PRESENTATION TO CLASS 2 CREDIT UNIONS, BY DIRECTORS GLOBAL & BY BPS RESOLVER

Transcription

1 1

2 YOU CAN T MANAGE WHAT YOU CAN T MEASURE Increasingly, boards and senior executives are looking to develop metrics or indicators to help to better monitor potential future shifts in risk conditions or new emerging risks. Source: COSO December

3 REGULATORY- EMERGING NEW GLOBAL RULES ON RISK Can- Canadian Securities Administrators- new rules, summer (2011) regarding disclosure of risk management practices employed in determining i executive compensation; U.S.- the new Dodd-Frank Act requires public financial companies and bank holding companies with assets over $10 billion to form risk committees at the board level; UK- UK accounting regulator, the Financial Reporting Council, announced new reporting rules that, new rules if enacted, will require audit committees for all companies to file regular reports on key risks. 3

4 WHY SET APPETITE & TOLERANCE Following the collapse of major financial institutions in 2008, many regulatory bodies are imposing accountability on financial institution boards. Example Section C, UK Governance Code (Financial Reporting Council, 2010). Board became tasked with determining the nature and extent of the significant risks it (the board) is willing to take in achieving it s strategic objectives. This is risk appetite and tolerance, by any another name Source: UK Institute of Risk Management,

5 COMMONLY USED TERMS Risk Tolerance Risk Appetite Risk Capacity Risk Criteria Risk Limits Risk Measures 5

6 COSO DEFINITION OF RISK APPETITE Risk Appetite The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision). Key Principles The entity s risk appetite is a guidepost in strategy setting It guides resource allocation It aligns organization,,people, p,processes and infrastructure Source: COSO Framework September

7 COSO DEFINITION OF RISK TOLERANCE Risk Tolerance The acceptable variation relative to the achievement of an objective. Key Principles Risk tolerances are measurable, preferably in the same units as the related objectives. They align with risk appetite. Source: COSO Framework September

8 WHY ISO DID NOT USE THE TERMS RISK APPETITE AND RISK TOLERANCE (ISO) avoided getting ensnared in the debate about risk appetite and risk tolerance. These two misused terms reflect poor reasoning that has been sponsored by the ill-founded COSO ERM Framework. Even a recent review by the Basel Committee on Banking Supervision no consensus in that sector on what they mean and the difference between them. ISO has adopted a more pragmatic approach that requires the organization to adopt risk criteria as the basis for its decisions Source: ISO 31000:2009 Setting a New Standard for Risk Management by Grant Purdy in Risk Analysis, Vol. 30, No. 6, Page 885 ( 2010) 8

9 NEEDED: CONSISTENCY..DICO S DEFINITIONS RISK APPETITE & TOLERANCE Risk Appetite - the degree of risk, on a broad-based level, that a credit union is willing to accept or take in pursuit of its objectives. Risk Tolerance - the level of risk that the credit union is willing to accept in various risk areas. This can be measured in terms of both quantitative and qualitative dimensions. Source: DICO ERM Framework, 09/2011 9

10 INFLUENCES AND VARIANCES Tolerances & Appetite can: be influenced by capacity to: withstand adverse consequences are expected to vary based on: the effectiveness of risk management processes and structures the credit union s earnings capacity and the level and quality of capital Other Source: DICO ERM Guidance Note, 09/

11 HIGH & LOW APPETITE AND TOLERANCE A higher capacity to absorb adverse consequences =opportunity to adopt a higher risk appetite and set higher risk tolerances A lower capacity to absorb adverse consequences = indicative of a much lower risk appetite and risk tolerances. Source: DICO ERM Guidance Note, 09/

12 LINKAGE: STRATEGIES GOALS & RISK APPETITE Credit union s goals should align with its risk appetite 1) aggressive goals= higher appetite to take/accept risk, or 2) highly risk adverse= goals will be more conservative Positive experiences and/or effectiveness in managing certain risks will influence decisions High concentrations of risk in a particular area may reduce willingness to accept further risk in the same area. 12

13 LINKAGE: STRATEGIES/GOALS & APPETITE -SOME OTHER MAJOR FACTORS Capital availability, technological sophistication, employee competencies Some risks fall outside overall appetite, i.e. some risks have a different rating different risk tolerance levels for individual risk categories or subcategories Other factors: the level of control over the risk, or, impact of the risk, or, the Credit Union s experience and expertise in managing that risk. 13

14 EXAMPLE ERM RISK CATEGORIES/SIGNIFICANT RISKS Risk Category Sub Category/Significant Risks Strategic Risk Strategy Development and Implementation Competition Performance and Viability Member Demographics Economic/External Risk Credit Risk Default Risk Concentration Risk Financial Risk Market/Investment Risk Structural Risk (Asset/Liability Mismatch Risk) Liquidity and Funding Management Capital Management Operational Risk Fiduciary Risk Information Technology Risk Outsourcing Fraud Member Satisfaction Personnel Compliance Risk Regulatory (CU/CP Act) Other Legislative Requirements Source: DICO ERM Application Guide, 09/

15 SAMPLE RISK APPETITE DEFINITIONS Appetite Level Risk Appetite Descriptor Definition 1 Avoid Not willing to accept risks in most circumstances 2 Modest Willing to accept some risks in certain circumstances 3 Moderate Willing to accept risks 4 Aggressive Willing to accept opportunities having high inherent risk Source: DICO ERM Application Guide, 09/

16 SAMPLE RISK TOLERANCES FOR IDENTIFIED SIGNIFICANT RISK AREAS Risk Risk Category Sub-Category Risk Element Risk Tolerance Risk 1 Credit Commercial Loans Borrower default Modest Risk 2 Credit Commercial Loans Concentration Risk Low Risk 3 Credit Retail Loans Borrower default Modest Risk 4 Operational Technology System Outage Low Risk 5 Strategic Member Demographics Loss of Market Share Modest Risk 6 Operational Personnel Qualified Staff Low Risk #2- tolerance is low, i.e. minimal desire to accept any material concentration risk in a particular industry segment; Risk #4- the credit union is unwilling to have a significant system outage due higher impact on its members and based on past experience; Risk #6- lack of experienced staff is seen as a major threat to planned growth. Source: TABLE 3: From DICO ERM Application Guide, 09/

17 RISK CATEGORY, KEY RISK INDICATORS AND TOLERANCE LEVELS Source: Table abe 14: DICO ERM Application Guide, September

18 RISK MANAGEMENT- WHERE DOES APPETITE & TOLERANCE FIT IN? Monitoring & Improvement Reporting Objectives Centralized Repository Risk Response & Action Risk Identification Risk Assessment & Measurement Determine risk tolerance & if risks are above tolerance levels Establish Strategy and Framework Start simply Get commitment from senior management and the board (tone from the top); Assign accountabilities Communicate to all stakeholders on a regular basis Determine risk appetite 18 18

19 ROLES IN SETTING AND MANAGING APPETITE AND TOLERANCE The Board is responsible for: setting risk appetite levels Management is responsible for: setting risk tolerance levels in line with the board s approved risk appetite. DICO- to review: risk appetite and risk tolerances in relation to actual and projected earnings and capital. Source: DICO guidance, September

20 RISK APPETITE AND RISK TOLERANCES- PARTNERSHIP: SENIOR MANAGEMENT & BOARD Senior management works in partnership with the board of the credit union to define what risk tolerances should be for particular risk categories based on the credit union s overall risk appetite. Source: DICO ERM Application Guide, 09/

21 SAMPLE EXCERPT FROM ERM POLICY The risk appetite of the credit union is [i.e. MODEST, should be defined by the credit union including quantitative and/or qualitative attributes.] Significant risks must have Board approved risk management policies and/or risk management strategies. Risk tolerances will be developed for each identified significant risk that reflect the level of risk appetite elected by the Board and management [indicate what these are or how and where these are to be set out.] Source: DICO ERM Framework, 09/

22 EXCERPT FROM HYDRO ONE S ERM POLICY Risks are identified, analyzed, and consciously accepted or mitigated within approved risk tolerances. ERM will continue to evolve to reflect industry best practices and Hydro One Inc. s needs. This policy will be reviewed annually by the Investment Review Committee and the Audit & Finance Committee of the Board. Source: J. Fraser, SVP Internal Audit, Chief Risk Officer, Hydro One 22

23 REPORTING TO THE BOARD- RESIDUAL RISK HEAT MAP Source: DICO ERM Application Guide, 09/

24 REPORTING TO THE BOARD- ALL SIGNIFICANT RISKS Source: DICO ERM Application Guide, 09/

25 CONCLUSIONS/ SUMMARY Metrics or indicators help to better monitor potential future shifts in risk conditions or new emerging risks Institutions with more than $250 million in assets will need to address this issue starting in All other Class 2 institutions will need to address this requirement in

26 CREDENTIALS Directors Global Risk Consulting Steve Mallory-sits on CSA Canadian Risk Management Committee- advisory and technical advice to Canadians on ISO 3100 and other risk standards. Also, on Board/Audit committee of Federal Crown Corporation Clients include major Canadian organizations BPS Resolver Automated Governance, Risk and Compliance Management Systems Extensive experience with Financial Institutions Over 300 clients worldwide Used by all of the big 4 accounting firms: Deloitte, PwC, E&Y, KPMG Canadian owned and operated 26

27 THE DIRECTORS GLOBAL/BPS RESOLVER PROGRAM A simple ERM solution which meets DICO s ERM requirements including: Customizable & scalable for each institution A guided self-management offering A combination of group work with (peers) & individual work (including one on one) Facilitated with consulting guidance - group & one-on-one (by Directors Global) Automated via standardized system created for Credit Unions (by BPS Resolver) Program works in groups of 5-10 Credit Unions Attractive cost $5,000 set up (to create a Risk Management Policy Statement) $18,000 annually (to manage Risk Management program including annually renewable software license) Monitoring & Improvement Reporting Objectives Centralized Repository Establish Strategy and Framework Risk Identification Risk Assessment & Measurement Risk Response & Action 27

28 QUESTIONS? For Further Information on Risk Tolerances or Appetite, call: Steve Mallory, Directors Global Contact Info. Phone Toll Free