Transcript Document

Oversight Management of Risk
May 2010
This report is solely for the use of FDHL-MT. No part of it may
be circulated, quoted or reproduced for distribution outside
FDHL-MT without prior written approval.
Agenda
 Broad overview of the Topic
 The Holistic Approach to Risk Management
 Process of risk management
 What the Board should question
Chart 1
Broad Overview of The Topic
 Definition of Enterprise Risk Management
 Traditional approach of many companies
 The need for Board surveillance and a specific Board Committee
 The role of the Chief Risk Officer (CRO)
Chart 2
Risk/Reward Tradeoff
Risk
Company
needs
to decide where
on this continuum
it wishes to sit.
This is a Board
Reward
decision
Chart 3
Definition Of Enterprise Risk Management
 ERM can be described as a risk-based approach to managing
an enterprise, integrating concepts of strategic planning,
operations and internal controls
 ERM is evolving to address the needs of various
stakeholders, who want to understand the broad spectrum of
Definition of Enterprise
risks facing complex organizations to ensure they are
Risk Management
appropriately managed
Chart 4
Definition Of Enterprise Risk Management../2
Definition of Enterprise Risk
Management
 Regulators and debt rating agencies have increased their
scrutiny on the risk management processes of companies
 Some high-profile failures of companies caused by ERM failure
have been:
•
Enron & Barings - Failure of control mechanisms
•
•
•
Lehman & LTCM - Failure to understand business
Union Carbide - Failure in remote part of company
General Motors - Failure to detect industry change
Chart 5
Definition Of Enterprise Risk Management../3
Definition of Enterprise Risk
Management
 Industries change and companies must be aware of such
changes. It is the Board responsibility to react and lead the
company through such changes
 Kodak is a good example
6 companies in the Dow Jones 30 of 1959 remain in the index
(3 from 1929)
•
•
•
General Electric
General Foods
Dupont
Exxon Mobil
Proctor & Gamble
Chevron
Chart 6
ERM – Traditionally Approach Of Many Companies
ERM - Traditional Approach of Many
 Companies
Most companies have not traditionally approached ERM
 Modern approach is build ERM into the strategy and budget
planning process
 Needs a disciplined approach aligning strategy; process;
people; technology and knowledge
ERM means the removal of traditional, functional, departmental
and cultural biases
Chart 7
ERM – Traditionally Approach Of Many Companies../2

ERM - Traditional Approach of Many
Companies
What risks are we facing
 Are these comparable to the risks of our competition
 How do they change with a change in business conditions
 What level of risk should we take
 How should we manage that risk
Chart 8
The
Need
Forfor
Board
Surveillance
& A Specific
The
need
Board
surveillance
and a Board Committee
specific Board Committee
 The main function of any corporation is to make profit for its
shareholders. To do this they must accept some level of risk
 Since the Board of Directors is the guiding body of a company it
falls to them to ensure that the company and therefore its RISK
is properly managed
 All companies are different and their risks and their complexity
will determine the manner in which a Board focus on Risk
Chart 9
The Role Of The Chief Risk Officer
The role of the Chief Risk Officer
(CRO)
The Chief Risk Officer is responsible for -
developing and managing the risk management structure
Should you have one??
Chart 10
The Role Of The Chief Risk Officer../2
 While financial services companies are embracing the CRO
position, other industries such as utilities and commodities-based
businesses are recognizing the power of knowing all their risks
from the top down
 James Lam, founder of ERisk, based in New York, and former
CRO for Fidelity Investments, has been watching the CRO trend
over the last several years and says there are two indicators that
CROs are here to stay: salaries are climbing, which
demonstrates their value, and CROs are beginning to report right
to the CEO, rather than to the CFO or Treasurer, putting them in
a more powerful position. Many CRO’s have a dotted line
reporting relationship to the Board
Chart 11
The Role Of The Chief Risk Officer../3
 In Nigeria the risk management role never got as far removed
from the CEO as it did in developed economies
 Therefore the CEO is effectively today’s CRO in most
companies in Nigeria
Is this healthy and can the CEO perform the executive functions
of a CEO and oversee the myriad of risks inherent in today’s
listed companies??
