Strategic Planning - Casualty Actuarial Society


Operational Risk - Managing and Measuring

The Chief Risk Officer

July 2002


860.543.7337

• To better understand the evolution of risk management and the development of the Chief Risk Officer function
• To share our Point of View on emerging trends in Risk Management and the Risk Intelligent Organization
• A large number of companies in search of similar ideas and solutions
• Share what we are hearing and incorporate our thoughts to validate or enhance direction that the financial services industry is pursuing

CAS definition of ERM

The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders

Deloitte & Touche

Introduction


Why is integration required?

• Risks are often interrelated but are being managed as single impact events.
• Organizational complexity and ineffective communication processes result in an incomplete or incorrect understanding of risks actually faced.
• Varying levels of risk appetites exist across an organization
  – Are managers taking on risk levels consistent with the expectations of executives?
  – How much risk does the organization have the capacity to take on?
• Opportunities to offset unrelated risks within the organization are not taken advantage of.
• Lack of learning from common risk management practices and experiences.


What is Enterprise Risk Management?

A systematic and disciplined way to:

• Identify, assess and prioritize the major risks associated with the organization’s key values and corporate goals
• Gather risk intelligence about current operations and future growth opportunities within and across the extended enterprise
• Install a risk infrastructure that is appropriate to the enterprise and the volatility of its business
• Integrate risk intelligence into decision-making across the organization
• Identify inter-dependencies and correlations across risks and specializations
• Establish early warning and rapid response systems
• Provide assurance that key risks and exposures are understood, appropriately mitigated and cost-effectively controlled

Common Needs

Organizations today are challenged with a set of common needs as well as those unique to their organization.

• All organizations must manage risk whether or not they choose to do so systematically
• Chaotic environment / post Sept 11
• Risk and risk management are “top of mind” for everyone
• Board does not know what to expect from senior management re: risk management
• Need “Risk Intelligence” for better decision-making and governance
• Risk exposures increase as interconnectedness and interdependencies increase
• Organizations need to be able to understand interrelatedness, correlations and domino effects of risks
• Increasing scrutiny from key stakeholders
• A new approach is required because of weaknesses in traditional approaches – need to protect profitability from existing operations (Assets in Place) as well as grow future opportunities

Common Questions

CEO, CFO, Board/Audit, General Counsel, Chief Actuary, Chief Underwriter, Rating Agencies

What unforeseen events might disrupt our strategy?

What risks could materially impact our financial results?

How much capital do I need?

How are we managing business risks? How are we assured they are being managed appropriately?

What are the results? What assurance do we have?

What could we do to further minimize our legal liabilities?

How much risk am I allowed to take?

What is our corporate risk appetite?

How much aggregation risk am I exposed to?

Does the current risk management strategy adequately capture the key risks?

How well does senior management understand risk?

How great is management’s risk awareness?

What is their ability to manage risks as they emerge?


D&T’s Point of View

Why Do It?

• No big mistakes
  – Avoid unrewarded risks
  – Establish a common understanding and language of risk across business units
• No big surprises
  – Establish safeguards against earnings-related surprises
  – Prevent / rapidly respond to potential catastrophic failures
• No big missed opportunities
  – Ensure strategic and tactical risks are both rewarded and appropriately mitigated
  – Maximize chances of success of business plan goal achievement
• Improve ability to anticipate change
  – Early warning signals
  – Everyone is alert to risk causes and effects
  – Forward looking approach to managing risk
• Accelerate ability to respond to change
  – Improved, faster decision-making
  – Better informed choices, clear rationale and less uncertainty
  – More organizational learning – less chance of repeat problems in other areas

Evolution of Risk Management

[Diagram. Labels recoverable from the slide: Economic; Insurance; Security; Business; Strategic; Capital Markets/Treasury Risk; Market Risk, Liquidity Risk; Analytics & Modeling; Strategic Risk Management; Credit Analytics; Property, Casualty, Liability Risk Management; Physical & Information; Operations; Compliance; Multi-line, Multi-risk Insurance Products; Asset Protection; Corporate Compliance; Internal Audit; Operational Risk Management; Enterprise Risk Management; Process; Financial Internal Control; Profit Recovery; Culture; Corporate Ethics; Inter-dependencies; Integration; Offsets; Correlations; Domino Effects.]

Evolving Role and Responsibility of the Chief Risk Officer

“… risk management will begin to act as a kind of central nervous system for the financial institution, with ‘nerves’ relaying information back and forth and warning of potential hazards, as well as ‘brains’ performing high level risk calculations on enterprise-wide data. These functions will work tightly together - and be constantly aware of what is going on in the rest of the institution.”

Risk Professional March 2000


Why a Chief Risk Officer?

Assure continuity and consistency in risk management with a single organizational unit that bears direct responsibility for directing the organization’s entire risk management process.

Provide a solid foundation for developing and implementing a successful risk management strategy, process and culture.

Centralize risk management to ensure that a common risk framework, policies, and measurement methodologies are implemented and sustained:

• Provide senior management and decision-makers a more clear, consistent and complete view of the organization’s risks and its readiness to manage them
• Enable the company to make better cost/benefit decisions in its risk management and mitigation efforts

Increase board and management confidence that its current operations and facilitates proactive thinking about future risks.


The role of the CRO

Developing a common risk management strategy and instilling a consistent level of risk awareness throughout the company.

• Provide the focal point for risk management strategy development, deployment and communication.
• Should have close reporting ties to the CFO, CEO and the board of directors and have direct reporting from the heads of the major risk management disciplines (e.g. Internal Audit, Ethics, Compliance, Legal, Health & Safety, Loss Prevention, etc.).
• Risk committees developed within the organization typically report to the CRO. This includes the IT function, internal audit, market risk, credit risk, insurance, ethics, and strategy.

