ENTERPRISE RISK MANAGEMENT FRAMEWORK WHAT IS ERM? JOIN. ENGAGE. LEAD.


INCREASED FOCUS ON ERM

Although the concept of enterprise risk management (ERM) has existed for a number of years, it wasn't until the 2008 financial crisis that ERM gained significant prominence as an integral component of an institution's overall business strategy. Despite the increased focus on ERM, many in the industry struggle to precisely define it. As a result, the RMA ERM Council embarked on an effort to create highly practical guides for implementing a robust ERM framework that will help institutions (of any size) manage their risk holistically.

The council defines ERM as the management capability to manage all business risks in pursuit of acceptable returns. With that definition as a guide, the council adopted a strategy that would help management and boards of directors answer relevant business questions pertaining to an institution's risk appetite, business strategy and risk coverage, governance and policies, risk data and infrastructure, measurement and evaluation, control environment, response, and stress testing.

At the center of the ERM framework is culture. If an institution lacks the right culture and strong leadership at the top, none of the other elements will matter. Simply put, firms that comprehend and adopt ERM as a way of thinking typically outperform those that do not.

Ultimately, ERM can provide answers to three basic business questions:

1. Should we do it (aligned with business strategy, risk appetite, culture, values, and ethics)?
2. Can we do it (people, processes, structure, and technology capabilities)?
3. Did we do it (assessment of expected results, continuous learning, and a robust system of checks and balances)?

ERM FRAMEWORK

RMA'S ENTERPRISE RISK MANAGEMENT FRAMEWORK

The framework applies regardless of the size of the institution or how an institution wishes to categorize its risks.[1] The circular depiction of the framework is highly intentional. The individual components (such as coverage or risk appetite) are not meant to be sequential, but rather a dynamic flow in both directions. Additionally, culture is depicted as the center/heart/foundation since, without the right culture, the other components are somewhat irrelevant.

The framework was designed to help management and boards of directors answer these relevant business questions:

1. What are all the risks to our business strategy and operations (coverage)?
2. How much risk are we willing to take (risk appetite)?
3. How do we govern risk taking (culture, governance, and policies)?
4. How do we capture the information we need to manage these risks (risk data and infrastructure)?
5. How do we control the risks (control environment)?
6. How do we know the size of the various risks (measurement and evaluation)?
7. What are we doing about these risks (response)?
8. What possible scenarios could hurt us (stress testing)?
9. How are various risks interrelated (stress testing)?

[1] Although there are similarities between the RMA ERM framework and the COSO ERM, the RMA ERM framework is adapted to be highly specific to financial services with practical implementation guidance.

The RMA ERM Council's approach for developing this ERM framework and associated ERM competencies is to develop a series of highly practical workbooks for risk management professionals. These workbooks are as follows:

1. Risk Appetite Workbook (published, November 2010)
2. Governance and Policies Workbook (published, November 2013)
3. Risk Data and Infrastructure (to be developed)
4. Measurement and Evaluation (in development)
5. Responses (addressed as part of the Governance and Policies Workbook)
6. Scenario Analysis and Stress Testing for Community Banks: A Basic Guide (published, February 2012)

DESCRIPTION OF ERM COMPETENCIES

1. BUSINESS STRATEGY AND RISK COVERAGE

Risk management must function in the context of business strategy and answer the basic question, what is our business strategy and associated risks? Before an institution can articulate its risk appetite, it must first determine its goals and objectives, i.e., its business strategy. The institution must define what it wants to achieve in terms of markets, geographies, segments, products, earnings, and so on. From there, the institution assesses the risk implied in that strategy and determines the level of risk it is willing to assume in executing that strategy. Regardless of a specific business strategy, an institution is exposed to the following risks:

- Credit
- Liquidity
- Strategic/business/reputation
- Market
- Operational
- Compliance/legal/regulatory
- Financial
- Capital adequacy

2. RISK APPETITE

RMA's Risk Appetite Workbook[2] provides a very detailed roadmap for explaining what a risk appetite is and how an institution can develop one. In this workbook, RMA has defined risk appetite as the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns). The concepts of risk appetite and risk tolerance are often used interchangeably, but they have distinct differences in meaning. Risk appetite represents the acceptance of volatility an institution is willing to assume in executing its business strategy. Risk tolerance refers to day-to-day operational limits developed within the context of an organization's stated risk appetite (for example, concentration limits). It is important for management and the board of directors to understand the critical links among strategy, business plans, and risk. A risk appetite statement is one tool that facilitates this linkage. In this context, the risk management function is an integral part of the institution's overall strategies and specific business objectives, and an essential part of the institution's success, returns, and value creation.

