360 Degrees of Enterprise Risk Management

Transcription

1 360 Degrees of Enterprise Risk Management Monday, June 17, :00 PM 3:15 PM Presented by: Jennifer F. Burke Partner Crowe Horwath LLP 144 N. Broadway Lexington, KY (o) (c) slide 1

2 Goals Enterprise Risk Management (ERM) Fundamentals Challenges ERM Maturity Risk Appetite Statement Next Step Considerations Bringing ERM Full Circle Q&A slide 2

3 Why Now? ERM Drivers Today Constant Change in Global Business Environment Customers Investors Performance Transparency Active Shareowners Performance Transparency Security and Trust Economies Capital Cost Containment Globalization Growth Increasing Public Scrutiny Increasing Stakeholder Expectations Media and Public Accountability Transparency Security and Trust Employees Development Security and Trust Regulators New Legislation and Rules Heightened Expectations Scrutiny Transparency Increasing Compliance Requirements Company Viability More Vulnerable slide 3

4 Enterprise Risk Management Board of Directors & Committees Legal & Regulatory Monitoring Communication & Trust Business Practices & Ethics Enterprise Risk Management Disclosure & Transparency Enterprise Risk Management (ERM) is a process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Corporate Governance Framework slide 4

5 Regulatory Concerns Given the complexity of today s banking markets and the sophistication of technology that underpins it, it is no surprise that the OCC deems operational risk to be high and increasing. Indeed, it is currently at the top of the list of safety and soundness issues for the institutions we supervise. This is an extraordinary thing. Some of our most seasoned supervisors, people with 30 or more years of experience in some cases, tell me that this is the first time they have seen operational risk eclipse credit risk as a safety and soundness challenge. Rising operational risk concerns them, it concerns me, and it should concern you. --Comptroller of the Currency Thomas J. Curry May 16, 2012 slide 5

6 Potential Impact of Unmitigated Risks Qwest United Airlines External Risks: Regulatory / Legal Investor Relations Competitor Financial Markets Catastrophic Loss Sovereign / Political Information Risks: Product / Service Pricing Performance Measurement Budget & Planning Accounting Information Financial Reporting Technology Risks: Access Availability Infrastructure Hershey Foods External Strategic Information Integrity Technology Financial Strategic Operations Risks: Customer Human Resource Strategic Risks: Leadership Alignment Planning Communication Business Model Integrity Risks: Operations Authority/Limit Ethics Fraud Product Development Supply Chain Business Interruption Compliance Unauthorized Use Reputation Financial Risks: Price Liquidity Credit Global Crossing AOL Time Warner Enron Adelphia Arthur Andersen Ford (Firestone) slide 6

7 Purpose of ERM ERM provides a roadmap to enable management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value for stakeholders ERM helps the company continue to grow and prosper as more risk enters the company through: New customers New products, modified products or processes Changing markets New and changing systems New lines of business Velocity of change slide 7

8 ERM Challenges ERM is complex and nebulous Vast amount of information Various perspectives, views, and opinions No standard ERM template No industry standard roadmap for ERM implementation Various models/frameworks exist but need to be uniquely customized Terminology, concepts, components and levels of formality vary Variety of technology, applications, and platforms used slide 8

9 Key Definitions Risk Appetite Statement: describes level at which risks should be avoided and where strategies must be implemented to manage risk Risk Appetite: level of risk an organization is willing to take in pursuit of value, or to achieve a desired level of return or growth, or to achieve strategic objectives Risk Tolerance: how much risk the organization is prepared to take at a risk type and or business unit level Key Performance Indicators: identify underperforming aspects of the enterprise as well as those aspects of the business that merit increased resources and energy Key Risk Indicators: provide timely leading-indicator information about emerging risks slide 9

10 360 Degree View of Risks Top Down, Bottom Up, Across Silos Strategy--Enterprise Focus on Risks Strategic Market Risks Operations Risks Finance Risks Human Capital Risks IT Risks Legal Risks Reputation Risks slide 10

11 Holistic ERM Process Strategy Insights Monitoring Risk Universe Risk Assessment External Risk Response Strategic Information Integrity Operations Technology Financial Risk Framework 11

12 Moving Up the ERM Continuum Many organizations have started ERM process and are now moving to a more mature state Reactive Lack of Board or senior management emphasis on risk No common risk lingo Stove-pipe risk management Ad hoc approach Missing coverage of risk areas Aware Some board and senior management support Risk leader identified Periodic risk profiling Key risks defined in common vocabulary Recognized need for ERM Most companies straddle these two stages slide 12 Strategic Proactive board and senior management involvement Risk managed and assessed across entire organization Common language and approach used and understood Real-time analysis of risk portfolio