The role of the CRO

Responsible for:

• maintaining an awareness of risk issues throughout the organization
• developing a risk management strategy and setting risk policy
• measuring risk, reporting exposures, and proactively thinking about operational and other related risk

Should not be responsible for the day to day performance of risk management activities or for directing or managing business operations or administrative areas. Responsibility for actively managing and mitigating risk on a day to day basis remains the responsibility of each business unit manager and staff person.


The role of the CRO

• The primary core functions necessary for success depend on the industry
• Skills vary by corporate objectives and strategies.

Typically, CROs have strong skills and experience in market and credit risk. This is primarily due to the strong influence of CRO positions in the financial and utility industries. There is a growing trend for CROs to possess a strong operational risk perspective.

The CRO typically is a member of risk governance and approval committees and has authority for specific risk management policies, such as strategic and operational risk.

The CRO is the one who is trusted to make decisions about how the organization’s various risks tie to its strategy and initiatives.


Building Blocks for Effective Risk Management & Control

[Diagram. Labels recoverable from the slide: Strategy; Tactics; Operations; Future Growth Value; Assets-in-Place.]

Intangibles Matter More Than Tangibles

Share value has two major components:

• Assets in Place
  – Profitability from current operations = tangible
• Future Growth Opportunities
  – Intangibles – people, relationships, brands, reputation
  – Drive the multiples of valuation
  – Anything associated with the word “NEW”

The market disproportionately rewards Future Growth Opportunities. It under-rewards the growth of Assets in Place and severely punishes any deterioration.

The Risk Intelligent Organization

• Organizations are increasingly seeking risk as a source of competitive advantage to exploit the upside and protect the downside
• Success demands excellent risk management as a core competency
• More and more organizations are demonstrating a desire to become Risk Intelligent
• Risk intelligence is the ability to think and learn about outcomes - it is how an organization gathers information, analyses, applies and then learns from the results
• Risk intelligence requires effective systems, information and timely reporting to enable organizational learning and successful adaptation – a “risk nervous system”

The Risk Intelligent Organization

Characteristics of the Risk Intelligent Organization:

• Risk analysis is built-in to the decision-making process
• There is a systematic process for identifying, assessing and prioritizing business risks
• There is an appropriate risk infrastructure to support sustainable risk management capability

Assessing Risk Intelligence

• Our definition of risk includes strategic, tactical, and operational risks (not just financial and accounting or insurance)
• Our risk identification process adequately addresses current operations as well as future growth opportunities
• We make appropriate use of qualitative and quantitative assessment methods
• We have established our risk tolerance policy applicable to all areas of the company
• We apply a consistent company-wide risk-reward trade-off rule to all of our decisions
• Risk assessment and prioritization are integral parts of the organization’s business planning, budgeting, capital allocation, and audit planning processes.
• The Board, Audit Committee or Executive are asking broader questions about risk and exposure e.g., strategic and tactical not just operational
• Senior management and board members are promptly informed of issues that may have a significant impact on risk management and control.
• We have appropriate oversight of the key risks faced by the company.
• Risks, controls, and exposures are systematically reviewed at intervals that are appropriate to the volatility of our organization’s business conditions.
• Timely and reliable information is available to personnel to manage the risk inherent in current and future growth objectives.
• Our disaster recovery plan enables us to be up and running within 24 hours or less.
• We have clearly defined metrics and early-warning indicators to identify when risk thresholds are about to be exceeded.
• We use appropriate risk-based valuation methodologies to assess current operations and future growth opportunities.
• Credit risk is coordinated and integrated across the entire organization
• Risk / reward calculations are an explicit part of our decision model.
• Risk / reward trade-offs are systematically evaluated from a portfolio perspective
• When a risk occurs, the organization systematically conducts reviews to identify and correct root causes.
• The organization follows up to ensure that mitigation strategies and corrective actions are effective.
• Risk-management and internal-control best practices are shared to accelerate organizational learning.
• Risk management is accepted as an integral part of everyone’s job
• There are effective processes in place for communicating and managing change
• Authority, responsibility and accountability are clear.
• We trust each other and communicate openly about our objectives and risks.
• We understand what is expected of us and the scope of our freedom to act.

The Risk Intelligent Organization

Step 1. Building the Risk-based Decision Model

• Risk Decision Analysis
• Gap analysis between existing & required
• Common process with local application
• Migration Model

Step 2. Assessing Business Risks

• Risk Prioritization Methodology
• Risk Identification / Risk Assessment / Risk Prioritization
• Risk Alignment to Corporate Strategy

Step 3. Assessing Risk Infrastructure

• Governance / Control / Information Technology / Valuation and Risk Measurement / Credit / Accounting and Disclosure
• Gap Analysis between existing and industry leading practices

Generic Risk Framework

Proprietary Information: This presentation contains concepts, ideas and materials which are proprietary and may not be used, copied, provided to others or referred to without the express written permission of Deloitte and Touche. This presentation is incomplete without the accompanying discussion.


D&T’s Generic Risk Framework

Example Risk Categories:

• General Business Conditions
• Business Strategy & Organization
• Customer Value
• Financial
• Stakeholder Relations
• Information Technology
• Human Resources
• Public Safety & Environmental
• Operations
• Asset Management
• Regulatory & Legal
• Political
• Supplier Relations
• Distribution & Dealer Relations
• Accounting & Disclosure
• Credit
• Joint Ventures / Alliances
• Insurance
• Safety & Security
• Business Continuity
• E-business
• Competitors
• Ethics
• Compliance