The Role of the Board in Enterprise Risk Management. James Lam, President


Slide 1: The Role of the Board in Enterprise Risk Management
RMA Annual Conference, November 2, 2015
James Lam, President

Slide 2: Professional Biography

Professional Experience:
- President, James Lam & Associates
- Director and Chair of the Risk Oversight Committee, E*TRADE
- Senior Advisor, Workiva
- Former Chief Risk Officer of Fidelity Investments and GE Capital Market Services

Industry Recognition:
- Inaugural Risk Manager of the Year, GARP, 1997
- Author, Enterprise Risk Management, Wiley, 2003
- Named to the 100 Most Influential People in Finance in 2005, 2006, and 2008 by Treasury and Risk Magazine
- Named one of the world's top risk consultants, Euromoney, 2007

Academic Experience:
- BBA, Summa Cum Laude, Baruch College (1983)
- MBA, UCLA Anderson School of Business (1989)
- Senior Research Fellow, Peking University (2004)
- Previously served as Adjunct Professor at Babson College and Hult International Business School

Slide 3: OCC Heightened Standards

Five key standards for the risk governance structure:
1. Preserve the sanctity of the charter
2. Develop a personnel management program
3. Define and communicate an acceptable risk appetite
4. Establish a reliable oversight program for risk and internal audit
5. Provide credible challenge to bank management

Covered banks are defined as insured banks with average total assets of at least $50 billion.

The guidelines include key clarifications on the role of the board:
- Expected to provide oversight of talent management
- Not expected to ensure the results of the risk governance framework
- May rely on the risk assessments and reports from risk management and internal audit, and engage third-party experts

Slide 4: ERM Framework and Processes

[Diagram: Enterprise Risk Management at the center, surrounded by its four components: Governance Structure and Policies; Risk Assessment and Quantification; Risk Management; Dashboard Reporting and Monitoring. Each component is labelled with the question it answers: Who?, What?, How? (ex-ante), How? (ex-post).]

Slide 5: Value Proposition of Effective ERM and Corporate Governance

- Standard & Poor's (2010). North American and Bermudan insurers with excellent ERM had better stock performance in 2008 (-30% vs. -60%) and 2009 (+10% vs. -10%) when compared to those with weak ERM
- Hoyt and Liebenberg (2009). ERM use among public US insurers was associated with an equity price premium of 16.5%
- Cheng and Wu (2005). Top-decile companies in the ISS Corporate Governance Quotient ratings produced higher ROAs, higher ROEs, and higher P/E ratios
- Brown and Caylor (2004). Firms with effective governance produce higher ROE, higher profit margin, and greater dividend payout
- Gompers, Ishii, and Metrick (2003). An investment strategy of buying firms with strong shareholder rights and shorting firms with weak shareholder rights produced an excess return of 8.5%
- Cremers and Nair (2003). Firms with strong governance mechanisms produced excess annualized returns of 8%
- McKinsey and Company (2002). Institutional investors in North America were willing to pay a premium of 12-14% for effective corporate governance

Slide 6: Roles and responsibilities for risk management and oversight

1st Line of Defense: Business Units (and Operating Functions)
- Assume risk to generate profits and growth
- Execute customer management, product pricing, and P&L plans
- Ultimately accountable for business/risk management

2nd Line of Defense: ERM Function (and Corporate Management)
- Establish and implement risk and compliance programs
- Execute risk policies and standards, risk appetite and tolerances, and reporting processes
- Accountable for ongoing risk monitoring and oversight

3rd Line of Defense: Board of Directors (and Audit)
- Establish board risk governance and oversight processes
- Approve risk policies; link strategy, risk, and compensation
- Accountable for periodic review and assurance of controls

Slide 7: Key ERM priorities as new E*TRADE Risk Oversight Committee Chairman

1. Establish a strong ERM agenda for the Risk Oversight Committee (ROC)
   - Annual calendar to cover key risks and regulatory requirements
   - A structure for all ROC meetings that includes (a) CRO report, (b) deep dives, (c) regulatory compliance monitoring, and (d) risk policy approvals
   - Risk oversight beyond financial and regulatory risks to focus on strategic and operational risks
2. Strengthen independent risk oversight by formalizing the reporting relationships between the ROC and the Chief Risk Officer and Chief Compliance Officer
3. Enhance the process to review and approve risk policies, with a focus on the Risk Appetite Statement
4. Improve the quality and effectiveness of risk reports that go to the ROC
5. Establish an ERM performance feedback loop by linking ex-ante earnings-at-risk analysis (from the CRO) and ex-post earnings attribution analysis (from the CFO)

Slide 8: Establishing a feedback loop on ERM

Earnings-at-Risk Analysis (ex-ante, from the CRO):
- Expected EPS: $3.00
- Worst Case EPS: ($1.00)
- Risk-factor chart (several values did not survive the transcription): Expected EPS = $; Business Plan: $; Interest Rates: $; Credit Portfolio: $; Key Initiatives: $; Expense Control: $0.20; $4.00

Earnings Attribution Analysis (ex-post, from the CFO):
- Actual EPS: $1.00
- Difference: $2.00
- Attribution of the difference: Business Plan: $1.00; Interest Rates: $0.50; Key Initiatives: $0.10; Unforeseen Factors: $0.40; total $2.00

Key Questions:
1. Did we identify the key risk factors?
2. Were our EPS sensitivity analyses accurate?
3. Did risk management impact our risk/return positively?

Slide 9: Effectiveness of your Board process and practices

Do you periodically perform a gap analysis of your Board process and practices for overseeing risk, and develop formal action plans when gaps are identified?

A gap analysis could further examine process effectiveness in the following areas and more:
- The board process, including meetings, materials, and minutes
- Board composition, such as diversity, skills, and specific risk expertise
- Board evaluations via a self-assessment process
- Orientation for new Board members and ongoing training
- Board oversight of strategy and assumptions
- Board oversight of risk framework design and implementation
- Board's effectiveness in understanding key risk exposures and setting risk appetites
- Board dialogue around risk tolerances and aggregation
- Board oversight of executive compensation and inclusion of risk objectives
- Board evaluation of financial reporting and key risk and control functions
- Board focus on key risk areas such as technology or fraud

Slide 10: Depiction of ERM & Importance of Culture

- The circular depiction is highly intentional
- Components are meant to be dynamic (reviewed back and forth in any sequence)
- Having the right culture is key

Slide 11: Key takeaways

1. Culture is the most important part of an organization's ERM competency
2. Having the right culture is critical to achieving credible challenge (Board and management)
3. There are many barriers to creating and maintaining the right culture. Some are:
   A. We shy away from conflict because it is uncomfortable (minimize pain/maximize comfort)
   B. We are trained to respect and defer to authority/experts (authority bias)
   C. We do not like to stand out against the group (conformity bias)

Slide 12: Characteristics of the right risk management culture

- The Board sets the right tone and expectations
- The CEO understands, supports, and is an advocate of risk management. In a practical sense, the CEO is the Chief Risk Officer
- Everyone in the company sees risk management as a part of their responsibilities and accountabilities, and raises their hand when warranted
- Information systems and information flow support a shared understanding of risks and provide a sufficient baseline for vigorous debate
- The company has a culture that values candor and transparency, and recognizes why and how bad decisions are made and ways to avoid them
- Incentive systems reinforce the right behaviors, decisions, and actions
- A system of checks and balances is understood and welcomed

Slide 13: Decision making/cognitive biases

Why should you know this subject well? As an organization and as individuals, we must manage risk. Risk management is about answering three very basic business questions:
1. Should we do it? (aligned with strategy, risk appetite, culture, values, and ethics)
2. Can we do it? (people, processes, structure, and technology capabilities)
3. Did we do it? (assessment of expected results, continuous learning, and a robust system of checks and balances)

Slide 14: Decision making/cognitive biases

The Challenge: answering these questions well and reaching a good decision is very, very hard because:
1. Information is flawed
2. Information is not shared
3. Information is simply not available
4. Information is misunderstood, manipulated, ignored, or misused due to cognitive biases

So, if your job is to make sure the best decision is being made, then you need to understand how cognitive biases influence the decision-making process.

Slide 15: Decision making/cognitive biases

What are cognitive biases? A cognitive bias is a pattern of deviation in judgment that occurs in particular situations, leading to perceptual distortion, inaccurate judgment, illogical interpretation, or what is broadly called irrationality.

- Bandwagon Effect: the tendency to do (or believe) things because many other people do (or believe) the same. Related to groupthink, conformity, and herd behavior.
- Confirmation Bias: the tendency to search for or interpret information in a way that confirms one's preconceptions.

Slide 16: Conformity: the power of the herd!

Slide 17: What To Do?

- Awareness alone is not enough
- Be fact-based
- Prove yourself wrong: instead of asking "can we manage this risk?", ask "under what circumstances will we not be able to manage this risk?"
- Reward provocative questioning: make a deal with your team that someone will play the role of challenger and ask how the idea may fail
- Promote a culture that rewards transparency, candor, and constructive dialogue

Slide 18: ERM Resources

Executive Education:
- Executive Leadership and Risk Management Program, Chicago
- RMA/Wharton Advanced Risk Management Program, Philadelphia, May & June
- RMA / Cass Advanced Risk Management Programme, London, March 2016

Benchmarking services:
- RMA/AFS CCAR
- Consumer Loan Studies
- CECL LGD/UGD Study for Community Banks
- RMA/AFS Risk Analysis Service
- Small Business Risk Management Study

Open Enrollment programs:
- ERM Forum, New Orleans, June
- Stress Testing Boot Camp, 2016 TBD
- ERM for Community Banks, Boston, November
- Risk Management Discussion Group, various dates and locations
- Ops Risk / ERM Audio conference series

Round Tables:
- ERM Round Table for banks under $10B, Boston, November
- ERM Round Table for Large Banks, Dallas, October
- Pre-Provision Net Revenue, Charlotte, October 2015

Surveys:
- Accounting
- Data Quality
- CECL

Workbooks:
- Risk Management Workbooks:
  - Risk Appetite Workbook
  - Scenario Analysis and Stress Testing for Community Banks
  - Governance and Policies Workbook
  - Measurement, Evaluation and Communication Workbook (in progress)