13 Questions to Determine Maturity What are our key risks? (credit, market, liquidity, operational, compliance and regulatory, legal, reputation, strategic, others) Who owns these risks? Is there a Board level risk management committee? Is there an independent and empowered risk management function? Do we have a clear definition of the firm s risk appetite and ongoing assessment of risk profile relative to stated tolerances? Is there routine monitoring and follow up actions for adherence to limits, policies etc.? Do we address the interconnectedness of risks? Is capital planning closely aligned to the level and trend of risk? Have we internalized culture of risk discipline fully into our everyday decision making? slide 13 CONFIDENTIAL - Internal

14 Capturing Risk Events What keeps you up at night? slide 14

15 Identifying Themes slide 15

16 Describing Risks Category Short Description Risk Description Strategic Business Model Our business model may not meet the needs of our customer and markets, nor achieve the profitability and growth goals that we have established. Market Product Innovation Competitors may introduce new solutions to the market that disrupt our value proposition significantly. We may not be able to identify and provide the products and solutions required by our customers and markets. Financial Margin We are unable to sell our products and solutions at a sufficient profit margin due to competitive pricing pressures and increased costs. Operations Contracting The contract demands from our customers may become more and more complex, impacting our ability meet their demands as well as properly bill and collect. Operations Customer Service We may not be able to fulfill our customers expectations and or provide quality customer service and value. Integrity Legal Potential litigation may disrupt business focus, strategy, employee morale, management attention and be expensive. Market Financing Customers may be unable to obtain financing for our solutions. Market Industry Consolidation Consolidation in our industry may allow our competitors to gain market share, reduce costs and hire talent from our company. The economy and our industry continues to contract impacting our customers, business partners and Market Economics ultimately our ability to grow and profit. Customers may not be able to justify the economic business case for our products and solutions. Operations Decision Making We may not be able to provide accurate, timely and relevant data to the right people for decision making. Financial Budget Our budget may drive behavior that is not in alignment with our business objectives. HR Incentives and Compensation Our performance measures, incentives and compensation may not drive the actions and behavior that we desire. Operations System Capabilities Our systems may not have the capability to support our business or we may have inefficiencies in our business processes, that may be resulting in increased costs and errors. HR Attract, Develop and Retain We are unable to attract, develop, train and retain the talented workforce required to support our Talent business. Financial Foreign Exchange We import and export products and services. These transactions are exposed to fluctuations in currency valuation. slide 16

17 Risk Appetite Statement Is the heart of an effective risk management program and is linked to the organization s overall risk management philosophy and strategic ambition Clearly states the amount and types of risks the organization is comfortable taking Specifies maximum tolerable limits and variability in relative parameters, both qualitative and quantitative, based on stakeholder expectations, constraints, and strategic objectives Is actionable by management so that it has a real effect on the organization s business strategy and risk profile There are no standard or regulated components or formats for a risk appetite statement slide 17

18 Risk Appetite Statement Should Discourage engaging in businesses not within competencies or within strategic/operating plans Restrict management s ability to undertake or pursue opportunities unless they understand and articulate risks Encourage capitalizing on opportunities to achieve strategy within risk tolerance Align risks and opportunities to achievement of strategic plan Strategic plans should be developed with tolerance for risk to operate within the corporate risk appetite Risk appetite sets a clear strategic direction and tolerances are set to manage key risk indicators slide 18

19 The Risk Appetite Statement forces us to ask Risk Appetite Statement How much risk do we want to take? How do we measure our risk? Does our level of risk still make sense? How will we compete? How will we align our risk with corporate priorities? Where are our key risk concentrations today and where will they be in three years? 19

20 Risk Appetite Key Elements Risk Appetite Statement KPIs and KRIs Risk Tolerance levels Mitigation plans Express risk appetite in qualitative and quantitative terms Clearly defined, concise, comprehensive Properly understood Define Key Risk Indicators (KRI) and Key Performance Indicators (KPI) Mix of historical and forward-looking, actionable measures Broadest expression of risk we are willing to assume in executing strategy Define acceptable levels of risk Established for KRIs If tolerances are breached, mitigation plan activates to bring KRIs into acceptable parameters slide 20

21 Risk Appetite & Tolerance Example Financial Institution Statement Risk Appetite Risk Tolerance ABC Bank is exposed to a variety of risks as it strives to achieve the objectives set out in its Strategic Business Plan (SBP). These risks will be identified, managed and assessed within a risk management framework known as our ERM Program. ABC s general risk appetite is a moderate, balanced one which allows us to maintain appropriate growth, profitability and earnings stability while ensuring regulatory compliance, being an employer of choice and serving the communities within out footprint. In addition to the general risk appetite statement, we ve identified our risk appetite within eight broad risk categories outlined in the Bank s ERM Program. Risk appetite and risk tolerances for the various risks are reviewed by the Audit Committee annually. Qualitative elements, quantitative measures and risk tolerances within the risk appetite framework are included. Risks are regularly measured and breaches reported when risk measures are exceeded. slide 21 Risk Tolerances identified and reported to Board: Capital adequacy Total capital to risk weighted assets Tier 1 capital to tangible assets Asset Quality Classified assets as % of capital and ALL ALL to non-performing assets ALL to total loans Higher Risk Loans Total Delinquency (Consumer and Commercial) Earnings Earnings % of assets Net Interest Margin Efficiency Ratio Non Interest Income/Average assets Non Interest Expense/Average assets Return on Equity Liquidity Usage vs. available Basic Surplus Sensitivity Interest rate sensitivity

