cfo & cro interaction a view - cfo new south wales · 2013-09-16 · • the cro needs to be...

It’s Ours. CFO & CRO Interaction a view from the ‘dark side’ New Zealand CFO Symposium September 2013



New perspectives?

“Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them”

R.S. Kaplan & A. Mikes, Harvard Business Review, June 2012


Observable changes post GFC

- Risk v Reward: Better understanding at both corporate and consumer level
- What is the risk? Increased regulation around disclosure of risk
- Culture: People matter as much as the rules
- Capital & Liquidity: Basel I, II, II(b), III and Solvency I & II
- Better Governance: Board sub-committees (Risk & Audit), increased focus and awareness on risk management
- Expanded view of risk: For financial institutions it is no longer just about credit
- Improved regulation: Regulators are active and much more inclined to intervene. Focus shifting from compliance to assurance.
- Separation of duties: The birth or re-birth of CROs


The role of a Chief Risk Officer

• Relatively new position that gained prominence in the late 1980s after the Basel Accord, the Sarbanes-Oxley Act and the Turnbull Report, which suggested more independence around the risk function was required.

• The CRO plays an important role in helping to develop and execute strategy:

– Establishing and communicating risk appetite and risk-management philosophy,

– Implementing appropriate infrastructure of policies, processes, personnel, reports, and systems for managing and monitoring risk, and

– Integrating risk management with strategy-setting and business planning, and establishing appropriate risk reporting to senior management and the board.

• The CRO needs to be both a trusted adviser and a control authority who can articulate the risk and reward trade-offs. This latter responsibility gives an insight into the need for a close working relationship with the CFO.


Why not the CFO?

• Although the CFO, like the CRO, has an enterprise role, the view today is that Risk and Finance should be independent of one another so that the balance between profit/commerciality and risk can be fully understood by the CEO and Board. The relationship between the two should nevertheless allow cohesion in their priorities.

• You can't be the accelerator and brake at the same time!

[Organisation chart: Chief Executive Officer; Chief Operating Officer; Chief Financial Officer; Chief Risk Officer]


Managing risk at Kiwibank

• Enterprise risk management framework over 6 primary risk domains and 32 sub-domains

• Significant interdependency with finance exists.

Strategic Risk
– Capital/Rating
– Strategy, execution, delivery & process
– Regulatory environment
– Strategic IT

Operational Risk
– Internal fraud
– External fraud
– Employment practices & safety
– Customers, products, business practices
– Business disruption
– Physical damage to assets

Market Risk
– Interest rate risk
– Trading
– Liquidity
– Funding
– Counterparty credit

Systemic Risk
– Global environment
– Domestic environment
– Credit environment
– Systemic liquidity
– Financial markets

Business Risk
– Growth
– Profitability
– Productivity
– Reputational
– Customer satisfaction
– Customer service

Credit Risk
– Portfolio concentration
– Credit portfolio – Personal Markets
– Credit portfolio – Business Markets
– Default and delinquency
– Impaired assets
– Provisions


Managing risk

• Management of risk depends on the risk that is being managed:

1. Preventable risks. Internal risks that should be eliminated or avoided (e.g. internal fraud, mis-selling). Typically approached through rule-based active prevention, monitoring and behavioural norming.

2. Strategic risks. These are risks deliberately taken on in order to generate returns (e.g. credit risk). Risk management is about understanding the severity and probability of loss and managing to a risk reward horizon consistent with organisation risk appetite.

3. External risks. These are risks an organisation cannot manage (e.g. natural, political or economic disasters). Risk management here is about environmental scanning, stress testing and scenario planning.


How Risk Management Supports Strategy – Risk Appetite

Source: Adapted from ‘Understanding and articulating risk appetite’, KPMG, 2008


Design for compliance (The 3 ‘Cs’)

• Designing for compliance needs to be a core competency for any successful firm, but it cannot be at the expense of the customer or cost. Smart design does not involve trade-offs.

• Understanding and designing for the whole value chain at product build is critical.

[Diagram: Customer, Cost, Compliance]


The CRO/CFO partnership

• The CFO and CRO are two sides of the same coin:

1. Data quality. Finance is, and should remain, the ultimate custodian of data; however, data quality should be a shared responsibility.

2. Joint development of risk and capital models. Risk models are often developed by the risk function, but in close coordination with finance. Data fed into models often comes out of systems created by finance, and outputs from the models can, in turn, influence financial reporting (e.g. provisioning, ICAAP).

