Enterprise Risk Management (ERM)Integrating Strategy, Capital and Risk

GARP 2008 Enterprise Risk Management Workshop

Presented by: Joe RizziCapGen Capital

February 28, 2008The views expressed are those of the author and do not necessarily reflect those of CapGen Capital

2CapGen Capital

Table of Contents

Enterprise Risk Management2

Current State of Risk Management1

Enterprise Risk Management at BU NA3

Integrating Strategy, Capital and Risk4

Conclusion5

3CapGen Capital

OverviewImportance of Risk Management is driven by four key forces

Risk Management

Complex and VolatileBusiness Environment

ShareholderExpectations

CompetitiveRivalry

RegulatoryEnvironment

Risk Management lies somewhere between astrology and alchemy

4CapGen Capital

Attitudes, Values and Objectives

Out with the old...

Line of Business

My job is: To grow earnings / do business

Risk is: A normal cost of doing business

Memory horizon: Short-term: What are the prevailing market conditions?

Stereotypical attitude: No risk, no return. Don’t handcuff me relative to the competition

Metrics: Volume in front-line positions; Profit for senior positions

Risk Management

My job is: To prevent losses/risky activity

Risk is: Volatility to be avoided

Memory horizon: Long-term: What’s the worst thing that has ever happened?

Stereotypical attitude: ‘The Cautious Librarian’: best way to keep books from being damaged is not to let anyone borrow them Metrics: Volume in front-line positions; Profit for senior positions

Business focuses on the center, while Risk Management focuses on the tails of the distribution

5CapGen Capital

Attitudes, Values and Objectives

...and in with the new.

Partnership

Our job is: To create shareholder value through earnings growth and appropriate returns to capital

Risk is: A potential source of competitive advantage as shareholders require us to manage risk prudently.

Memory horizon: Appropriately long to anticipate future cycles, informed by changes in the market over time

Metrics: RAROC; SVA

Line of Business

Manages the budget / P&L Acts as primary risk manager

Risk Management

Manages performance information Serves advisory and control function

Risk Management does not make you safer –just more efficient

6CapGen Capital

Risk Management Continuum

Silo-ed Approach

Aggregated Approach

Integrated Approach

ERM

According to recent RMA survey, most firms indicate that they have “closed in” on the integrated approach.

Moving beyond exposure accounting and control

7CapGen Capital

Table of Contents

Enterprise Risk Management2

Current State of Risk Management1

Enterprise Risk Management at BU NA3

Integrating Strategy, Capital and Risk4

Conclusion5

8CapGen Capital

Vision:

Manage all material risks and opportunities across the organization

Objective:

Improve decision making through portfolio management of interrelated risks

Result (Value Proposition):

Increase value by managing to objectives consistent with stakeholder expectations

Enterprise Risk Management (“ERM”)

Strategic not transaction focus

9

ERM is… ERM is NOT…

• Integrated view and awareness of risk across organizational disciplines

• Standardized risk-related information, metrics, and communication

• Common definitions

• Coordination of risk related projects

• Just Risk Management

• Just a centralized body for aggregation and translation of data

• Meant to discourage specialization

• Organizational restructuring

• ONLY for Control/Regulatory Compliance

Scope of ERM – Top level Risk view…

…as a strategic input, not an afterthought

10CapGen Capital

Analytical Solution: Economic Capital

Organizational Solution: Chief Risk Officer

Informational Solution: Dashboard

Management Solution: Governance actions

Cultural Solution: Communications

Enterprise Risk Management Big Ideas

It works in practice, but will never work in theory

11CapGen Capital

ERM – a work in progress

Source: Deloitte Global Risk Survey, 2006

35%

18%

32%

15%

Yes, program in place

No, but plan to create one

Yes, currently implementing one

No, and do not plan to create one

…need to tailor to your governance and operating philosophy

12CapGen Capital

Table of Contents

Enterprise Risk Management2

Current State of Risk Management1

Enterprise Risk Management at BU NA3

Integrating Strategy, Capital and Risk4

Conclusion5

13

The four pillars of BU NA’s ERM Program

Risk Foundation

Risk Philosophy

Value Creation

EnterpriseRisk Management

Program

Man

agem

ent

Info

rmat

ion

Ris

k O

vers

ight

an

d In

depe

nden

ce

Com

mun

icat

ions

and

Esc

alat

ion

I II III IV

Str

ateg

ic P

lann

ing

and

Alig

nmen

t

Value creation through RiskManagement not minimization

14

ERM Dashboard – make things as simple as possible

Com'l PFS GSTS Total

Business

Credit

Operational

Market

Interest

Liquidity

Strategic

Compliance

ALM - RWAALM - EC

Human Cap.

