The Role of the Chief Risk Office and the Board’s Role in Risk Oversight

John FraserSenior Vice President, Internal Audit

& former Chief Risk OfficerHydro One Network Inc.

August 25, 2014

The Canadian Society of Corporate Secretaries16th Annual Corporate Governance ConferenceBanff Springs Hotel | Banff, AB | August 24 ‐ 27, 2014

Objectives of this Session• Provide some background on Enterprise

Risk Management, how it evolved and why it is now a hot topic for board rooms

• Introduce the core fundamentals of Enterprise Risk Management, what it is, some of the tools and how to explain it to executive management and the board

• Explain the Chief Risk Officer’s role and how it interacts with the board or a board sub-committee

• Address the board’s role in risk oversight – increased expectations and what to do

How Well is ‘Risk’ Understood (2006)?

“In 2006, 60% of directors felt they had an understanding of their company’s risks, while executives say that only 18% of directors understand their company’s risks.”

Source: KPMG in “Raising the Bar” (April 2008) quoting the February 2006 McKinsey Quarterly Survey

How Well is Risk Understood (2013)?

In 2013, directors surveyed said their knowledge of the risks that the company faced was as follows:

• 15% of directors said they have a complete understanding

• 54% said they had a good understanding, and

• 29% said they had a limited or no understanding

McKinsey & Company in “Improving board governance” via an on line survey in April 2013 of 772 corporate directors, 34 % of whom were chairs. 22% were public companies78% were private companies.

What is risk management’s contribution to your

organization?• 47% said “It is essential for adding value to

our overall business”• 34% said “It can occasionally help us

improve the way we do business”• 15% said “Its contribution to our overall

organization is only marginal”• 4% said “It does not contribute to our

overall business”

Source: Based on a December 2012 survey by the Economist Intelligence Unit and published by KPMG in 2013 in “Expectations of Risk Management Outpacing Capabilities – It’s Time for Action”

Some of the Challenges of Implementing ERM

• The Business Case: Regulatory or Effectiveness?

• Culture change• Agreeing Risk Criteria (Appetite /

Tolerances etc.)• Staffing: who should lead, skills,

workshops, how much data to analyse• Level of detail (quantitative and/or

qualitative)• Software needs and selection

Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014) AICPA & NCSU

Benchmarking ERM

Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014) AICPA & NCSU

1

2

3 4

Benchmarking ERM – con:

Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014) AICPA & NCSU

1

Benchmarking ERM – con:

2

Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014) AICPA & NCSU

2009 2013

Companies with a designated Chief Risk Officer 18 31

Financials with a designated Chief Risk Officer 53

Separate Risk Committees 22 43

Risk Inventories kept at an enterprise level ‐ all 20 37

Risk Inventories kept at an enterprise level – Large Co’s 72

Risk Inventories kept at an enterprise level – Public Co’s 66

Risk Inventories kept at an enterprise level ‐ Financials 44

Benchmarking ERM – con:

Integrating a Risk Framework into the

Business1.ERM Policy and Framework 2.Accountabilities (and the Chief Risk

Officer role)3.Risk Criteria (and appetite / tolerances)4.Risk Identification (and the use of Risk

Workshops) 5.Corporate Risk Profile6.Business Planning

ERM Policy and

Framework

ERM Policy and Framework• ERM Policy:

• “ERM provides uniform processes to identify, measure, treat and report on key risks.”

• This is the umbrella policy under which all other risk policies fall.

• Key principles include: portfolios of ALL types of risks, integrated with strategic and business planning, annual risk assessments, everyone’s responsibility.

• Key accountabilities: Board and/or board committee, the Chief Executive Officer, Chief Financial Officer, Management and Chief Risk Officer.

• Key definitions, e.g. of “risk”.

• ERM Framework:• Establishes the basic process for all risk

assessments etc.

Accountabilities (and the Chief Risk Officer

Role)

Accountabilities in ERM

CORPORATE RISK

PROFILE

BOARD(OR COMMITTEE)

EXECUTIVEMANAGEMENT

POLICY &FRAMEWORK

RISK PROFILES & BUSINESS

PLANS

LINEMANAGEMENT

RISK CRITERIA

(TOLERANCES)

MANAGE RISKS, $$

The Chief Risk Officer Role• Alternative models, banks versus others• Decision maker, facilitator or “opinionator”?• Centralized/holistic view of the organization• Some issues:

• Who does the CRO work for? Management or the Board?

