XX Bank. Enterprise Risk Management. Policy. Date

Transcription

1 XX Bank Enterprise Risk Management Policy Date 1

2 TABLE OF CONTENTS PURPOSE OF ENTERPRISE RISK MANAGEMENT PROGRAM... 3 PROGRAM OVERVIEW... 3 ERM FUNCTIONAL ALIGNMENT... 5 Defined Positions... 5 Defined Committees... 7 INTERRELATIONSHIP OF RISK MANAGEMENT FUNCTIONS... 8 RISK APPETITE AND TOLERANCE... 9 ERM CALENDAR APPENDIX A: ERM CATEGORIES

3 PURPOSE OF ENTERPRISE RISK MANAGEMENT PROGRAM The Board of Directors recognizes the importance of on- going identification and management of risk in order to maintain a sound financial and reputational condition. The Board adopts this risk management policy to affirm its awareness of the need to establish a program for enterprise risk management (ERM). The Board further commits to providing sufficient personnel and other resources to ensure full implementation of an enterprise risk management program. Sample Bank will maintain an Enterprise Risk Management policy and framework to coordinate the many aspects of risk. This ERM policy does not replace any existing risk and compliance program, but serves to provide a cohesive umbrella for all of the risk management programs currently in place. PROGRAM OVERVIEW Risk is an inherent component of Sample Bank s activities. The ability to effectively identify, assess, measure, respond, monitor and report on risk in activities is critical to the achievement of the Company s mission and strategic objectives. This risk management approach reflects our values, influences our culture and guides our operations. It is captured in policy statements, Board and management directives, operating procedures, training programs, and is demonstrated in daily activities by management and staff. Enterprise Risk Management is a group of structured and consistent risk management processes that are applied across the organization. An ERM program identifies, assesses, prioritizes, and provides a formal structure for the internal and external risks that impact the organization. These activities are categorized under commonly accepted categories of risk. The Company has elected to adopt the categories currently identified by the Office of the Comptroller of the Currency (OCC) which are defined in Appendix A. The ERM program is driven by a formal approach that is aligned with the organization s profile and strategic objectives. It is enhanced by formalizing roles within the organization, active committees, policies and procedures, reporting, communication, and technology. The ERM program produces various risk mitigation activities within the business units. The resulting strategic, financial, and operational risk mitigation activities implemented 3

4 strengthen the organization, reduce the potential for unexpected losses, and manage the volatility experienced by the organization. 4

5 The general objectives of this ERM policy are to: Identify the activities the Company participates. Define the various types of risk categories. Identify functional roles within the ERM program. Define the various risk assessment processes. Define how the organization sets risk tolerances. Other policies, standards, risk assessments, controls, training, reporting, and systems used within the various risk and compliance programs at the organization are not addressed herein but are documented and managed by the various risk and compliance managers in the organization. ERM FUNCTIONAL ALIGNMENT This section of the policy defines the functional relationship of the Board, risk managers and committees within the ERM program. DEFINED POSITIONS There are many defined risk managers at Sample Bank. While their titles may change over time, it is the expectation of the Board and management that these roles will be assumed by qualified individuals during any future employee turnover or organizational changes. 1. Board of Directors have direct responsibility for the risk profile of the organization, as defined by the requirements of the shareholders. The Board assigns responsibilities to the Chief Executive Officer, who creates the infrastructure for managing risk. 2. CEO/President oversees ERM governance, delegate s policy and day- to- day oversight to senior leaders and committees, and monitors key risk indicators. The CEO utilizes the ERM structure and process to provide a global view of risks across the Company and to assess whether the aggregate risk profile has the potential to impact its viability. 3. Chief Financial Officer manages interest rate and liquidity risks, sets policy, and monitors key risk indicators. The CFO chairs the Asset / Liability Committee. 5