IT

Legal

SOX

Audit

Qu

anita

tive

Ris

kQ

ual

itativ

e R

isk

ALMAsset Mgmt. Services

GlobalMarkets

Global Clients

Transaction

Banking

Private Clients

Vision

Efficiency

Efficiency

Eff & Grow th

Grow th

Grow th

Grow th

Controls

Controls

People

People

Unacceptable Level Unknown - Need More Info Acceptable Level Un-Rated

Distribution of Risks by Probability and Impact

BE

F

G

H

IJK

L

M

0%

5%

10%

15%

20%

25%

30%

0 10 20 30 40 50 60

Average Expected Impact

Ave

rage

Pro

babi

lity

Client/Corporate Credit Default (6)

Legal Risk (4)

General Economy Decline (4)

Declining Employee Morale/Loss of Top Employees (5)

Failed Business Practices (4)

Real Estate Decline (6)

Data Loss/Vulnerability (11)

Supplier Failure (2)

Regulatory / Ethical Failure (7)Material Unpredicted External Event (6)

Model Risk / Failure (6)

System / IT (7)

Control Breakdown (13)

Fraud Loss (9)

LOW RISK

MEDIUM RISK

MEDIUM RISK

HIGH RISK

Unacceptable Level Unknown - Need More Info Acceptable Level Un-RatedUnacceptable Level Unknown - Need More Info Acceptable Level Un-Rated

Distribution of Risks by Probability and Impact

BE

F

G

H

IJK

L

M

0%

5%

10%

15%

20%

25%

30%

0 10 20 30 40 50 60

Average Expected Impact

Ave

rage

Pro

babi

lity

Client/Corporate Credit Default (6)

Legal Risk (4)

General Economy Decline (4)

Declining Employee Morale/Loss of Top Employees (5)

Failed Business Practices (4)

Real Estate Decline (6)

Data Loss/Vulnerability (11)

Supplier Failure (2)

Regulatory / Ethical Failure (7)Material Unpredicted External Event (6)

Model Risk / Failure (6)

System / IT (7)

Control Breakdown (13)

Fraud Loss (9)

LOW RISK

MEDIUM RISK

MEDIUM RISK

HIGH RISK

Key Risk Indicators 2007 BU NA Management Priorities

Key Performance IndicatorsTop 10 Risks – Heat Map

ComprehensiveRisk Assessment

Integrated Risk, Rewardand Strategy View

Forward looking, actionable, risk escalation tool

Executive sponsorship

…but no simpler

DRAFT

Under Re-evaluation

Overall BU NAFeb-07

YTD Target StatusEfficiency RatioRevenue Growth (YoY)Return on ARC

15

Governance Actions

ERM Governance Model defines three legs — Businesses that take and manage risk,

Risk Management to provide policy and analysis, and Audit to provide assurance.

Board of Directors

Business Areas ERM Committee

Risk identification

Risk assessmentsCRO & Risk Committees Internal Audit

Strategy & Action to address Risk

Within Policy

Policies, governance and

information flowValidation of controls

Provide assertions on risk

exposure for business / functionRisk assessment methods

Objective review of risk

management process

Ownership of risk and

responsibility for management and

mitigation

Measurement, aggregation

rules and tools Assurance to Senior

Executive management and

Board on assertions of risk

exposure

Monitor risk exposure

status and provide

reporting to Board

Governance allocates decision rights

16

ExternalConferences /

Communication

Develop Tactical

Communicationsplan

ERM Communications Strategy

Adopt theme: “Everyone is aRisk Manager”

