Lines of defence

US Bancorp tasked internal auditors with evaluating the design and strength of the company’s enterprise risk management approach.
Mark Sparano, CPA, CGMA

Assessing an enterprise risk management (ERM) programme can prove challenging, Mark Sparano, CPA, CGMA, chief audit executive at US Bancorp, has learned. But he also has developed ways to deal with the challenges.

US Bancorp, the Minnesota-based parent company of the fifth-largest commercial bank in the United States, formalised and updated an ERM framework in 2012 and has implemented and refined it ever since. This ERM framework serves as a guideline to perform ERM internal audits, and US Bancorp’s approach shows how companies can keep risk management relevant as risks emerge over the years.

ERM audits assess how well a business’s enterprise risk management works and include what the board of directors and senior management are doing. “Auditing has evolved well beyond control testing alone,” Sparano said. “Today, the third line of defence must be equipped and prepared to critically evaluate and report on the company’s ERM approach, which includes the role of the board and executive management.”

US Bancorp, which employs about 67,000 people — including at least 250 internal auditors — and has business lines in the Americas and Europe, developed its customised ERM audit framework by consulting established risk-management principles and key regulatory guidance.

Large financial institutions have dealt with increased regulations since the 2008 financial crisis sparked a global economic tailspin with lasting effects. Increased scrutiny — brought about by the US Dodd-Frank Wall Street Reform and Consumer Protection Act and the US Foreign Account Tax Compliance Act, as well as reforms developed by the European Commission and the Basel Committee on Banking Supervision in the past seven years — has caused many banks to bolster enterprise risk management.

The US Office of the Comptroller of the Currency and the Federal Reserve Board as well as the Basel committee were among the regulatory contributors to US Bancorp’s ERM audit framework. Key risk-management principles came from the Institute of Internal Auditors, the Committee of Sponsoring Organizations of the Treadway Commission, and public accounting firms.
Communicating frequently and across functions has been critical in developing, implementing, and refining the ERM audit framework at US Bancorp, but the internal audit team also had to learn other lessons to ensure collaboration across functions would be successful, according to Sparano. Among them:

1. Explain internal audit’s role

Talk to external and internal stakeholders, including senior management, board members, regulators, and independent public accountants, and tell them what you’re trying to do before you start auditing your company’s ERM efforts. Explaining internal audit’s role in enterprise risk management can clear up misconceptions and misunderstandings among key stakeholders and establish why an ERM audit is good for the business.

At US Bancorp, internal audit visualised the team’s role with a picture of a soccer pitch that shows players in red uniforms attacking from one half. In the picture, each player has a ball representing a risk, such as reputational risk, credit risk, and interest rates. The offence faces three lines of white-shirted defensive players on the other half of the pitch. The bank’s business managers are tackling the risks in the first line of defence. The chief executive, the board’s risk committee, and the chief risk officer and his team are setting policy, doing oversight, and monitoring key risk and key profit indicators in the second line of defence. In the third line of defence, internal audit is the goalkeeper, catching risks not appropriately defended by the first and second lines — whether as designed or as operating.

The result of an ERM audit is an opinion that lets the board of directors know whether the company’s risk-management approach is well-designed and functioning as intended, with recommendations as necessary to address areas needing improvement. The opinion matters because it affects what senior management and the board do. “So you’ve really got to do a lot of communicating upfront,” Sparano said.

2. Consider your company’s governing structures in designing audit processes

A company’s governing structure influences internal audit’s approach because an ERM audit should look beyond standard risk-management practices. What the board does and what senior management does to manage and monitor risk and key performance indicators should be within the scope of an ERM audit.

At US Bancorp, as at other companies, internal audit must stay away from setting policy to remain independent in its annual assessment to the board. The annual ERM audit opinion delivered to the board and its committees includes internal audit’s findings of what senior management and the board do right and what they need to do better in enterprise risk management. At US Bancorp, several board committees are interested in the findings, including the risk-management committee and the audit committee.

3. Define the actions and objectives of an ERM audit and make sure all stakeholders fully understand and support the definitions

US Bancorp has more than $400 billion in assets, but the enterprise risk is in the bank’s daily transactions reflected in treasury, capital, liquidity, and wire transfers.

It’s a view key stakeholders don’t necessarily share, Sparano said, because risk management means different things for different stakeholders. US Bancorp’s independent public accountants, for example, focus on reserves, losses, and disclosures reflected in the consolidated financial statement. Regulators, for their part, care less about consolidated financial statements. To them, processes, corporate governance, and documentation are more important measures to gauge risk.

“The stakeholders don’t closely align,” Sparano said. “So when you go out and audit enterprise risk management, you’ve got to do a lot of definitions and make sure it rings true with all your stakeholders.”

4. Establish yourself as the third line of defence in the business

Sparano established a five-member ERM internal audit team. The ERM auditors, who are within the broader internal audit team, co-ordinate the work with the second line of defence. As the head of internal audit, Sparano delivers the results of the ERM audits to the board of directors, where he presents to several committees and works closely with the chief risk officer.

“I try to make sure the first line of defence is doing their job and the second line of defence is doing their job,” Sparano said. “… The goal is to ensure each line of defence is functioning in a well-co-ordinated manner to maximise the efficiency and effectiveness of the overall risk-management programme.”

5. Acknowledge that developing, implementing, and refining an ERM audit framework and processes will take time

A risk-management audit assesses several elements, such as risk culture, risk appetite, risk governance and oversight, and risk reporting and escalation — all of which take time, technology, talent, and training to establish and bolster. As ERM matures across all business lines, so does the assessment. New regulations and business expansions may require changes, for example, to third-party risk-management procedures, which involve refining the audit design, Sparano said.

As ERM matures, documentation increases, processes are established and repeated, metrics are increasingly defined to allow for quality assurance, and management deepens its understanding of ERM. In the most advanced stage, ERM decision-making and continuous improvement projects are based on data, metrics, formal quality assurance, and self-assessment feedback.

A few years into refining ERM and the assessment of ERM at US Bancorp, Sparano said he has found it more productive to talk about the sustainability of ERM auditing rather than its maturity.

Sustainability implies an open-ended process that is understood to require improvements as needed to benefit the business. Maturity quickly triggers philosophical questions from board members, Sparano said, who wonder when maturity will be reached and whether trying to reach it is cost-beneficial.

6. Meet frequently with the person in charge of ERM and encourage ERM auditors to talk to their colleagues who are managing enterprise risk

Sparano considers US Bancorp’s chief risk officer his partner. The two see each other almost daily, meet one-on-one at least once a month, and frequently talk on weekends. “We’ve got to be joined at the hip,” Sparano said.

As a result of their close work relationship, the heads of US Bancorp’s internal audit and risk-management teams use the same terminology and concepts when they talk to the board of directors about risk management.

Sparano encourages his team members to talk daily to their colleagues in risk management. He said the daily interactions make it easier to integrate risk management and risk-management assessment, especially when ERM updates and changes are introduced and internal audit must recalibrate its processes.

7. Benchmark your audit results against your peers

To make sure US Bancorp is in line with the industry, Sparano benchmarks his ERM audit methodology against what other banks do.

“It’s a pretty hard audit approach,” Sparano said, adding that he networks with other bank chief audit executives, participates in various industry round tables, and uses benchmarking data provided by internal audit and financial services associations.