Enterprise Risk Management
James Lam, President
phone: 781.772.1961
Email: [email protected]
www.jameslam.com
ASSE Using Risk Principles, March 24th, 2005
2
Our president, James Lam, has spent 20 years in risk management
Professional
• President, James Lam & Associates
• Founder and President, ERisk
• Partner, Oliver, Wyman & Company
• CRO, Fidelity Investments
• CRO, Capital Markets Services Inc., a GE Capital company
Industry Activities
• PRMIA Blue Ribbon Panel Member
• GARP Inaugural Financial Risk Manager of the Year (1997)
• Published over 50 articles and book chapters
• Quoted in Wall Street Journal, Financial Times, Risk Magazine, and CFO Magazine
Academic
• Senior Research Fellow, Beijing University
• Adjunct Professor, Babson College
• Lectured at Harvard Business School as the subject of a HBS case study
• MBA, UCLA School of Business
• BBA, Baruch College
Client Solutions
• Consulting – ERM, strategic risk, financial risk, and operational risk
• Software – Operational risk (with OpenPages) and ERM Dashboard (CXO Systems)
• Training – board and management workshops
3
We are singularly focused on risk management
Areas of Expertise
• Enterprise risk management
• Market risk management
• Credit risk management
• Operational risk management
• KRIs and risk reporting
Client Solutions
• Consulting services
• Software products
  – CXO Systems
  – OpenPages
• Training programs
4
As discussed in James’ recent book, we define ERM as a value added function
Definition of ERM:
“An integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value.”
5
Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future
6
ERM is useful because the risks faced by companies are highly interdependent
Business Risk
Operational Risk
Financial Risk
• IT and business process outsourcing
• Derivatives documentation and counterparty risk
• FX risk in a new foreign market
Enterprise-Wide Risks
Financial Risks
Market Risk
Liquidity Risk
Credit Risk
• Credit Risk Associated with Investments
• Credit Risk Associated with Borrowers and Counterparties
• Funding Liquidity
• Asset Liquidity
7
Traditionally, risks were managed within organizational “silos”
Strategic Risk
Business Risk
Financial Risk
Operational Risk
Who
How
• Board of Directors
• CEO
• CFO
• Treasurer
• Business Managers
• Project Managers
• Internal Audit
• Compliance
• IT
• Strategic planning
• EVA
• Balanced scorecard
• Country and credit limits
• Trading and ALM Limits
• Financial derivatives
• Controls
• Audits
• Contingency planning
• Insurance
• Product plans
• Business reviews
• Project management
8
Benefits
ERM provides an integrated value-added approach
Financial Institutions
• Barclays
• GE Capital
• JP Morgan Chase
• Fidelity Investments
Non-Financial Corporations
• Microsoft
• Boeing
• Duke Energy
• Ford
Enterprise Risk Management
Chief Executive Officer/Chief Risk Officer
Strategic Risk
Board
CEO
Business Risk
Line managers
Project Managers
Financial Risk
CFO
Treasurer
Operational Risk
Internal Audit
Compliance
IT
• Broadens risk awareness
• Aligns risk profile and strategy
• Minimizes surprises and losses
• Rationalizes capital requirements
• Assures regulatory compliance
• Improves ROE and shareholder value
9
Case study: Microsoft’s risk intranet is central to their ERM program
Background
• American software giant initiated its ERM program in 1994
• Mike Brown, CFO: “The web is an incredible opportunity to take costs out of your model, to provide higher quality services and to be much more informed about company issues.”
ERM Program
• Initiated ERM with a comprehensive inventory of risks
• Recognized that its insurance strategies only covered 30% of risks
• Applied advanced technologies to support risk analysis and communication
• Incorporated into product pricing the expected litigation costs of “repetitive stress injuries” associated with a new keyboard
10
The growing acceptance of ERM is driven by four key forces
Corporate Disasters
• Enron
• WorldCom
• Adelphia
• Mutual Funds
Industry Initiatives
• Treadway Report, US
• Turnbull Report, UK
• Dey Report, Canada
Best Practices
• Banks
• Asset Managers
• Energy Firms
• Corporations
Regulatory Actions
• S.E.C.