6 4. Chief Credit Officer measures credit risk across portfolios, sets credit policy, sets and monitors key risk indicators, and is a member of Loan Committee. This position is responsible for ensuring that an independent loan review program is in place. 5. Loan review serves as an independent validation of the credit risk ratings on portfolios by assessing the quality and collectability of loans. In addition, the loan review function reviews credit and collateral files to identify any missing or incomplete documentation, and tracks policy violations and regulatory violations. 6. Chief Risk Officer coordinates the risk management activities of the Company. This position also. 7. Compliance Officer coordinates compliance activities across the business units. This position sets policy, coordinates the assessments, monitors and researches new and changing regulations and industry trends, updates documentation, and contributes to employee training. This position works with Department Managers on a regular basis. 8. Chief Information Officer coordinates network security, server and desktop controls, and participates in the management of data privacy, vendor risk, and business continuity planning programs, and independent 3 rd party scans of the network. This position sets policy, coordinates the assessments, researches new and changing regulations and industry trends, updates documentation, sets and monitors key risk indicators, and contributes to employee training. 9. Bank Security Officer coordinates security of the physical bank locations including the selection and maintenance of intrusion devices (e.g., alarms, cameras), performing investigations of all internal and external security issues, and working with other department leaders to develop loss- control measures to protect general assets. This position is also responsible for employee access to bank and customer data as well as compliance with the Bank Secrecy Act (including related regulations like OFAC, CIP, AML). 10. Department Managers represent their business units. They are responsible for understanding policies, processes, systems, products, members, and personnel within their units. Duties include participating in risk/control assessments, monitoring key risk indicators, responding to changes in industry issues, working on cross- functional projects, and implementing corrective actions and new controls. 6

7 11. Internal Audit serves as an independent validation of the risk management and compliance programs, and departmental control activities. They leverage risk assessment information as input to annual audit planning, identify and report risk, compliance, and control issues that require resolution, monitor key risk indicators, and are the independent link to the Board through the Audit Committee. Internal Audit also coordinates the audits of compliance activities. The Internal Audit Manager coordinates this function by using internal and external sources. DEFINED COMMITTEES 1. Board of Directors is responsible for approving new and changes to all policies; participating in committees with managers, reviewing status; providing guidance on strategies and risk appetite; staying apprised of significant risk exposures; and ensuring that risks are managed within tolerance. 2. Audit Committee is a Board level committee and is responsible for providing assistance to the Board of Directors in fulfilling their responsibility to the shareholders and investment community related to corporate accounting, reporting practices, the quality and integrity of financial reports, and the quality and effective administration of the controls and procedures of all systems and work processes. 3. Asset / Liability Committee is chaired by the Chief Financial Officer, and oversees liquidity and interest rate risk programs, shock tests, monitors key risk indicators, develops and agrees on policies and procedures, sets limits, prioritizes activities and investments, prepares for exams, and provides input to the senior management and the Board regarding the direction of risks and the status of the programs. 4. Loan Committee is chaired by the?? and oversee oversees credit risk activities, assessments and stress tests, develops and agrees on policies and procedures, set limits, monitors key risk indicators, prioritizes activities and investments, prepares for exams, and provides input to the senior management and the Board regarding the direction of risks and the status of the programs. 5. Trust Committee is a Board committee and oversees the acceptance and closing of fiduciary accounts and is responsible for the policies and procedures for the investing of trust funds and reviewing such accounts. They are also responsible for approving policy and monitoring of key risk indicators. 7

8 6. ERM Management Committee is chaired by the Chief Risk Officer, and oversees compliance and operational risk programs, assessments, develops and agrees on policies and procedures, sets limits, monitors key risk indicators, prioritizes activities and investments, prepares for exams, and provides input to the senior management and the Board regarding the direction of risks and the status of the programs. INTERRELATIONSHIP OF RISK MANAGEMENT FUNCTIONS The interaction between the Business Units and three primary control functions of Risk, Compliance, and Audit must be in place for the ERM program to be effective and efficient. All three roles are needed: the Auditor to test operating effectiveness of controls and adherence to policy and procedures; the Compliance Manager to ensure that current policies, products, processes, and systems are in compliance; and the Risk Manager and Department Managers to look forward to identify exposures to the organization. 8

