ENTERPRISERISK WHY YOU NEED RISK COMMITTEE. 18 April 2014 The RMA Journal Copyright 2014 by RMA

Similar documents
Governance: Risk Committees

Ethics and Financial Reporting: Delivering on the Commitment

PRESENTING ERM TO THE BOARD

Advisor Industry Insights From Morningstar. 10 Tips for Advisors on Acing Client Check-Ins

ITC Committee Meeting February 17, 2017 Small Group Discussion

Small business guide to hiring and managing apprentices and trainees

Governance in a multidimensional environment

More than 2000 organizations use our ERM solution

Project Portfolio Management Assessment

7 TIPS TO HELP YOU ADOPT CONTINUAL SERVICE IMPROVEMENT, BY STUART RANCE 1

Initiating Client Succession in Your Law Firm

You ve met our apprentices. Now meet yours.

THE HR GUIDE TO IDENTIFYING HIGH-POTENTIALS

Board and Senior Management Reporting. Eric Holmquist Managing Principal Enterprise Risk Management

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

Guest Concepts, Inc. (702)

Managing reputation risk. Laura Toni, Deloitte Romania November 28, 2014

Marketing Automation: One Step at a Time

RISK AND COMPENSATION COMMITTEE TERMS OF REFERENCE

Seven Key Success Factors for Identity Governance

unique? WHERE ARE WE heading? OUR IDENTITY WHAT QUALITIES DO WE share? WHAT MAKES VENTURA FOODS

The Parenting. Who doesn t want to be a good. How to Make It Work

REFRAMING OUR ASSUMPTIONS ABOUT SAFETY

Three Reasons Why Spend Analytics Is The CFO s Next Major Focus

A successful implementation of an ERM dashboard - Remko Riebeek

30 Course Bundle: Year 1. Vado Course Bundle. Year 1

Talent Acquisition Leader s Guide to Recruitment Agency Planning. Setting Your Agency Recruiting Strategy for 2017

TALKING AGILITY: EPISODE 1 PODCAST TRANSCRIPT

Achieving business objectives through successful transformation projects

Putting our behaviours into practice

Table of Contents. 2 Introduction: Planning an Audit? Start Here. 4 Starting From Scratch. 6 COSO s 2013 Internal Control Integrated Framework

What Is Coaching? Overview Guiding Church Leaders

How to Hire The Best Customer Service Reps

The Top 5 Reasons Successful Doctors Utilize Call Tracking & Call Recording to Boost Total Patient Appointments by 10-50%

PPM Assessment. Analyze Your PPM Practices In-Depth for Systematic Improvement

Farm Succession Planning

The Program Management Office

PPM Benefits for the Project Management Office

quality assurance our principles and approach

CRM-BRC-CH-01 - Risk Committee of the Board of Directors Charter

A Practical Guide to Conducting an HR Audit

NEW SKILLS AND PARTNERSHIPS IN IT ASSET MANAGEMENT

Project Management Assessment. Apply an In-Depth Approach to Project Management to Achieve Systematic Success

Growth transformation: Delivering on a diversified set of e-commerce growth strategies

Moving The Needle EXECUTIVE BRIEF

Research Report: Forget about engagement; let s talk about great days at work

Putting Workforce Analytics to Work: Achieving Objectives and Realizing Outcomes

Chapter 4 - Recommendations for an Enhanced Enterprise Information Technology Governance Structure

Attribution 101: The Savvy Marketer s Guide

The 10 Big Mistakes People Make When Running Customer Surveys

HOW BEST-IN-CLASS DEALERS ARE MAKING MORE CUSTOMER CONNECTIONS

Role of Internal Audit

PRESENTATION OUTLINE

PRESENTATION OUTLINE

developer.* The Independent Magazine for Software Professionals Automating Software Development Processes by Tim Kitchens

The 5 Biggest Hurdles to Strategy Execution And How to Overcome Them

Mentoring Toolkit Additional Resources

How to Use Reporting to Grow and Manage Your Business

FIRST STEP TO GREAT LEADERSHIP CREATING A COMPELLING VISION

Risk-Based Environmental Auditing at Bulk Fuel Terminals

AUDIT COMMITTEE HANDBOOK

This Week in the Boardroom 12/04/14 Page 1

Managing When the Future Is Unclear

to Successful Non-profit Cloud ERP System Selection

Aligning and Integrating ERM and Business Process. Federal ERM Summit September 9, :00-12:00

Recruiting Leader s Guide to Direct Hire Agency Planning

Creative Sustainability (Part II)

Automating Invoice-to-Pay

Evaluating Treasury Management Systems

risk management ERM Roles & Responsibilities In Community Banks: Who is Responsible for What?

Stakeholder Survey Alex Cartwright (UB 2020) Audience/Desired Action. 1. Do you have a communication plan?

Rick Willson s new book, Parking Management for Smart Growth, is a how-to

Canadian Insurance Accountants Association

SMALL BUSINESS BANKING: A $56.9 BILLION OPPORTUNITY FOR THE TAKING

THE ADVANTAGES OF BEING HUMAN IN A CONSUMER WORLD. By Jim Chastain & Jim White

Agile-ish 5 Leadership Mistakes Diluting Your Transformation Jesse Fewell June 27, 2018

LeiningerCPA, Ltd. RISK MANAGEMENT POLICY STATEMENT

Emi I ve always loved animals. After graduating with a Masters Degree in Creative Writing in 2012, I went through a quarter-life crisis of not

ebooklet How to improve your CV and interview technique using your Belbin Team Role Report

THINKSAP THINK THINK. THE FUTURE OF SAP BW. by Andrew Rankin

Exceptional vs. Average: What Top Leaders Do Best

Risk Management Implementation Plan

the state of employee engagement: fall 2014

Agile Portfolio Management for a Fast- Paced World. Are you ready? Are you ready?

Six Steps to Improving Corporate Performance with a Communication Plan

Aegon Global Charter Framework

Audit the Future: Using Audit Analysis to Predictively Manage Future Risks. Dan Zitting, CPA, CISA, GRCA Chief Product Officer, ACL

Developing an Integrated Anti-Fraud, Compliance, and Ethics Program

Fundraising 101: Structuring and Developing an Effective Fund Raising Operation. Lawrence W. Reed President Mackinac Center for Public Policy

organize, automate & grow your life

A CLIENT S GUIDE WHERE TO START WHAT HAPPENS ON SITE WHAT ARE THE BENEFITS. 10 Advantages of. Design Build

The Board s Role in Compensation Oversight for Employed Physicians: AN INTERVIEW WITH DAN GRAUMAN, PRESIDENT AND CEO, DGA PARTNERS

UNLOCKING SALES EFFECTIVENESS

Deployment is Not the Finish Line. Success with Marketing Automation begins after implementation

THE WORKPLACE WORK BASED A GUIDE TO GETTING THE MOST OUT OF YOUR PART-TIME JOB LEARNING

The Seven Success Factors of Partner Marketing

The Current State of Risk Management Maturity for Belgian Organizations kpmg.com/be

Wendy Poirier, Director of Towers Watsons Canadian Health & Group Benefits Practice talks about the Canadian Rx Coalition

The 10 Core Values of Zappos

Transcription:

ENTERPRISERISK WHY YOU NEED A RISK COMMITTEE 18 April 2014 The RMA Journal Copyright 2014 by RMA

With schedules already crammed with committee meetings, it s tempting to reject the idea of forming yet another committee, even one devoted to risk. Don t. Properly executed, it will be one of your bank s most important governance bodies. BY ERIC HOLMQUIST Let s face it: The last appointment anybody wants is another committee meeting. It could be argued that management spends way too much time in committees that fail to contribute to bank performance, instead consuming large quantities of executives scarce time. Forming a risk committee is a different matter. It can be one of the most significant steps a bank can take in advancing the scope, impact, and value proposition of its risk management program. Properly structured, staffed, organized, and moderated, these committees can play a substantial role in ensuring sound governance and maximizing the bank s return on investment. The idea of a risk committee is fairly logical. As the bank continues to develop and expand its enterprise risk management (ERM) program, it follows that a governing body should be formed to oversee and direct the program, working with management and the chief risk officer (where one exists). But banks are often unsure of how to structure these committees for maximum effectiveness and, more importantly, how to properly focus them. We ve all heard the questions and concerns that typically come up. Why do we need another committee? What would we possibly talk about that isn t already being addressed by an existing committee? Our people are already too busy to make time for more meetings. Do I really want a committee specifically chartered to document issues that could be used against us by an examiner? All are valid questions, with equally valid answers. Regrettably, without a clear understanding of the committee s purpose and charter, banks often focus the agendas for these committees on the same items already being discussed in other committees, which, while informative, is not only inefficient, but can drastically undermine perceptions about the value of the risk management program. April 2014 The RMA Journal 19

This article discusses how to properly design, structure, and charter risk committees within the institution so they have a distinct mission and provide unique value. Properly executed, these committees will soon be perceived as one of the most significant governance bodies within the bank if not the most significant. What Makes Them Unique? The committees that manage risk and performance generally focus on one slice of the business, and they focus on what has already happened. Risk management, on the other hand, is entirely about context and discovery, and in this way risk committees are unique. Everything we do exists within a certain context. For financial institutions, the two most important points of context are the strategic plan and the risk appetite statements. Risk management, when properly done, is not about speed bumps. It s about guardrails. And the strategic plan and risk appetite statements are the two most important guardrails. They allow the bank to move faster and with more certainty. Everything else must exist between these two governance documents (in other words, within these contexts). The discovery process comes as we step back and ask ourselves introspective questions about where risks exist (both macro and micro). Are we are in step with the strategic plan? What does the big picture look like? Are we aligned with our risk appetite? This is the role these committees play. In other words, their charter and focus, unlike that for most other committees, is almost entirely forward looking. All committee discussions (risk included) start with what happened because it s generally best to start from what we know. Unfortunately, the discussions tend to stay there. Risk exists within the assumptions, and one of the most dangerous is to assume that people interpret information about the past and its implications for the future in the same way. I have attended countless meetings of the ALCO committee or credit committee (or, sadly, even a risk committee) where a report is presented on some portfolio aspect, an operational incident, or other past event. The group discusses what happened, maybe asks some questions about any planned changes in response, and then the chair thanks the presenter of the report. Often, these logical follow-up questions are not asked: What does this incident or activity tell us about our risk profile going forward? Do we still believe we are moving forward within our established risk appetite framework? By not asking these questions outright, we are assuming Risk management, when properly done, is not about speed bumps. It s about guardrails. that the members are all interpreting the information in the same way and somehow coming to the same conclusion. By creating an agenda that is primarily forward-looking, we force ourselves to ask these questions and contemplate the answers. This is the discovery part. Looking at the past is easy; it already happened. But looking at the future and considering whether we are headed in the intended direction is much more difficult and also more critical to effective risk management. The second unique aspect is one of silos versus comprehensive views. Again, most of our committees and other governance mechanisms are focused on one specific aspect of the bank, and that s as it should be. ALCO looks at financial risks. The credit committee looks at credit risk and the lending process. The compliance committee focuses on the state of the compliance program and regulatory risk. But where does it all come together, particularly at a management level? Who looks at the big picture? Often, the bank has regular senior management meetings where the overall environment is discussed along with whatever operational issues are at hand. While this is a good practice, these meetings are typically unstructured and informal, often lacking any minutes of the discussion. The benefit of a risk committee is that it provides a structured, documented, and deliberate forum for asking, Where are we going, and are we still in line with both the strategic plan and our risk appetite? ERM should support a hub-and-spoke model with risk committees as one of the hub elements. This idea is reinforced below in the discussion about the committee s agenda and charter. Other hub elements include the bank s risk appetite statements, which should cover all risk types, not just credit and interest rate risk. Risk management policy and enterprise risk assessment are also hub elements. Each focuses on a macro view of the bank, while pointing to other, more detailed elements that address one specific aspect. If common themes for why banks want to implement an ERM program exist, they are: We manage risk, but we manage it in silos and We don t know what we don t know. A well-structured risk committee helps address both concerns. Let s look at the two most common forms of risk committees, after which we ll consider one alternative form. Board Risk Committee The board risk committee (BRC) is formed using independent directors of the board as its voting members, with the chief risk officer (where one exists) and other executive management as participating members. The BRC is typically chaired by one of the independent directors and oversees the management of the bank s ERM program. on previous spread: istock/thinkstock 20 April 2014 The RMA Journal