Chart 12
The Role Of The Chief Risk Officer../4
Strategic
Hedged/Insurable
Financial
Corporate
Property
Price
Customer needs
Business integrity
Liquidity
Demographic changes
Disaster recovery
Credit
Capital position
Information technology
Inflation
Legal/political
Geographic risks
Hedging/Position
Role
the
Chief Risk
This is anThe
example
of aof
Risk
Department’s
functional breakdown
Each company
will have
a different formation to align with its
Officer
(CRO)
strategy
Chart 13
The Holistic Approach to Risk Management
 Managing risk in silos
 View risk as a portfolio
 Risk is dynamic
 Risk is an opportunity
Chart 14
Managing
Risk inRisk
Silos
Managing
in Silos
 Risk needs to be managed both centrally and in silos
(decentralized)
 ERM is managed centrally
 Operational and financial risk should be managed locally as
that is where the business managers are and they should
understand their specific risks better than a central committee
This is an example of a Risk Department’s functional breakdown
Each company will have a different formation to align with its
strategy
Chart 15
Managing
Risk inRisk
Silos../2in
Managing
Silos
“Field decisions are best taken by the
most junior officer, in the field, allowed
to take such decisions”
General Andrew Stuart
Chart 16
Managing
Risk inRisk
Silos../3in
Managing
Silos
Bhophal incident -1984
 Union Carbide Corporation a Dow 30 stock owned 515 OF



Union Carbide India Limited
Dec 1984 an act of sabotage caused a gas leak and resulted in
3,800 deaths
Caused international incident
Chairman Anderson went to India with task force, was put under
house arrest and asked to leave the country
This is an example of a Risk Department’s functional breakdown
Each company will have a different formation to align with its strategy
Chart 17
Managing
Risk inRisk
Silos../4in
Managing
Silos
 The result was that UCC suffered a massive reputational hit,
was heavily fined
 The company fell out of the DJI in 1999 and was bought by
Dow Chemicals in 2001
 UCC is still fighting damage law suits in the USA to this day
Question is how many Directors of UCC even knew they had an
Indian plant?
Chart 18
Managing
Risk inRisk
Silos../5in
Managing
Silos
Bhophal incident -1984
Problems:
 Management of company was left solely to the Indian
management and as a 51% owned entity UCC management
took a hands off approach BUT it was UCC’s reputation at risk
 The cause of the leak and the fact that it was sabotage did not
protect UCC. They clearly had no ERM system in place to
protect the parent from regional catastrophic risk
 Only a comprehensive risk plan would have identified the
potential risk to the parent
Chart 19
Managing Risk in Silos
Managing Risk in Silos../4
Manage silo risk in conjunction with enterprise risk and ensure that it is global
Portfolio
Fixed
Equities
Income
Cash
GLOBAL RISK MANAGEMENT
Chart 20
View
Riskrisk
As A Portfolio
View
as a Portfolio
 The idea of having ERM at the top supervising all other risk
activities is to ensure that all risks are covered
 The concept of managing risks as a portfolio is not to treat all
risk in isolation
 If a company has a subsidiary gravel pit and a subsidiary
cement factory, you do not have to hedge the forward sales of
gravel or the purchase price of gravel since they are offsetting
risks at consolidation
This is an example of a Risk Department’s functional
breakdown
Each company will have a different formation to align
with its strategy
Chart 21
View risk as a Portfolio../2
 The art of managing a portfolio is to find uncorrelated asset
returns and buy both asset classes and leave both unhedged as
their volatility will partially offset each other
 The danger is that if these are treated in isolation excess cost
will be incurred by hedging both risks