9 RISK APPETITE AND TOLERANCE The Board of Directors and management use a balanced approach in determining acceptable levels of risk to undertake. The organization will only tolerate those risks which permit it to: Achieve its stated strategic business objectives, Provide a return that meets or exceeds expectations Comply with all applicable laws and regulations Conduct its business in a safe and sound manner. The Board will approve and Management will set general risk appetite levels annually through several means. The overall internal and external risk environments will be considered in conjunction with the strategic planning process. 9

10 Key strategic business objectives and their financial and non- financial risk appetite levels will be set annually and expressed in the strategic plan and policies. Within the scope of their authority and guidelines established in business plans, policies, and procedures, business unit managers will make decisions regarding acceptable levels of risk. Managers will also be responsible for implementing risk mitigation strategies of retention, control, avoidance and transfer. For monitoring and reporting purposes, Management and the Board will use a set of Key Risk Indicators of inherent risk across the predefined risk categories, if they are within tolerances, and if the trend is increasing, stable, or decreasing. These are tracked by the various risk managers in a common reporting format. High risk indicators and action plans are tracked by the various committees with update reporting to the Board at least annually or as requested. Internal audit reviews these indicators and uses the risk profile to help establish its audit schedule for the year. ERM CALENDAR An ERM Calendar is used to plan and organize all risk, compliance, and audit activities under the ERM program. It is managed within the primary risk committee to maintain control over additions and changes, and to reflect the broad nature of activities across all business units. The ERM activities can include: risk assessments, compliance reviews, internal audits, federal examinations, internal control tests, 3 rd party assessments and audits, loan reviews, stress tests of portfolios and interest rates, policy updates, committee meetings, industry conferences and webinars, new regulations, employee compliance training, and any other activity that falls under ERM and has a need to be planned and communicated. 10

11 APPENDIX A: ERM CATEGORIES The bank is exposed to these forms of risk in strategic, tactical and daily activities: The Office of the Comptroller of the Currency (OCC) provides definitions for the following categories of risk. Credit Risk The current and prospective risk to earnings or capital arising from an obligor s failure to meet the term of any contract with the bank or otherwise perform as agreed. Credit risk is found in all activities where success depends on counterparty, issuer or borrower performance. Interest Rate Risk The risk to earnings or capital arising from movements in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (re- pricing risk); from changing rate relationships among different yield curves affecting organization activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest- related options embedded in products (options risk). Liquidity Risk The current and prospective risk to earnings or capital arising from incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources. Liquidity risk also arises from failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimal loss in value. Price Risk The risk to earnings or capital arising from changes in the value of traded portfolios of financial instruments. This risk arises from market- making, dealing and position- taking in interest rate, foreign exchange, equity and commodities markets. Compliance Risk The current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk also arises in situations where the laws or 11

12 rules governing certain bank products or activities of the bank s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential and lack of contract enforceability. Strategic Risk The current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions or lack of responsiveness to industry changes. This risk is a function of the compatibility of an organization s strategic goals, the business strategies developed to achieve those goals, the resources deployed against those goals and the quality of implementation. The resources needed to carry out business strategies are both tangible and intangible. They include communication channels, operating systems, delivery networks and managerial capacities and capabilities. The organization s internal characteristics must be evaluated against the impact of economic, technological, competitive, regulatory and other environmental changes. Reputation Risk The current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution s ability to establish new relationships or services, or continue servicing existing relationships. This risk may expose the institution to litigation, financial loss or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with customers and the community. Operational Risk The risk of loss resulting from inadequate or failed internal processes, people and systems from external events. This includes legal risk. These are the types of non- credit and non- interest rate exposures that can lead to financial loss fraud, anti- money laundering, business outages, IT failures, vendor outages or failures, financial statement control issues and processing errors. 12