Leveraging ERM to meet regulatory requirements and create business value

Susan Hwang, National Leader, Enterprise Risk Management
Flora Do, Senior Manager, Enterprise Risk Management

March 27, 2012


With an introduction from Andy Poprawa, CEO of DICO


Discussion topics

• Background
• Enterprise Risk Management (ERM) key components
• Closing thoughts

© Deloitte & Touche LLP and affiliated entities. Leveraging ERM to meet objectives beyond meeting regulatory requirements


Background


DICO By-law #5: Standards of sound business and financial practice requires more robust ERM

Section A: Corporate governance (Class 1 & 2)
Section B: Risk management policies (Class 1 & 2)
Section C: Enterprise risk management (Class 2 only)

Board
• Establish responsibilities/accountabilities, business objectives, etc.
• Evaluate the CEO
• Implement policies surrounding: capital management, credit risk, operational risk, market risk, structural risk, liquidity risk

Board
• Establish risk appetite and tolerances
• Review results against plan
• Oversee risk management
• Obtain assurance on adherence to risk policies
• Review risk exposures

Audit Committee
• Oversee the identification of significant and emerging risks
• Report to the board on risk exposure levels

Management
• Implement risk management processes
• Provide reporting to the Board

Management
• Identification, evaluation, monitoring, mitigation and reporting of significant strategic, business and process risk exposures

Overview of changes
• Monitoring and board reporting requirements
• Board training requirements
• Board evaluation
• Audit Committee Standard
• Details of role
• Monitoring the effectiveness of risk management practices


Credit unions are working on ERM

• In 2010, Deloitte surveyed credit unions across Canada on their risk management practices

[Chart: Survey participants: breakdown by asset base]

Survey results
• 100% of credit unions said risk management has become more important over the past twelve months
• 74% of credit unions have formal ERM programs


Survey showed risk management was growing in importance

[Chart: Top reasons for growth in risk management importance to your organization. Vertical axis: 0% to 100%. Categories: New regulatory requirements or expectations; Current economic environment; Increased Board of Director expectations around risk management; Risk management seen as a competitive advantage; Other; Recent lapse in risk management; Greater counterparty risk]


What is ERM?

• A business process to continually evaluate and manage risks to business strategies and objectives on an entity-wide basis

• A common framework to manage all types of risk to achieve maximum risk-adjusted returns


ERM covers risk at different levels

There is a need to consider all levels of risk – those associated with the external environment and those from the internal environment relating to people, processes, technology and objectives.

Strategic: risks associated with strategic plans and objectives
• Strategic plan includes comprehensive risk evaluation
• Readiness to seize opportunities and manage the associated risks

Business: risks associated with operating and business specific objectives
• Operating plans align with strategy and address critical operating and business risk issues

Process: risks associated with processes and outputs to meet business objectives
• Key process risk issues are identified and appropriate controls embedded

Risks associated with internal environment


There are different levels of ERM sophistication

[Figure: Stages of ERM capability maturity (Initial, Fragmented, Comprehensive, Integrated, Strategic) plotted against stakeholder value. Markers: Current state, Interim state, Desired state, Current effort]

Initial
• Ad hoc/chaotic
• Enterprise takes minimal risks into consideration for determining the vulnerability to risks
• No formal procedures for risk assessment

Fragmented
• Risk is defined differently at different levels and in different parts of the organization
• Risk is managed in silos
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring and reporting functions

Comprehensive
• Risk universe is identified
• Common risk assessment/response approach developed and adopted
• Organization-wide risk assessment performed, action plans implemented in response to high priority risks
• Communication of top strategic risks to the senior management team

Integrated
• Risk management activities coordinated across business areas
• Risk analysis tools developed and communicated
• Enterprise risk monitoring, measuring, and reporting
• Scenario planning
• Opportunity risks identified and exploited
• On-going risk assessment processes

Strategic
• Risk discussion is embedded in strategic planning, capital/resource allocation, product development, vendor selection, etc.
• Early warning system to notify the risks above established thresholds to board and management
• Linkage to performance measures and incentives
• Risk modeling


ERM key components


Deloitte’s ERM architecture

Risk management activities across all levels, from the board and executive management to business units and supporting functions, are integrated into a systematic, enterprise-wide program, embedding a strategic view of risk into all aspects of business management.

Risk governance
• Stakeholder expectations
• Risk appetite
• Strategy & performance
• Tone at the top

Risk management enablers/infrastructure
• Policies
• Framework & methodology
• Culture & capabilities
• Information & reporting
• Technology

Risk management processes
• Risk identification
• Risk assessment
• Risk measurement
• Risk response
• Escalation & monitoring

Integration with the business


Establishing risk governance is one of the critical first steps of ERM

• Formally document roles, responsibilities and accountability:

Board and management

Board of directors
• Provide oversight to risk taking and risk management
• Set expectations and tone, elevate risk as a priority, and initiate the communication and activities that constitute intelligent risk management

Executive management team
• Set direction and resolve significant/enterprise-wide risk issues
• Provide recommendation to the board on ERM policy, framework, practices and processes

