Journey of a Compliance Officer in ERM Implementation
SCCE Regional Conference, September 8, 2017

Introduction
- Is there a formal ERM program within your institution?
- Is there alignment/coordination between ERM and Compliance?
- Are roles and responsibilities between ERM, Legal and Compliance clear?
Scene 1: ERM Project Kick-Off Meeting

What is ERM?
- Strategic: all about the strategy and better decision making
- An integrated process of identifying major risks of all types to achieving the specific goals and objectives of the organization in a changing environment
- A framework for establishing consistency and a common approach
- An "Everyone's a Risk Manager" culture
- ERM forces leaders to talk about and discuss risk; risk becomes a natural part of doing business and facilitates strategic decision making
ERM: How it works

Identify (using multiple inputs)
- Strategy/innovation discussions
- Internal Audit collaboration
- Compliance and IT risk assessments
- Questionnaires/surveys
- Environmental scans
- External sources such as CEB, KPMG, Grant Thornton and industry networking groups

Assess
- Assessment criteria are based on:
  - Impact: if this risk event were to materialize, what would be the impact on the organization?
  - Likelihood: what is the likelihood this risk event will occur?
  - Velocity: if this risk event were to materialize, how rapidly would it impact the organization?
  - Mitigation effectiveness: how well the risk is being managed and how much risk remains
- Assessed via an ongoing process and a formal annual survey
- The risk profile is prioritized into Tier 1 and Tier 2 risks to provide focus

Mitigate
- Mitigation efforts are developed by risk owners and supported by defined plans to reduce risk exposures and manage risks
- The Executive Team meets routinely to discuss changes in risk (either new emerging risks, or the escalation/recalibration of existing risks) and the mitigating activities
- Internal Audit includes the key business processes for mitigating enterprise risks in its annual audit plan

Monitor
- On an ongoing basis, the risks are monitored against the top risk areas reported in the external environment and in the not-for-profit sector, which can influence the organization's risk posture

Report (including risk appetite)
- Formal risk reporting includes the risk heat map and risk scorecards
- Reporting is ongoing to reflect changes in the risk profile; results are provided to the Executive Team, which holistically and routinely discusses them as reflected on the risk heat map
- Board Committees have been assigned jurisdiction for oversight of each of the key risks, and discussions about Tier 1 risks, including the risk scorecards, are embedded within the meeting agendas

Compliance Officer Thoughts
- What does this mean for Compliance?
Compliance Perspective

Value to Compliance of an ERM program
- Greater visibility and attention to compliance risks
- Tools to facilitate business area involvement in compliance
- Integration of compliance activities with other risk management activities to increase efficiency and effectiveness

Concerns
- ERM doesn't understand the details of compliance risk and therefore shouldn't be reporting on it
- The ERM framework is built for operational risk and doesn't accommodate the low risk appetite for compliance risk
- Compliance will lose control if compliance risks are integrated into ERM procedures

CEO Thoughts
- What's the value to the organization?
CEO Perspective
- I'm ultimately responsible; my involvement is vital
- I need a holistic view of all risk types
- I need to integrate risk management with enterprise strategy
- I'm accountable to the Board of Directors for governance

Scene 2: Working out the Details
- Identifying risk
- Roles and responsibilities
- Risk assessment and scoring
- Risk appetite
Roles and Responsibilities
- Roles between ERM, Compliance and Legal are often unclear
- An effective ERM program must include all risks, including compliance
- Categories of risk are not mutually exclusive (e.g., a risk might have an operational risk cause and a compliance impact)
- ERM and Compliance must work together and develop common tools and methodology
- A change in perspective can facilitate cooperation:
  - ERM recognizes the low tolerance for compliance risk and works to integrate it into the program
  - Compliance recognizes the need for the enterprise to have an integrated view of risk

Identifying/Assessing Risks: AARP
- Risk identification happens in several ways (strategic planning, Internal Audit, fraud and IT risk assessments, external scans)
- The compliance risk assessment is another way; it becomes an input to, and subset of, the organization's overall risk environment
- The Compliance Officer and legal team SMEs identify and document a detailed inventory of legal and regulatory requirements
- The legal team assesses the inventory of compliance risks using the ERM framework's likelihood and impact scoring criteria
- Top compliance risks are included in the enterprise-wide risk assessment
- For example, our private letter ruling with the IRS regarding our non-profit status is one of our top eight ERM risks
Sample format for a Compliance Risk Inventory
[Slide shows a sample compliance risk inventory table; the table itself is not reproduced here]

Identifying/Assessing Risks: Banking
- Risks are identified and documented in a detailed inventory of legal and regulatory requirements
- The business assesses risks through a Risk and Control Self Assessment (RCSA) process or a similar approach
- The RCSA covers process-level risks and controls
- Compliance risks are included in the RCSA process
- Top enterprise risks are aggregated and reported through ERM
- There is a trend towards a more quantitative process and less reliance on professional judgment
- Compliance typically conducts compliance-focused risk assessments and maintains the inventory of legal and regulatory requirements
- Individual legal and regulatory requirements are evaluated
Risk Appetite: AARP
AARP's risk appetite journey
- Took place over a nine-month timeframe
- Created a risk working group consisting of board members and management
- Invited all board members to take the annual risk assessment, separately from but at the same time as the Executive Team
- CEB facilitated a review of the results, as well as a scenario workshop, during a board meeting
- The risk appetite statement was created and approved at the next board meeting
- The risk appetite statement is more qualitative than quantitative
- Risk appetite keeps the board and management aligned around key strategic decisions

Risk Appetite/Risk Scoring: Banking
- Enterprise-level risk appetite is typically qualitative, such as "low tolerance for compliance violations"
- Risk appetite may be stated in terms of maintaining satisfactory examination ratings
- Best practices and regulatory pressure have led to more specific and more quantitative risk appetites for sub-risks, for example a maximum defect rating for compliance testing results
- Scoring of individual risks varies, with a trend towards more quantitative scoring methods, for example:
  - Number of customers impacted
  - Potential for regulatory/legal scrutiny
  - Disruption to the company
Scene 3: Presentation to Board on Successful Project
- ERM and Compliance are distinct yet complementary disciplines that, when integrated and aligned, provide a holistic view of risk types
- Risk management should be risk-based
- The maximum benefit comes when the enterprise uses a standard and coordinated methodology
- At the end of the day, we all need to be managing risks to the organization

Contact Information
- Steven Pearlman, Chief Risk Officer, E*Trade Bank, Steven.pearlman@etrade.com
- Joe Pugh, Director ERM, AARP, jpugh@aarp.org