are often confined to organizational "silos." Their approaches to risk assessment, monitoring and control are often narrowly focused and tactically driven. Consequently, risk management, compliance and corporate governance efforts and costs may be duplicated throughout the institution. Worse still, this approach may leave significant gaps in the risk management process.

AppPax's consultants help financial institutions improve the effectiveness, and cost effectiveness, of their governance, risk and compliance programs by:

  • Evaluating the GRC organizational structure, staffing and capabilities of Internal Audit, Compliance, Security, Loan Review and other functions
  • Assessing the role of the Board and its oversight committees in the GRC process
  • Reviewing the nature and quality of risk management information systems and reports

Enterprise Risk Assessment and Plan

Risk management is all about effective business management. The overriding goals of risk management are to identify risk issues that might impair the financial institution's ability to achieve its strategic business objectives, and implement strategies, organizations, processes and controls to mitigate the negative impact they might have on the institution.

In many cases, however, the relationship between where a financial institution is trying to go strategically and how much risk it can afford to, or must, take to get there is not entirely clear. Far worse, many financial institutions fail to identify and track the events that might prevent achievement of their strategic business objectives.

AppPax's Enterprise Risk Assessment and Plan enables management to effectively evaluate the institution's current risk environment and the effectiveness of its risk mitigation. The engagement will:

  • Evaluate the level of the institution's inherent risk in each regulatory-defined category
  • Assess trends in and exposures to risk in each category
  • Evaluate existing methods for identifying, measuring, monitoring, and controlling risk
  • Create actionable plans to address identified risks or gaps in the risk management process
  • Align risk management reporting systems with risk management guidelines in the institution's policies and strategic objectives
  • Establish a risk management team with defined roles to govern the way the institution develops and manages enterprise-wide risk over time

Risk Intelligence, Monitoring and Reporting Systems

Perhaps the greatest enterprise risk management challenge is creating a consolidated and intelligent view of risk, compliance and internal controls. At many banks, this effort continues to be fragmented, expensive and inefficient, resulting from disconnected silos of analytical information, created using a variety of different solutions.

With so many disconnected systems, the institution cannot achieve an effective, enterprise-wide view of risk. It is left in a state of risk ignorance in which interdependent risks are not anticipated, mitigated or managed, and the threat to the business is exacerbated by its aggregate risk exposure.

In contrast, risk-intelligent financial institutions have implemented integrated risk reporting solutions, developed in-house or acquired from vendors. AppPax helps financial institutions design, develop, acquire and/or implement these systems. We assist management in identifying key leading and lagging indicators of risk, focused on the strategic direction of the institution and linked to the institution's inherent risk profile to develop effective, enterprise-wide risk management dashboards.

Where Strategy Meets Execution

To learn more about how AppPax's experienced risk management consultants can guide your institution's team through the process of building an effective enterprise-wide risk management program, contact us today.
Compliance Management Assessment and Plan

The objectives of the Compliance Assessment are to ensure that the Bank's consumer compliance policies and procedures, and the supporting management, operational and information reporting systems, are in place and meet regulatory compliance requirements. We will review the adequacy of the consumer compliance management function, including:

  • Organization and staffing
  • Methods used to monitor changing consumer compliance requirements and needs
  • Consumer compliance policies, including CRA, lending, electronic banking and others
  • Consumer compliance training programs

We will conduct appropriate tests of compliance with the applicable regulations in those areas specified by the Bank. Where compliance practices and/or procedures require improvement, AppPax will draft appropriate compliance procedures and develop recommendations for changes to supporting operating systems and management information reporting systems. The scope of the compliance audit tests will include all applicable regulations as well as the Compliance function itself.

We will review policies, observe operations in those areas governed by the regulations, and interview appropriate management and staff. We will also review existing compliance procedure documentation, related management information reports and other information, such as forms, templates, disclosures and worksheets, as appropriate. In each area, AppPax will determine whether existing procedures comprehensively address the applicable compliance regulations. Where procedures require improvement, AppPax will provide appropriate recommendations for changes to policies, procedures, supporting operating systems, management information reporting systems, training and testing programs, and compliance organization and staffing.

