Read this if you are a financial institution.
Whether you think of New Year’s resolutions or goal setting, it’s that time of year where we traditionally take time for reflection (current state, desired state) in order to take action on the change we want to see. Understandably, as many institutions have been so focused on developing and understanding their CECL model and results, evolving the internal control environment may have, well, lagged a little. Which is why, in the spirit of starting the new year on the right foot, now is the perfect time to think about internal CECL controls.
CECL internal controls: Where to start?
Let’s acknowledge this right away: there is no “best” place to start. Some folks like to review what controls they already have in place and then think about how best to evolve or tweak them. Others may prefer to take a clean slate approach—map out the CECL workflows, identify risks, and then determine what controls are needed. One way to bridge these approaches is after you’ve mapped out the process, risks, and controls, then compare that to what you already have and make the necessary adjustments. We’ve seen all of these approaches work, but there are some pros and cons and pitfalls to consider for each.
Existing controls
If you choose to begin by reviewing and tweaking the controls you already have, one pitfall is that you may not challenge your thinking enough to recognize where new risks have been introduced with your CECL methodology. For example, how does the CECL calculation—and all the new data you are now relying on—impact controls? Is your area responsible for making choices about all those numbers, values, and codes, or are those calculations, choices, and decisions taking place in other areas where controls may need to be developed, or reviewed and enhanced for CECL?
Another good example: if you’ve invested in software, have you recognized the need for new controls over data flow in and out of that system, including the manual calculations you’re doing outside of the system and then keying those results into the system as model inputs? We have found that some people go into this approach thinking it will save them time—like a short-cut—only to realize later they’ve missed the opportunity to identify one or more key risks/controls.
Clean slate mapping
Speaking from experience, this approach can take some time but may be a great way to ensure your thinking is not limited by “what you’ve always” done or had in place. That said, we can appreciate that while staring at a blank page is energizing to some, it can feel overwhelming to others. Moreover, that overwhelmed feeling may be the underlying reason why it is tough to engage in this approach.
Here’s the big tip: put some sort of starting point on paper (maybe even the middle of the paper) understanding that as you think about it, you could be adding to the workflow before, above, under, or past that starting point. It’s okay that you don’t know all the related workflows because you’re identifying that there are related workflows whose risks/controls may be in other areas that need to be further explored. Maybe take this activity, initially, to a conference room with a big dry-erase board (there are online versions of this, too)!
Now, just like those new year’s resolutions for increased exercise that sometimes are easier to stick to when you have an accountability partner—is there someone in your organization that is particularly adept at creating workflows whose strengths and talents you can tap into to help you create this one?
Tips for helping ensure CECL internal control success
No matter which approach you end up taking, here are some of our top tips for helping ensure CECL internal control success:
Communicate: Outreach and awareness are foundational to engaging others in this process. It is so understandably easy for people not directly involved in the day-to-day CECL calculation to even realize they have a key role to play when it comes to CECL controls.
Cooperate: Invite others into the process, especially when it comes to helping you evaluate how changes under CECL relate to work they do day-to-day. Work together to simply understand or clarify how the pieces fit together.
Collaborate: There are lots of ways to design, test, and monitor internal controls. Lean into the strengths and talents of others to help create efficient and effective controls that can save you and others a lot of time and headache. I recommend this no matter how mature the control practice is—there may be ways to make it better and easier.
Coach, train, and support: I advise against the “control dump and run”—letting someone know they have one or two new controls, and then leaving them to it. Certainly, there is value in having to solve something from the ground up. However, helping others connect the dots between why controls are important, ways to evaluate and structure them, and who in the organization can collaborate with them to make them as easy and effective as possible, goes a long way toward getting the most value out of your control environment.
Seek advice: CECL is new for almost everyone, and controls are not a one-size fits all. Engaging someone experienced in both CECL and controls can help challenge your thinking, open your eyes to pitfalls, prevent over-engineering, provide perspective, and help you transition as you grow.
No matter your CECL challenge or pain point, our team of experts is here to help you navigate the requirements as efficiently and effectively as possible. For more information, visit the CECL page on our website. If you would like specific answers to questions, please visit our Ask the Advisor page to submit your questions.
For more on CECL, stay tuned for our next article in the series, or enjoy our CECL Radio podcasts. You can also follow Susan Weber on LinkedIn.