Leveraging ERM to meet regulatory requirements and create business value


1 Leveraging ERM to meet regulatory requirements and create business value Susan Hwang, National Leader, Enterprise Risk Management Flora Do, Senior Manager, Enterprise Risk Management March 27, 2012

2 With an introduction from Andy Poprawa, CEO of DICO

3 Discussion topics Background Enterprise Risk Management (ERM) key components Closing thoughts 2

4 Background 3

5 DICO By-law #5: Standards of sound business and financial practice requires more robust ERM
Section A: Corporate governance Class 1 & 2 Board Establish responsibilities/accountabilities, business objectives, etc Evaluate the CEO Review results against plan Oversee risk management Obtain assurance on adherence to risk policies Management Implement risk management processes Provide reporting to the Board Overview of changes Board training requirements Board evaluation Audit Committee Standard Details of role Monitoring the effectiveness of risk management practices
Section B: Risk management policies Class 1 & 2 Implement policies surrounding: Capital management Credit risk Operational risk Market risk Structural risk Liquidity risk Overview of changes Monitoring and board reporting requirements
Section C: Enterprise risk management Class 2 only Overview of changes Board Establish risk appetite and tolerances Review risk exposures Audit Committee Oversee the identification of significant and emerging risks Report to the board on risk exposure levels Management Identification, evaluation, monitoring, mitigation and reporting of significant strategic, business and process risk exposures 4

6 Credit unions are working on ERM In 2010, Deloitte surveyed credit unions across Canada on their risk management practices Survey participants: breakdown by asset base Survey results 100% of credit unions said risk management has become more important over the past twelve months 74% of credit unions have formal ERM programs 5

7 Survey showed risk management was growing in importance [Chart: Top reasons for growth in risk management importance to your organization. Categories: New regulatory requirements or expectations; Current economic environment; Increased Board of Director expectations around risk management; Risk management seen as a competitive advantage; Other; Recent lapse in risk management; Greater counterparty risk] 6

8 What is ERM? A business process to continually evaluate and manage risks to business strategies and objectives on an entity-wide basis A common framework to manage all types of risk to achieve maximum risk-adjusted returns 7

9 ERM covers risk at different levels There is a need to consider all levels of risk: those associated with the external environment and those from the internal environment relating to people, processes, technology and objectives. Strategic plan includes comprehensive risk evaluation Risks associated with strategic plans and objectives Readiness to seize opportunities and manage the associated risks Strategic Risks associated with internal environment Operating plans align with strategy and address critical operating and business risk issues Business Risks associated with operating and business specific objectives Key process risk issues are identified and appropriate controls embedded Process Risks associated with processes and outputs to meet business objectives 8

10 There are different levels of ERM sophistication
[Figure: stakeholder value against stages of ERM capability maturity (Initial, Fragmented, Comprehensive, Integrated, Strategic). Chart labels: Current effort; Desired state; Ad hoc/chaotic; Current state; Interim state]
Initial: Enterprise takes minimal risks into consideration for determining the vulnerability to risks; No formal procedures for risk assessment
Fragmented: Risk is defined differently at different levels and in different parts of the organization; Risk is managed in silos; Limited focus on the linkage between risks; Limited alignment of risk to strategies; Disparate monitoring and reporting functions
Comprehensive: Risk universe is identified; Common risk assessment/response approach developed and adopted; Organization-wide risk assessment performed, action plans implemented in response to high priority risks; Communication of top strategic risks to the senior management team
Integrated: Risk management activities coordinated across business areas; Risk analysis tools developed and communicated; Enterprise risk monitoring, measuring, and reporting; Scenario planning; Opportunity risks identified and exploited; On-going risk assessment processes
Strategic: Risk discussion is embedded in strategic planning, capital/resource allocation, product development, vendor selection, etc.; Early warning system to notify the risks above established thresholds to board and management; Linkage to performance measures and incentives; Risk modeling 9

11 ERM key components 10

12 Deloitte's ERM architecture Risk management activities across all levels, from the board and executive management to business units and supporting functions, are integrated into a systematic, enterprise-wide program, embedding a strategic view of risk into all aspects of business management. Stakeholder expectations Risk governance Tone at the top Risk appetite Strategy & performance Risk management enablers/infrastructure Policies Framework & methodology Culture & capabilities Information & reporting Technology Risk management processes Risk identification Risk measurement Risk assessment Risk response Escalation & monitoring Integration with the business 11

13 Establishing risk governance is one of the critical first steps of ERM Formally document roles, responsibilities and accountability:
Board and management
Board of directors: Provide oversight to risk taking and risk management; Set expectations and tone, elevate risk as a priority, and initiate the communication and activities that constitute intelligent risk management
Executive management team: Set direction and resolve significant/enterprise-wide risk issues; Provide recommendation to the board on ERM policy, framework, practices and processes
1. Business/Functional areas: Takes risks. Take, manage and monitor risks
2. ERM function: Supports board and management. Provide policy, standards, coaching, analysis and reporting
3. Assurance (e.g., internal audit): Provides independent assurance. Objectively assessing the ERM framework and risk management activities 12