• Sarbanes-Oxley
• Basel II
Enterprise Risk Management
11
Companies are faced with an influx of new requirements
Basel II
• New accord consists of three pillars:
  – Minimum capital requirements
  – Supervisory review
  – Public disclosure
• Explicit treatment of operational risk
• More granular analyses of credit risk
Sarbanes-Oxley Act of 2002
• Section 404: Management assessment of internal controls for financial reporting attestation by auditor
• Section 302: CEO/CFO certification of financial statements
• Establish criminal penalties for executives and independence requirements of auditors
Other Requirements
• SEC/NYSE/NASDAQ corporate governance rules
• State attorney general probes
• Patriot Act; anti-money laundering and Bank Secrecy Act
12
A proactive approach to ERM is driven by best practices, not regulations
[Diagram comparing a Reactive Approach with a Proactive Approach. Labels: CEO; Current state; Desired state (best practices or best-in-class practices); Sarbanes-Oxley; Basel II; Governance Requirements; New industry standards; Benchmarking, Gap analysis, Recommendations; Common themes, Unique standards]
13
Early adopters of ERM have reported significant and tangible benefits
Benefit | Company | Actual Results
Market value improvement | Top money center bank | Outperformed S&P 500 banks by 58%
Early warning of risks | Large investment bank | Global risk limits cut by 1/3 prior to Russian crisis
Loss reduction | Top asset management company | Loss-to-revenue ratio declined by 30%
Regulatory capital relief | Large commercial bank | $1 billion regulatory capital relief
Insurance cost reduction | Large manufacturing company | 20-25% reduction in insurance premium
14
Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and risk tool usage
Source: PA Consulting Survey of Global Banks
15
Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future
16
An ERM framework should encompass seven key building blocks
1. Corporate Governance: Establish top-down risk management
2. Line Management: Business strategy alignment
3. Portfolio Management: Think and act like a “fund manager”
4. Risk Transfer: Transfer out concentrated or inefficient risks
5. Risk Analytics: Develop advanced analytical tools
6. Data and Technology Resources: Integrate data and system capabilities
7. Stakeholders Management: Improve risk transparency for key stakeholders
17
The enterprise risk management process
ERM Foundations
Risk Identification and Assessment
Risk Measurement and Reporting
Risk Mitigation and Management
• Senior management and board participation (“tone from the top”)
• Governance structure
• Resource allocation
• Culture, principles, and values
• ERM framework and policies
• Linkage to strategy, performance measurement and incentives
• Organizational learning
• Top-down assessments
  – Barriers to strategic and financial goals
  – Executive team CSAs
• Bottom-up assessments
  – Barriers to business, customer, and product goals
  – Business unit CSAs
  – Functional unit CSAs
• Independent assessments
  – Internal audit
  – External audit
  – Regulators
  – Customers
  – Other stakeholders
• ERM dashboard
  – Earnings volatility
  – Key risk metrics
  – Policy compliance
  – Real-time event escalation
  – Drill-down capabilities
• Scenario analysis
  – Historical
  – Managerial
  – Simulation-based
• Disclosure
  – Board reporting
  – External reporting
• Policy enforcement
• Value-based growth and restructuring strategies
• Risk transfer strategies
• Contingency planning and testing
• Event and crisis management
18
An ERM system should address all risk types, qualitative and quantitative data, and risk monitoring and management applications
ERM Dashboard
Data Mining
RISK “PILLARS”
• CREDIT RISK
• MARKET RISK
• BUSINESS RISK
• OPERATIONAL RISK
Internal and External Data
Basic ERM applications:
• Executive reporting
• Key risk indicators
• Loss/incident tracking
• Control self assessments
• Early warning indicators
• Risk mitigation projects tracking
• ERM content management
Advanced ERM applications:
• Risk transfer
• Economic capital
• Scenario analysis
• Shareholder value management
19
Characteristics and sources of effective key risk indicators
Key Risk Indicators
Sources:
• Strategies/Objectives: Business plans, Management goals, Performance metrics
• Regulations & Policies: Legal requirements, Regulatory standards, Policy limits
• Losses & Incidents: Actual losses, Incidents, Industry data
• Stakeholder Requirements: Customers, Vendors, Other
Characteristics:
1. Reflect objective measurement
2. Incorporate risk drivers: Exposure, Probability, Severity, Correlation
3. Be quantifiable – $, %, #
4. Track in time series against standards or limits
5. Tie to objectives, risk owners, and risk categories
6. Balance of leading and lagging indicators
7. Be useful – support business decisions and actions
8. Can be benchmarked internally or externally
9. Timely and cost effective
10. Simplify risk without being simplistic
20
An ERM dashboard should address five key questions for senior management
1. Are any of our strategic, business, and financial objectives at risk?
2. Are we in compliance with policies, limits, laws, and regulations?
3. What risk incidents have been escalated by our risk functions and business units?
4. What key risk indicators and trends require immediate attention?
5. What are the risk assessments that we should review?
21
Example: monthly risk report
• Gross Losses: accounting for actual losses incurred. Columns: Current, YTD. Rows: Operational Losses, Credit Losses, Market Losses, Other Losses, Sub-Total, Loss/Revenue Ratio. [Chart: Losses, 1992 to 1996 and Q1 97]
• Risk Incidents: reporting of risk incidents, exposures, and near misses. Columns: Incident, Exposure, Response.
