Presentation Template (for External Use)

Enterprise Risk Management
How Does ERM Apply to
your Credit Union?
Presented by
Louise Hanson, Partner, Moss Adams LLP
Shannon Haas, Senior Manager, Moss Adams LLP
1
MOSS ADAMS AT A GLANCE
• Full service public accounting firm with assurance, tax, and consulting services for middle-market public and private companies
• Largest accounting firm headquartered in the West and one of the 15 largest in the United States
• 21 offices in California, Arizona, New Mexico, Oregon, Washington and Kansas
• More than 230 partners and over 1,800 staff
• Founded in 1913 and headquartered in Seattle, Washington
• A founding member of Praxity, a global alliance of accounting firms
• We are the 4th largest firm servicing credit unions in the nation (based on assets)
2
TODAY’S DISCUSSION OBJECTIVES
• What is Enterprise Risk Management? – an Overview
of ERM
• What is Driving ERM?
• ERM & the Regulators
• How ERM Can Benefit My Institution
• How My Institution Can Build an ERM Strategy:
Implementation Overview
o Phase 1 – Planning
o Phase 2 – Implementing the Plan
o Phase 3 – Refining
• Summary
3
WHAT IS ENTERPRISE RISK
MANAGEMENT (“ERM”)?
4
QUESTIONS TO PONDER…
• In today’s credit union environment, what risks or “watch out fors” would you suggest directors, supervisory committees (or even executive management) focus on?
• What would you be looking for in Board Report packages today?
• Do we understand these issues enough to appropriately report on them in each of our credit unions today?
5
AT THE CORE…
• What is the Nature of Banking?
– Risk Management
• What should Credit Unions be doing?
– Intermediate Risks for Members and Borrowers
• What are Directors Expected to do?
– Create & Protect Member funds and opportunities
– Governance Process and Risk Policies
• How are Risks Portrayed in an Institution?
– Via Financial Statements
– Via Processes
6
ENTERPRISE RISK MANAGEMENT
“The decline and ultimate failure of some great
companies has been a historical fact. But such decline is
not inevitable. Rather, it results when corporate leaders
(CEOs and directors alike) don’t anticipate and deal with
the long term threats facing their companies.”
Harvard Business Review (5/08), “Leading from the Boardroom”
7
WHAT IS “ENTERPRISE RISK MANAGEMENT”?
“Enterprise risk management (ERM) is a process, effected
by an entity’s board of directors, management and other
personnel, applied in a strategy setting and across the
enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives.”
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, (Sept. 2004)
8
WHAT IS ERM?
• A structured, consistent, and continuous risk management process that is applied across the entire organization
• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization
• Driven by a decision-support process that is aligned with the management and execution of strategic objectives
• Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture
[Diagram: a cycle around “Business Objectives” with the stages “Identify & Assess”, “Measure, Monitor & Report” and “Planning & Management”]
9
ENTERPRISE RISK MANAGEMENT
“WHAT MIGHT GET IN THE WAY OF MY DUTY TO
DELIVER VALUE AND PROTECT THE MEMBERS?”
Risk
The potential that events, expected or unanticipated, may
have an adverse impact on capital or earnings.
Risk Management
The employment of systems and processes to manage the
critical tradeoff between risk and return in financial decision-making.
Enterprise-Wide Risk Management
The formal mechanism or structure for managing risks across
the entire institution on an integrated basis.
10
ENTERPRISE RISK MANAGEMENT (ERM)
COMPONENTS
Keys to a good ERM program – must include:
• Risk Identification
– What are our key risks?
– What level of risk are we willing to allow/accept
(“risk appetite”)?
• Risk Measurement
– Risk measurement models (ALM, Credit Stress)
– Guidelines and quantification tools (Credit Risk
Classification, Operational and Credit Losses)
11
ENTERPRISE RISK MANAGEMENT (ERM)
COMPONENTS
• Risk Control
– Policies (Required and Best Practice)
– System of risk limitations
– Authorities and oversight systems
• Risk Monitoring
– System of risk reporting – key measurements
o Board driven assessments (internal and external audits, monitoring reports)
o Management Self assessments (management generated reporting against pre-set standards)
12
IN A NUTSHELL…
ERM is a process for managing and
controlling risks across an entire
organization, both within and across
business lines and legal entities.
13
WHAT’S DRIVING ERM?
14
WHAT’S DRIVING ERM – ENVIRONMENTAL
• Growing size and organizational structure
• Increasing diversity of business lines and complexity of products
• Increasing number of regulations
• Increasingly competitive marketplace
ERM can be the key for how to win
15
WHAT’S DRIVING ERM – INSTITUTIONAL
• Fragmented or “silo” risk management efforts
– fail to recognize interrelationships of risk across businesses or products
• Lack of aggregation of common risks and reporting
– fail to keep Board and management informed of organization-wide risks
• Lack of attention to how risks are correlated
– fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures
16
POST DOWNTURN, ERM IS MORE
IMPORTANT THAN EVER
• Bankers, regulators, investors, members and counterparties will not soon
forget the near-collapse in late 2008
• So far, the new era in financial services is a very strong emphasis on
safety and risk management
• Those who can demonstrate superior risk management will have a
competitive advantage
– Greater opportunities in the market due to goodwill from regulators and investors
– More and better members
• Key ERM implementation challenges for most credit unions
– Culture
– Right expertise
– Data and Measurement
– Transparency/Reporting
17
DRIVERS OF ERM – A SUMMARY
• Board of Directors – Demand increased financial disclosure and transparency
• Members as Stakeholders – Demand evidence that management understands and manages risk
• Regulators/Rating Agencies – Seek assurance around compliance and risk assessment processes
• Activists – Demand social awareness, safety & environmental consciousness
• Members as Customers – Make decisions based on differentiating factors
• Peers – Comparison with others drives industry-wide practice
• Competitors – Push innovation, drive leadership
18
ENTERPRISE RISK MANAGEMENT
AND THE REGULATORS
19
REGULATORY EXPECTATIONS FOR ERM
ERM STARTS WITH THE FUNDAMENTALS OF STRONG RISK MANAGEMENT:
• Active Board and Senior Management Oversight
• Adequate Policies, Procedures, and Limits
• Adequate Risk Measurement, Monitoring, and MIS
• Comprehensive Internal Controls
From “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies” (SR95-51 (SUP))
20
NCUA ERM GUIDANCE
NCUA advises an effective system of Enterprise Risk
Management includes consideration of:
• Market Condition
• Field of Membership
• Credit Union Structure
– Size
– Complexity
– Geographic diversity
21
INCREASING EMPHASIS ON ERM
PERSPECTIVE
Basel Committee’s Core Principles for Effective Banking
Supervision (2006)
Principle 7 – Risk management process: “Supervisors must be satisfied that
banks and banking groups have in place a comprehensive risk management
process (including Board and senior management oversight) to identify,
evaluate, monitor, and control or mitigate all material risks and to assess
their overall capital adequacy in relation to their risk profile. These
processes should be commensurate with the size and complexity of the
organization.”
http://www.bis.org/publ/bcbs129.pdf
Principles for Effective Operational Risk Management (2003)
http://www.bis.org/publ/bcbs96.pdf
Principles for Sound Liquidity Risk Management and Supervision
(Sept. 2008) http://www.bis.org/publ/bcbs144.pdf
22
PRINCIPLES OF EFFECTIVE OPERATIONAL
RISK MANAGEMENT (BASEL COMMITTEE ON BANKING
SUPERVISION)
1. Board should approve and periodically review the Operating Risk Framework.
2. Board should ensure that Framework is subject to independent, competent audit staff review.
3. Senior management responsible for implementation.
4. Process to identify and assess operational risk inherent in products, activities, processes and systems.
5. Process to monitor operational risk profiles and material exposure to losses.
23
PRINCIPLES OF EFFECTIVE OPERATIONAL
RISK MANAGEMENT (BASEL COMMITTEE ON BANKING
SUPERVISION)
6. Policies, processes and procedures should exist to control and/or mitigate material operational risks.
7. A contingency and business continuity plan should exist.
8. The regulators should require that all banks, regardless of size, have
an effective framework in place to identify, assess, monitor and
control/mitigate material operational risk as part of an overall
approach to risk management.
9. Regulators should conduct regular, independent evaluation of
bank’s policies, procedures and practices related to operational
risks.
10. Banks should make sufficient public disclosure to allow market
participants to assess their approach to operational risk
management.
24
IT TAKES 3 TO FLY THIS PLANE
[Diagram: three roles laid out along a “Time & Activities” axis]
Audit – Past – Do we do as we say?
Compliance – Present – Are we in compliance?
Risk – Future – What can go wrong?
• Risk Manager – looks through the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance
• Compliance Manager – assists the pilot in maintaining the proper flight path and plane operating procedures by using the manual and FAA regulations
• Auditor – uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path
25
IN SUMMARY
• Boards of Directors/Supervisory Committees are responsible for
ensuring that their credit unions are managed in a safe and sound
manner. (This hasn’t changed)
• In today’s environment (and increasingly in the future), safety and soundness means that risks need to be well-managed given the credit union’s risk environment and business model.
• You need to be able to answer “Yes” to this regulator question: “Do
you have a program that appropriately identifies emerging risks in
a timely manner?”
• Therefore:
Safety/Soundness = Risk Management
Consequently, the foundation for modern Corporate Governance is
Enterprise Risk Management.
26
BENEFITS OF ERM
27
ORGANIZATIONAL GOALS OF ERM
• Protect/Enhance Members’ funds and
opportunities
• Link Strategy and Risk Profile
• Recognize and Manage integrated/cross
organizational risks
• Enhance Risk Based Decisions
• Capital Management/Preservation
• Seize Opportunities
• Disciplined Culture
For a director/committee member, do these
sound familiar?
28
BENEFITS OF ENTERPRISE RISK
MANAGEMENT
• Enhances integrated decision-making to better deal with the risk from growth, mergers, new products, etc.
• Better alignment of risk and strategy.
• Framework for identifying enhanced return opportunities and improved risk mitigation.
• Improved deployment of capital resources – allocating capital to business areas to achieve superior risk-adjusted returns (RAROC).
• Credibility and confidence in governance and risk management – members, regulators, external auditors.
• Anticipate risk – seize opportunities/minimize cost.
• Improved understanding and management of interactions and interrelationships between risks.
• Clear accountability and ownership of risk.
• Regulatory compliance with safety and soundness guidelines; foundation for a strong internal control environment.
29
BENEFITS OF ENTERPRISE RISK
MANAGEMENT (CONTINUED…)
All the previous positively impact:
• Protection of capital.
• Enhancement of earnings.
• Reduction of losses (Fraud, Credit, Operational).
• Greater efficiency in process flows.
• Better defined/more efficient internal audit programs.
• Better understanding of effect of market movements.
30
WHAT WE ARE OBSERVING: INDUSTRY
ERM THEMES SO FAR FOR 2012+
• ERM
– Managing an acquisition (valuation, financial integration, change in risk profile, culture, data
integration, etc.)
– Model validation
– Incentive programs that incorporate risk and are better aligned with organizational performance
• Compliance and regulatory
– Regulatory reform outcomes
– Stress testing
– Compliance: fair lending, BSA, AML
• Credit
– Provision and reserve going forward
– Growing the loan portfolio
– Diversifying away from risk concentrations in the portfolio
• Market Risk
– The investments portfolio – understanding the risks going forward
– Interest rate risk management
31
BUILDING AN ERM STRATEGY:
IMPLEMENTATION OVERVIEW
32
ERM IMPLEMENTATION PHASES
GRADUAL EVOLUTION OF THE PROCESS:
• Detective controls and processes → Compliance and Prevention
• Preventative controls and processes → Operating Performance
• Proactive planning and improvement → Enhanced Member Benefits
33
DEVELOPING ERM CAPABILITIES IS AN EVOLUTION, NOT AN EVENT
EARLY
• Minimal credit grading
• No portfolio analysis
• No operational risk measurement
• ROA as return measure
INTERMEDIATE
• Some risk quantification combined with seasoned judgment
• Operational and market risk in early stages
• Effective regulatory and investor relations
• Some RAROC calculations
ADVANCED
• An integrated risk management perspective
• Granular risk quantification
• Portfolio analytics
• Active portfolio management function
• Full RAROC across credit union
Add Capabilities as Risk/Complexity are Added
34
LET’S DO A QUICK SELF ASSESSMENT
• Go to the separate handout
• Complete the “Risk Oversight Self Assessment” survey
– There are no right or wrong answers
– Try to objectively answer each question for a credit union you
have in mind
35
SELF ASSESSMENT – IMPLICATIONS
Q 1-12 | Q 13-28 | Implications
Yes | No | Lots of focus on strategic planning, lots of risks, but few risk management processes
Yes | Yes | Strategic planning and risk management are reasonably integrated and organization making great ERM progress
No | Yes | Few perceived strategic risks but overspending on ERM processes
No | No | Few perceived risks, but no system to be sure or to identify risks/opportunities
36
LINKING ERM TO STRATEGY
[Chart: Maturity Level (Low to High) plotted against Time, rising through the stages Compliance/Monitoring, Loss Minimization, Risk Measurement, Risk Management, Risk vs. Return Optimization and Strategic Integration; “Risk appetite articulated” is marked at the upper end]
37
ERM – STRENGTHENING FOCUS ON STRATEGIC RISK EXPOSURES
[Diagram: Profitability broken down into Increased Revenues (Increased Loan Yield (Rate & Volume); Non-interest Income Products) and Expense Savings (Reduce Head Count; Other Cost Savings Measures – Vendor Mgmt.), with a “Risk Drivers” and a “Risk Metrics?” box attached to each item]
38
THE MOSS ADAMS PHASES TO ERM
IMPLEMENTATION
• STEP 1 – PLANNING – (a.k.a., “putting your best foot forward, knowing
the process isn’t going to be perfect because it’s a new area of focus, and
every institution is unique”)
• STEP 2 – IMPLEMENTING – (a.k.a., “executing on your plan, making slight
adjustments as needed; saving significant revisions to the process for the
“refining” stage”)
• STEP 3 – REFINING – (a.k.a., “fixing what needs to be fixed and/or what
wasn’t addressed after implementing your plan”)
A simple 3-step process for getting your ERM program off the ground
39
ERM IMPLEMENTATION PHASE 1 – PLANNING
40
BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #1 – PLANNING
A. Gain Board/Committee/Executive level of support – “Tone at the Top” might be the single biggest factor in being successful at implementing; start to build consensus/buy-in
B. Revisit/review your strategic plan – the ERM vision should be aligned with your organization’s size/complexity
C. Start thinking about how you are going to identify (and categorize) risk
TIPS:
• Define plan owners, roles and responsibilities for execution, timelines, resource alignment
• Prioritize key tasks – look for up-front, early wins
• Utilize existing management structures
• Think about existing organizational design/structure
• Other: degree of alignment with finance, specific control tools, etc.?
• Start to build consensus among key internal and external parties (including regulators*)
• Preliminary risk assessment – work on the “completeness” of the risks inventory
• Look for risk concentrations
• Understand management’s current risk activities – functions, controls, what is tracked, who does it, etc.?
41
TONE AT THE TOP & CULTURE
• It’s that CULTURE thing!!
• Mutual Expectations, Respect, Reliance
• Model the Standard
Legally: Duty of Loyalty and Care
Business Judgment
Disclosure / Transparency
• Open Communications, Debate
• Brainstorm risks at various management levels - what
risk is coming around the corner?
• Welcome the Messenger
• Welcome Dumb Questions
• Draft Policies
42
ERM POLICY
• Policy Statement
• Purpose/objectives
o Integrated mgmt of risk
o Governance of risk oversight
o Independent review and monitoring
o Best practice risk control
• Responsibilities
o Board of Directors
o Supervisory Committee
o Board Risk Committee
o Management Risk Committee
o CEO
o CRO
o Internal Auditor
o Department Heads
• Risk Categories
• ERM Process
• Policy Guidelines/Limits
• Risk Metrics and tools
– Risk Assessments
– Measures
• Controls & Monitoring
• Risk Response
• Communication & Reporting
• Policy Exceptions
43
ERM CHARTER
• Purpose/Objectives – Board/Committee delegation to:
Identify and Manage risks
Adhere to policies
• Committee Members and Chair
Chief Risk Officer direct report
• Meetings
Full Board reporting
• Duties and responsibilities
Supervisory Committee interaction
Oversight of Management Risk Committees
• Performance Evaluation
• Committee Resources
44
ERM IS A SHARED RESPONSIBILITY: TYPICAL ROLES/NEEDS
Board of Directors: Governance; Reputational Risk; Board Training
CRO (Larger), CEO/COO and CFO – between them: ERM Roadmap; Policies/Limits/Appetite; Risk Quantification; Dashboards; Business Risk; Execution Risk; Strategy/Mergers; Internal Controls; Economic Capital; Performance Measurement
Functional Risk Managers/Delegated Responsibilities: Credit Risk; Market Risk; Interest Rate Risk; Operational Risk; Compliance Risk; Technology Risk; Etc.
45
A VISION FOR ERM IS FUNDAMENTALLY
LINKED TO STRATEGIC GOALS FOR YOUR
ORGANIZATION
• What are your core competencies? What is your market? What does your credit
union want to be? Who are your members?
• What are your return goals?
• (Risk vs. Reward = Credit & IRR; Capital Adequacy; Regulatory; Fraud;
Other?)
• Identify Risks to your credit union – What risks do you take on to generate these returns? Focus on “key” risks.
– Credit risks in lending?
– Credit risks in your investments portfolio?
– Market risks through interest rates?
– Market risks through your investments portfolio?
– Operational risks through providing processing/cash management services?
– Compliance risks in highly regulated markets?
– Other?
• How much of each risk type will you take on? Is your level of risk appropriate
given your return goals (risk appetite)? Do you have sufficient capital and
liquidity to support these risks?
46
ERM RISK COMPONENTS
• Credit Risk and Market Risk are typically called ‘financial risks’ – return and risk are
usually directly correlated here
• Greater risk will lead to higher returns in the long run, but will also result in
significantly greater earnings volatility and require much more capital. A risk appetite
is needed to decide how much risk and what types of risk are appropriate
• Operational Risks can also be financial risks, but the risk/return relationship can be
very different
– Some operational risks such as regulatory and compliance concerns are not related
to returns, only protection against future loss or are a cost of doing business
– Fee-based businesses such as payment processing are operational-risk driven
businesses with a direct relation to returns
• Regardless of the risk type, ERM practices can enable management and the board to:
– Develop a consolidated view of their risk profile across all risk types and understand
hot spots
– Measure risk exposure using quantitative and qualitative methods
– Set a risk appetite and manage to it
– Better understand where returns are generated
47
REGULATORY RISK CATEGORIES (RISKS EXAMPLE 1)
NCUA Risk Categories | Fed Risk Categories | FHLB Risk Categories
Credit Risk | Credit Risk | Credit Risk
Interest Rate Risk | Market Risk | Market Risk
Liquidity Risk | Liquidity Risk | Operational Risk
Transaction Risk | Operational Risk | Business Risk
Compliance Risk | Legal Risk | Liquidity Risk
Strategic Risk | Reputational Risk |
Reputation Risk | |
48
REGULATORY CAPITAL RULES HAVE CREATED A FRAMEWORK FOR CLASSIFICATION OF RISK TYPES (RISKS EXAMPLE 2)
Risk Type | Definition
Credit Risk | Loss due to a borrower’s inability to meet its financial obligations; loss due to change in borrower’s credit quality
Market Risk | Loss due to change in market value of traded positions; loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)
Operational Risk | Loss resulting from inadequate or failed internal processes, people and systems, or from external events. The definition includes legal risk. The definition does not include strategic or reputational risks.
49
MANY INSTITUTIONS HAVE ADOPTED THESE DEFINITIONS FOR A FUNCTIONAL ERM STRUCTURE (RISKS EXAMPLE 2.1)
Enterprise Risk Management Functional Structure (Not Organizational Structure)
Credit Risk: Commercial; Retail; Counterparty
Market Risk: Change in Fair Value; Interest Rate Risk; Currency Risk; Liquidity Risk
Operational Risk: Compliance Risk; Int. and Ext. Fraud; Business Process Failure; HR; Litigation; Data Security; Technology/Systems; Natural Disaster; Etc.
Other Risk Category Possibilities: Business, Strategic, Concentrations, Reputation, etc.
50
ERM IMPLEMENTATION PHASE 2 – IMPLEMENTING THE PLAN
51
BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #2 – IMPLEMENTING
A. Identify and prioritize the RISKS
– Keep it to the “TOP 5” for in-depth Board reporting
– Additional risks can be identified and listed, but don’t take away the focus from the Top 5
B. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting
C. Identify gaps in the process and start to analyze (but don’t let them slow you down!)
TIPS:
• Identify strengths and weaknesses in existing risk management function
• Re-align existing capabilities with where you need to get to
• Scope: risk controls, information technology, culture, expertise, policies, risk quantification, reporting/transparency
52
ERM IMPLEMENTATION – THINK ABOUT “RISK AWARENESS”
Difficult process – 3 levels of risk awareness
• Known – You lend money to various parties and someone isn’t going to pay (credit risk)
• Unknown, but knowable – e.g., flood or other natural disaster that isn’t unusual for the area.
• Unknown, unknowable – would not ever know in advance, but is there a plan I can have if “something” takes me out of what I do?
This helps you to think beyond the everyday risks.
53
FOCUS ON KEY ENTERPRISE RISKS
• Risk issues that are most significant and deserve
attention of executive management and the Board.
• Issues identified through the risk assessment process
within each functional risk area.
• Escalated to upper levels with mitigation and action
plans presented.
54
ERM IMPLEMENTATION – RISK ASSESSMENT
Ask each Board member:
“With our credit union’s business model in mind, what are the Top 5 emerging risks:”
1. _________________________________________
2. _________________________________________
3. _________________________________________
4. _________________________________________
5. _________________________________________
Ask Management the same question. Will the results be similar?
How often do the Board and Senior Management engage in explicit discussions about risk?
Reminder: Addressing risk in an advanced ERM process becomes strategic instead of defensive
55
RISK ASSESSMENT (CONTINUED)…
• For identified risk events:
– What is the time frame to consider?
– How likely is the event to occur?
– What would be the impact?
• On financial goals (cash flow, capital, reported
earnings)
• On operational goals
• On reputation/brand
– Inherent vs. residual risks?
56
ONE COMPLICATION: INHERENT VS.
RESIDUAL RISK
• What risks are we assessing?
– Ignore response to start: tendency to over value controls
“100% under control” – red flag; nothing is foolproof.
– Inherent risk: Risk to an entity in the absence of any actions
management might take to alter either the risk’s likelihood or
impact
– Residual Risk: Risk that remains after management responds
to the risk identified
Back to some risk assessment examples….
57
RISK CATEGORIES WITHIN ERM (RISKS EXAMPLE #3)
Strategic: Product Offering; Merger & Acquisition; Competition; Revenue Growth; Profitability
Capital (Credit, Interest Rate, Liquidity):
– Credit: Payment Default; Loan Concentration; Loan Quality; Collateral Valuation
– Interest Rate: Interest Rates; Yield Curve; Investment Volatility; Foreign Exchange
– Liquidity: Funding Sources; On/off Balance Sheet; Contingency
Reputation: Image & Branding; Employee Relations; Customer Relations; Regulatory Relations; Public Relations; Shareholder Relations
Operational: ID Theft & Fraud; Security & Privacy; Business Continuity; Physical Security; Vendors; Process Errors; Financial Reporting
Compliance: Consumer; Member Business; Fiduciary; Money Laundering
Legal: Employment Law; Contracts; Intellectual Property; Litigation
58
ABC INSTITUTION
SIMPLE ENTERPRISE RISK ASSESSMENT
EXAMPLE (RISKS EXAMPLE #4).
[Table: a risk assessment worksheet. For each area the slide lists four impact ratings and their average, the likelihood (vulnerability/control) ratings and their average, an inherent risk score and rating, a residual risk score and rating, whether the area was tested (“Yes (I/A)”, “Yes (Ext.)” or “-”), and the prior year score and rating. The column headings were rotated on the slide and did not extract; the figures below are the ones that can be read reliably. Scores are on a 25-point scale (impact × likelihood); the tested and prior year columns are omitted because they cannot be matched to rows.]

Area | Impact avg | Likelihood avg | Inherent risk | Residual risk
Loans | 4.25 | 3.00 | 21.25 H | 12.75 M
ALLL | 4.00 | 3.25 | 20.00 H | 13.00 M
Investments | 3.25 | 3.25 | 13.00 M | 10.56 M
Deposits | 4.25 | 1.75 | 8.50 L | 7.44 L
Internet Banking | 4.00 | 2.75 | 16.00 H | 11.00 M
Debit Cards | 3.50 | 3.25 | 14.00 H | 11.38 M
ACH | 3.00 | 2.50 | 6.00 L | 7.50 L
Wire Transfers | 3.25 | 2.50 | 9.75 M | 8.13 L
Debit Cards (second entry on the slide) | 3.50 | 2.00 | 10.50 M | 7.00 L
Item Proc., Br Cap (IP) | 2.50 | 2.25 | 5.00 L | 5.63 L
General Ledger | 3.75 | 2.75 | 15.00 H | 10.31 M
ALM/IRR | 3.75 | 3.50 | 15.00 H | 13.13 M
AVP, Punch & Disb (AP) | 3.50 | 2.75 | 10.50 M | 9.63 M
EDP | 3.75 | 2.25 | 11.25 M | 8.44 L
BSA | 4.25 | 2.75 | 17.00 H | 11.69 M
Compliance | 3.75 | 2.00 | 11.25 M | 7.50 L
Collections | 2.75 | 2.75 | 8.25 L | 7.56 L

Rating scales used on the worksheet:
Likelihood (Vulnerability/Control): 1 Remote / Excellent; 2 Unlikely / Good; 3 Possible / Fair; 4 Probable / Needs Improvement; 5 Certain / Does Not Exist
Impact: 1 Negligible; 2 Low; 3 Moderate; 4 High; 5 Extreme
Risk rating bands: Low 1–8.99; Moderate 9–13.99; High 14–25.00
59
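As an added illustration (not code from the slides or from Moss Adams), the worksheet’s arithmetic in Python. The scoring rules are inferred from the figures on the slide rather than stated on it, so they are assumptions: the impact average is the mean of the four impact ratings; the residual score is that average times the mean of the control-adjusted likelihood ratings; and the inherent score is the same impact average times a single likelihood rating with no control credited (the slide’s “ignore response to start” view of inherent risk). The rating bands and the 1-to-5 scales are the slide’s own; the sample areas are constructed so that Loans, ALM/IRR and Collections reproduce the slide’s figures. Rounding is half-up to two places, as on the slide.

```python
"""Risk scoring worksheet in the style of the ABC Institution example.

Added example; not Moss Adams' code. Assumptions inferred from the slide:
  impact average = mean of the impact ratings
  inherent score = impact average x likelihood rating with no control credited
  residual score = impact average x mean of the control-adjusted likelihood ratings
Scores run 1-25 and are rated Low / Moderate / High with the slide's bands.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Rating scales from the slide legend (1 = lowest, 5 = highest).
LIKELIHOOD_SCALE = {
    1: "Remote / Excellent", 2: "Unlikely / Good", 3: "Possible / Fair",
    4: "Probable / Needs Improvement", 5: "Certain / Does Not Exist",
}
IMPACT_SCALE = {1: "Negligible", 2: "Low", 3: "Moderate", 4: "High", 5: "Extreme"}

# Risk rating bands from the slide legend (inclusive, 25-point scale).
RISK_BANDS = (
    (Decimal("1"), Decimal("8.99"), "Low"),
    (Decimal("9"), Decimal("13.99"), "Moderate"),
    (Decimal("14"), Decimal("25"), "High"),
)


@dataclass(frozen=True)
class RiskArea:
    name: str
    impact: tuple               # impact ratings, each 1-5 (the slide uses four)
    inherent_likelihood: int    # likelihood rating with no control credited (assumption)
    residual_likelihood: tuple  # likelihood ratings after considering controls


def _check(rating):
    # Reject anything outside the 1-5 scale instead of silently scoring it.
    if rating not in range(1, 6):
        raise ValueError(f"rating {rating!r} is outside the 1-5 scale")
    return rating


def _mean(ratings):
    # Decimal keeps quarters exact and rounds half-up like a spreadsheet.
    return Decimal(sum(_check(r) for r in ratings)) / Decimal(len(ratings))


def _two_places(value):
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def impact_average(area):
    return _two_places(_mean(area.impact))


def inherent_score(area):
    return _two_places(_mean(area.impact) * _check(area.inherent_likelihood))


def residual_score(area):
    return _two_places(_mean(area.impact) * _mean(area.residual_likelihood))


def risk_rating(score):
    score = _two_places(Decimal(score))
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 scale")


def assess(area):
    inherent, residual = inherent_score(area), residual_score(area)
    return {
        "area": area.name,
        "impact_avg": impact_average(area),
        "inherent": inherent, "inherent_rating": risk_rating(inherent),
        "residual": residual, "residual_rating": risk_rating(residual),
    }


def top_risks(areas, n=5):
    """Names of the n areas with the highest residual score (the 'Top 5' for Board reporting)."""
    ranked = sorted(areas, key=residual_score, reverse=True)
    return [a.name for a in ranked[:n]]


# Constructed sample input; the ratings reproduce three rows of the slide.
SAMPLE_AREAS = [
    RiskArea("Loans", (5, 5, 4, 3), 5, (5, 2, 2, 3)),
    RiskArea("ALM/IRR", (4, 4, 4, 3), 4, (4, 3, 3, 4)),
    RiskArea("Collections", (4, 2, 3, 2), 3, (3, 2, 3, 3)),
]

if __name__ == "__main__":
    for row in map(assess, SAMPLE_AREAS):
        print(f"{row['area']:<12} impact {row['impact_avg']:>5}  "
              f"inherent {row['inherent']:>6} {row['inherent_rating']:<8} "
              f"residual {row['residual']:>6} {row['residual_rating']}")
    print("Top risks for Board reporting:", top_risks(SAMPLE_AREAS, n=2))
```

Sorting by residual rather than inherent score is deliberate: the residual figure is what remains after the controls the institution actually has, so it is the one that decides which areas reach the Board’s “Top 5”, while the inherent figure shows how much of the exposure rests on those controls holding.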
RISK MANAGEMENT CONTINUUM
Reactive
• Lack of Board or senior management emphasis on risk
• No common risk lingo
• Stove-pipe risk management
• Ad hoc approach
• Missing coverage of risk areas
Aware
• Some board and senior management support
• Risk leader identified
• Periodic risk profiling
• Recognized need for ERM
Strategic (Goal)
• Proactive board and senior management involvement
• Risk managed and assessed across entire organization
• Common language and approach used and understood
• Key risks defined in common vocabulary
• Real-time analysis of risk portfolio (real-time KRIs)
Most companies straddle the stages
60
RISK ASSESSMENT CYCLE
[Diagram: a loop of the following stages]
• Identify risk & controls
• Assess exposures and control effectiveness
• Test Controls (record testing scope, conclusion and recommendation(s); track project & task priority, status, due dates, hours)
• Determine corrective action(s)
• Management Certification
• Board of Directors Risk Assessment
• Report; reassess risks & ratings (shows a snapshot of the pulse of enterprise risk management at a glance)
61
GOVERNANCE AND MANAGEMENT STRUCTURE – RISK VIEW
[Diagram: a matrix mapping each risk category to a board-level committee, a risk management policy, a senior management committee and a responsible officer. The labels that appear on it:]
Risk Categories: Credit Risk; Interest Rate Risk; Liquidity Risk; Operational Risk; Information Technology Risk; Compliance Risk; Legal Risk; Human Capital Risk; Strategic Risk; Reputation Risk; ERM
Board of Directors committees: Board Credit Committee; Finance Committee; Supervisory Committee*; Strategic Planning Committee
Risk Management Policies: Credit Policy; Funds Management Policy; Operational Risk Policy; IT Policies; Compliance Program; Legal Policy; Human Capital Risk Policy; Strategic Risk Policy; Reputation Risk Policy; ERM Policy; Internal Audit Charter
Senior Management Committees: Executive Loan Committee; ALCO; Security & Cont. Plan & Mgt. Committees; Technology Steering Committee; BSA/Compliance Committee; Ethics Committee; HR/Compensation Committee; Management Committee; Enterprise Risk Management Committee
Senior Management Officers: Chief Credit Officer; Chief Financial Officer; Senior Operations Officer; Chief Information Officer; Director of Regulatory Risk Mgt.; Legal Director; SVP, Human Resources; Chief Risk Officer
*Supervisory Committee is the sole committee composed of strictly outside individuals
62
ASSESSED RISK REPORTING: RISK
MAPPING
• Heat Maps are a valuable tool for
communicating/reporting risks
• Chart both likelihood/probability and severity/impact
63
HEAT MAP PORTRAYAL OF INHERENT RISKS
[Heat map: Impact (Severity) on one axis against Likelihood (Probability of Occurrence) on the other. The grid is shaded into three mitigation zones – Sufficient/Acceptable, Marginal Mitigation and Not Mitigated – and risk events numbered 1 to 10 are plotted as points. A legend lists Risk Event 1 to 5 with blank lines for their names.]
64
ERM IMPLEMENTATION PHASE 3 – REFINING
65
BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #3 – REFINING
A. Plan for Remediation of Gaps/Execution
• What are you doing to address the immediate risks? (What’s the risk response – Tolerate, Terminate, Transfer, or Treat?)
• What controls will be in place going forward to monitor the risks?
• Develop recommendations to remediate gaps
• What Key Risk Indicators (KRIs) have you identified (or intend to identify) going forward?
• Cement consensus, buy-in among key parties
• Further define plan owners, roles and responsibilities for execution, timelines, resource alignment
• Memorialize project plan
B. Enhance Definition of “Risk Appetite” for credit union
• Quantifying risk
C. Enhance Reporting
• What will reporting to executive management and the Board look like going forward?
• Ongoing monitoring of implementation progress with board-level accountability
• Benchmark vs. industry leaders in this area as well as peers
66
SELF EVALUATION APPROACH FOR
IDENTIFYING GAPS TO REMEDIATE
• Organize subject-matter experts in each of the credit
union’s risk categories and at the ERM level.
– Facilitate a discussion of the credit union’s risk
categories.
• Comprehensive evaluation of credit union’s risk
management processes.
• Prepare detailed report with findings, observations and
recommendations in respective risk categories.
• Major conclusions and recommendations to create final
report.
• Recommendations/Action Plan/Implementation
– Management Risk Comm.
– Board Risk Comm.
67
ELEMENTS OF RISK APPETITE
Existing Risk Profile – The existing level and distribution of risks across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc.)
Risk Capacity – The maximum risk a firm may bear and remain solvent
Risk Tolerance – Acceptable levels of variation an entity is willing to accept around specific objectives
Desired Level of Risk – What is the desired risk/return level
Together these feed the Determination of Risk Appetite (the amount of risk an entity is willing to accept in the pursuit of value)
68
WAYS TO DEFINE RISK APPETITE
Quantitative
• Clearly defined measure
• Can be cascaded to business units
• For example, loss of capital or degree of volatility in earnings
Qualitative
• Not all risks can be accurately/credibly measured
• For example, risk of damage to reputation
Zero Tolerance
• A subset which can be very clearly defined
• For example, loss of life or violation of laws
69
CREATE AN IDEAL ROSTER OF RISK
REPORTS
EXAMPLES:
• A high-level summary of the top risks for the enterprise as a
whole; broken down by operating unit, geographic locations,
product group, etc., along with significant gaps in risk
management capabilities
• Report of emerging issues or risks that warrant immediate
attention
• Summary of risk events, e.g., significant exceptions versus
policies or established limits
• Summary of significant changes in key variables beyond
management’s control (e.g. interest rates, exchange rates,
etc.) and the effect on earnings, cash flows, capital, and the
business plan.
• Summary of the status of improvement initiatives
70
SOME EXAMPLES OF EXTERNAL KEY RISK INDICATORS
Industry and Competitor Trends
• Number of competitors
• New product or service announcements
• Pricing trends
• Risk events realized by competitors
• Shifts in customer tastes/trends
Economic Trends
• Unemployment forecasts
• Consumer spending trends
• Trade and foreign policy
Supply Chain Issues
• Financial health of suppliers
• Risk events at suppliers
• Pricing trends
Regulatory Changes
• Anticipated changes in tax policy
• New regulations/restrictions
• Changes in key political offices
Liquidity/Capital Markets
• Interest rate trends/forecasts
• Credit spreads in debt and credit markets
• Stock market trends and forecasts
71
SOME EXAMPLES OF INTERNAL KEY RISK INDICATORS
Business Operations
• Transactions, output
• Sales volume, failed deals
• Operational performance issues
• Supply chain/logistics
• Disasters, outages, disruption
Information Technology
• Help desk metrics
• Security metrics
• Project metrics
• IT incidents/investigations, complaints
• IT audit issues
Compliance
• State of controls
• Regulatory inquiries/investigations
• Litigation cases
• Discovery requests
Human Resources
• Turnover
• Headcount
• Corporate training: policies, procedures, ethics
• Vacancies
• Sick days
• Disciplinary actions
Accounting/Finance
• Adjustments
• Unsubstantiated balances
• Missed deadlines
• Write-offs
Audit
• High-risk issues/material weaknesses
• Past-due audit issues
72
KEY RISK INDICATORS: GUIDANCE FOR DEVELOPING YOUR ERM DASHBOARD (THE METRIC/DATA IS…)
• Based on established practices or benchmarks
• Developed consistently across the organization
• Provides an unambiguous and intuitive view of the highlighted risk
• Allows for measurable comparisons across time and business units
• Provides opportunities to assess the performance of risk owners on a timely basis
• Consumes resources efficiently (not overly burdensome to get the information)
Example dashboard KRIs:
• Loan delinquencies
• Portfolio stress tests
• Interest rate thresholds
• Profitability goals
• Regulatory concerns
• Information security incidents
• IT changes
• New products
• Failed customer interactions
• Business continuity tests
• Operational losses
• Process errors
• Policy exceptions
• Audit issues
• Staff turnover
73
RISK REPORT EXAMPLE (KRI REPORT)
[Dashboard table. Legend ("Target Key"): Better Than Expected / Expected / Worse Than Expected. Each section has columns 1st qtr, 2nd qtr, 3rd qtr, 4th qtr, YTD, with cells colored by the legend; unavailable cells are marked N/A.]
Human Resources: Average Daily Census; Assets per FTE; etc.
Financial: Net Interest Margin; ROA; ROE; Efficiency Ratio; Tangible Book Value; etc.
Credit Quality: Past due over 30 days; Past due over 60 days; Past due over 90 days; Over 90 days and accruing; ALLL/Loans; Net charge-off %, annualized; TDR's/Loans; etc.
74
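The dashboard above colors each KRI against a target and a key (trigger) level. The following evaluator is an added example, not part of the Moss Adams deck; it assumes the legend convention that a reading at or better than its target is "Better Than Expected", between target and key is "Expected", and beyond the key is "Worse Than Expected", and that the YTD cell for a ratio is the simple average of the quarters. The KRI names, thresholds and quarterly readings are constructed sample data.

```python
"""KRI dashboard evaluator (added example; thresholds and readings are constructed)."""
from dataclasses import dataclass

BETTER, EXPECTED, WORSE = "Better Than Expected", "Expected", "Worse Than Expected"


@dataclass(frozen=True)
class KRI:
    name: str
    category: str
    target: float          # level management aims for
    key: float             # trigger level beyond which the Board should hear about it
    lower_is_better: bool  # delinquency or incident counts: True; net interest margin: False


def kri_status(kri: KRI, value: float) -> str:
    """Map one observed reading onto the report's three colour bands (assumed convention)."""
    # Normalise so that "bigger is worse" regardless of the metric's direction.
    sign = 1 if kri.lower_is_better else -1
    v, target, key = sign * value, sign * kri.target, sign * kri.key
    if v <= target:
        return BETTER
    if v <= key:
        return EXPECTED
    return WORSE


def build_report(kris, readings):
    """readings: {kri name: [q1, q2, ...]} -> {category: {name: [status per quarter, YTD]}}."""
    report = {}
    for kri in kris:
        quarters = readings[kri.name]
        statuses = [kri_status(kri, v) for v in quarters]
        # Assumption: YTD is judged on the quarter average against the same per-quarter thresholds.
        ytd = kri_status(kri, sum(quarters) / len(quarters))
        report.setdefault(kri.category, {})[kri.name] = statuses + [ytd]
    return report


def worse_than_expected(report):
    """Escalation list for the Board packet: (category, KRI) pairs whose YTD band is red."""
    return sorted((cat, name) for cat, rows in report.items()
                  for name, cells in rows.items() if cells[-1] == WORSE)


# Constructed sample dashboard: a few KRIs from the deck's slides with hypothetical thresholds.
SAMPLE_KRIS = [
    KRI("Past due over 30 days (%)", "Credit Quality", 1.5, 2.5, True),
    KRI("Net charge-off %, annualized", "Credit Quality", 0.4, 0.8, True),
    KRI("Net Interest Margin (%)", "Financial", 3.5, 3.0, False),
    KRI("Information Security Incidents", "Information Technology", 2, 5, True),
]
SAMPLE_READINGS = {
    "Past due over 30 days (%)": [1.2, 1.8, 2.1, 3.1],
    "Net charge-off %, annualized": [0.3, 0.5, 0.9, 1.0],
    "Net Interest Margin (%)": [3.7, 3.4, 3.1, 2.8],
    "Information Security Incidents": [1, 4, 7, 9],
}
```

Running `build_report(SAMPLE_KRIS, SAMPLE_READINGS)` yields the per-quarter bands for each row, and `worse_than_expected(...)` returns the rows whose YTD cell would be red in the Board packet.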
IN SUMMARY…
75
NO ERM AT YOUR CREDIT UNION?
• It’s happening already
…this is the business of banking
• Start simply
…joint Board/Committee and Management
adventure
• Focus on Business and Regulators
…how to use it to improve processes and
performance
…a continuous improvement perspective
76
GREAT DUMB QUESTIONS
• What happens if…?
• Seems like that market is…could that impact us?
• I heard about…do we have risk exposure here?
• Does our policy explain what to do if…?
• Who is responsible for making sure we don’t…?
• Do we have a limit on…?
• What does our strategic plan say about…?
• Do you think senior management knows how the Board feels about that risk?
• Are there any other Board members who didn’t understand that; I’m not clear about…?
• Has anyone around here read the COSO template for risk management?
77
RECOMMENDATIONS FOR ERM
• Develop an ERM Policy
– Define risk categories and roles; measure, monitor, and report
• Develop an ERM Committee Charter
– Define members, roles, scope, and reporting relationship to other committees
• Publish an ERM Board Packet
– Key risk indicators (KRI) dashboard
– ALCO, Credit, Compliance, and Operational Risk summaries
78
RECOMMENDATIONS FOR ERM
• Prepare a glossary for risk, compliance, audit
– Common terminology is part of culture change and education
• Arrange all risk, compliance, audit, regulatory activities on a calendar
– Show the full scope of ERM activities
• Use a standard set of risk categories
– Assess and monitor these exposures and tolerances across business units
79
QUESTIONS?
Louise Hanson
425-303-3037
[email protected]
Shannon Haas
415-677-8314
[email protected]
80