ERM GOVERNANCE. Presented by: Eric Holmquist, Managing Director, Enterprise Risk Management. Association of Credit Union Internal Auditors (ACUIA) 24th Annual Conference, June 19, 2014


ERM GOVERNANCE

Presented by:

Eric Holmquist

Managing Director, Enterprise Risk Management

Association of Credit Union

Internal Auditors (ACUIA)

24th Annual Conference

June 19, 2014


Enterprise Risk Management

• Introductions

• What and where is risk management?

• Enterprise Risk Management

• Program governance

• Roles & responsibilities

• Program tools

• Understanding risk profiles

• Other program elements

• Q & A

© 2014 Accume Partners 2


Enterprise Risk Management

The evolution of risk management:

• Insurance / hedging

• Risk avoidance

• Risk identification

• Risk alignment!


Enterprise Risk Management


Risk represents the uncertainty of outcomes in the pursuit of objectives.

Risk Management is the process by which we align risk acceptance.


Enterprise Risk Management

Two themes common to every organization:

• We manage risk in silos

• We don’t know what we don’t know


What ERM is Not

• Not a singular formula for addressing all risks

• Not just a list of risks common to the organization

• Not a “set it and forget it” program

• Not a compliance program

• Not a list of internal controls

• Not a crystal ball into the future

• Not regulatory window dressing

• Not an added layer of bureaucracy

• Not going to stop all bad things from happening

• Not going to uncover every conceivable risk

• Not easy

• Not very useful … if done badly


What is Enterprise Risk Management?

• A method for aligning risk with acceptable tolerance, starting at the point of strategy

• A program that ensures that risk of all types is actively identified, assessed and managed throughout all parts of the organization

• A framework for establishing standards to ensure consistent approaches are used for risk management

• A structure for gathering risk information from throughout the organization and presenting it to the Board and senior management in a format that is informative and actionable

• A culture that accepts that risk must be managed and does so with transparency and accountability


Why Adopt an ERM Program?

• A more complete understanding of risk and controls – in other words, a portfolio view of risk

• Helps preserve capital and shareholder value

• Addresses uncertainty starting with strategy

• Allows for efficient risk alignment with acceptable tolerance

• Provides common language and a structured approach

• Enforces risk awareness and accountability

• Ensures proper pricing for risk

• Addresses risk types holistically rather than in silos

• Regulatory expectation

• Industry best practice


ERM Goals and Objectives

• Building a risk-aware culture that incorporates risk management into day-to-day activities

• Utilizing a clear framework and process for identifying and assessing risk, starting from strategy and throughout execution

• Ensuring a structure for establishing, communicating and enforcing compliance with risk appetite and tolerance

• Creating a process for monitoring key risks and being prepared with suitable response measures

• Providing management with a tool for evaluating new initiatives with a methodology consistent with the ERM view

• Reporting to management and the Board on risk issues


Enterprise Risk Management

Risk Governance


Governance Roles


Organization chart (figure) showing the governance roles: Board of Directors; Supervisory Committee; Audit Director; CEO; CCO, CFO, CLO, HR, etc.; Board Risk Committee; Chief Risk Officer; Compliance Officer; Management Risk Committee.

The questions the figure pairs with these roles: What happened? What could happen? Where are we going? How are we going to get there?


The Context of ERM

Enterprise Risk Management connects all of the pieces.

Figure elements: Risk Appetite & Tolerance Statements; Internal Audit Risk Assessments; Inherent Risks; Internal Controls; Residual Risk; ERM Risk Assessment.


The Context of ERM

Enterprise Risk Management connects all of the pieces.

Figure elements: Inherent Risks; Internal Controls; Residual Risk; Internal Audit; Risk Management.


Enterprise Risk Management

The Tools

• The Strategic Plan

• Risk Appetite and Tolerance Statements

• Oversight (CRO, risk committees)

• Risk policy & program

• Risk assessments

• Risk monitoring

• Incident response

• