TRANSCRIPT
Leveraging ERM to meet regulatory requirements and create business value
Susan Hwang, National Leader, Enterprise Risk Management
Flora Do, Senior Manager, Enterprise Risk Management
March 27, 2012
With an introduction from Andy Poprawa, CEO of DICO
Discussion topics
• Background
• Enterprise Risk Management (ERM) key components
• Closing thoughts
© Deloitte & Touche LLP and affiliated entities. Leveraging ERM to meet objectives beyond meeting regulatory requirements
Background
DICO By-law #5: Standards of sound business and financial practice requires more robust ERM
Section A: Corporate governance (Class 1 & 2)
Board
• Establish responsibilities/accountabilities, business objectives, etc
• Evaluate the CEO
• Review results against plan
• Oversee risk management
• Obtain assurance on adherence to risk policies
Management
• Implement risk management processes
• Provide reporting to the Board
Overview of changes
• Board training requirements
• Board evaluation
• Audit Committee Standard
• Details of role
• Monitoring the effectiveness of risk management practices
Section B: Risk management policies (Class 1 & 2)
• Implement policies surrounding: Capital management, Credit risk, Operational risk, Market risk, Structural risk, Liquidity risk
Overview of changes
• Monitoring and board reporting requirements
Section C: Enterprise risk management (Class 2 only)
Board
• Establish risk appetite and tolerances
• Review risk exposures
Audit Committee
• Oversee the identification of significant and emerging risks
• Report to the board on risk exposure levels
Management
• Identification, evaluation, monitoring, mitigation and reporting of significant strategic, business and process risk exposures
Credit unions are working on ERM
• In 2010, Deloitte surveyed credit unions across Canada on their risk management practices
Survey participants: breakdown by asset base
Survey results
• 100% of credit unions said risk management has become more important over the past twelve months
• 74% of credit unions have formal ERM programs
Survey showed risk management was growing in importance
Top reasons for growth in risk management importance to your organization
[Bar chart, vertical axis 0% to 100%; categories: New regulatory requirements or expectations; Current economic environment; Increased Board of Director expectations around risk management; Risk management seen as a competitive advantage; Other; Recent lapse in risk management; Greater counterparty risk]
What is ERM?
• A business process to continually evaluate and manage risks to business strategies and objectives on an entity-wide basis
• A common framework to manage all types of risk to achieve maximum risk-adjusted returns
ERM covers risk at different levels
There is a need to consider all levels of risk – those associated with the external environment and those from the internal environment relating to people, processes, technology and objectives.
Strategic
• Risks associated with strategic plans and objectives
• Strategic plan includes comprehensive risk evaluation
• Readiness to seize opportunities and manage the associated risks
Business
• Risks associated with operating and business specific objectives
• Operating plans align with strategy and address critical operating and business risk issues
Process
• Risks associated with processes and outputs to meet business objectives
• Key process risk issues are identified and appropriate controls embedded
Risks associated with internal environment
There are different levels of ERM sophistication
[Chart: stakeholder value (vertical axis) against stages of ERM capability maturity (horizontal axis): Initial, Fragmented, Comprehensive, Integrated, Strategic. Chart labels: Current state, Interim state, Desired state, Current effort]
Initial
• Ad hoc/chaotic
• Enterprise takes minimal risks into consideration for determining the vulnerability to risks
• No formal procedures for risk assessment
Fragmented
• Risk is defined differently at different levels and in different parts of the organization
• Risk is managed in silos
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions
Comprehensive
• Risk universe is identified
• Common risk assessment/response approach developed and adopted
• Organization-wide risk assessment performed, action plans implemented in response to high priority risks
• Communication of top strategic risks to the senior management team
Integrated
• Risk management activities coordinated across business areas
• Risk analysis tools developed and communicated
• Enterprise risk monitoring, measuring, and reporting
• Scenario planning
• Opportunity risks identified and exploited
• On-going risk assessment processes
Strategic
• Risk discussion is embedded in strategic planning, capital/resource allocation, product development, vendor selection, etc.
• Early warning system to notify the risks above established thresholds to board and management
• Linkage to performance measures and incentives
• Risk modeling
ERM key components
Deloitte’s ERM architecture
Risk management activities across all levels, from the board and executive management to business units and supporting functions, are integrated into a systematic, enterprise-wide program, embedding a strategic view of risk into all aspects of business management.
Risk governance
• Stakeholder expectations
• Risk appetite
• Strategy & performance
• Tone at the top
Risk management enablers/infrastructure
• Policies
• Framework & methodology
• Culture & capabilities
• Information & reporting
• Technology
Risk management processes
• Risk measurement
• Risk assessment
• Risk response
• Escalation & monitoring
• Risk identification
Integration with the business
Establishing risk governance is one of the critical first steps of ERM
• Formally document roles, responsibilities and accountability:
Board and management
Board of directors
• Provide oversight to risk taking and risk management
• Set expectations and tone, elevate risk as a priority, and initiate the communication and activities that constitute intelligent risk management
Executive management team
• Set direction and resolve significant/enterprise-wide risk issues
• Provide recommendation to the board on ERM policy, framework, practices and processes
1. Business/Functional areas: “Takes risks”
Take, manage and monitor risks
2. ERM function: “Supports board and management”
Provide policy, standards, coaching, analysis and reporting
3. Assurance (e.g., internal audit): “Provides independent assurance”
Objectively assessing the ERM framework and risk management activities
Suggestions for risk governance implementation
• Clearly define risk management roles, responsibilities and accountability
• Ensure effectiveness and proper segregation of duties, balancing with the need for efficiency
• Document in ERM policy documents
• Communicate, train and reinforce
Risk appetite provides the context for risk management
Risk appetite is the nature and amount of risk an organization is willing to take on in pursuit of value while achieving its strategic intent
Why is defining risk appetite important?