• Is the CRO a facilitator or a policeman?

Additional reading: “Managing the Multiple Dimensions of Risk—Part II: The Office of Risk Management” by Anette Mikes, Assistant Professor, and Robert S. Kaplan, Baker Foundation Professor, Harvard Business School (2011)“Becoming the Lamp Bearer: The Emerging Role of the Chief Risk Officer” by Anette Mikes, Assistant Professor, Harvard Business School (2009)“Enterprise Risk management – From Incentives to Controls” by James Lam, John Wiley & Sons (2003)

Accountabilities of Risk versus Internal Audit

Source: “The Role of Internal Auditing in Enterprise-wide Risk Management” Institute of Internal Auditors (2004) “Internal Auditing’s Role in Risk Management” Institute of Internal Auditors (2011)

Core internal audit roles Roles with safeguards Audit should not undertake

The Chief Risk Officer and the Board

• Touch-points between the Board and the CRO:• The ERM Policy and Framework approval• Strategic Planning & Business Planning

(Objectives)• Risk Criteria (e.g. impact scale, tolerances etc)• Formal Risk Profiles • Frequent Updates• Educator (e.g. best practices, benchmarking)• Advisor (e.g. hot topics, emerging risks)• Whistleblower (not recommended) • To be determined (e.g. risk workshops)

Risk Criteria and appetite/tolerances

Appetite/Tolerances/Criteria

Term < 2004 2004+ 2009 2011AppetiteToleranceCriteriaAttitude

* = Implementation guide to

CAN/CSA-ISO 31000, Risk

management — Principles

and guidelines (2011)

Used

Interchangeably

COSO

COSO

ISO

31000

Canada*

Canada*

Canada*

Canada*

Use of Risk Criteria (Appetite & Tolerances etc.)

• In order to run effective risk workshops• In order to create a common understanding

of risks by the leadership team, the board and managers

• Criteria for Business Planning / Resource Allocation prioritization

“Risk is the effect of uncertainty on objectives”ISO 31000

Risk Criteria* Include:• the nature and types of causes and consequences

that can occur and how they will be measured;• how likelihood will be defined;• the timeframe(s) of the likelihood and / or

consequence(s);• how the level of risk is to be determined;• the views of stakeholders;• the level at which risk becomes acceptable or

tolerable; and• whether combinations of multiple risks should be

taken into account and, if so, how and which combinations should be considered.* = Per ISO 31000 Note: Underlines for emphasis by John Fraser

Turning Strategy into Risk Criteria (inc. Tolerances)

StrategicPlanning

How are we goingto achieve our

overall Corporateaims??

Business Objectives

KeyPerformanceIndicators

Risk Criteria(inc.

Tolerances)

What is ourattitude towardfailure for each

Key Performance Indicator??

How will wemeasure successfor each Business

Objective?

What 6-10 objectives

do we want tofactor in to

decision-making?

Risk Tolerances Business Objectives

Event Impact Description 5

Worst Case 4

Severe 3

Major 2

Moderate 1

Minor

Financial

Net Income shortfall (after tax, in one year)

$>150M shortfall $75-150M shortfall $25-75M shortfall $5-25M shortfall <$5M shortfall

Reputation

Negative Media Attention; Opinion leader and Public Criticism

National media attention; opinion leaders/customers nearly unanimous in public criticism

Provincial media attention; most opinion leaders/customers publicly critical

Significant local attention; Several opinion leaders/ customers publicly critical

Credible letter(s) to Ministry of Energy, to Premier, to Chair of OEB, or to Minister of Environment, that require action

Letter(s) to Senior Management

Customer /Reliability

Outages on the Hydro One system

One of: >100,000 Customers Distribution or >1000MW Tx for more than 7 days

One of: 40k-100k Customers Dx or 400-1000MW Tx for 4-7 days

One of: 10k-40k Customers Dx or100-400MW Tx for 2-4 days

One of: 1k-10k Customers Dx or 10-100MW Tx for 4-24 Hrs

One of: <1000 Customers Dx or <10MW Txfor <4 Hrs

Example of “Risk Tolerances” (Criteria)