1. Business/Functional areas: “Takes risks”
• Take, manage and monitor risks

2. ERM function: “Supports board and management”
• Provide policy, standards, coaching, analysis and reporting

3. Assurance (e.g., internal audit): “Provides independent assurance”
• Objectively assessing the ERM framework and risk management activities


Suggestions for risk governance implementation

• Clearly define risk management roles, responsibilities and accountability
• Ensure effectiveness and proper segregation of duties, balancing with the need for efficiency
• Document in ERM policy documents
• Communicate, train and reinforce


Risk appetite provides the context for risk management

Risk appetite is the nature and amount of risk an organization is willing to take on in pursuit of value while achieving its strategic intent

Why is defining risk appetite important?
• Sets boundary for business risk taking
• Helps management understand the scope of its authority in risk taking
• Determines which risk(s) to focus on and report to the Board
• Enables Board and management oversight of the organization’s risk profile while conforming to the approved risk appetite
• Helps prioritize mitigation actions for risks outside risk appetite
• Guides risk decision-making across all major classes of risks
• Ensures alignment of risk limits and thresholds
• Facilitates risk financing/insurance decisions


Risk appetite should be set within an institution’s risk taking capacity

Risk capacity, appetite and limits (illustrative example)

• Risk capacity = 500
• Risk appetite = 450
• Capacity ‘buffer’ = 50
• Utilized risk appetite = 425
• Unutilized risk appetite = 25

[Figure labels: Acceptable risk levels; Requires management and/or board review]

Risk limits/thresholds: Individual risk limits should be established for risks to ‘operationalize’ the targeted risk appetite.


Factors to consider while defining risk appetite

Governing objective
• Represents the value proposition of the organization to its key stakeholders

Risk capacity and constraints
• Represents the organization’s ability to bear risk

Risk philosophy (attitude on risk taking)
• Represents the organization’s set of shared beliefs and attitudes on risk taking

Business strategy and objectives
• Embodies the strategic direction of the organization over the planned time horizon

These factors lead to:
• Articulation of risk appetite (qualitative and quantitative)
• Establishment of risk tolerances (limits and thresholds)


Suggestions for risk appetite implementation

• Developing an approach: Considering factors to help define risk appetite
• Defining risk appetite: Articulate risk appetite statements
• Implementing risk appetite: Integration with other activities and cascading risk appetite down to risk tolerances
• Monitoring & reporting: Determine whether the risk profile is within the risk appetite
• Updating risk appetite: Validate that risk appetite is appropriate and make enhancements

Governing risk appetite

[Diagram labels: Governing objective; Risk capacity & constraints; Risk philosophy; Business strategy & objectives; Risk appetite; Board; External stakeholders; Management; Business units (BU); Strategic planning; Day-to-day operations; Risk management; Internal audit planning; Resource allocation]


What does building a risk aware culture mean?

• Are all cultural attributes to support ERM clearly defined, e.g. ownership and accountability, awareness, etc.?

• Does the environment support and promote the identification and escalation of issues, challenge the status quo and ask ‘what-if’ questions, where necessary?

• Does current behaviour support ERM?


Suggestions for risk culture implementation

• Conduct education and awareness activities
• Clarify risk management expectations and requirements
• Define and enforce risk ownership
• Review end-to-end processes and cross-departmental reliance
• Enforce risk management policies
• Link performance management and risk management


Suggestions for risk identification and assessment

• Use a broad suite of techniques to identify and assess risk on an ongoing basis – developing annual ‘heat maps’ is not sufficient
• Involve the right stakeholders
• Think about inherent risks (potential risks that could occur), emerging risks and even Black Swans rather than just real issues and challenges
• Consider risk relationships
• Embed in business decision-making processes


Using stress testing to answer “what-if” questions

Scenarios are not:
• Forecasts - they do not predict the future

Scenarios are:
• A method for understanding possible future situations
• An approach for understanding the potential causes and consequences of extreme situations

[Figure: Forecast, Scenario 1 and Scenario 2 paths over time, t=0 to t=3]


Stress testing serves many purposes

• Is an important tool for making risk management and capital management decisions
• Should be embedded in ERM to help set risk appetite and exposure limits, risk analysis and quantification
• Facilitates the development of risk mitigation or contingency plans
• Helps in evaluating strategic choices to support strategy setting and longer term business planning


Suggestions for stress testing implementation

• Scenarios should include sufficient breadth and severity to include ‘plausible but not probable’ events
• Adopt an open mind while developing and challenging scenarios
• Follow through with management actions
• Conduct reverse stress testing to serve as early warning


Closing thoughts


ERM brings business value to credit unions

• Gives rise to shared understanding and enhanced communication re: risks and risk management

• Brings focus to the most significant risks and opportunities

• Formalizes risk management practices; visible demonstration of effort

• Provides early warning signs

• Strengthens accountability re: risks

• Improves understanding of risk interrelationships

• Reinforces objective prioritization of resources and capital

• Supports strategy setting and business decision making


Successful ERM implementation depends on several key success factors

• Get buy in
• Customize
• Develop an implementation plan
• Identify strong leadership/sponsorship
• Secure the needed resources
• Integrate with business process
• Communicate and reinforce culture


Contact information

Susan Hwang
National Leader
[email protected]

Flora Do
Senior Manager, Enterprise Risk
[email protected]
