Enterprise Risk Management
James Lam, President
Phone: 781.772.1961
Email: [email protected]
Website: www.jameslam.com
ASSE Using Risk Principles, March 24th, 2005


Our president, James Lam, has spent 20 years in risk management

Professional
• President, James Lam & Associates
• Founder and President, ERisk
• Partner, Oliver, Wyman & Company
• CRO, Fidelity Investments
• CRO, Capital Markets Services Inc., a GE Capital company

Industry Activities
• PRMIA Blue Ribbon Panel Member
• GARP Inaugural Financial Risk Manager of the Year (1997)
• Published over 50 articles and book chapters
• Quoted in Wall Street Journal, Financial Times, Risk Magazine, and CFO Magazine

Academic
• Senior Research Fellow, Beijing University
• Adjunct Professor, Babson College
• Lectured at Harvard Business School as the subject of a HBS case study
• MBA, UCLA School of Business
• BBA, Baruch College

Client Solutions
• Consulting – ERM, strategic risk, financial risk, and operational risk
• Software – Operational risk (with OpenPages) and ERM Dashboard (CXO Systems)
• Training – board and management workshops

We are singularly focused on risk management

Areas of Expertise
• Enterprise risk management
• Market risk management
• Credit risk management
• Operational risk management
• KRIs and risk reporting

Client Solutions
• Consulting services
• Software products
  – CXO Systems
  – OpenPages
• Training programs

As discussed in James’ recent book, we define ERM as a value added function

Definition of ERM:

“An integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value.”

Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future

ERM is useful because the risks faced by companies are highly interdependent

Enterprise-Wide Risks (diagram of overlapping risks): Business Risk, Operational Risk, Financial Risk
Overlap examples shown:
• IT and business process outsourcing
• Derivatives documentation and counterparty risk
• FX risk in a new foreign market

Financial Risks (diagram of overlapping risks): Market Risk, Liquidity Risk, Credit Risk
Labels shown:
• Credit Risk Associated with Investments
• Credit Risk Associated with Borrowers and Counterparties
• Funding Liquidity
• Asset Liquidity

Traditionally, risks were managed within organizational “silos”

Silos shown: Strategic Risk, Business Risk, Financial Risk, Operational Risk

Who

How

• Board of Directors

• CEO

• CFO

• Treasurer

• Business Managers

• Project Managers

• Internal Audit

• Compliance

• IT

• Strategic planning

• EVA

• Balanced scorecard

• Country and credit limits

• Trading and ALM Limits

• Financial derivatives

• Controls

• Audits

• Contingency planning

• Insurance

• Product plans

• Business reviews

• Project management

ERM provides an integrated value-added approach

Financial Institutions: Barclays, GE Capital, JP Morgan Chase, Fidelity Investments
Non-Financial Corporations: Microsoft, Boeing, Duke Energy, Ford

Enterprise Risk Management: Chief Executive Officer/Chief Risk Officer
• Strategic Risk: Board, CEO
• Business Risk: Line managers, Project Managers
• Financial Risk: CFO, Treasurer
• Operational Risk: Internal Audit, Compliance, IT

Benefits
• Broadens risk awareness
• Aligns risk profile and strategy
• Minimizes surprises and losses
• Rationalizes capital requirements
• Assures regulatory compliance
• Improves ROE and shareholder value

Case study: Microsoft’s risk intranet is central to their ERM program

Background
• American software giant initiated its ERM program in 1994
• Mike Brown, CFO: “The web is an incredible opportunity to take costs out of your model, to provide higher quality services and to be much more informed about company issues.”

ERM Program
• Initiated ERM with a comprehensive inventory of risks
• Recognized that its insurance strategies only covered 30% of risks
• Applied advanced technologies to support risk analysis and communication
• Incorporated the expected litigation costs of “repetitive stress injuries” associated with a new keyboard into product pricing

The growing acceptance of ERM is driven by four key forces

(Diagram: four forces surrounding Enterprise Risk Management)

Corporate Disasters
• Enron
• WorldCom
• Adelphia
• Mutual Funds

Industry Initiatives
• Treadway Report, US
• Turnbull Report, UK
• Dey Report, Canada

Best Practices
• Banks
• Asset Managers
• Energy Firms
• Corporations

Regulatory Actions
• S.E.C.
• Sarbanes-Oxley
• Basel II

Companies are faced with an influx of new requirements

Basel II
• New accord consists of three pillars:
  – Minimum capital requirements
  – Supervisory review
  – Public disclosure
• Explicit treatment of operational risk
• More granular analyses of credit risk

Sarbanes-Oxley Act of 2002
• Section 404: Management assessment of internal controls for financial reporting attestation by auditor
• Section 302: CEO/CFO certification of financial statements
• Establish criminal penalties for executives and independence requirements of auditors

Other Requirements
• SEC/NYSE/NASDAQ corporate governance rules
• State attorney general probes
• Patriot Act; anti-money laundering and Bank Secrecy Act

A proactive approach to ERM is driven by best practices, not regulations

Reactive Approach / Proactive Approach (diagram)
Requirements shown in both panels: Sarbanes-Oxley, Basel II, New industry standards, Governance Requirements
Other labels: CEO; Current state; Desired state (best practices or best-in-class practices)
• Benchmarking
• Gap analysis
• Recommendations
• Common themes
• Unique standards

Early adopters of ERM have reported significant and tangible benefits

Benefit | Company | Actual Results
Market value improvement | Top money center bank | Outperformed S&P 500 banks by 58%
Early warning of risks | Large investment bank | Global risk limits cut by 1/3 prior to Russian crisis
Loss reduction | Top asset management company | Loss-to-revenue ratio declined by 30%
Regulatory capital relief | Large commercial bank | $1 billion regulatory capital relief
Insurance cost reduction | Large manufacturing company | 20-25% reduction in insurance premium


Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and risk tool usage

Source: PA Consulting Survey of Global Banks

Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future

An ERM framework should encompass seven key building blocks

1. Corporate Governance: Establish top-down risk management
2. Line Management: Business strategy alignment
3. Portfolio Management: Think and act like a “fund manager”
4. Risk Transfer: Transfer out concentrated or inefficient risks
5. Risk Analytics: Develop advanced analytical tools
6. Data and Technology Resources: Integrate data and system capabilities
7. Stakeholders Management: Improve risk transparency for key stakeholders

The enterprise risk management process

ERM Foundations
• Senior management and board participation (“tone from the top”)
• Governance structure
• Resource allocation
• Culture, principles, and values
• ERM framework and policies
• Linkage to strategy, performance measurement and incentives
• Organizational learning

Risk Identification and Assessment
• Top-down assessments
  – Barriers to strategic and financial goals
  – Executive team CSAs
• Bottom-up assessments
  – Barriers to business, customer, and product goals
  – Business unit CSAs
  – Functional unit CSAs
• Independent assessments
  – Internal audit
  – External audit
  – Regulators
  – Customers
  – Other stakeholders

Risk Measurement and Reporting
• ERM dashboard
  – Earnings volatility
  – Key risk metrics
  – Policy compliance
  – Real-time event escalation
  – Drill-down capabilities
• Scenario analysis
  – Historical
  – Managerial
  – Simulation-based
• Disclosure
  – Board reporting
  – External reporting

Risk Mitigation and Management
• Policy enforcement
• Value-based growth and restructuring strategies
• Risk transfer strategies
• Contingency planning and testing
• Event and crisis management

An ERM system should address all risk types, qualitative and quantitative data, and risk monitoring and management applications

(Diagram labels: Internal and External Data; Data Mining; Risk “Pillars”: Credit Risk, Market Risk, Business Risk, Operational Risk; ERM Dashboard)

Basic ERM applications:
• Executive reporting
• Key risk indicators
• Loss/incident tracking
• Control self assessments
• Early warning indicators
• Risk mitigation projects tracking
• ERM content management

Advanced ERM applications:
• Risk transfer
• Economic capital
• Scenario analysis
• Shareholder value management

Characteristics and sources of effective key risk indicators

Sources of Key Risk Indicators
• Strategies/Objectives
  – Business plans
  – Management goals
  – Performance metrics
• Regulations & Policies
  – Legal requirements
  – Regulatory standards
  – Policy limits
• Losses & Incidents
  – Actual losses
  – Incidents
  – Industry data
• Stakeholder Requirements
  – Customers
  – Vendors
  – Other

Characteristics
1. Reflect objective measurement
2. Incorporate risk drivers: Exposure, Probability, Severity, Correlation
3. Be quantifiable – $, %, #
4. Track in time series against standards or limits
5. Tie to objectives, risk owners, and risk categories
6. Balance of leading and lagging indicators
7. Be useful – support business decisions and actions
8. Can be benchmarked internally or externally
9. Timely and cost effective
10. Simplify risk without being simplistic


An ERM dashboard should address five key questions for senior management

1. Are any of our strategic, business, and financial objectives at risk?

2. Are we in compliance with policies, limits, laws, and regulations?

3. What risk incidents have been escalated by our risk functions and business units?

4. What key risk indicators and trends require immediate attention?

5. What are the risk assessments that we should review?

Example: monthly risk report

Gross Losses: accounting for actual losses incurred
• Columns: Current, YTD
• Rows: Operational Losses, Credit Losses, Market Losses, Other Losses, Sub-Total, Loss/Revenue Ratio
• Losses chart by period: 1992, 1993, 1994, 1995, 1996, Q1 97

Risk Incidents: reporting of risk incidents, exposures, and near misses
• Columns: Incident, Exposure, Response (rows 1 to 4)

Management Assessment: management discussion of major risk issues (“what keeps me up at night”)
• Numbered entries 1 to 4

Example: monthly risk report (cont’d)

Core Risk Measures (chart panels)
• Credit Counterparty Exposure
• Real Estate Index
• Interest Rate Exposure

Key Risk Trends (chart panels)
• Improving Trends
• Other Trouble Indicators
• Operational Performance

Chart labels shown: Period, Limit, Notional, Region, +, -, Goal, MAP

Case study:

Background
• $1 trillion of assets under management
• Private company
• Decentralized business culture

3-Year ERM Program
• Organized Global Risk Forum
• Implemented annual Global Risk Review
• Automated loss accounting
• Developed ERM framework
• Implemented intranet-based Global Risk MIS
• Experienced significant reduction in loss ratio

Basic risk management processes can lead to significant improvements

Risk Metrics

Risk Event Log
• Columns: Event, Loss, Root Causes, Controls Needed

Education
• New associates
• Management
• Business/Operational processes
• Best practices
• Lessons learned

Actual Loss Experience (chart, 1995 to 1998, axis 0% to 100%): 85% Decline

Other chart labels shown: Goal, MAP


ERM requires balancing the hard and soft side of risk management

Hard Side

Measures and reporting

Risk oversight committees

Policies & procedures

Risk assessments

Risk limits

Audit processes

Systems

Soft Side

Risk awareness

People

Skills

Integrity

Incentives

Culture & values

Trust & communication

A company’s “risk culture” provides the foundation of its ERM program

Definitions of “risk culture”

– In a typical risk culture, people will do the right things when risk policies and controls are in place

– In a good risk culture, people will do the right things even when risk policies and controls are not in place

– In a bad risk culture, people will not do the right things regardless of risk policies and controls

Case study:

Background
• New capital markets business
• Traders hired from foreign bank
• Aggressive business and growth targets

2-Year ERM Program
• Established risk policies and systems
• Instilled risk culture
• Survived “Kidder” disaster
• Captured 25% market share with zero policy violations
• Recognized as best practice

Hallmarks of success in ERM
• Engaged senior management and board of directors
• Established policies, systems, and processes, supported by a strong risk culture
• Clearly defined risk appetite with respect to risk limits and business boundaries
• Robust risk analytics for intra- and inter-risk measurement, summarized in an “ERM dashboard”
• Risk-return management via integration of ERM into strategic planning, business processes, performance measurement, and incentive compensation

Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future

Ten predictions on the future of enterprise risk management

1. ERM will become the industry standard
2. CROs prevalent in risk-intensive companies
3. Audit committees will evolve into risk committees
4. Economic capital in; VaR out
5. Risk transfer executed at enterprise level
6. Advanced technologies key to advancement
7. A measurement standard will emerge for operational risk
8. Risk-based or economic reporting becomes standard
9. Risk becomes part of corporate and college programs
10. Salary gap among risk professionals continues to widen

The role of a Chief Risk Officer
• Evangelist: Motivate
• Leader: Change
• Steward: Control
• Consultant: Help
• Technician: Teach

Diagram labels: “Must have!” and “Nice to have”

What makes a good CRO?
• Organizational and leadership skills to effect change
• Communication skills – “to simplify without being simplistic”
• Technical skills in credit, market, and operational risk
• Judgment to balance business and risk requirements
• Courage to push back and “say no”
• High EQ (emotional quotient) in addition to high IQ
• Ultimate CRO test: ability to integrate risk management into strategic planning and day-to-day business processes

ASSE defined functions for safety professionals
• Anticipate, identify and evaluate hazardous conditions and practices
• Develop hazard control methods, procedures and programs
• Implement, administer and advise others on hazard controls and hazard control programs
• Measure, audit and evaluate the effectiveness of hazard controls and hazard control programs

Role for safety professionals in enterprise risk management
• Promote awareness of hazard risks, as well as the interdependencies with other key risks
• Integrate hazard risks into control self assessments and audit findings
• Develop key risk indicators and management dashboards for hazard risk
• Participate in ERM initiatives to mitigate and manage enterprise-wide risks