• Management Assessment: management discussion of major risk issues (“what keeps me up at night”).
22
Example: monthly risk report (cont’d)
[Charts. Core Risk Measures: Credit Counterparty Exposure, Real Estate Index, Interest Rate Exposure (axis labels: Period, Region, Notional, Limit). Key Risk Trends: Improving Trends, Other Trouble Indicators, Operational Performance (axis labels: Period, Goal, MAP).]
23
Case study:
Background
• $1 trillion of assets under management
• Private company
• Decentralized business culture
3-Year ERM Program
• Organized Global Risk Forum
• Implemented annual Global Risk Review
• Automated loss accounting
• Developed ERM framework
• Implemented intranet-based Global Risk MIS
• Experienced significant reduction in loss ratio
24
Basic risk management processes can lead to significant improvements
• Risk Metrics
• Risk Event Log: Event, Loss, Root Causes, Controls Needed
• Education: New associates; Management; Business/Operational processes; Best practices; Lessons learned
[Chart: Actual Loss Experience, 1995 to 1998, on a 0% to 100% scale, showing an 85% Decline; legend: Goal, MAP]
25
ERM requires balancing the hard and soft side of risk management
Hard Side
Measures and reporting
Risk oversight committees
Policies & procedures
Risk assessments
Risk limits
Audit processes
Systems
Soft Side
Risk awareness
People
Skills
Integrity
Incentives
Culture & values
Trust & communication
26
Definitions of “risk culture”
– In a typical risk culture, people will do the right things when risk policies and controls are in place
– In a good risk culture, people will do the right things even when risk policies and controls are not in place
– In a bad risk culture, people will not do the right things regardless of risk policies and controls
A company’s “risk culture” provides the foundation of its ERM program
27
Case study:
Background
• New capital markets business
• Traders hired from foreign bank
• Aggressive business and growth targets
2-Year ERM Program
• Established risk policies and systems
• Instilled risk culture
• Survived “Kidder” disaster
• Captured 25% market share with zero policy violations
• Recognized as best practice
28
Hallmarks of success in ERM
• Engaged senior management and board of directors
• Established policies, systems, and processes, supported by a strong risk culture
• Clearly defined risk appetite with respect to risk limits and business boundaries
• Robust risk analytics for intra- and inter-risk measurement, summarized in an “ERM dashboard”
• Risk-return management via integration of ERM into strategic planning, business processes, performance measurement, and incentive compensation
29
Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future
30
Ten predictions on the future of enterprise risk management
1. ERM will become the industry standard
2. CROs prevalent in risk-intensive companies
3. Audit committees will evolve into risk committees
4. Economic capital in; VaR out
5. Risk transfer executed at enterprise level
6. Advanced technologies key to advancement
7. A measurement standard will emerge for operational risk
8. Risk-based or economic reporting becomes standard
9. Risk becomes part of corporate and college programs
10. Salary gap among risk professionals continues to widen
31
The role of a Chief Risk Officer
Evangelist Motivate
Leader Change
Steward Control
Consultant Help
Technician Teach
Must have!
Nice to have
32
What makes a good CRO?
• Organizational and leadership skills to effect change
• Communication skills – “to simplify without being simplistic”
• Technical skills in credit, market, and operational risk
• Judgment to balance business and risk requirements
• Courage to push back and “say no”
• High EQ (emotional quotient) in addition to high IQ
• Ultimate CRO test: ability to integrate risk management into strategic planning and day-to-day business processes
33
ASSE defined functions for safety professionals
• Anticipate, identify and evaluate hazardous conditions and practices
• Develop hazard control methods, procedures and programs
• Implement, administer and advise others on hazard controls and hazard control programs
• Measure, audit and evaluate the effectiveness of hazard controls and hazard control programs
34
Role for safety professionals in enterprise risk management
• Promote awareness of hazard risks, as well as the interdependencies with other key risks
• Integrate hazard risks into control self assessments and audit findings
• Develop key risk indicators and management dashboards for hazard risk
• Participate in ERM initiatives to mitigate and manage enterprise-wide risks