Internal Audit's role in the risk assessment process at KeyCorp

Abstract

With the recent (at the time of this writing) financial crisis and the continued focus on a strong risk management culture at KeyCorp, the need to ensure that the lines of business (first line of defence), independent risk management (second line of defence) and internal audit (third line of defence) utilise a common risk framework has been paramount. This was driven by the desire for timely and accurate reporting to management and risk committees, as well as the Board of Directors. An opportunity to leverage a common governance, risk and compliance (GRC) approach across the institution arose in 2011 as KeyCorp began to leverage GRC software to implement the various risk related activities across the bank on a common platform. A variety of risk assessment tools existed that spanned business units and risk disciplines. However, KeyCorp recognised the need for risk convergence and a consistent approach to risk assessment. Over the next three years a plan was set in motion to implement a number of modules in the new platform including risk and control self assessment (RCSA), findings and remediation tracking, risk profiles, operational losses and others. From an internal audit perspective, the decision was made to re-evaluate the audit universe and risk assessments with an aim towards a common framework with the first and second lines of defence. This presented an array of opportunities and challenges. Additionally, Internal Audit recognised the need to utilise the company's new GRC software for its audit projects, workpapers, risk assessments and findings documentation to further serve these efforts and the journey towards risk convergence officially began.