3. CULTURE, GOVERNANCE, AND POLICIES

Culture can be described as what people do when they are not being watched. As previously mentioned, culture is the most important aspect of any good ERM competency. RMA's Governance Workbook[3] is devoted to the full description of what a good risk management culture looks like and covers governance and policies as well as providing various examples of board- and management-level governance committees to oversee risk-taking activities. Policies express the risk appetite of the company to the masses. They describe to all stakeholders what the company is willing to do and not to do. The statement of risk appetite is executed through policies (what to do?) and procedures (how to do them?). Simply put, culture, governance, and policies collectively help an institution manage its risk-taking activities.

[2] Published November 2010.
[3] Published November 2013.

4. RISK DATA AND INFRASTRUCTURE

Boards of directors and management accomplish their risk management responsibilities through a deep understanding of the company's risk profile. Risk data and infrastructure refers to how the information is collected, integrated, analyzed, and translated into a cohesive story. This area is probably the most challenging aspect of ERM. Some companies have spent $200 to $300 million without yielding the appropriate business results. Any good risk management infrastructure requires a highly robust management information system. Given its importance, the ERM Council plans to devote an entire workbook to this topic.

5. CONTROL ENVIRONMENT

The internal control environment is one of the most important tools in the management toolbox for the management of risks. Internal controls help reduce the level of inherent risk to a level acceptable to management. The system of internal controls includes culture, governance, policies, preventive and detective controls, and scenario planning. Management relies on internal controls to manage residual risk to an acceptable level. Residual risk is defined as the level of inherent risk reduced by internal controls. Building an effective internal control environment allows management to control what can be controlled.

6. MEASUREMENT AND EVALUATION

At any given time, boards of directors and management must manage a portfolio of risks (from asset quality, liquidity, and interest rate to business continuity, information security, privacy, etc.). The science and art of measurement in ERM is about concluding which risks are significant and which ones are not, and where to invest time, energy, and effort. To accomplish the goal of measurement and evaluation, an institution may adopt anything from a simple color-rating model (green, yellow, and red) to a highly sophisticated risk-adjusted return on capital (RAROC) model, or perhaps a middle-of-the-road failure mode and effects analysis (FMEA) model. Regardless of the method used, measurement and evaluation help boards and management answer the question, so what? The process of measurement and evaluation must include the system of internal controls and must determine how well the risks can be managed. Given the importance and complexity of this subject, an entire workbook will be devoted to this topic in order to help risk management professionals choose the right methodology for their company.

7. SCENARIO PLANNING AND STRESS TESTING

The art of ERM is the ability to answer the question, what can go wrong and, hence, create deviation from expected outcomes? In that pursuit, management must address known, knowable, and unknowable risks. Scenario planning and stress testing are tools that focus on the knowable and, perhaps, some unknowable risks. A robust scenario planning and stress testing discipline is a must from a capital planning perspective. RMA published The Scenario Analysis and Stress Testing Workbook for Community Banks, a workbook dedicated to this subject.[4]

[4] Published February 2012.

SUMMARY

Enterprise Risk Management, essential for any financial institution, encompasses all relevant risks. An ERM framework supports a management competency to manage risks well, comprehensively, and with an understanding of the interrelationship/correlation among various risks. The successful institution incorporates a robust ERM capability as part of its culture by integrating what already exists to create a comprehensive and integrated view of the institution's risk profile in the context of its business strategy.

You can access RMA's Enterprise Risk Management Workbooks on our website at http://www.rmahq.org/workbooks.

5/14/15

ABOUT RMA

Founded in 1914, The Risk Management Association (RMA) is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk management principles in the financial services industry. RMA promotes an enterprise-wide approach to risk management that focuses on credit risk, market risk, and operational risk. Headquartered in Philadelphia, PA, RMA has 2,500 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the Association by 16,000 risk management professionals who are chapter members in financial centers throughout North America, Europe, and Asia/Pacific. Visit RMA on the Web at www.rmahq.org.