The Role of the Chief Risk Office and the Board s Role in Risk Oversight

Transcription

1 The Canadian Society of Corporate Secretaries 16th Annual Corporate Governance Conference Banff Springs Hotel Banff, AB August 24 27, 2014 The Role of the Chief Risk Office and the Board s Role in Risk Oversight John Fraser Senior Vice President, Internal Audit & former Chief Risk Officer Hydro One Network Inc. August 25, 2014

2 Objectives of this Session Provide some background on Enterprise Risk Management, how it evolved and why it is now a hot topic for board rooms Introduce the core fundamentals of Enterprise Risk Management, what it is, some of the tools and how to explain it to executive management and the board Explain the Chief Risk Officer s role and how it interacts with the board or a board sub-committee Address the board s role in risk oversight increased expectations and what to do

3 How Well is Risk Understood (2006)? In 2006, 60% of directors felt they had an understanding of their company s risks, while executives say that only 18% of directors understand their company s risks. Source: KPMG in Raising the Bar (April 2008) quoting the February 2006 McKinsey Quarterly Survey

4 How Well is Risk Understood (2013)? In 2013, directors surveyed said their knowledge of the risks that the company faced was as follows: 15% of directors said they have a complete understanding 54% said they had a good understanding, and 29% said they had a limited or no understanding McKinsey & Company in Improving board governance via an on line survey in April 2013 of 772 corporate directors, 34 % of whom were chairs. 22% were public companies78% were private companies.

5 What is risk management s contribution to your organization? 47% said It is essential for adding value to our overall business 34% said It can occasionally help us improve the way we do business 15% said Its contribution to our overall organization is only marginal 4% said It does not contribute to our overall business Source: Based on a December 2012 survey by the Economist Intelligence Unit and published by KPMG in 2013 in Expectations of Risk Management Outpacing Capabilities It s Time for Action

6 Some of the Challenges of Implementing ERM The Business Case: Regulatory or Effectiveness? Culture change Agreeing Risk Criteria (Appetite / Tolerances etc.) Staffing: who should lead, skills, workshops, how much data to analyse Level of detail (quantitative and/or qualitative) Software needs and selection

7 Benchmarking ERM Source: Current State of Enterprise Risk Oversight 5 th Edition (June 2014) AICPA & NCSU

8 Benchmarking ERM con: Source: Current State of Enterprise Risk Oversight 5 th Edition (June 2014) AICPA & NCSU

9 Benchmarking ERM con: 1 2 Source: Current State of Enterprise Risk Oversight 5 th Edition (June 2014) AICPA & NCSU

10 Benchmarking ERM con: Companies with a designated Chief Risk Officer Financials with a designated Chief Risk Officer 53 Separate Risk Committees Risk Inventories kept at an enterprise level all Risk Inventories kept at an enterprise level Large Co s 72 Risk Inventories kept at an enterprise level Public Co s 66 Risk Inventories kept at an enterprise level Financials 44 Source: Current State of Enterprise Risk Oversight 5 th Edition (June 2014) AICPA & NCSU

11 Integrating a Risk Framework into the Business 1. ERM Policy and Framework 2. Accountabilities (and the Chief Risk Officer role) 3. Risk Criteria (and appetite / tolerances) 4. Risk Identification (and the use of Risk Workshops) 5. Corporate Risk Profile 6. Business Planning

12 ERM Policy and Framework

13 ERM Policy and Framework ERM Policy: ERM provides uniform processes to identify, measure, treat and report on key risks. This is the umbrella policy under which all other risk policies fall. Key principles include: portfolios of ALL types of risks, integrated with strategic and business planning, annual risk assessments, everyone s responsibility. Key accountabilities: Board and/or board committee, the Chief Executive Officer, Chief Financial Officer, Management and Chief Risk Officer. Key definitions, e.g. of risk. ERM Framework: Establishes the basic process for all risk assessments etc.