• Sets boundary for business risk taking
• Helps management understand the scope of its authority in risk taking
• Determines which risk(s) to focus on and report to the Board
• Enables Board and management oversight of the organization’s risk profile while conforming to the approved risk appetite
• Helps prioritize mitigation actions for risks outside risk appetite
• Guides risk decision-making across all major classes of risks
• Ensures alignment of risk limits and thresholds
• Facilitates risk financing/insurance decisions
Risk appetite should be set within an institution’s risk taking capacity
Risk capacity, appetite and limits (illustrative example)
• Risk capacity = 500
• Capacity ‘buffer’ = 50 (requires management and/or board review)
• Risk appetite = 450 (acceptable risk levels)
• Utilized risk appetite = 425
• Unutilized risk appetite = 25
Risk limits/thresholds: Individual risk limits should be established for risks to ‘operationalize’ the targeted risk appetite.
Factors to consider while defining risk appetite
Governing objective
• Represents the value proposition of the organization to its key stakeholders
Risk capacity and constraints
• Represents the organization’s ability to bear risk
Risk philosophy (attitude on risk taking)
• Represents the organization’s set of shared beliefs and attitudes on risk taking
Business strategy and objectives
• Embodies the strategic direction of the organization over the planned time horizon
Articulation of risk appetite (qualitative and quantitative)
Establishment of risk tolerances (limits and thresholds)
Suggestions for risk appetite implementation
Developing an approach
• Considering factors to help define risk appetite
Defining risk appetite
• Articulate risk appetite statements
Implementing risk appetite
• Integration with other activities and cascading risk appetite down to risk tolerances
Monitoring & reporting
• Determine whether the risk profile is within the risk appetite
Updating risk appetite
• Validate that risk appetite is appropriate and make enhancements
[Diagram labels: Governing objective; Risk capacity & constraints; Risk philosophy; Business strategy & objectives; Risk appetite; Board; External stakeholders; Management; Business units (BU); Strategic planning; Day-to-day operations; Internal audit planning; Resource allocation; Risk management; Governing risk appetite]
What does building a risk aware culture mean?
• Are all cultural attributes to support ERM clearly defined, e.g. ownership and accountability, awareness, etc.?
• Does the environment support and promote the identification and escalation of issues, challenge the status quo and ask ‘what-if’ questions, where necessary?
• Does current behaviour support ERM?
Suggestions for risk culture implementation
• Conduct education and awareness activities
• Clarify risk management expectations and requirements
• Define and enforce risk ownership
• Review end-to-end processes and cross-departmental reliance
• Enforce risk management policies
• Link performance management and risk management
Suggestions for risk identification and assessment
• Use a broad suite of techniques to identify and assess risk on an ongoing basis – developing annual ‘heat maps’ is not sufficient
• Involve the right stakeholders
• Think about inherent risks (potential risks that could occur), emerging risks and even Black Swans rather than just real issues and challenges
• Consider risk relationships
• Embed in business decision-making processes
Using stress testing to answer “what-if” questions
Scenarios are not:
• Forecasts - they do not predict the future
Scenarios are:
• A method for understanding possible future situations
• An approach for understanding the potential causes and consequences of extreme situations
[Figure labels: Forecast; Scenario 1; Scenario 2; time points t=0, t=1, t=2, t=3]
Stress testing serves many purposes
• Is an important tool for making risk management and capital management decisions
• Should be embedded in ERM to help set risk appetite and exposure limits, risk analysis and quantification
• Facilitates the development of risk mitigation or contingency plans
• Helps in evaluating strategic choices to support strategy setting and longer term business planning
Suggestions for stress testing implementation
• Scenarios should include sufficient breadth and severity to include ‘plausible but not probable’ events
• Adopt an open mind while developing and challenging scenarios
• Follow through with management actions
• Conduct reverse stress testing to serve as early warning
Closing thoughts
ERM brings business value to credit unions
• Gives rise to shared understanding and enhanced communication re: risks and risk management
• Brings focus to the most significant risks and opportunities
• Formalizes risk management practices; visible demonstration of effort
• Provides early warning signs
• Strengthens accountability re: risks
• Improves understanding of risk interrelationships
• Reinforces objective prioritization of resources and capital
• Supports strategy setting and business decision making
Successful ERM implementation depends on several key success factors
• Get buy in
• Customize
• Develop an implementation plan
• Identify strong leadership/sponsorship
• Secure the needed resources
• Integrate with business process
• Communicate and reinforce culture
Contact information
Susan Hwang
National Leader, [email protected]@deloitte.ca
Flora Do
Senior Manager, Enterprise [email protected]