TolerableIntolerable

Actual “Risk Criteria” Impact Scale

TolerableIntolerable

Risk Identification and Evaluation

• The use of Risk Workshops • The use of Interviews• The use of Surveys

Risk Workshops

Risk Workshops are Facilitated for:• Major Projects, e.g. construction, Information Technology, Mergers & Acquisitions

• Major Types of Risks, e.g. environmental• Lines of Business, e.g. for business planning• Executive Team• Board of Directors

“Risk Management is a contact sport.”Diana Del Bel Belluz

Note: Risk workshops will not work well in a dysfunctional organization

Risk Interviews• Based on the Strategic Objectives• List of major external events since the last

Risk Profile• Prior list of top risks: to capture trends

and ratings• Listings of all possible existing and

evolving risks• Identification and input of organizational

context and learning's• Recognizes difference styles of

communicating (e.g. blue sky versus detailed)

Corporate Risk Profiles

Corporate Risk Profiles• Purpose and Benefits• Frequency, e.g. semi-annual (?) • Based on:

• Interviews & Databases (e.g. risk workshop results)

• Trends & Emerging risks (e.g. media scans)• Reviewed by:

• Executive (Risk) Committee• Board or delegated board committee

• Input to Strategic & Business Planning (and internal audit plan)

Roll Up of Risk Interviews/Workshops

Human Resources

(R=2.6 / C=2.1)

RetainingExpertise

R=2.6 / R=2.0)

Training(R=2.5 /

C=2.8)

LabourAgreements

R=2.4 / C=2.0)

Commercial Culture

(R=3.4 / C=2.1)

Volatile WorkSchedule

(R=2.5 / C=2.1)

Budget(R=2.8 /

C=2.6)

Skills(R=2.5 /

C=2.6)

Demographics(R=3.5 /

C=2.3)

Competition(R=2.7 /

C=2.5)

Risk Source March 2001 Dec. 2001 Risk Trend

Cost Reduction Very High Very High

Regulatory Uncertainty High Very High

Initial Public Offering High High

Customer Relationships

High Medium

Human Resources Medium Medium

Safety High Medium

Risk Profile Top Ten Format

Note: Each risk category is explained witha half page analysis outlining the sources of the risk and the mitigants in place or planned.

Heat MapTopic Risk description Likelihood Impact

A Compensation Dissatisfaction leads to higher turnover

Possible Moderate

B Recognition If unrecognized leads to errors and less focus

Unlikely Minor

C Downsizing More overtime so staff leave for better work/life balance

Likely Moderate

D Demographics Changing demographics leads to more turnover

Almost Certain

Moderate

Source: COSO 2004 Application Techniques – Page 47

Risk Map

Business Planning

Business Planning: Making Choices Based on Value

Vehicles??

House??

Medical??

Travel??

Intolerable Risks

Highest “Risk Mitigation” Value for money

+

Summary - The Basic Approach to ERM

• Establish a policy and procedure (framework based on ISO 31000)

• Identify a champion and resources• Agree on Risk Criteria e.g. an impact scale• Create conversations via workshops and interviews• Prepare semi-annual risk profiles (based on

interviews and/or risk workshops)• Incorporate risk prioritization into business

planning• Include risk assessments in capital projects• Monitor and improve

Questions?

Additional Key ERM Techniques

0

1

2

3

4

5safety

customer

environment

revenue growth

shareholder return

corporate image

employee relationship

technical innovation

Target Risk Attitude"Target" Attitude

0

1

2

3

4

5safety

customer

environment

revenue growth

shareholder return

corporate image

employeerelationship

technical innovation

"Target" Attitude

Business development dept

Operations dept

Accounting dept

Risk Attitude Comparison

“Black Swans”

Velocity Voting ScaleInterval between the initiating event or condition (which is the point at which the risk becomes inevitable) and its “peak” impact on our business objectives

Resilience Voting Scale• Ability to detect occurrence of initiating event/condition, and secure/deploy resources (plans, organizations, testing)

• Availability of or access to resources required to cope with or mitigate the business impact (people, knowledge, liquidity, equipment, etc)

Additional Readings