 The portfolio risk is that both assets may be structured to
achieve the same thing and thus not be as uncorrelated as at
first believed
This is an example of a Risk Department’s functional breakdown
Each company will have a different formation to align with its strategy
Chart 22
View
Riskrisk
As A Portfolio../3
View
as a Portfolio
Typical financial portfolio, can be replicated for any business grouping
Portfolio
Fixed
Equities
Income
Chart 23
Cash
View
Riskrisk
As A Portfolio../4
View
as a Portfolio
100%
90%
R
e
t
u
r
n
80%
70%
60%
Risk 2
50%
Risk 1
40%
30%
20%
10%
0%
1
2
3
4
5
6
7
8
9
10
11
Observations
This is an example of a Risk Department’s functional breakdown
Each company will have a different formation to align with its strategy
Chart 24
A Portfolio Approach
Involves creating a general understanding of:
 A company’s resources
 The business environments in which it operates




How value is created and stored
The key risk issues underlying its value propositions
How its business models are alike and dissimilar
Every important business dimension
Chart 25
A Portfolio Approach: Realigning the Internal Model
Mission, Vision & Values
Operational
Employees
Financial
Debt and Equity Holders
Employment Practices and Compensation Structure
Governance and Organizational Structure
Legal and Ownership Structure
Chart 26
Risk is Dynamic
As a mortgage banker your risk is clearly rising as house prices
rise same for the security forces as terrorism increases
Chart 27
Risk is Dynamic../2
 As risks increase the risk managers must find a way to
counteract the impact of risk incidents. This is usually
expensive and not thought out before
 Conversely when risk is lower the need for insurance is lower
and economic logic dictates that then you should take off
excessive insurance and maximize profits
Chart 28
Risk as an Opportunity
 Too many organisations see risk management as a compliance
issue, rather than developing approaches which add value and
competitive advantage and which reflect their own business
culture and stakeholder base
 Most approaches to risk management are therefore not driven
or inspired by enhancing opportunities (the upside of risk) but
by the fear of the ever greater penalties for doing something
wrong (the downside of risk)
Prof Martin Loosemore
Chart 29
Risk as an Opportunity../2
 When Jamie Dimon stepped up to the plate and bought 100%
of Bear Stearns for $2 per share, he used the fact that he had
preserved his cash for a rainy day and was able to use it to buy
a huge opportunity. So much so that he had to up the price a
week later to $10 per share to avoid an awkward law suit
 This was a financial example of risk management turning into
an opportunity. There are many less notable but equally
important examples of good risk management providing superb
gains in business
Chart 30
Risk as an Opportunity../3
Potential benefits of successful risk management
•
•
•
•
Improved performance and competitive advantage
•
•
•
•
•
Higher client satisfaction and retention
Greater resilience to unforeseen risks
Greater capacity to seize opportunities
Greater teamwork and collective responsibility for decisions
throughout all organizational levels and supply chains
Greater regulatory compliance
Less rework, disruption and conflict rework
Enhanced reputation
Higher quality information for making business decisions
Chart 31
Process of Risk Management
 Identify risk
 Quantify risk
 Mitigate risk
 Monitor risk
Chart 32
Identify Risk
Experienced-based approach
 Is dependent on corporate experience
 Search for bad outcomes and try to identify risk drivers
 Solicit staff for potential risk in processes etc.
Environmental approach
 Seeks to understand the business in the context of its
environment
 What is changing and how will it affect the business?