Information Security

Information Security Assessment and Plan

AppPax's consultants will:

  • Identify and document threats to the security, integrity, accessibility, and confidentiality of the Bank's information systems, both electronic and non-electronic
  • Establish appropriate security policies and procedures to mitigate the risks of such threats
  • Include appropriate security monitoring and incident response processes
  • Evaluate the risks of using third-party vendors for information processing

AppPax's report of the assessment will:

  • Document the current condition of the institution's compliance with the Gramm-Leach-Bliley Act and related regulations
  • Identify threats to the security of electronic and non-electronic information systems and the steps the organization has taken to mitigate the occurrence of these threats and its exposure to them
  • Include a risk matrix that documents information security systems, risks, threats, exposures and administrative, technical and physical security controls
  • Include recommended actions the institution can take to address information system security weaknesses

In addition, AppPax will provide security policy templates and other information, as appropriate, to ensure the Bank's information security policies meet regulatory requirements.

Network Vulnerability Assessments, Penetration Testing and Social Engineering

To ensure a financial institution's security systems function effectively, AppPax performs independent vulnerability assessments and internal/external penetration tests.

Vulnerability assessments include on-site and off-site assessments of security procedures, devices, methods, organization and staffing. While vulnerability testing provides the starting point for assessing information security controls, external security penetration testing provides financial institutions with assurance that security controls function as intended.

During these tests, AppPax's security professionals simulate attacks and attempt to log in to and gain access to a financial institution's servers and network. Methods include automated security test scripts and hands-on, live attempts to penetrate an institution's security controls.

The effectiveness of any penetration test is based on the skill of the security team performing it. Our security consultants are CISSP, NSA, and OPSA certified, and their understanding of how financial networks and applications transmit customer information allows the team to quickly and properly identify risks to the institution.

IT Audit

AppPax's IT Audit is a comprehensive assessment of risk and validation of key controls throughout the Bank's Information Technology function. Our approach complies with the FFIEC's Interagency Guidance on the Internal Audit Function and its Outsourcing and the IT Examination Handbook. AppPax has developed a customized IT risk assessment and audit approach, based on COBIT 5.1.

The Scope of the IT Audit includes:

  • Technology planning and implementation processes
  • Board and senior management controls
  • Regulatory exams and management responses
  • Information technology practices and procedures
  • General and specific IT control environments
  • Application controls
  • Technology acquisition and implementation processes
  • Business continuity planning
  • Vendor management practices

In addition to reviewing policies, procedures, and practices related to each of these areas, AppPax will perform appropriate tests of key procedures and internal control attributes to ensure their operational effectiveness. The report of AppPax's IT Audit will include maturity ratings of the major IT governance elements, as defined in COBIT, and an overall rating and audit opinion of the IT function.

Bank Secrecy Act and Anti-Money Laundering Compliance

Managing the Risks and Costs of BSA/AML

Failure to comply with BSA/AML regulations can potentially devastate a financial institution. In response, many financial institutions have significantly increased staff in this area and invested heavily in technology systems to support the compliance effort. As a result, the day-to-day costs of compliance have become almost as devastating.

With regulatory emphasis on BSA/AML expected to increase as the credit crisis wanes, now is the time for financial institutions to ensure their compliance efforts meet regulatory requirements.

AppPax will work with your institution to ensure that you have:

  • Developed appropriate product, service, location, customer and other risk assessments required by regulation
  • Documented board-approved BSA/AML policies appropriate to the Bank's risk environment
  • Implemented a system of internal controls, commensurate with the institution's risk profile
  • Designated individuals responsible for coordinating and monitoring day-to-day compliance and staffed accordingly
  • Provided training for appropriate personnel
  • Provided appropriate independent audit by in-house personnel or an independent outside party

Most importantly, AppPax will help ensure that the BSA/AML compliance function is both effective and cost-effective.