3. A greater use of risk analytics. More and more organizations are using sophisticated risk analytics, not only to support credit and financial decision making, but to provide a stronger foundation for operational strategy. The risk function often provides analytics services to all functions, including finance, which can further foster integration (e.g. stress testing).


The CRO/CFO partnership (cont.)

4. Regulatory reporting. New regulatory approaches now make compliance the common responsibility of the CFO and CRO (e.g. capital adequacy, LVR speed limits). Risk-adjusted capital models are at the heart of both the latest Basel regulatory initiatives in banking, and the latest Solvency initiatives in insurance. Implementing such models often involves extensive coordination by risk and finance on inputs, and possibly also on decision-making.

5. M&A. Once almost the sole domain of Finance, Risk increasingly has a chair at the table, particularly during due diligence phases of an acquisition.

• Different perspectives, healthy disagreements, and vigorous debate are in the best interest of the company and fundamental to providing the CEO and Board with a balanced view.

• Both teams need to stand united and be wary of the “Go and ask your Mother” syndrome. It is important to remember that what makes financial sense does not necessarily make risk sense and vice versa.


Emerging trends

• Operational & conduct risk

– Operational risk, traditionally the ugly duckling of risk, is now very much to the fore with a wide range of new regulatory challenges related to privacy, anti-money laundering, financial advice, market conduct and fair trading. Conduct risk is now high on the risk agenda moving forward.

– Subtle shift in regulators' focus from compliance to assurance, the latter test being a much higher bar.

• Basel III and beyond

– Sector-specific regulatory packages such as Basel III and Solvency II are focussing not only on the establishment of regulatory capital and solvency minima but on the quality of the measures.

– Stress testing and scenario planning will be a focus moving forward.


Emerging trends (cont.)

• IT security & privacy

– It is a world where information and transactions are almost always electronic, where customers are faceless and yet more vocal and demanding than ever. It also means that security risks in the form of cyber attacks, data breaches or malware can wreak substantial damage, financial or otherwise, on organisations within minutes.

– Resiliency is also a key issue. The Monetary Authority of Singapore (MAS), for example, in June announced new rules for banks and financial institutions which will come into effect July 2014. Organisations will be allowed only a maximum unscheduled downtime of four hours for critical systems within a year, and must also notify the central bank of all IT security incidents and major system malfunctions within an hour of discovery.


Keys to successful partnerships

In a survey conducted in December 2012 by Business Finance, six key actions were identified as key to successful Risk/Finance collaboration:

1. Establish integrated and shared data sources. Solving data quality issues, including the development of shared data processes and systems, can be an effective way to reduce a common area of conflict and improve the risk-finance working relationship.

2. Jointly develop risk and capital models. Risk model development typically remains the responsibility of the risk function but data fed into models often comes out of systems created by finance, and outputs from the models can in turn influence financial reporting.

3. Strike the right balance to promote interdependence and cross-leverage risk management and finance. Independent CFO and CRO functions can actually provide a strong impetus for operational integration.


Keys to successful partnerships (cont.)

4. Give risk input into strategy. Even when working in close cooperation with other departments, allowing risk to retain its independent perspective can be essential.

5. Increase the value-added provided by the risk function. Risk should go beyond a compliance role to focus on adding value to the business.

6. Rotate personnel between risk and finance. Even if risk and finance personnel sometimes find themselves in opposition on an issue, speaking a common language and having common experiences can help enhance operational effectiveness.


References

• S. Johnson. June 29, 2011, ‘Who Owns Risk? First came chief accounting officers, now chief risk officers are making their mark’, CFO.com

• J. Bugalla & K. Narvaez. March 5, 2013, ‘The Importance of the CFO-CRO Partnership, Bringing together finance and risk management can help companies identify and exploit new opportunities for growth’, CFO Magazine

• P. Boulanger. December 1, 2012, ‘Six Ways to Improve the CFO-CRO Relationship’, Business Finance

• H. Chugh. August 8, 2013, ‘CFO-CIO collaboration crucial in enterprise risk management’

• R.S. Kaplan & A. Mikes. June 2012, ‘Managing Risks: A New Framework’, Harvard Business Review

• Board Risk Committees and the Roles of the CRO and CFO, http://deloitte.wsj.com

• Rethinking Risk in Financial Institutions - Making the CFO-CRO Partnership Work, Accenture 2012, http://www.accenture.com/us-en/Pages/insight-acn-2012-risk-analytics-studyinsights-banking-industry.aspx

• Global Risk Management Study, Accenture, 2011, http://www.accenture.com/globalriskmanagementresearch2011