Chart 33
Quantify Risk
What risk measures are available to business managers
 Financial Indicators
 Liquidity
 P&L performance measures
Key Risk Indicators
 Customer complaints
 Lawsuits
 Plant failures
 Accidents
 Errors
Chart 34
Quantify Risk../2
 Many quantitative measures have been created to measure
risk
 One of the most important and mis-understood of these is
Value @ Risk or VAR
 A simplified definition of VaR is that it measures the amount of
loss one can expect for a given portfolio over a specified period
of time with a 95% or 99% degree of confidence
Chart 35
Quantify Risk../3
The problem with VaR
 VaR risk can be hedged away but adds to total book
 The data is usually too short term in nature to represent a full
economic cycle, thus there have been far more 100 year
events in the last 30 years than is feasible
 The data has no answer for how much one can lose in the
1% or 5% of events not covered by the confidence levels
 VaR tends to be used in isolation and it should not be. It does
not pretend to measure Liquidity Risk
Chart 36
Quantify Risk../4
Risk
Short-term Data
Chart 37
Quantify Risk../5
Risk
Long-term Data
For a good example see page 77 Exhibit 5.4 in “Bank Boards and the Financial Crisis”
by Nestor Associates
Chart 38
Quantify Risk../6
How serious was the overemphasis on VaR in 2008?
 UBS blames an over-dependance on VaR and an absence of
other risk measures in its mortgage book, as an overarching
cause for the horrendous losses they suffered in their fixed
income business
 Using VaR without liquidity limits allowed the book to grow to
proportions that could not easily be financed when market
liquidity dropped
 VaR is a useful tool but not in isolation
Chart 39
Quantify Risk../7
 Balanced scorecards and Key Performance Indicators tie
strategy to operations
 Credit losses or problems
 Audit problems and exceptions
Frequently too much time is spent trying to refine what risks are
being monitored and not enough time is spent fixing issues that
cause risk (80/20 Rule)
Chart 40
Risk/Mitigation Heatmap
F
r
e
q
u
e
n
c
y
Level of Risk
Chart 41
Mitigate Risk
 The process to mitigate risk will vary from one situation to
another, proper risk mitigation calls for understanding what you
currently have and what needs to be done in order to maintain
your status quo
 Don’t waste time and money mitigating non critical risks, you will
always have risk; identify the main causes of risk and manage
those causes
Chart 42
Monitor Risk
 In much the same way as decisions should be taken by the
most junior person permitted to take the decision; risk should
be monitored all the way through the organization, by the most
junior person able and permitted to monitor that risk
 No one person or department should be managing too many
risks as then most risks will not be properly monitored
Chart 43
Monitor Risk../2
 Set up a series of dashboards that are easy to read and
indicate the key risks to be monitored by the entity or person
and ensure that all of these functions are working properly
 The Board equally should have one dashboard the indicates
whether the systems are effective and that risk management
processes are consistently performed
 They need a separate dashboard that monitors catastrophic
risk and requires the Board’s action
Chart 44
What The Board Should Question
 Process
 Resources
 Is risk mitigation foolproof
 Does the company have sufficient capital maintain its risk
profile
Chart 45
Process
Must be:
 Simple process oriented and preferably automated
 Regularly performed
 Understandable to the operator
 If a risk is not handled immediately system must trigger risk
potential to the next level
 Performed consistently across all parts of the organization
Chart 46
Resources
 Insufficient resources will result in sub-optimal results (you get
what you pay for)
 If the company cannot afford the means to monitor its risk;
can it afford to take the risk?
 Resources must be consistent across all aspects of the
organization and be able to communicate
 Must be available at ALL TIMES
Chart 47
Is Risk Mitigation Foolproof?
 Risk must be ranked according to severity of the event and its
frequency
 It is too expensive to insure every event so a policy must be
designed that takes into account the risk/reward from mitigating
against the event
Certain events cannot be allowed to happen even once and
therefore must be protected against at all costs
Chart 48
Does Company have Sufficient Capital?
 If the company has lost capital it must lower its risk profile
otherwise the management is violating the risk budget that
was agreed with the Board
 If the Board leaves the same level of risk available to
management they must understand that they have moved the
company closer to potential disaster
This is Measurable
Chart 49
Financial Markets
CONSULTING TEAM
 FDHL-MT
A Financial Services
Strategic Transformation
Collaboration
Enterprise Diagnostics
Enterprise
Risk
Management
Regulators
Operators