2008 Annual Meeting ● Assemblée annuelle 2008, Québec

Canadian Institute of Actuaries ● L’Institut canadien des actuaires

Upload: asher-rogers

Post on 26-Dec-2015


Agenda

1. Risk Management Overview

2. Major Financial Institution Case Study

3. Best Practices for a Risk Assessment

4. Perform Risk Assessment with CIA

The iceberg of risk

The Value Killers

Deloitte identified the following in its research The Value Killers (2005):

– Almost 50% of global 1000 companies lost 20% or more in share price in less than a month during the past 10 years — some never recovered.

– 80% of losses were due to interaction of multiple risks.

– Most major losses were the result of a series of high-impact but low-likelihood events.

– Almost all organizations have risk management located in specialist silos.

Case Study of a Successful Risk Assessment

TD Bank Financial Group

The Situation – A Top Down Approach

These are the risks in achieving the corporate strategy, now what controls are in place or need to be put into place?

[Diagram labels: Corporate Strategy; Segment Strategy; Business Unit-Level Strategy; Objectives to fulfill strategy; Entity Level Risks]

Strategic Risks

Credit Risks

Market Risks

Insurance Risk

Liquidity Risks

Regulatory/Legal Risk

Operational Risk

Reputation Risk

The Challenge

The Risk Committee at TD Bank Financial Group was tasked with the responsibility to satisfy itself that sound policies, procedures, and practices were implemented for the management of key risks.

The challenge facing TD Bank Financial Group was how to effectively and efficiently complete the risk assessment with the following factors involved:

• 60 RCSA workshops annually

• Average of 10 attendees per session

• Geographically separated: Canada, US, UK

The Solution

Step 1:

Conduct risk assessment sessions with participants in the same location using Resolver*Ballot:

• Allowing TD Bank Financial Group to consider a set of risks with associated controls in a collaborative manner, and then to generate consensus on key areas of risk or control deficiency.

• Respondents were given a wireless, hand-held, numeric keypad and results were presented immediately in sophisticated, real-time graphs and charts.

• Compared to the previous method, this process allowed more meaningful discussion, faster report generation, and greater consensus on the results.

The Solution

Step 2:

Introduced Resolver*Net, an online version of the risk assessment for groups that could not be in one location at the same time, which:

• Allowed TD Bank Financial Group to gather input from a larger constituency

• Saved time: fewer attendees were needed, and the workshops themselves were reduced in length from 3 hours to 1 hour because participants did the surveys from their desks.

• Allowed participants to submit written comments, providing risk owners with a more comprehensive understanding of the impact and likelihood of risks occurring.

• Gave flexibility for external stakeholders, with the same scales and comparable data

The Results

• Business unit- and Segment-level understanding of their risks

• Consensus around ‘high’ risks, weaknesses in control environment and what actions are needed (internal control culture)

• Risk assessment results are used to analyze risks across the Business Units, Segments and the Bank -> can help with resource allocation

• “No surprise” environment

• Improved financial performance as we move from a reactive to a proactive management of risks -> risks feed into Key Risk Indicators (KRIs)

5 Best Practices for Designing and Conducting a Risk Assessment

1. Define Your Risk Assessment Goals

Are your risks and controls commonly named across your organization in order to integrate results with other divisions or look for efficiencies in assessment or mitigation?

Do you have responses from the most informed people?

Do you have responses from enough people to have an accurate view?

How quickly are you able to execute the assessment from launch to reports?

Are you involving a smaller team or many people across the organization?

Also, are your participants at one level (e.g. management) or across many levels?

Will your risk assessment focus on one area (e.g. fraud), or combine several (Operational, Strategic, Compliance…)?

2. Determine the scope

What is your goal in gathering risk assessment data:

– To look closely at one area or across the organization?

– To understand one risk area in detail (e.g. fraud) or examine many areas of risk?

[Figure: grid with axis labels “Depth of risks assessed” and “Reach across organization”, scale labels “Focused” and “Broad”. Cell examples: many risk categories, 1 location; 1 risk category, all locations; 1 risk category, 1 location; many risk categories, all locations.]

2 strategies for including many risk categories:

1. All participants review all risks and can “opt-out” of assessing those they are not familiar with

2. Specific participants are asked to assess specific risks (pre-selected for them)

Strategic Risks

Credit Risks

Market Risks

Insurance Risk

Liquidity Risks

Regulatory/Legal Risk

Operational Risk

Reputation Risk

3. Choose the appropriate forum for the Risk Assessment

a) Individual risk owner evaluates risk in GRC application; combined results roll up into a risk dashboard

b) Risk & Control Self Assessment Workshop. Team of 5-25 people assess risks and average is calculated (same time/place)

c) Risk & Control Self Assessment Online Survey. Unlimited participants across the organization assess risks and average is calculated in aggregate or down to location (different time/place)

4. Clarify Your Likelihood & Impact Criteria

LIKELIHOOD: If you are scoring residual likelihood (considering all controls currently in place), it is critical that participants understand the controls that ARE and ARE NOT in place.

Risk 1: Control 1.1, Control 1.2, Control 1.3

Risk 2: Control 2.1, Control 2.2, Control 2.3

IMPACT: Clarify ALL impact metrics. Consider building an Impact Matrix. Write the definition for each intersection.

5. Create a Productive Workshop Environment

a) Responses should be anonymous – reported in aggregate

b) Reduce the influence of the “Loudest voice” in the room

The use of voting software with wireless keypads is an effective technique.

Participants enter their scores and the anonymous results are shown at the front of the room.

You “see what they are thinking”

c) Show levels of agreement around risk scores, discuss those where agreement is low and re-score

[Chart legend: “Represents low level of agreement”; “Represents high level of agreement”]

d) Share results with RCSA participants