Top 5 Risk Management and Governance issues for CECL
The advent of Current Expected Credit Loss (CECL) reporting as an additional accounting requirement for US credit lending institutions is widely recognized as a significant technical, operational and compliance challenge for many institutions. The combination of complex modelling, the use of large and changing volumes of portfolio and market data, and the need for consistent, accurate and auditable results means that institutions are already under pressure to implement CECL, even with an implementation date of December 2019.
A CECL management framework will be closely scrutinized by both auditors and regulators who will want to see evidence of the management controls and data governance, to assure the transparency and accuracy of the results. Institutions will need to consider how best to achieve this, as part of delivering a complex and challenging CECL implementation project.
Applying the lessons of helping institutions implement many complex compliance frameworks, these are the top 5 risk management and governance issues of implementing Current Expected Credit Loss.
1. Extensive use of Uncontrolled Spreadsheets
The historical, current and future credit models, data and assumptions used within CECL will reside on multiple systems and databases across the enterprise. Re-configuring, testing and validating these systems to deliver Current Expected Credit Loss will require more time and resource than institutions can spare. They may well resort to using complex spreadsheets, whose power, flexibility and easy availability will allow CECL project teams to make rapid progress on their project. However, unlike their existing enterprise applications, these spreadsheets will not be controlled, tested or validated. This increases the likelihood of errors, missing data and flaws that generate inaccurate results, as well as raising audit issues.
2. Reliance on External Data Sources
The models used to calculate Current Expected Credit Loss make significant use of credit risk data, including probability of default (PD) and loss given default (LGD) metrics, as well as economic metrics such as GDP and inflation. These will come from a range of external sources, and will be regularly updated to ensure the CECL models remain current. If this data is embedded in a CECL spreadsheet model, these data links have the potential for errors. There may be an absence of a robust data integration capability to manage the extract, transform, load (ETL) process, and to flag errors if there is a failure that causes stale or missing data, for example. This will again give rise to issues of accuracy and transparency.
3. Widespread use of Integrated Spreadsheets, Macros and Formulas
The final CECL results are based on credit loss models covering historical, current and future models, which will likely be spreadsheet-based. These will feature highly complex models, with extensive use of formulas, powerful macros and integrated spreadsheets, with extensive data lineage, for example. Errors, omissions and changes to these can present risks that can materially impact the accuracy and auditability of the final CECL results.
4. Business, Reputational and Regulatory Impact of Errors
Underpinning CECL is the need to more realistically assess the loss provisions institutions must put in place to cover potential non-performing loans. The nature of loan portfolios can mean that small changes in the economy can have a significant impact on the risks of a loan over its lifetime, and so can impact the overall level of loan provisions an institution must have in place. CECL will impact the volatility of profits for many institutions. The use of uncontrolled spreadsheets, with their inherent risks, could generate errors that could drive greater volatility, or even the need to re-state earnings, potentially causing a range of business, reputational and regulatory headaches that institutions would want to avoid.
5. Audit and Regulatory Risk
The models, data, assumptions and the results are all auditable, to be published in the annual report. Auditors will review the results, as well as the assumptions, models and data to ensure they are accurate and reasonable for the business. They will also seek evidence of the data and model governance and controls, to ensure full transparency. Regulators will likely do likewise, even though Current Expected Credit Loss remains an accounting standard. Given the complexity of calculating CECL, demonstrating this governance and control to external stakeholders in a timely and cost-effective fashion will be challenging. The cost of achieving this manually would be prohibitive.
A Spreadsheet Risk Management Solution
Given the likely pervasiveness of spreadsheets in implementing and calculating CECL, institutions will need to develop a capability that allows them to identify errors in data, formulas, links and so forth that are at the core of CECL calculations. The ideal would be to proactively monitor spreadsheets so that issues can be identified swiftly, with minimal impact on the business. Implementing this capability, alongside the overall Current Expected Credit Loss framework will allow CECL project teams to test, review and report on their progress, helping to reduce the cost, risk and timescales of their Current Expected Credit Loss project.