Other BSA/AML Risk Services

AppPax can also assist your financial institution in the following areas to improve the effectiveness and efficiency of your BSA/AML compliance effort:

  • Best Practice Reviews of BSA/AML Compliance staffing, organization, workflows and systems
  • Compliance gap analyses
  • Compliance Testing and Audits
  • BSA/AML System Validations
  • Transaction Lookbacks and Forensic Auditing
  • Training for Directors, Management and staff

The regulatory message is clear. All financial institutions are expected to have a clearly defined, documented and effectively implemented Bank Secrecy Act and Anti-Money Laundering program. AppPax's skilled consultants can help you ensure your bank's program meets or exceeds regulatory requirements.

Business Continuity Planning

Emergency Preparedness, Crisis Response and Response Management

AppPax's performance-driven methodology for Business Continuity Planning balances each organization's unique risk profile with its operational objectives. AppPax's approach includes:

  • Threat Assessment - Identifies most likely threat scenarios to guide preparation of a custom response program
  • Business Impact Analysis - A real-world impact analysis, keyed to most likely threats and business needs
  • Business Unit Documentation - Documentation of existing systems, including networks, core processing, Internet and mobile banking and electronic payment systems, and key personnel
  • Life Safety Plans - Evacuation plans for each department, facility, and floor. Assigns emergency roles and compiles emergency contact lists for employees, officers, directors, and service providers
  • Crisis Response and Management - Organizing to respond to business emergencies, planning to manage notifications to regulators, customers and the media
  • Business Recovery - Identifies and prioritizes all business functions. Sets recovery objectives at the more detailed "function" level. Identifies "business as usual" resources and links business resources to the function and criticality of the resource relationship
  • Resource Documentation - Profiles an unlimited number of internal and external resources, including specific recovery strategies for each resource
  • Contingency Planning - Creates contingency strategies for a variety of resource outages for each critical function
  • Recovery Team Formation and Plan Documentation - Creates physical and electronic master reference documents, a crisis management team guide, and guides for each business unit team

Testing the Business Continuity Plan

According to regulators, testing is the most critical - and most overlooked - aspect of Business Continuity Planning. AppPax's methodology includes:

  • Managed training exercises for recovery and business unit teams
  • Test plans for key technology
  • Test plans for key information and transaction system interfaces
  • Life Safety program tests

Troubled Bank Assistance

Distressed Bank Assistance

Responding to a regulatory enforcement action is the most significant challenge a financial institution can face. It can also be an opportunity to implement important changes that have often been a long time coming. If properly managed, objectively resolving enforcement proceedings can result in a stronger, more credible, and more viable institution, with enhanced potential for sustained long-term growth and earnings in a managed risk environment.

Addressing the requirements of the enforcement action and correcting the problems cited in the Report of Examination must be the critical priority for the board and management. The key lies in managing the process, with the objective of getting back to the business of banking as soon as possible.

To help financial institutions address regulatory enforcement actions, as well as earnings performance, lending and problem asset issues, AppPax offers the following services:

  • Board of Director Assessment
  • Management Assessment
  • Organizational and Staffing Studies
  • Earnings Evaluation and Improvement Planning
  • Strategic Business Planning
  • Capital Planning
  • Liquidity Management and Funding Planning
  • Credit Administration and Risk Management Reviews
  • Loan Diversification Plans
  • Problem Loan Workout and Credit Risk Mitigation Plans
  • Risk Management Assessment and Risk Organization Design
  • Internal Control Improvement
  • Internal Audit Review and Improvement
  • Compliance Management Review and Improvement
  • BSA/AML "Lookbacks"
  • Fraud investigation and Forensic Auditing

Loan Review and Credit Administration Assessment

Managing the Quality of the Loan Portfolio

The quality of a financial institution's loans impacts all components of its financial performance. Loan quality problems can diminish the liquidity inherent in the loan portfolio and have a negative impact on the adequacy of the institution's capital. Poor loan quality also reflects upon management's competence. Continued loan problems may also impair an organization's ability to generate quality new loans.

To aid financial institutions in managing credit risk, AppPax Risk Advisors will:

  • Provide comprehensive credit quality and loan documentation review, either on-site or off-site
  • Evaluate credit administration and credit risk management policies, practices, systems, controls and reporting
  • Assist in developing loan workout and other troubled asset risk mitigation and liquidation plans

Loan Portfolio Quality Reviews

AppPax's proven loan review methodology provides management with a comprehensive, objective credit quality review. Information developed during the review enables management to better gauge risk and potential loss in the portfolio, address weaknesses in individual credits, improve credit risk management, and correct documentation errors.

Loan reviews are performed by experienced lending and credit risk management professionals, employing sampling and analytical methods compliant with regulatory requirements.

Loan review engagements combine on-site and off-site effort. This combination helps our clients manage costs while ensuring that the quality of the review is maximized.

A typical engagement involves an initial on-site visit to:

  • Evaluate aspects of the financial institution's lending program
  • Review availability and quality of credit documentation
  • Obtain agreement on sample size, selection methodology and workflow process
  • Complete the initial review work

Following the on-site visit, AppPax's loan review professionals will complete quarterly reviews of segments of the financial institution's loan portfolio off-site, reviewing scanned images of loan and credit file documentation.

For each loan relationship selected for review, AppPax will independently assess the quality and collectability of the loan and assign a risk rating, utilizing the Bank's existing risk rating criteria. Any changes in risk grades will be thoroughly reviewed with appropriate lending and credit administration staff.

AppPax will provide a report of our work including:

  • Risk ratings for each loan and loan relationship reviewed
  • Recommendations for downgrades or upgrades of loan grades previously assigned by the Bank
  • Conclusions regarding the overall quality of the loan portfolio
  • Details of loan documentation or policy and regulatory exceptions on a loan-by-loan basis

AppPax's loan review provides management and Directors with critical insights into the quality of the financial institution's credit portfolio.

Credit Risk Management Best Practices Review

The effective management of credit risk has never been more critical to the viability of today's financial institutions. AppPax will complete a comprehensive review of existing lending, loan operations and credit risk management policies, procedures and controls, systems, organization and staffing, and reporting processes. In connection with this diagnostic, AppPax will gain a thorough understanding of the organization's lending strategies and procedures, as well as its credit risk management processes. During this phase, AppPax's consultants will review the Bank's:

  • Lending policies, procedures and processes
  • Credit risk management organization, systems, monitoring, and reporting processes

A key objective of this phase will be to understand current loan origination, analysis, approval and operational processes. AppPax will evaluate the processes for originating various types of loans, including commercial, commercial real estate, construction, SBA and consumer loans, identifying and assessing the efficacy of key credit risk management procedures and controls and reporting systems. AppPax will review the Bank's lending and loan accounting policies in view of the inherent level of risk, risk trends, and strategic lending objectives (i.e., growth, quality, markets, products, delivery channels).

AppPax will develop a thorough understanding of the credit management processes within the Bank, including:

  • Existence and responsibilities of credit committees
  • Functions of Credit Administration, Collections, Loan Review and other related areas
  • Reporting for new loans
  • Ongoing portfolio quality and risk monitoring and reporting processes

Coincident with this phase, AppPax will identify loan quality and risk management information systems in use and the sources of information in such systems. AppPax will also develop an understanding of related aspects of loan collection and workout and credit review (i.e., information systems used, information sources available and information requirements). This review will enable AppPax's consultants to understand the lending processes and controls and related credit risk management processes.

The Bank must also implement appropriate processes for determining the adequacy of the Allowance for Loan and Lease Losses, in compliance with new CECL requirements. In this phase of the engagement, AppPax will evaluate:

  • Allowance for Loan and Lease Loss policies
  • Methods for calculating the ALLL, including identifying sources of appropriate information to support the evaluation and methodologies for preparing, checking and reporting the results of the ALLL evaluation
  • Sources and methods used to support the quantitative evaluation of the ALLL, particularly the aggregated pools
  • Appropriateness of qualitative data, including local and national economic data and bank and industry loss performance and loan default migration data, used to support ALLL calculations
  • Methods used to identify those events which "trigger" or are defined as an impairment of a loan and assess the current framework for monitoring these impairment "triggers" and taking appropriate action to determine related loan and collateral values
  • Reports to management and the Board to ensure they include appropriate qualitative, as well as quantitative, loan loss information

©2017-2018 AppPax. All Rights Reserved.