22 Risk Appetite & Tolerance Example Financial Institutions Statements Criteria Risk Appetite Statement Metric Risk Tolerance Statement Strategy / Growth Maintain and reinvent our competitive advantage in response to industry, economic, technology and competitive influences Maintain and plan for proper capital levels resulting in adverse actions from the regulators Number of new products in current period compared to prior period NPA as percentage of equity capital. Revenue from new products in current period / revenue from new products in prior period will increase by X% Capital and Management CAMELS rating 2 or better Credit Risk Minimize lending losses while growing the bank profitably Liquidity Risk Maintain Net Available Liquidity (NAL) to adequately cover an X month period after price stresses and net of reserve for potential downgrade to sub investment grade NPA % compared to peers Delinquency ratio % charge offs to total loans Usage vs. availability Rate shocks Trend on change in NIM Trend in earnings NPA % will exceed the midpoint of competitors % Delinquency ratio will not exceed x% % charge offs to total loans will not exceed x% Availability no less than X% Rate shocks impact earnings no more than X% at 100 basis points, etc. NIM no lower than x% ROA above X% ROE above x% Regulatory Risk Comply with all laws and regulations, low tolerance for regulatory breaches slide 22 Audit reports and regulatory findings Compliance rating No more than X significant compliance findings in audit report Compliance exam rating 2 or above No MRAs 800-ASK-4FMS

23 Risk Treatment Strategy Step 1 Determine Root Causes for the critical risks Analyze Root Causes to determine commonalities among the risks and emerging themes Step 2 Select the most appropriate response strategy to address the Root Causes and critical risks Step 3 Determine current risk management practices and capabilities (including resources) Step 4 Establish implementation plan to effect change in mitigation strategy Root Cause Analysis Risk Response Selection Current Capabilities Implement Change Risk Treatment Root Cause Analysis Risk Response Strategy Current Practices and Required Capabilities Implementation Contingency Plan Step 5 Develop the contingency plan and required actions that will be executed in the event that the Response Plan does not meet the established objectives slide 23 Contingency Plan

24 Risk Response Strategy Determine Risk Response Strategy(s) Avoid Reduce Share Accept Exploit Not starting or exiting activities that gives rise to unacceptable risk. Divest, Prohibit, Stop, Screen, Eliminate Action taken to reduce inherent risk and/or residual risk for the organization. Disperse, Control, Re-organize, Re-engineer Transfer and/or share the risk burden with a 3 rd party. Insure, Reinsure, Hedge, Outsource, Indemnify Retain the risk and no action taken to affect impact or likelihood. Accept, Re-price, Self Insure, Plan, Offset Leveraging the risk to pursue an opportunity to increase market share and improve competitive advantage. Expand, Create, New Product/Service, New Markets slide 24 24

25 MEASURE PROGRESS-- SCORECARDS Tolerance levels within defined range; no action required Issues presented; monitor closely, mitigation plan may take effect Tolerance levels out of range, action required slide 25

26 Sample Consolidated Bank Risk Dashboard Random data for illustration only Priority Unfavorable Watch Stable Acceptable Favorable

27 Reporting - Examples slide 27

28 Board Governance Key questions Directors should ask: What are the company s top risks, how big are they and how often are they likely to occur? (Probability and magnitude) How often is the list of top risks updated? (Velocity of change) What is management doing about the top risks? Who owns key risks? What size quarterly operating or cash loss has management and the board agreed is tolerable? (Risk appetite) How do you measure the success of the risk management team and their activities? (Qualifications, empowerment, independence) What discussions about risk management have taken place at the board level or among top management when strategic decisions were made in the past? Communication. slide 28 CONFIDENTIAL - Internal

29 ERM Is Successful When There is a clear understanding that Risk is owned by everyone Chief Risk Officer/Risk team does not own risk they facilitate risk management, mitigation, identification, monitoring and reporting Roles of internal audit and risk management teams are understood and the teams work closely together Board and senior management support is evident and strong An elevator speech regarding risk is consistent through organization Information gathered through ERM process is used to measure success in achieving strategic goals Risk management focus is strategic vs. tactical ERM is successful when there is documented consideration of risk in every-day business decisions which supports and enhances the organization culture and is a part of the fabric of how we do business 29

30 Questions Jennifer F. Burke, Partner Crowe Horwath LLP 144 N. Broadway Lexington, KY / (o) 859/ (c) 30