14 Suggestions for risk governance implementation Clearly define risk management roles, responsibilities and accountability Ensure effectiveness and proper segregation of duties, balancing with the need for efficiency Document in ERM policy documents Communicate, train and reinforce 13

15 Risk appetite provides the context for risk management Risk appetite is the nature and amount of risk an organization is willing to take on in pursuit of value while achieving its strategic intent Why is defining risk appetite important? Sets boundary for business risk taking Helps management understand the scope of its authority in risk taking Determines which risk(s) to focus on and report to the Board Enables Board and management oversight of the organization's risk profile while conforming to the approved risk appetite Helps prioritize mitigation actions for risks outside risk appetite Guides risk decision-making across all major classes of risks Ensures alignment of risk limits and thresholds Facilitates risk financing/insurance decisions 14

16 Risk appetite should be set within an institution's risk taking capacity
Risk capacity, appetite and limits (illustrative example): Risk capacity = 500; Capacity buffer = 50; Risk appetite = 450; Utilized risk appetite = 425; Unutilized risk appetite = 25. Chart labels: Requires management and/or board review; Acceptable risk levels
Risk limits/thresholds: Individual risk limits should be established for risks to operationalize the targeted risk appetite. 15

17 Factors to consider while defining risk appetite Governing objective Represents the value proposition of the organization to its key stakeholders Risk capacity and constraints Represents the organization's ability to bear risk Risk philosophy (attitude on risk taking) Represents the organization's set of shared beliefs and attitudes on risk taking Articulation of risk appetite (qualitative and quantitative) Establishment of risk tolerances (limits and thresholds) Business strategy and objectives Embodies the strategic direction of the organization over the planned time horizon 16

18 Suggestions for risk appetite implementation
Developing an approach: Considering factors to help define risk appetite
Defining risk appetite: Articulate risk appetite statements
Implementing risk appetite: Integration with other activities and cascading risk appetite down to risk tolerances
Monitoring & reporting: Determine whether the risk profile is within the risk appetite
Updating risk appetite: Validate that risk appetite is appropriate and make enhancements
[Diagram labels: Board; Management; Business units (BU); External stakeholders; Risk capacity & constraints; Governing objective; Business strategy & objectives; Risk philosophy; Risk appetite; Governing risk appetite; Strategic planning; Day-to-day operations; Resource allocation; Internal audit planning; Risk management] 17

19 What does building a risk aware culture mean? Are all cultural attributes to support ERM clearly defined, e.g. ownership and accountability, awareness, etc.? Does the environment support and promote the identification and escalation of issues, challenge the status quo and ask what-if questions, where necessary? Does current behaviour support ERM? 18

20 Suggestions for risk culture implementation Conduct education and awareness activities Clarify risk management expectations and requirements Define and enforce risk ownership Review end-to-end processes and cross-departmental reliance Enforce risk management policies Link performance management and risk management 19

21 Suggestions for risk identification and assessment Use a broad suite of techniques to identify and assess risk on an ongoing basis; developing annual heat maps is not sufficient Involve the right stakeholders Think about inherent risks (potential risks that could occur), emerging risks and even Black Swans rather than just real issues and challenges Consider risk relationships Embed in business decision-making processes 20

22 Using stress testing to answer what-if questions Scenarios are not: Forecasts - they do not predict the future Scenarios are: A method for understanding possible future situations An approach for understanding the potential causes and consequences of extreme situations [Figure: a forecast and alternative scenarios plotted over time, t=0 to t=3] 21

23 Stress testing serves many purposes Is an important tool for making risk management and capital management decisions Should be embedded in ERM to help set risk appetite and exposure limits, risk analysis and quantification Facilitates the development of risk mitigation or contingency plans Helps in evaluating strategic choices to support strategy setting and longer term business planning 22

24 Suggestions for stress testing implementation Scenarios should include sufficient breadth and severity to include plausible but not probable events Adopt an open mind while developing and challenging scenarios Follow through with management actions Conduct reverse stress testing to serve as early warning 23

25 Closing thoughts 24

26 ERM brings business value to credit unions Gives rise to shared understanding and enhanced communication re: risks and risk management Brings focus to the most significant risks and opportunities Formalizes risk management practices; visible demonstration of effort Provides early warning signs Strengthens accountability re: risks Improves understanding of risk interrelationships Reinforces objective prioritization of resources and capital Supports strategy setting and business decision making 25

27 Successful ERM implementation depends on several key success factors Get buy in Customize Develop an implementation plan Identify strong leadership/sponsorship Secure the needed resources Integrate with business process Communicate and reinforce culture 26

28 Contact information Susan Hwang National Leader, ERM Deloitte Flora Do Senior Manager, Enterprise Risk Deloitte
