An Introduction to Enterprise Risk Management

Transcription

1 An Introduction to Enterprise Risk Management Yousef A. Valine Risk Management Association, Enterprise Risk Management Council Chair Chief Risk Officer First Horizon National Corporation

2 Topics What is Enterprise Risk Management (ERM)? Risk Management Association ERM Framework Q/A 2

3 Introduction ERM new or not ERM can be defined as the management capability to manage all business risks in pursuit of acceptable returns An organic, living, and breathing capability (linked to specific ERM competencies), not a documentation exercise or compliance check list ERM should be comprehended and operationalized as a way of thinking A competitive advantage for those who get it right 3

4 Introduction (continued) ERM can help answer three very basic business questions: 1. Should we do it (aligned with business strategy, risk appetite, culture, values and ethics)? 2. Can we do it (people, processes, structure, and technology capabilities)? 3. Did we do it (assessment of expected results, continuous learning, and a robust system of checks and balances)? 4

5 RMA ERM Framework We wanted to develop an ERM framework that will help institutions manage their risk holistically, and manage it well. Objectives: 1. Be highly practical 2. Leverage existing frameworks 3. Create something that an be used by any size organization 5

6 Development of ERM Framework - Strategy We adopted a strategy that would help management and Boards of Directors answer the following relevant business questions: 1. What are all the risks to our business strategy and operations (coverage)? 2. How much risk are we willing to take (risk appetite)? 3. How do we govern risk taking (culture, governance, and policies)? 4. How do we capture the information needed to manage the risks (risk data & infrastructure)? 5. How do we control the risks (control environment)? 6. How do we know the size of the various risks (measurement and evaluation)? 7. What are we doing about these risks (response)? 8. What possible scenarios could hurt us (stress testing)? 9. How are various risks interrelated (stress testing)? 6

7 Development of ERM Framework Strategy (continued) Risk categories can be inventoried as follows: Credit Liquidity Strategic/Business/Reputation Market Operational Compliance/Legal/Regulatory Financial Capital Adequacy Framework is applicable regardless of the institution s size or how it categorizes its risks It s similar to COSO ERM, but adapted to be highly specific to the financial services industry, and we offer practical implementation guidance 7

8 Depiction of ERM & Importance of Culture Circular depiction is highly intentional Components are meant to be dynamic (reviewed back/forth in any sequence) Having the right culture is key 8

9 Introduction to Individual Capabilities 1. Business Strategy and Risk Coverage Risk management in the context of business strategy what is our business strategy, and therefore associated risks? Goals and objectives (strategy) are determined in terms of markets, geographies, products, earnings, etc. before a risk appetite is articulated Risk implied in the strategy is assessed, and the level of risk willing to be assumed in executing that strategy is determined Regardless of strategy, institutions are exposed to the 8 risk categories previously noted (Credit, Liquidity, etc.) 9

10 Introduction to Individual Capabilities 2. Risk Appetite Risk appetite is the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns) Risk appetite vs. risk tolerance Management developed and board approved Covers all categories of risks, articulates escalation points Covered in a dedicated workbook The Risk Appetite Workbook released in November 2010 provides a detailed roadmap for explaining what a risk appetite is and how an institution can develop one 10

11 Introduction to Individual Capabilities 3. Culture, Governance, and Policies Culture is best described as what people do when they are not being watched Culture is the most important aspect of any good ERM competency Without the right culture, all other ERM competencies are somewhat irrelevant Policies express risk appetite to masses by describing what the company will/will not do Risk appetite is operationalized via policies (what to do?) and procedures (how to do?) 11

12 Introduction to Individual Capabilities 4. Risk Data and Infrastructure Board members and management require deep understanding of company risk profile Risk data and infrastructure is how information is collected, integrated, and analyzed and translated into a cohesive story One of most challenging aspects of ERM (more on this later) A good risk management infrastructure requires a highly robust Management Information System (MIS) You can not manage what you do not know 12

13 Introduction to Individual Capabilities (continued) 5. Measurement and Evaluation Measurement and evaluation are used to: Conclude which risks are significant, and which are not Conclude where to invest time, energy and effort Help Boards and management answer the question so what? Must include the system of internal controls (how well can the risks be managed)? 13

14 Introduction to Individual Capabilities 6. Control Environment and Responses Internal controls are used as one of the most important tool sets for managing risks Used to help reduce the level of inherent risk to a level acceptable to management The system of internal controls includes culture, governance, policies, preventive and detective control, and scenario planning Used to manage the level of residual risk to an acceptable level An effective environment is used to allow management to control what can be controlled 14

15 Introduction to Individual Capabilities 7. Scenario Planning and Stress Testing Answers what can go wrong and hence create deviation from expected outcomes? Addresses known, knowable, and unknowable risks Used to focus Board and management on knowable risks (perhaps some unknowable), and as a discipline to help discuss scenarios that can have an upside as well as down side Robust scenario planning and stress testing applied from a capital planning perspective 15

16 Summary ERM is not an option for financial institutions Have been required to manage all relevant risks for some time A robust ERM capability should not be something extra an institution needs to do ERM is about a competency to manage risks well, comprehensively, and to understand the interrelationship and correlation between various risks ERM is the art of integrating what already exists so management and the Board have a comprehensive and integrated view of the risk profile in the context of its business strategy ERM is a way of thinking, and when implemented correctly, can be a competitive advantage 16

17 Deep Dive - Risk Data and Infrastructure 17

18 Deep Dive - Risk Data and Infrastructure Business objectives = Accountability, Accessibility, Accuracy, and Aggregation Data Warehouse Retail Typical Sources: Credit Wholesale Typical Uses: Origination Servicing Loss Recovery Financials Economic Data (external) Market Price Data (external) Regulatory Capital Engine Economic Capital Engine Grades/Scores Client Information Securitization & Traded Products Etc. Traded Products Market Compliance Operational Other Functional Capabilities -Analytical Source Layer -Reference Data -Metadata -Data Stewardship -Data Auditing -Business Intelligence Tools Concentration Analysis Portfolio Health/Trends Capital Analysis Assets for Sale Hedging (portfolio) Industry/Sector/Regional Analysis Renewal Analysis Stress Testing Pricing/Risk Return Analysis Development of Scorecards ALLL Delinquency Customized Management Reporting 14

19 Deep Dive - Risk Data and Infrastructure (Do s and Don ts) Average cost is between $150 to $400 million. Most efforts are failures I know of four failures including one that I tried to rescue Pick the right risk leader to lead the effort. This is not an easy job. Should have someone who possesses strategic thinking, has a deep risk management background, knows modeling, is capable of running a massive project, and can talk the technology talk. We don t have too many people like that in risk management. Start with the end in mind (be clear on what problems you are trying to solve, how will this infrastructure facilitate better decision making and performance? Get specific and passed pretty PowerPoint presentations/mom and apple pie ideas) Don t let quants drive the requirements. Again, start with a leadership/managerial perspective Don t allow the initiative to become a technology endeavor. Don t let consultants lead the effort. You own it and you lead it. Decide on your operating model (centralized, decentralized, federated). Be precise about what is optional and what is not. Be clear on roles, responsibilities, accountabilities, and standards Keep it simple. Don t try to boil the ocean (evolution vs. revolution) 19

20 Measurement & Evaluation: Failure Mode & Effect Analysis Impact Direct financial impacts company could incur based on the event being evaluate Consider: expenses, losses, reserve, market capitalization, inherent exposure, etc. Probability Probability the risk could result in a loss of the $ Impact amount in next 6-12 months Consider: internal & external historical experience, and those based upon the control environment at that time; the go forward probability is not a worse case scenario; consider reasonable expectations of control environment Control Effectiveness How well controls are working that mitigate the probability of the risk; financial planning (i.e. repurchase reserves, loss reserves, etc) that mitigates impact is considered a control Consider: current risk and control assessments performed by assurance groups, regulator s feedback, management discussions, and understanding of the control environment Total Risk Score is calculated by multiplying the Impact x Probability x Control Effectiveness Building The Measurement Tool A set of measures should be identified to gauge Impact, Probability and Control Effectiveness (C/E) for risks. Use same number of measures (if using a 1-10 scale, use 10 measures for Impact, Probability, and C/E) Breakpoints in the measuring scale for low, moderate, and high levels of Impact, Probability and C/E are needed Total Risk score-ranges to distinguish low, moderate and high risk also need to be established Examples of scoring (using a 1-10 scale): An event rated with Impact (10), Probability (10), Control Effectiveness (10) has a Total Risk Score = 1,000 An event rated with Impact (8), Probability (5), Control Effectiveness (3) has a Total Risk Score = 120 Total Risk Rating (Low, Moderate, High) depends on the ranges set to distinguish such for your company 20

21 Measurement & Evaluation: Quantifying the Company s Risk Profile IMPACT (I)* PROBABILITY (P)** CONTROL EFFECTIVENESS (C) TOTAL 10 Catastrophe Very serious impact (> $500M) 10 Virtually Certain Occurs all the time (approaching 100%) 10 No Controls No controls to mitigate risks LOW MODERATE HIGH 9 description & $ limits 8 description & $ limits 7 description & $ limits 6 description & $ limits 5 description & $ limits 4 description & $ limits 3 description & $ limits 2 description & $ limits 9 description & % range 8 description & % range 7 description & % range 6 description & % range 5 description & % range 4 description & % range 3 description & % range 2 description & % range 9 description & degree 8 description & degree 7 description & degree 6 description & degree 5 description & degree 4 description & degree 3 description & degree 2 description & degree = 1-?? Y?? -??? R >??? 1 Negligible Impact 1 Highly Unlikely Would require highly unusual circumstances (<1%) 1 Perfectly Mitigated Extremely high probability of mitigating all risks G * IMPACT includes direct financial impacts including those that can result from reputational issues, compliance issues, regulatory criticism, and/or negative customer impacts ** PROBABILTY should be considered within the next 6-12 month time horizon (the risk window ), given reasonable controls 21

22 Measurement & Evaluation: Communicating a Composite Risk Profile 22