14 Accountabilities (and the Chief Risk Officer Role)

15 Accountabilities in ERM BOARD (OR COMMITTEE) CORPORATE RISK PROFILE POLICY & FRAMEWORK EXECUTIVE MANAGEMENT RISK CRITERIA (TOLERANCES) RISK PROFILES & BUSINESS PLANS MANAGE RISKS, $$ LINE MANAGEMENT

16 The Chief Risk Officer Role Alternative models, banks versus others Decision maker, facilitator or opinionator? Centralized/holistic view of the organization Some issues: Who does the CRO work for? Management or the Board? Is the CRO a facilitator or a policeman? Additional reading: Managing the Multiple Dimensions of Risk Part II: The Office of Risk Management by Anette Mikes, Assistant Professor, and Robert S. Kaplan, Baker Foundation Professor, Harvard Business School (2011) Becoming the Lamp Bearer: The Emerging Role of the Chief Risk Officer by Anette Mikes, Assistant Professor, Harvard Business School (2009) Enterprise Risk management From Incentives to Controls by James Lam, John Wiley & Sons (2003)

17 Accountabilities of Risk versus Internal Audit Core internal audit roles Roles with safeguards Audit should not undertake Source: The Role of Internal Auditing in Enterprise-wide Risk Management Institute of Internal Auditors (2004) Internal Auditing s Role in Risk Management Institute of Internal Auditors (2011)

18 The Chief Risk Officer and the Board Touch-points between the Board and the CRO: The ERM Policy and Framework approval Strategic Planning & Business Planning (Objectives) Risk Criteria (e.g. impact scale, tolerances etc) Formal Risk Profiles Frequent Updates Educator (e.g. best practices, benchmarking) Advisor (e.g. hot topics, emerging risks) Whistleblower (not recommended) To be determined (e.g. risk workshops)

19 Risk Criteria and appetite/tolerances

20 Appetite/Tolerances/Criteria Term < Appetite Tolerance Criteria Attitude Used Interchangeably COSO COSO ISO Canada* Canada* Canada* Canada* * = Implementation guide to CAN/CSA-ISO 31000, Risk management Principles and guidelines (2011)

21 Use of Risk Criteria (Appetite & Tolerances etc.) In order to run effective risk workshops In order to create a common understanding of risks by the leadership team, the board and managers Criteria for Business Planning / Resource Allocation prioritization Risk is the effect of uncertainty on objectives ISO 31000

22 Risk Criteria* Include: the nature and types of causes and consequences that can occur and how they will be measured; how likelihood will be defined; the timeframe(s) of the likelihood and / or consequence(s); how the level of risk is to be determined; the views of stakeholders; the level at which risk becomes acceptable or tolerable; and whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered. * = Per ISO Note: Underlines for emphasis by John Fraser

23 Turning Strategy into Risk Criteria (inc. Tolerances) Strategic Planning Business Objectives How will we measure success for each Business Objective? How are we going to achieve our overall Corporate aims?? What 6-10 objectives do we want to factor in to decision-making? Key Performance Indicators What is our attitude toward failure for each Key Performance Indicator?? Risk Criteria (inc. Tolerances)

24 Example of Risk Tolerances (Criteria) Business Objectives Event Impact Description 5 Worst Case 4 Severe Risk Tolerances 3 Major 2 Moderate 1 Minor Financial Net Income shortfall (after tax, in one year) $>150M shortfall $75-150M shortfall $25-75M shortfall $5-25M shortfall <$5M shortfall Reputation Negative Media Attention; Opinion leader and Public Criticism National media attention; opinion leaders/customers nearly unanimous in public criticism Provincial media attention; most opinion leaders/customers publicly critical Significant local attention; Several opinion leaders/ customers publicly critical Credible letter(s) to Ministry of Energy, to Premier, to Chair of OEB, or to Minister of Environment, that require action Letter(s) to Senior Management Customer /Reliability Outages on the Hydro One system One of: >100,000 Customers Distribution or >1000MW Tx for more than 7 days One of: 40k-100k Customers Dx or MW Tx for 4-7 days One of: 10k-40k Customers Dx or MW Tx for 2-4 days One of: 1k-10k Customers Dx or MW Tx for 4-24 Hrs One of: <1000 Customers Dx or <10MW Tx for <4 Hrs Intolerable Tolerable

