Post on 23-Sep-2020
B. Gabe Nachand, Partner
Moss Adams LLP
Presenting
ACUIA Region One: Enterprise Risk Management
Today’s Discussion Objectives
• What is Enterprise Risk Management? – an Overview of ERM
• What is Driving ERM?
• ERM & the Regulators
• How ERM Can Benefit My Institution
• How My Institution Can Build an ERM Strategy: Implementation Overview
– Phase 1 – Planning
– Phase 2 – Implementing the Plan
– Phase 3 – Refining
• Summary
WHAT IS ENTERPRISE RISK MANAGEMENT (“ERM”)?
Questions to Ponder…
• In today’s banking environment, what risks or “watch out fors” would you suggest directors, supervisory committees, audit committees (or even executive management) focus on?
• What would you be looking for in Board Report packages today?
• Do we understand these issues enough to appropriately report on them in each of our institutions today?
What is “Enterprise Risk Management”?
“Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, (Sept. 2004)
What is ERM?
• A structured, consistent, and continuous risk management process that is applied across the entire organization
• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization
• Driven by a decision‐support process that is aligned with the management and execution of strategic objectives
• Enhanced by
– the assignment of roles and responsibilities,
– reporting and communication,
– policies and procedures, and
– adoption of a risk‐based culture
[Figure: ERM cycle – Business Objectives; Planning & Management; Identify & Assess; Measure, Monitor & Report]
Enterprise Risk Management: “What might get in the way of my duty to deliver value to stakeholders?”
Risk – The potential that events, expected or unanticipated, may have an adverse impact on capital or earnings.
Risk Management – The employment of systems and processes to manage the critical tradeoff between risk and return in financial decision‐making.
Enterprise‐Wide Risk Management – The formal mechanism or structure for managing risks across the entire institution on an integrated basis.
Enterprise Risk Management (ERM) Components
Keys to a good ERM program – must include:
• Risk Identification
– What are our key risks?
– What level of risk are we willing to allow/accept (“risk appetite”)?
• Risk Measurement
– Risk measurement models (ALM, Credit Stress)
– Guidelines and quantification tools (Credit Risk Classification, Operational and Credit Losses)
Enterprise Risk Management (ERM) Components
• Risk Control
– Policies (Required and Best Practice)
– System of risk limitations
– Authorities and oversight systems
• Risk Monitoring
– System of risk reporting – key measurements
– Board driven assessments (internal and external audits, monitoring reports)
– Management self‐assessments (management generated reporting against pre‐set standards)
In a Nutshell…
ERM is a process for managing and controlling risks across an entire organization, both within and across business lines and legal entities.
WHAT’S DRIVING ERM?
What’s Driving ERM? ‐ Environmental ‐
• Growing size and organizational structure
• Increasing diversity of business lines and complexity of products
• Increasing number of regulations
• Increasingly competitive marketplace
ERM can be the key for how to win
What’s Driving ERM? ‐ Institutional ‐
• Fragmented or “silo” risk management efforts
– fail to recognize interrelationships of risk across businesses or products
• Lack of aggregation of common risks and reporting
– fails to keep Board and management informed of organization‐wide risks
• Lack of attention to how risks are correlated
– fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures
Post Downturn, ERM is More Important than Ever
• Bankers, regulators, investors, customers and counterparties will not soon forget the near‐collapse in late 2008
• So far, the new era in financial services is a very strong emphasis on safety and risk management
• Those who can demonstrate superior risk management will have a competitive advantage
– Greater opportunities in the market due to goodwill from regulators and investors
– More and better customers
• Key ERM implementation challenges for most institutions
– Culture
– Right expertise
– Data and Measurement
– Transparency/Reporting
Drivers of ERM – a Summary
Board of Directors • Demand increased financial disclosure and transparency
Stakeholders • Demand evidence that management understands and manages risk
Regulators/Rating Agencies • Seek assurance around compliance and risk assessment processes
Credit and Rating Analysts • Asking organizations to report risks in a forward‐looking context
Activists • Demand social awareness, safety & environmental consciousness
Customers • Make decisions based on differentiating factors
Peers • Comparison with others drives industry‐wide practice
Competitors • Push innovation, drive leadership
ENTERPRISE RISK MANAGEMENT AND THE REGULATORS
Regulatory Expectations for ERM
ERM starts with the fundamentals of strong risk management:
• Active Board and Senior Management Oversight
• Adequate Policies, Procedures, and Limits
• Adequate Risk Measurement, Monitoring, and MIS
• Comprehensive Internal Controls
NCUA ERM Guidance
NCUA advises an effective system of Enterprise Risk Management includes consideration of:
• Market Condition
• Field of Membership
• Credit Union Structure
– Size
– Complexity
– Geographic diversity
Increasing Emphasis on ERM Perspective
Basel Committee’s Core Principles for Effective Banking Supervision (2006)
Principle 7 – Risk management process: “Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor, and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the organization.” http://www.bis.org/publ/bcbs129.pdf
Principles for Effective Operational Risk Management (2003) http://www.bis.org/publ/bcbs96.pdf
Principles for Sound Liquidity Risk Management and Supervision (Sept. 2008) http://www.bis.org/publ/bcbs144.pdf
Basel II Capital Accord
Three Pillars of Capital Adequacy
• Minimum Capital Standards
– Credit Risk
– Operational Risk
– Market Risk
• Supervisory Review
– Banks review own capital adequacy
– Supervisors evaluate bank assessment
• Market Discipline
– Enhanced disclosures given increased reliance on internal assessments
Principles of Effective Operational Risk Management(Basel Committee on Banking Supervision)
1. Board should approve and periodically review the Operating Risk Framework.
2. Board should ensure that Framework is subject to independent, competent audit staff review.
3. Senior management responsible for implementation.
4. Process to identify and assess operational risk inherent in products, activities, processes and systems.
5. Process to monitor operational risk profiles and material exposure to losses.
Principles of Effective Operational Risk Management(Basel Committee on Banking Supervision)
6. Policies, processes and procedures should exist to control and/or mitigate material operational risks.
7. A contingency and business continuity plan should exist.
8. The regulators should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risk as part of an overall approach to risk management.
9. Regulators should conduct regular, independent evaluation of bank’s policies, procedures and practices related to operational risks.
10. Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.
It Takes 3 to Fly this Plane
[Figure: Time & Activities – Audit (Past: “Do we do as we say?”), Compliance (Present: “Are we in compliance?”), Risk (Future: “What can go wrong?”)]
• Risk Manager – looks thru the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance
• Compliance Manager – assists the pilot in maintaining the proper flight path and plane operating procedures by using the manual and FAA regulations
• Auditor – uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path
In Summary
• Boards of directors are responsible for ensuring that their institutions are managed in a safe and sound manner. (This hasn’t changed)
• In today’s environment (and increasingly in the future), safety and soundness means that risks need to be well‐managed given the institution’s risk environment and business model.
• You need to be able to answer “Yes” to this regulator question: “Do you have a program that appropriately identifies emerging risks in a timely manner?”
• Therefore:
Safety/Soundness = Risk Management
Consequently, the foundation for modern Corporate Governance is Enterprise Risk Management.
BENEFITS OF ERM
Organizational Goals of ERM
• Protect/Enhance Stakeholder Value
• Link Strategy and Risk Profile
• Recognize and Manage integrated/cross‐organizational risks
• Enhance Risk Based Decisions
• Capital Management
• Seize Opportunities
• Disciplined Culture
For a director, do these sound familiar?
Benefits of Enterprise Risk Management
• Enhances integrated decision‐making – better deal with the risk from growth, M&A, new products, etc.
• Better align risk and strategy.
• Framework for identifying enhanced return opportunities – improved risk mitigation.
• Improve deployment of capital resources – allocating capital to business areas to achieve superior risk returns (RAROC).
• Credibility and confidence in governance and risk management – investors, regulators, rating agencies, external auditors.
• Anticipate risk – seize opportunities/minimize cost.
• Improved understanding and management of interactions and interrelationships between risks.
• Clear accountability and ownership of risk.
• Regulatory compliance with safety and soundness guidelines, foundation for a strong internal control environment.
Benefits of Enterprise Risk Management (continued…)
All the previous positively impact:
• Protection of capital.
• Enhancement of earnings.
• Reduction of losses (Fraud, Credit, Operational).
• Greater efficiency in process flows.
• Better defined/more efficient internal audit programs.
• Better understanding of effect of market movements.
What We are Observing: Industry ERM Themes so Far for 2012+
• ERM
– Managing an acquisition (valuation, financial integration, change in risk profile, culture, data integration, etc.)
– Model validation
– Incentive programs that incorporate risk and are better aligned with organizational performance
• Compliance and regulatory
– Regulatory reform outcomes
– Stress testing
– Compliance: fair lending, BSA, AML
• Credit
– Provision and reserve going forward
– Growing the loan portfolio
– Diversifying away from risk concentrations in the portfolio
• Market Risk
– The investments portfolio – understanding the risks going forward
– Interest rate risk management
BUILDING AN ERM STRATEGY: IMPLEMENTATION OVERVIEW
ERM Implementation Phases
[Figure: gradual evolution of the process through three stages – Compliance and Prevention (detective controls and processes), Operating Performance (preventative controls and processes; improvement), and Stakeholder Value Enhancement (proactive planning)]
Developing ERM Capabilities is an Evolution, Not an Event
EARLY
• Minimal credit grading
• No portfolio analysis
• No operational risk measurement
• ROA as return measure
INTERMEDIATE
• Some risk quantification combined with seasoned judgment
• Operational and market risk in early stages
• Some RAROC calculations
• Portfolio analytics
ADVANCED
• An integrated risk management perspective
• Granular risk quantification
• Effective regulatory and investor relations
• Active portfolio management function
• Full RAROC across bank
Add Capabilities as Risk/Complexity are Added
Linking ERM to Strategy
[Figure: Risk Management Maturity Level (Low to High) against Time – Compliance/Monitoring; Loss Minimization; Risk Measurement; Risk vs. Return Optimization; Strategic Integration; risk appetite articulated at the upper end]
ERM – Strengthening Focus on Strategic Risk Exposures
[Figure: Profitability decomposed into its drivers, each with its Risk Drivers and the question “Risk Metrics?” – Increased Revenues (Yield: Rate & Volume; Non‐interest Income Products; Increased Loan Risk) and Expense Savings (Reduce Head Count; Other Cost Savings Measures – Vendor Mgmt.)]
The Moss Adams Phases to ERM Implementation
• STEP 1 – PLANNING – (a.k.a., “putting your best foot forward, knowing the process isn’t going to be perfect because it’s a new area of focus, and every institution is unique”)
• STEP 2 – IMPLEMENTING – (a.k.a., “executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the ‘refining’ stage”)
• STEP 3 – REFINING – (a.k.a., “fixing what needs to be fixed and/or what wasn’t addressed after implementing your plan”)
A simple 3‐step process for getting your ERM program off the ground
ERM IMPLEMENTATION PHASE 1 – PLANNING
Building Your ERM Roadmap/Implementation Plan: STEP #1 – PLANNING
A. Gain Board/Committee/Executive level of support – “Tone at the Top” might be the single biggest factor in being successful at implementing; start to build consensus/buy‐in
B. Revisit/review your strategic plan – the ERM vision s/b aligned with your organization’s size/complexity
C. Start thinking about how you are going to identify (and categorize) risk
TIPS:
• Define plan owners, roles and responsibilities for execution, timelines, resource alignment
• Prioritize key tasks – look for up‐front, early wins
• Utilize existing management structures
• Think about existing organizational design/structure
• Other: degree of alignment with finance, specific control tools, etc.?
• Start to build consensus among key internal and external stakeholders (including regulators*)
• Preliminary risk assessment – work on the “completeness” of the risks inventory
• Look for risk concentrations
• Understand management’s current risk activities – functions, controls, what is tracked, who does it, etc.?
Tone at the Top & Culture
• It’s that CULTURE thing!!
• Mutual Expectations, Respect, Reliance
• Model the Standard
– Legally: Duty of Loyalty and Care
– Business Judgment
– Disclosure / Transparency
• Open Communications, Debate
• Brainstorm risks at various management levels – what risk is coming around the corner?
• Welcome the Messenger
• Welcome Dumb Questions
• Draft Policies
ERM Policy
• Policy Statement
• Purpose/Objectives
– Integrated mgmt of risk
– Governance of risk oversight
– Independent review and monitoring
– Best practice risk control
• Risk Metrics and Tools
– Risk Assessments
– Measures
• Responsibilities
– Board of Directors
– Board Risk Committee
– Management Risk Committee
– CEO
– CRO
– Internal Auditor
– Department Heads
• Risk Categories
• ERM Process
• Policy Guidelines/Limits
• Controls & Monitoring
• Risk Response
• Communication & Reporting
• Policy Exceptions
ERM Charter
• Purpose/Objectives – Board delegation to:
– Identify and manage risks
– Adhere to policies
• Committee Members and Chair
– Chief Risk Officer direct report
• Meetings
– Full Board reporting
• Duties and Responsibilities
– Audit Committee interaction
– Oversight of Management Risk Committees
• Performance Evaluation
• Committee Resources
ERM is a Shared Responsibility: Typical Roles/Needs
Board of Directors
– Governance
– Reputational Risk
– Board Training
CEO/COO
– Business Risk
– Execution Risk
– Strategy/Mergers
CFO
– SOX
– Basel II/Economic Capital
– Performance Measurement
CRO (Larger)
– ERM Roadmap
– Policies/Limits/Appetite
– Risk Quantification
– Dashboards
Functional Risk Managers/Delegated Responsibilities:
– Credit Risk
– Market Risk
– Interest Rate Risk
– Operational Risk
– Compliance Risk
– Technology Risk
– Etc.
A Vision for ERM is Fundamentally Linked to Strategic Goals for Your Organization
• What are your core competencies? What is your market? What does your organization want to be? Who are the stakeholders?
• What are your return goals? (Risk vs. Reward = Credit & IRR; Capital Adequacy; Regulatory; Fraud; Other?)
• Identify Risks to your Institution – What risks do you take‐on to generate these returns? Focus on “key” risks.
– Credit risks in lending?
– Credit risks in your investments portfolio?
– Market risks through interest rates?
– Market risks through your investments portfolio?
– Operational risks through providing processing/cash management services?
– Operational risks through asset management services?
– Compliance risks in highly regulated markets?
– Other?
• How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)? Do you have sufficient capital and liquidity to support these risks?
ERM Risk Components
• Credit Risk and Market Risk are typically called ‘financial risks’ – return and risk are usually directly correlated here
• Greater risk will lead to higher returns in the long run, but will also result in significantly greater earnings volatility and require much more capital. A risk appetite is needed to decide how much risk and what types of risk are appropriate
• Operational Risks can also be financial risks, but the risk/return relationship can be very different
– Some operational risks such as regulatory and compliance concerns are not related to returns, only protection against future loss, or are a cost of doing business
– Fee‐based businesses such as asset management or payment processing are operational‐risk driven businesses with a direct relation to returns
• Regardless of the risk type, ERM practices can enable management and the board to:
– Develop a consolidated view of their risk profile across all risk types and understand hot spots
– Measure risk exposure using quantitative and qualitative methods
– Set a risk appetite and manage to it
– Better understand where returns are generated
Regulatory Risk Categories (Risks Example 1)
OCC Risk Categories
• Credit Risk
• Interest Rate Risk
• Liquidity Risk
• Price Risk
• Foreign Exchange Risk
• Transaction Risk
• Compliance Risk
• Strategic Risk
• Reputation Risk
Fed Risk Categories
• Credit Risk
• Market Risk
• Liquidity Risk
• Operational Risk
• Legal Risk
• Reputational Risk
FHLB Risk Categories
• Credit Risk
• Market Risk
• Liquidity Risk
• Operational Risk
• Business Risk
Regulatory Capital Rules Have Created a Framework for Classification of Risk Types(Risks Example 2)
Risk Type | Definition
Credit Risk | Loss due to a borrower’s inability to meet its financial obligations; loss due to change in borrower’s credit quality
Market Risk | Loss due to change in market value of traded positions; loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)
Operational Risk | Loss resulting from inadequate or failed internal processes, people and systems, or from external events. The definition includes legal risk. The definition does not include strategic or reputational risks.
Many Institutions Have Adopted These Definitions for a Functional ERM Structure (Risks Example 2.1)
Enterprise Risk Management Functional Structure (Not Organizational Structure)
Credit Risk
– Commercial
– Retail
– Counterparty
Market Risk
– Change in Fair Value
– Interest Rate Risk
– Currency Risk
– Liquidity Risk
Operational Risk
– Compliance Risk
– Int. and Ext. Fraud
– Business Process Failure
– HR
– Litigation
– Data Security
– Technology/Systems
– Natural Disaster
– Etc.
Other Risk Category Possibilities: Business, Strategic, Concentrations, Reputation, etc.
ERM IMPLEMENTATION PHASE 2 – IMPLEMENTING THE PLAN
Building Your ERM Roadmap/Implementation Plan: STEP #2 – IMPLEMENTING
A. Identify and prioritize the RISKS
– Keep it to the “TOP 5” for in‐depth Board reporting
– Additional risks can be identified and listed, but don’t take away the focus from the Top 5
B. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting
C. Identify gaps in the process and start to analyze (but don’t let them slow you down!)
TIPS:
• Identify strengths and weaknesses in existing risk management function
• Re‐align existing capabilities with where you need to get to
• Scope: risk controls, information technology, culture, expertise, policies, risk quantification, reporting/transparency
ERM Implementation – Think about “Risk Awareness”
Difficult process – 3 levels of risk awareness
• Known – You lend money to various parties and someone isn’t going to pay (credit risk)
• Unknown, but knowable – e.g., flood or other natural disaster that isn’t unusual for the area.
• Unknown, unknowable – would not ever know in advance, but is there a plan I can have if “something” takes me out of what I do?
This helps you to think beyond the everyday risks.
Focus on Key Enterprise Risks
• Risk issues that are most significant and deserve attention of executive management and the Board.
• Issues identified through the risk assessment process within each functional risk area.
• Escalated to corporate level with mitigation and action plans presented.
ERM Implementation – Risk Assessment
Ask each Board/Committee member:
“With our entity’s business model in mind, what are the Top 5 emerging risks:”
1. _________________________________________
2. _________________________________________
3. _________________________________________
4. _________________________________________
5. _________________________________________
Ask Management the same question. Will the results be similar?
How often do the Board and Senior Management engage in explicit discussions about risk?
Reminder: Addressing risk in an advanced ERM process becomes strategic instead of defensive
Risk Assessment (continued)…
• For identified risk events:
– What is the time frame to consider?
– How likely is the event to occur?
– What would be the impact?
• On financial goals (cash flow, capital, reported earnings)
• On operational goals
• On reputation/brand
– Inherent vs. residual risks?
One Complication: Inherent vs. Residual Risk
• What risks are we assessing?
– Ignore the response to start: there is a tendency to over‐value controls. “100% under control” is a red flag; nothing is foolproof.
– Inherent risk: Risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact
– Residual risk: Risk that remains after management responds to the risk identified
Back to some risk assessment examples….
Banking Risk Categories within ERM (Risks Example #3)
Strategic
– Product Offering
– Merger & Acquisition
– Competition
– Revenue Growth
– Profitability
– Capital
Credit
– Payment Default
– Loan Concentration
– Loan Quality
– Collateral Valuation
Interest Rate
– Interest Rates
– Yield Curve
– Investment Volatility
– Foreign Exchange
Liquidity
– Funding Sources
– On/off Balance Sheet
– Contingency
Legal
– Employment Law
– Contracts
– Intellectual Property
– Litigation
– Financial Reporting
Compliance
– Consumer
– Commercial
– Fiduciary
– Money Laundering
Operational
– ID Theft & Fraud
– Security & Privacy
– Business Continuity
– Physical Security
– Vendors
– Process Errors
Reputation
– Image & Branding
– Employee Relations
– Customer Relations
– Regulatory Relations
– Public Relations
– Stakeholder Relations
ABC Institution Simple Enterprise Risk Assessment Example (Risks Example #4)

Risk Universe | Abbr. | Operations | Reporting | Compliance | Safeguard of Assets | Risk Impact (AVG.) | Vulnerability | Control Environment | Control Monitoring | Risk Likelihood (AVG.) | Inherent Risk (Impact x Vulnerability) | Rating | Residual Risk, risk after controls (Impact x Likelihood) | Rating | Tested? | Prior Year Residual Risk | Rating | Tested?
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Loans | Lns | 5 | 5 | 4 | 3 | 4.25 | 5 | 2 | 2 | 3.00 | 21.25 | H | 12.75 | M | Yes (I/A) | 20.00 | H | Yes
ALLL | ALLL | 4 | 3 | 4 | 5 | 4.00 | 5 | 3 | 2 | 3.25 | 20.00 | H | 13.00 | M | ‐ | 19.00 | H | Yes
Investments | Inv | 3 | 4 | 3 | 3 | 3.25 | 4 | 2 | 3 | 3.25 | 13.00 | M | 10.56 | M | ‐ | 16.00 | M | ‐
Deposits | Dep | 5 | 5 | 4 | 3 | 4.25 | 2 | 1 | 2 | 1.75 | 8.50 | L | 7.44 | L | ‐ | 9.00 | M | ‐
Internet Banking | IntBk | 5 | 4 | 3 | 4 | 4.00 | 4 | 2 | 3 | 2.75 | 16.00 | H | 11.00 | M | Yes (I/A) | 12.00 | L | ‐
Debit Cards | Debit | 4 | 3 | 3 | 4 | 3.50 | 4 | 2 | 4 | 3.25 | 14.00 | H | 11.38 | M | ‐ | 13.00 | M | ‐
ACH | ACH | 3 | 3 | 3 | 3 | 3.00 | 2 | 2 | 3 | 2.50 | 6.00 | L | 7.50 | L | ‐ | 5.00 | M | Yes
Wire Transfers | Wires | 3 | 2 | 4 | 4 | 3.25 | 3 | 1 | 3 | 2.50 | 9.75 | M | 8.13 | L | Yes (I/A) | 8.00 | H | ‐
Item Proc., Br Cap | IP | 3 | 2 | 2 | 3 | 2.50 | 2 | 1 | 3 | 2.25 | 5.00 | L | 5.63 | L | ‐ | 4.00 | H | ‐
General Ledger | GL | 4 | 4 | 3 | 4 | 3.75 | 4 | 2 | 3 | 2.75 | 15.00 | H | 10.31 | M | ‐ | 11.00 | H | ‐
ALM/IRR | ALM | 4 | 4 | 4 | 3 | 3.75 | 4 | 3 | 3 | 3.50 | 15.00 | H | 13.13 | M | Yes (Ext.) | 16.00 | H | ‐
AVP, Punch & Disb | AP | 4 | 3 | 3 | 4 | 3.50 | 3 | 2 | 3 | 2.75 | 10.50 | M | 9.63 | M | ‐ | 10.00 | M | ‐
EDP | EDP | 5 | 3 | 4 | 3 | 3.75 | 3 | 1 | 2 | 2.25 | 11.25 | M | 8.44 | L | ‐ | 12.00 | M | ‐
BSA | BSA | 5 | 3 | 5 | 4 | 4.25 | 4 | 1 | 3 | 2.75 | 17.00 | H | 11.69 | M | ‐ | 16.00 | H | ‐
Compliance | Comp | 4 | 3 | 4 | 4 | 3.75 | 3 | 1 | 2 | 2.00 | 11.25 | M | 7.50 | L | Yes (Ext.) | 12.00 | M | ‐
Collections | Coll | 4 | 2 | 3 | 2 | 2.75 | 3 | 2 | 3 | 2.75 | 8.25 | L | 7.56 | L | ‐ | ‐ | ‐ | ‐

Scoring legend:

Impact | Risk Likelihood (Vulnerability/Control) | Score | From | To | Risk
--- | --- | --- | --- | --- | ---
Negligible | Remote / Excellent | 1 | 1 | 8.99 | Low
Low | Unlikely / Good | 2 | 9 | 13.99 | Mod
Moderate | Possible / Fair | 3 | 14 | 25.00 | High
High | Probable / Needs Improvement | 4 | | |
Extreme | Certain / Does Not Exist | 5 | | |
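A worked implementation of the scoring model in the ABC Institution table, added here as an illustration; it is not code from the presentation or from Moss Adams. It assumes exactly what the column headers and the legend state: four impact objectives (Operations, Reporting, Compliance, Safeguard of Assets) scored 1 to 5 and averaged into Risk Impact; a Vulnerability score plus control scores averaged into Risk Likelihood; Inherent Risk = Impact x Vulnerability (the risk before management responds, as on the “Inherent vs. Residual Risk” slide); Residual Risk = Impact x Likelihood (risk after controls); and the Low/Moderate/High bands 1–8.99, 9–13.99 and 14–25. The Loans row recomputes exactly from the values shown; because the extracted table’s likelihood average does not recompute from the three visible component columns on every row, the example takes the likelihood components as an open‐ended list of whatever scores the institution averages. The `RiskItem` class, `top_risks` helper and the two non‐Loans sample rows are constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from statistics import mean

# Scales from the legend beneath the example table
IMPACT_SCALE = {1: "Negligible", 2: "Low", 3: "Moderate", 4: "High", 5: "Extreme"}
LIKELIHOOD_SCALE = {
    1: "Remote / Excellent", 2: "Unlikely / Good", 3: "Possible / Fair",
    4: "Probable / Needs Improvement", 5: "Certain / Does Not Exist",
}
# (from, to, rating) bands; applied to both the inherent and the residual score
RATING_BANDS = [(1.00, 8.99, "L"), (9.00, 13.99, "M"), (14.00, 25.00, "H")]


def round_half_up(value: float, places: int = 2) -> float:
    """Round the way the table does (8.125 -> 8.13), not Python's banker's rounding."""
    quantum = Decimal(1).scaleb(-places)
    return float(Decimal(str(value)).quantize(quantum, rounding=ROUND_HALF_UP))


def rating(score: float) -> str:
    """Map a 1-25 score to the L/M/H band from the legend."""
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 scoring range")


def _check_scores(scores, scale):
    for s in scores:
        if s not in scale:
            raise ValueError(f"score {s!r} must be one of {sorted(scale)}")


@dataclass(frozen=True)
class RiskItem:
    """One row of the risk universe: name and raw scores in, everything else derived."""
    name: str
    impact: tuple          # Operations, Reporting, Compliance, Safeguard of Assets (1-5 each)
    vulnerability: int     # 1-5; used on its own for inherent risk
    controls: tuple        # Control Environment, Control Monitoring, ... (1-5 each)
    tested: str = "-"      # e.g. "Yes (I/A)" internal audit, "Yes (Ext.)" external

    def __post_init__(self):
        _check_scores(self.impact, IMPACT_SCALE)
        _check_scores((self.vulnerability, *self.controls), LIKELIHOOD_SCALE)

    def impact_avg(self) -> float:
        return round_half_up(mean(self.impact))

    def likelihood_avg(self) -> float:
        # Vulnerability averaged with the control scores: "Risk Likelihood (AVG.)"
        return round_half_up(mean((self.vulnerability, *self.controls)))

    def inherent(self) -> float:
        # Inherent risk ignores management's response: impact times raw vulnerability
        return round_half_up(self.impact_avg() * self.vulnerability)

    def residual(self) -> float:
        # Residual risk is what remains once the controls are credited
        return round_half_up(self.impact_avg() * self.likelihood_avg())

    def row(self) -> dict:
        return {
            "risk": self.name,
            "impact": self.impact_avg(),
            "likelihood": self.likelihood_avg(),
            "inherent": self.inherent(), "inherent_rating": rating(self.inherent()),
            "residual": self.residual(), "residual_rating": rating(self.residual()),
            "tested": self.tested,
        }


def top_risks(items, n=5):
    """Names of the n highest residual-risk items, the 'Top 5' the Board report focuses on."""
    ranked = sorted(items, key=lambda it: (it.residual(), it.inherent()), reverse=True)
    return [it.name for it in ranked[:n]]


if __name__ == "__main__":
    register = [
        RiskItem("Loans", (5, 5, 4, 3), 5, (2, 2), tested="Yes (I/A)"),  # row from the table
        RiskItem("Deposits", (5, 5, 4, 3), 2, (1, 2, 2)),                 # constructed row
        RiskItem("ACH", (3, 3, 3, 3), 2, (2, 3, 3)),                      # constructed row
    ]
    for item in register:
        r = item.row()
        print(f"{r['risk']:<10} impact {r['impact']:.2f}  likelihood {r['likelihood']:.2f}  "
              f"inherent {r['inherent']:>6.2f} {r['inherent_rating']}  "
              f"residual {r['residual']:>6.2f} {r['residual_rating']}  tested {r['tested']}")
    print("Top risks:", top_risks(register, 2))
```

Two design points worth noticing: scores are validated on construction so a stray “6” or “74” in a spreadsheet cannot silently inflate a product, and the rounding is explicit half‐up so that a residual score of 8.125 lands in the same band the table assigns it (8.13, Low) rather than being rounded down by the default float rounding.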
Risk Management Continuum
Reactive
• Lack of Board or senior management emphasis on risk
• No common risk lingo
• Stove‐pipe risk management
• Ad hoc approach
• Missing coverage of risk areas
Aware
• Some board and senior management involvement
• Risk leader identified
• Periodic risk profiling
• Key risks defined in common vocabulary
• Recognized need for ERM
Strategic (the goal)
• Proactive board and senior management support
• Risk managed and assessed across entire organization
• Common language and approach used and understood
• Real‐time analysis of risk portfolio (real‐time KRIs)
Most companies straddle the Reactive and Aware stages.
Risk Assessment Cycle
[Figure: Identify risk & controls → Assess exposures and control effectiveness → Determine corrective action(s) → Test Controls → Report; reassess risks & ratings → Board of Directors / Management Certification → back to Risk Assessment]
*Shows a snapshot of the pulse of enterprise risk management at‐a‐glance
*Track Project & Task priority, status, due dates, hours
*Record testing scope, conclusion and recommendation(s)
Governance and Management Structure – Risk View
[Figure: chart mapping each risk category to its Board committee, its risk management policy and its senior management committee/officer]
Risk Categories: Credit Risk; Interest Rate Risk; Liquidity Risk; Operational Risk; Information Technology Risk; Human Capital; Compliance Risk; Legal Risk; Strategic Risk; Reputation Risk
Board of Directors Committees: Board Credit Committee; Finance Committee; Audit Committee*; Ethics Committee; BSA/Compliance Committee; Strategic Planning Committee; ERM Committee
Risk Management Policies: Credit Policy; Funds Management Policy; Operational Risk Policy; IT Policies; Human Capital Risk Policy; Compliance Program; Legal Policy; Strategic Risk Policy; Reputation Risk Policy; ERM Policy; Internal Audit Charter
Senior Management Committees: Executive Loan Committee; ALCO; Security & Cont. Plan & Mgt. Committees; Technology Steering Committee; HR/Compensation Committee; Management Committee; Enterprise Risk Management Committee
Management Officers: Senior Credit Officer; Chief Financial Officer; Senior Operations Officer; Chief Information Officer; SVP, Human Resources; Regulatory Risk Mgt.; Legal Director; Chief Risk Officer
*Audit Committee sole committee composed of strictly outside directors
Assessed Risk Reporting: Risk Mapping
• Heat Maps are a valuable tool for communicating/reporting risks
• Chart both likelihood/probability and severity/impact
Heat Map Portrayal of Inherent Risks
[Figure: risk events 1–10 plotted by Likelihood (Probability of Occurrence) against Impact (Severity); mitigation zones labelled Not Mitigated, Marginal Mitigation and Sufficient/Acceptable]
Risk Event: 1. ‐‐‐‐‐ 2. ‐‐‐‐‐ 3. ‐‐‐‐‐ 4. ‐‐‐‐‐ 5. ‐‐‐‐‐
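A text rendering of the heat map idea on the slide above, added as an example; it is not the presentation’s own material. It assumes each risk event is scored 1 to 5 for likelihood and for impact on the scales used in the risk assessment example, and it assumes, for the example, that the three mitigation zones correspond to the same Low/Moderate/High bands (likelihood x impact of 1–8, 9–13 and 14–25) used there. The event numbers, their names and their scores are constructed for the example (the names are picked from the risk category lists earlier in the deck).

```python
from collections import defaultdict

# Zones assumed for this example: the Low/Moderate/High bands of the risk
# assessment example applied to likelihood x impact on 1-5 scales (1-25)
ZONES = [
    (14, 25, "Not Mitigated"),          # the action list for management and the Board
    (9, 13, "Marginal Mitigation"),
    (1, 8, "Sufficient/Acceptable"),
]


def _check(value: int, label: str) -> None:
    if value not in range(1, 6):
        raise ValueError(f"{label} must be 1-5, got {value!r}")


def zone(likelihood: int, impact: int) -> str:
    """Which mitigation zone a (likelihood, impact) pair falls in."""
    _check(likelihood, "likelihood")
    _check(impact, "impact")
    score = likelihood * impact
    for low, high, label in ZONES:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: a 1-5 x 1-5 product is always within 1-25")


def by_zone(events: dict) -> dict:
    """Group event numbers by zone, highest score first, so each list is already prioritised."""
    grouped = defaultdict(list)
    ranked = sorted(events.items(), key=lambda kv: kv[1][0] * kv[1][1], reverse=True)
    for number, (likelihood, impact) in ranked:
        grouped[zone(likelihood, impact)].append(number)
    return dict(grouped)


def heat_map(events: dict) -> list:
    """Render the 5x5 grid as text lines: impact rows 5 (top) to 1, likelihood columns 1 to 5.
    events maps an event number to (likelihood, impact)."""
    cells = defaultdict(list)
    for number, (likelihood, impact) in events.items():
        zone(likelihood, impact)  # validates both scores
        cells[(likelihood, impact)].append(str(number))
    lines = ["Impact (Severity)"]
    for impact in range(5, 0, -1):
        row = f"  {impact} |"
        for likelihood in range(1, 6):
            row += ",".join(cells[(likelihood, impact)]).center(7) + "|"
        lines.append(row)
    lines.append("     " + "".join(str(col).center(7) + " " for col in range(1, 6)))
    lines.append("        Likelihood (Probability of Occurrence)")
    return lines


# Constructed sample: event number -> (likelihood, impact)
RISK_EVENTS = {
    1: (4, 5),  # Loan Concentration
    2: (2, 5),  # Yield Curve
    3: (3, 3),  # Business Continuity
    4: (1, 4),  # Money Laundering
    5: (2, 2),  # Process Errors
}

if __name__ == "__main__":
    print("\n".join(heat_map(RISK_EVENTS)))
    for label, numbers in by_zone(RISK_EVENTS).items():
        print(f"{label}: events {numbers}")
```

The grid puts severe, likely events in the top‐right, which is where a Board reader looks first; `by_zone` gives the same information as a list, which is what the remediation plan in Phase 3 needs.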
ERM IMPLEMENTATION PHASE 3 – REFINING
Building Your ERM Roadmap/Implementation Plan: STEP #3 – REFINING
A. Plan for Remediation of Gaps/Execution
• What are you doing to address the immediate risks? (What’s the risk response – Tolerate, Terminate, Transfer, or Treat?)
• What controls will be in place going forward to monitor the risks?
• Develop recommendations to remediate gaps
• What Key Risk Identifiers (KRI’s) have you identified (or intend to identify) going forward?
• Cement consensus, buy‐in among key stakeholders
• Further define plan owners, roles and responsibilities for execution, timelines, resource alignment
• Memorialize project plan
B. Enhance Definition of “Risk Appetite” for Institutions
• Quantifying risk
C. Enhance Reporting
• What will reporting to executive management and the Board look like going forward?
• Ongoing monitoring of implementation progress with board‐level accountability
• Benchmark vs. industry leaders in this area as well as peers
Self Evaluation Approach for Identifying Gaps to Remediate
• Organize subject‐matter experts in each of the institution's risk categories and at the ERM level.
– Facilitate a discussion of the bank's risk categories.
• Review factors underlying the seven elements of a risk management process* in each risk category relative to best practices.
• Comprehensive evaluation of bank's risk management processes.
• Prepare detailed report with findings, observations and recommendations in respective risk categories.
• Major conclusions and recommendations to create final report.
• Recommendations/Action Plan/Implementation
– Management Risk Comm.
– Board Risk Comm.
Elements of Risk Appetite (diagram)
Existing Risk Profile: the existing level and distribution of risks across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc.)
Risk Capacity: the maximum risk a firm may bear and remain solvent
Risk Tolerance: acceptable levels of variation an entity is willing to accept around specific objectives
Desired Level of Risk: what is the desired risk/return level
Together these inform the Determination of Risk Appetite (the amount of risk an entity is willing to accept in the pursuit of value)
Ways to Define Risk Appetite
Quantitative: clearly defined measure; can be cascaded to business units. For example, loss of capital or degree of volatility in earnings.
Qualitative: not all risks can be accurately/credibly measured. For example, risk of damage to reputation.
Zero Tolerance: a subset which can be very clearly defined. For example, loss of life or violation of laws.
Create An Ideal Roster of Risk Reports
EXAMPLES:
• A high‐level summary of the top risks for the enterprise as a whole; broken down by operating unit, geographic locations, product group, etc., along with significant gaps in risk management capabilities
• Report of emerging issues or risks that warrant immediate attention
• Summary of risk events, e.g., significant exceptions versus policies or established limits
• Summary of significant changes in key variables beyond management's control (e.g. interest rates, exchange rates, etc.) and the effect on earnings, cash flows, capital, and the business plan
• Summary of the status of improvement initiatives
Some Examples of External Key Risk Indicators
Industry and Competitor Trends: number of competitors; new product or service announcements; pricing trends; risk events realized by competitors; shifts in customer tastes/trends
Economic Trends: unemployment forecasts; consumer spending trends; trade and foreign policy
Liquidity/Capital Markets: interest rate trends/forecasts; credit spreads in debt and credit markets; stock market trends and forecasts
Supply Chain Issues: financial health of suppliers; risk events at suppliers; pricing trends
Regulatory Changes: anticipated changes in tax policy; new regulations/restrictions; changes in key political offices
Some Examples of Internal Key Risk Indicators
Business Operations: transactions, output; sales volume, failed deals; operational performance issues; supply chain/logistics
Information Technology: disasters, outages, disruption; help desk metrics; security metrics; project metrics; IT incidents/investigations, complaints; IT audit issues
Compliance: state of controls; regulatory inquiries/investigations; litigation cases; discovery requests
Human Resources: turnover; headcount; corporate training (policies, procedures, ethics); vacancies; sick days; disciplinary actions
Accounting/Finance: adjustments; unsubstantiated balances; missed deadlines; write‐offs
Audit: high‐risk issues/material weaknesses; past‐due audit issues
Risk Report Example (KRI Report)
Layout (recovered from the slide): one panel per area, each listing its KRIs against a Target and the results for 1st qtr, 2nd qtr, 3rd qtr, 4th qtr and YTD. Key: Better Than Expected / Expected / Worse Than Expected / N/A.
Human Resources: Average Daily Census; Assets per FTE; etc.
Credit Quality: Past due over 30 days; Past due over 60 days; Past due over 90 days; Over 90 days and accruing; ALLL/Loans; Net charge‐off %, annualized; TDR's/Loans; etc.
Financial: Net Interest Margin; ROA; ROE; Efficiency Ratio; Tangible Book Value; etc.
IN SUMMARY…
No ERM at your Institution?
• It's happening already …this is the business of banking
• Start simply …a joint Board and Management adventure
• Focus on Business and Regulators …how to use it to improve processes and performance …a continuous improvement perspective
Great DUMB Questions
• What happens if…?
• Seems like that market is…could that impact us?
• I heard about…do we have risk exposure here?
• Does our policy explain what to do if…?
• Who is responsible for making sure we don't…?
• Do we have a limit on…?
• What does our strategic plan say about…?
• Do you think senior management knows how the Board feels about that risk?
• Are there any other Board members who didn't understand that; I'm not clear about…?
• Has anyone around here read the COSO template for risk management?
QUESTIONS?
Gabe Nachand
Moss Adams LLP
(503) 471‐1277
gabe.nachand@mossadams.com
Disclaimer Statement
The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant‐client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.