The Payments Institute July 21-24, 2019 • Emory University, Atlanta GA Understanding the Payments Risk Environment Jen Wasmund, AAP, CTP, NCP Enterprise Payments Risk Manager, Capital One


The Payments Institute

July 21-24, 2019 • Emory University, Atlanta GA

Understanding the Payments Risk Environment

Jen Wasmund, AAP, CTP, NCP

Enterprise Payments Risk Manager, Capital One


Agenda

• Key terms and definitions

• The risk management lifecycle

• Payments risk management

– By channel

– Horizontal risk and control programs

• Best practices discussion

• Questions?


KEY TERMS AND DEFINITIONS

Understanding the Payments Risk Environment


Key terms and definitions

• Risk

– Something that could negatively affect an organization’s ability to meet its business objectives

• Internal control (per COSO)

– A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives

– May be manual or automated


Key terms and definitions

• Risk appetite

– Amount of risk an entity is willing to accept in pursuit of value

– Reflects culture and philosophy of risk management and operating style

• Risk tolerance

– Acceptable level of variation, relative to the importance to a specific objective


Key terms and definitions

• Inherent risk

– Risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact


Key terms and definitions

• Example of determining inherent risk

[Figure: inherent risk matrix, Likelihood (L, M, H) against Impact (L, M, H)]


Key terms and definitions

• Residual risk

– Risk remaining after management’s response to the risk (e.g. application of controls based on risk tolerance)

[Diagram: Inherent Risk, Controls, Residual Risk]


Key terms and definitions

• What types of risk does your organization encounter and address in your risk management program?

• How would you define or give an example of each of these?


Key terms and definitions

• Ancillary risks

– Consequences or byproducts of not managing the primary risks listed previously

– What are some examples?


Key terms and definitions

• Key controls

– Necessary or critical to mitigate risk

• Secondary (non-key) controls

– May be relied upon in the event of a failure of a key control

– May be important for process efficiency, but essential for risk mitigation


Key terms and definitions

• Preventive controls

– Intended to stop an adverse outcome before it occurs

• Detective controls

– Intended to detect errors or irregularities that may have already occurred


Key terms and definitions

Source: “Leveraging COSO Across the Three Lines of Defense Model” (2015) https://www.coso.org/Documents/COSO-2015-3LOD.pdf


THE RISK MANAGEMENT LIFECYCLE

Understanding the Payments Risk Environment


Risk management lifecycle

Source: https://www.rmahq.org/enterprise-risk-management-workbooks/


Risk management lifecycle

Risk identification

Risk analysis

Risk response and planning

Risk response execution

Monitoring and validation


Risk management lifecycle

• How can you respond to identified risks?

– Accept

– Mitigate

– Transfer/share

– Avoid

• Cycle is designed to be continuous to accommodate new risks or changes in the environment


PAYMENTS RISK MANAGEMENT

Understanding the Payments Risk Environment


Payments risk management

• Each group will choose one type of risk defined earlier in this session

– The group will take 15 minutes to discuss examples of how its risk is inherent in the following types of payments

• ACH

• Wire

• Check

• Card


Payments risk management

• What are some types of risk and control programs or teams that might have a centralized program across all payment types?


Payments risk management

[Figure: payment channels ACH, Wire, Check, Card, Cash]

Disaster Recovery and Business Continuity

Name some additional programs that may operate this way…


BEST PRACTICES DISCUSSION

Understanding the Payments Risk Environment


Best practices discussion

• How do your organizations manage risk? Are there centralized departments across the “lines of defense”?

• How do you manage risk throughout its lifecycle for payments? What about for new products or changes to software?

• What types of breakdowns worry you and your management team the most, either ones you have incurred or ones you have heard of?

• What are some of the biggest risk concerns across payments?

• What are some of the most important controls that your organization leverages?

• Do you do any type of special risk reporting? If so, what types of metrics do you use to measure your payments risk and how strong your controls are?

• How would you describe the maturity of your payments risk tolerance and appetite at your organizations?


QUESTIONS? THANKS AND DON’T FORGET TO COMPLETE YOUR EVAL!

Understanding the Payments Risk Environment