25 Actual Risk Criteria Impact Scale Intolerable Tolerable

26 Risk Identification and Evaluation The use of Risk Workshops The use of Interviews The use of Surveys

27 Risk Workshops Risk Management is a contact sport. Diana Del Bel Belluz Risk Workshops are Facilitated for: Major Projects, e.g. construction, Information Technology, Mergers & Acquisitions Major Types of Risks, e.g. environmental Lines of Business, e.g. for business planning Executive Team Board of Directors Note: Risk workshops will not work well in a dysfunctional organization

28 Risk Interviews Based on the Strategic Objectives List of major external events since the last Risk Profile Prior list of top risks: to capture trends and ratings Listings of all possible existing and evolving risks Identification and input of organizational context and learning's Recognizes difference styles of communicating (e.g. blue sky versus detailed)

29 Corporate Risk Profiles

30 Corporate Risk Profiles Purpose and Benefits Frequency, e.g. semi-annual (?) Based on: Interviews & Databases (e.g. risk workshop results) Trends & Emerging risks (e.g. media scans) Reviewed by: Executive (Risk) Committee Board or delegated board committee Input to Strategic & Business Planning (and internal audit plan)

31 Roll Up of Risk Interviews/Workshops Human Resources (R=2.6 / C=2.1) Volatile Work Schedule (R=2.5 / C=2.1) Commercial Culture (R=3.4 / C=2.1) Retaining Expertise R=2.6 / R=2.0) Labour Agreements R=2.4 / C=2.0) Training (R=2.5 / C=2.8) Competition (R=2.7 / C=2.5) Demographics (R=3.5 / C=2.3) Skills (R=2.5 / C=2.6) Budget (R=2.8 / C=2.6)

32 Risk Profile Top Ten Format Risk Source March 2001 Dec Risk Trend Cost Reduction Very High Very High Regulatory Uncertainty High Very High Initial Public Offering High High Customer Relationships High Medium Human Resources Medium Medium Safety High Medium Note: Each risk category is explained with a half page analysis outlining the sources of the risk and the mitigants in place or planned.

33 Heat Map Topic Risk description Likelihood Impact A Compensation Dissatisfaction leads to higher turnover B Recognition If unrecognized leads to errors and less focus C Downsizing More overtime so staff leave for better work/life balance D Demographics Changing demographics leads to more turnover Possible Unlikely Likely Almost Certain Moderate Minor Moderate Moderate Source: COSO 2004 Application Techniques Page 47

34 Risk Map

35 Business Planning

36 Business Planning: Making Choices Based on Value Vehicles?? Intolerable Risks House?? Medical?? + Highest Risk Mitigation Value for money Travel??

37 Summary - The Basic Approach to ERM Establish a policy and procedure (framework based on ISO 31000) Identify a champion and resources Agree on Risk Criteria e.g. an impact scale Create conversations via workshops and interviews Prepare semi-annual risk profiles (based on interviews and/or risk workshops) Incorporate risk prioritization into business planning Include risk assessments in capital projects Monitor and improve

38 Questions?

39 Additional Key ERM Techniques

40 Target Risk Attitude safety 5 "Target" Attitude technical innovation 4 3 customer 2 1 employee relationship 0 environment corporate image revenue growth shareholder return

41 Risk Attitude Comparison safety 5 "Target" Attitude technical innovation 4 3 customer Business development dept Operations dept Accounting dept 2 1 employee relationship 0 environment corporate image revenue growth shareholder return

42 Black Swans

43 Velocity Voting Scale Interval between the initiating event or condition (which is the point at which the risk becomes inevitable) and its peak impact on our business objectives

44 Resilience Voting Scale Ability to detect occurrence of initiating event/condition, and secure/deploy resources (plans, organizations, testing) Availability of or access to resources required to cope with or mitigate the business impact (people, knowledge, liquidity, equipment, etc)

45 Additional Readings