Align withcompliance-

related policies and procedures

Standards of Conduct toinclude risk

issue escalation

Promote learningculture

Escalation

Clarification ofescalation

expectations

ERM Culture Development and Escalation

Culture as organizational DNA

17

Align Finance & Risk Strategic

Agendas

Performancecontract

process toembrace ERM

Agree ERM role and PfC

process

Enterprise Strategy

Risk Appetite

Strategic Risk Management

People do what you pay them to do, not what you tell them to do

18

Sponsorship

1. Successful Risk Management implementations require senior management and Board support.

Change Management

2. Significant effort will be required to overcome organizational inertia and change a mindset to a risk-reward culture

Sustainability

3. To sustain progress and momentum, maintain program team continuity.

Project Management

4. Do not underestimate launch complexities or cultural challenges.

5. Pilot programs prior to global roll outs.

66

Enterprise Risk Management

Program

Enterprise Risk Management

Program

Risk Management Framework

Lessons Learned

Risk as a senior management responsibilitynot a specialist function

19CapGen Capital

Table of Contents

Enterprise Risk Management2

Current State of Risk Management1

Enterprise Risk Management at BU NA3

Integrating Strategy, Capital and Risk4

Conclusion5

20CapGen Capital

ERM Value Creation Framework – if you can make money

InternalStakeholders

CEO

CFO CRO

ExternalStakeholders

Regulators

Shareholders Rating Agencies

Assets(Return)

CapitalRequired

(Risk)

CapitalAllocation

(Funding)

CapitalManagement

Value Creation

Portfolio ofEnterprise

Risks

Portfolio ofCapital

Resources

Capital Structure

Cost of Capital

Return onRisk

Risk Structure

Economic Capital

(Use)

Risk Appetite

…You can lose money

21CapGen Capital

Risk Appetite – Total risk exposure an organization is willing to accept and prepared to lose in the execution of its strategy.

Factors impacting Risk Appetite:

Financial Objectives

Competitive Situation

Market Conditions

Risk Appetite

Do you want to eat well...

...or sleep well?

22CapGen Capital

Risk types: Include hard to measure risks and interrelationships

Risk Appetite

Risk may be one word...

...but it is not one number

Risk Tolerance: Credit

Market

Liquidity

Operational

Reputation

Compliance

Strategic

23CapGen Capital

ERM involves moving Risk Management to an integrated Risk and Capital Strategy

Comprehensive

Earnings fluctuations from strategic or business factors can exceed those from financial risk exposures

Risk appetite for financial risk must reflect the current level of business risk

Business risks cannot be measured in the same manner as financial risk, and are largely ignored by economic capital

Interrelationships

Overcome silos: unintended consequences

Top down perspective: integrated one firm view

Enterprise Risk and Risk Appetite

Translate statistics into...

...shareholder value

24CapGen Capital

Enterprise-level Risk Appetite (RA)

Source: Deloitte Global Risk Survey, 2006

16%

6%

12%

29%

14%

23%No, we do not have a statement of ourRA

We are currently defining or seekingapproval for our RA

We have an informally defined or notapproved statement of RA

Yes, our RA is qualitatively definedand approved

Yes, our RA is quantitatively definedand approved

Yes, our RA is both quantitatively andqualitatively defined and approved

25CapGen Capital

Choose target debt rating based on financial distress considerations.

Maintain ability to access capital markets under most conditions

Requires high investment grade (A+/AA-) rating

Estimate asset risk based on investment decisions and risk appetite.

Estimate capital requirement to support asset risk and target rating.

Optimize capital and risk combinations to maximize shareholder value subject to target rating based on market considerations.

Reduce risk given fixed capital level

Hedging – direct cost

Underwriting selection - opportunity loss

Increase capital given fixed investment plan

Increased capital charge

ERM in Practice

Integrating strategy, capital and capital

Conservatism of risk principle – Risk never disappears

LG

D (

Se

veri

ty)

PD (Likelihood)

Cap

ital

Return

A

B

Out of Risk Appetite

Within Risk Appetite

26CapGen Capital

Value Implications of Risk Appetite Changes

Not all Risk is the sameE

xpec

ted

Pro

fita

bil

ity

Perceived Risks(Economic Capital)

A

C

B

Optimal Portfolios

A = Group’s actual portfolioB = Alternative portfolioC = Group’s Target portfolio

Efficient Frontierfor Group

Business Portfolio

Risk Management is not free

27CapGen Capital

Table of Contents

Enterprise Risk Management2

Current State of Risk Management1

Enterprise Risk Management at BU NA3

Integrating Strategy, Capital and Risk4

Conclusion5

28CapGen Capital

Conclusion – Things will improve

ERM:

Integrates risk, strategy and capital to create shareholder value

Risk Paradox:

Conservatism of risk principle - Risk never disappears

Risk Management does not make you safer – just more efficient

Risk Management is not free

Transaction Costs

Opportunity Costs

Direct Costs

Capital Costs

…despite our efforts to improve them