Aspect Board Risk Committee Management Risk Committee Charter Overseeing the management of the Bank s ERM program. Implementing and managing the Bank s ERM program. Members Independent directors as voting members, executive management as attending members. Senior and executive management as voting members, other management as attending members. Chairperson Selected director Chief risk officer or other senior executive Suggested Meeting Freq. Quarterly Monthly Relationship to Risk Appetite Provides input and approves the bank s risk appetite and tolerance statements. Evaluates all reports against these statements. Drafts and recommends the bank s risk appetite and tolerance statements. Evaluates all decisions against these statements. This committee starts with the approval of the bank s risk management policy, followed by the risk appetite and tolerance statements, after which everything this body does is in relation to those statements. This committee ensures that the bank is, at all times, operating within the two guardrails of the strategic plan and the risk appetite statements. Information presented to the BRC should be in summary form, but supporting materials should be available to enable the board to drill down deeper. Materials that represent past activities should only be used to discuss what these activities represent in terms of the risk profile going forward. Early-generation committees find that they do, at times, struggle to keep the conversation forward looking. It is much easier to talk about the past. As much as 80% of the discussions are still backward looking. Over time, the goal is to reverse this percentage so that 60-70% of the time is spent looking ahead. In thinking about the agenda for the committee, these suggested items naturally focus the discussion around the direction of risk and risk profiles, rather than operational results. Risk assessments: Summaries of risk assessments completed during the prior period, including any indications that risks may be close to, or outside of, established risk tolerances. Proposed new products and services: Presentations by management on new, or significantly expanded, products and services, including a cost/benefit analysis and related risk assessments. Proposed significant initiatives: Analysis around major new initiatives, including strategic acquisitions, new markets, and core system conversions, each of which could represent a material amount of risk to the institution. Stress tests: Stress tests and other scenario analyses are, by definition, forward looking, as they consider the future path based on a certain set of modified assumptions and often lead to very fruitful conversations about possible action steps. Periodic functional reporting: Periodic reports on the state of various risk management programs, including risk assessment summaries and policy renewals where appropriate. The important thing is to receive and digest the respective reports, but make the discussion be about the forward-looking risk profile. Examples may include the following: Vendor management. Information-security program. Business-continuality planning. Information technology. The committee may also consider scheduling periodic presentations from outside authorities on topics such as local, regional, and national market conditions, fraud trends, legal and regulatory issues, and so on. Finally, the committee serves an important challenge role as the ultimate owner of and point of accountability for the bank s risk appetite statements. Management Risk Committee The second form of risk committee would be the management risk committee (MRC). The MRC is made up of senior and executive management as voting members and is typically chaired by the CRO (where one exists) or other senior executive. Other middle management may be invited to participate and to provide input as nonvoting members. Typically, the voting members should be the ones in management you want setting the bank s risk appetite. This is typically the C-suite plus a select few others. Whereas the BRC is mostly consuming information and serving in a challenge role, the MRC is where risk is thoroughly evaluated. This should be the last Early-generation committees find that they do, at times, struggle to keep the conversation forward looking. It is much easier to talk about the past. stop before information goes to the board (either to a BRC or main board) and where management collectively needs to decide if the actions it is taking, and the direction it is pursuing, remain squarely within the guardrails of the strategic plan and the risk appetite statements. An MRC will often have a series of subcommittees that report up to it. These would include operational April 2014 The RMA Journal 21

risk, compliance, information security, and new products and services. However and this is extremely important the detailed work done in these subcommittees must not be duplicated in the MRC. If the work is done in subcommittees, the MRC serves an oversight role, providing the entire executive management team with an opportunity to see and weigh in on exactly what is happening throughout the bank. This is enterprise risk management. It s not added bureaucracy; it s solid management in a centralized, controlled way. This is where it all comes together. It could also come together under a hybrid risk committee composed of both directors and executive management. A hybrid committee can work well in a smaller institution, but it can pose a dilemma for the bank when it is providing oversight only (like the BRC) or wrestling through the should we do it? questions (more like the MRC). In an environment where some directors are more active in day-to-day activities, a hybrid committee could work, but this structure is not optimal in the long run. Frequently Asked Questions In establishing board and management risk committees, the following questions frequently come up and are worth addressing: Can t I just combine these into other committees (ALCO, audit, etc.) rather than create a whole new committee? No. These committees already have full agendas. If you go to the chair and say you would like to add an hour and a half to each meeting for risk management, what do you think the answer will be? Again, the purpose of a risk committee is unique and needs its own forum to be effective. It is the only body that is predominantly forward-looking. And it looks at the whole bank (all risk types), not just one aspect. What if my board isn t strong enough? Regrettably, this is a bigger issue than just committee involvement. At a minimum, provide training through internal or external resources. Odds are, with some training and time, directors will get it and be very engaged. My board only cares about credit and interest rate risk, and we re already covering those elsewhere. Unfortunately, that can happen. To address this problem, create a risk management program that articulates all sorts of risks that need to be managed, even if they will never end the bank. To some extent, we ve lost sight of the fact that risk is managed in strategy and operations, not in risk types. Risk committees help reinforce this eternal truth. We will never, ever back off of managing credit and interest rate risk. But these efforts alone do not represent enterprise risk management. How often should they meet? Typically, management risk committees meet monthly, and board risk committees meet quarterly or more often as needed. Why would I want a forum to document issues that a regulator can just use against me? Regulators are much more interested in seeing evidence that you are addressing tough risk issues including when you make mistakes. They want to see a focus on what you did about it, or are going to do about it, and what you feel it says about your risk profile going forward. It is much more likely a regulator would criticize an institution for having an incident or key risk and not addressing it through a senior committee. Making the Most of These Committees Don t assume your members (either at the MRC or BRC) are comfortable evaluating risk and risk appetite. Some of it is obvious, and some of it is very complex. Be brutally, ruthlessly honest with yourselves about your capabilities and then supplement that with training and an open dialogue about how you can get stronger and more capable as a group. Risk management lives and breathes on our willingness and ability to be honest with ourselves. If it doesn t start at the risk committee, where else will it start? Make information digestible. Putting a 200-page report in front of your BRC and asking it for an opinion is, frankly, a waste of time. Present the information in summary form (dashboards, executive summaries, etc.) and offer access to the details if needed. The value is in the conversation, not the stack of paper. This is where tablet-based reports can be more useful than paper. A good interface gives you a lot of capabilities to present information that is both informative and actionable, but is supported by drill-downable detail when necessary. Finally, success for any committee comes down to how well it is managed. Meetings should adhere to clear, established agendas; materials should be distributed well in advance of the meeting to give members time to digest them; and management must be held accountable for arriving prepared. In most organizations, just eliminating agenda creep could more than make up the time needed for an additional meeting. Creating new committees is not a trivial proposition, and unquestionably institutions need to be judicious in how they allocate the time of board members and executives. But as we seek to move toward true enterprise risk structures and away from siloed risk management, these are truly powerful governance tools that the board and management should find very helpful in taking their risk management to a whole new and powerful level. v Eric Holmquist is managing director of enterprise risk management advisory services, Accume Partners, Moorestown, New Jersey. He can be reached at eholmquist@ accumepartners.com. 22 April 2014 The RMA Journal

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback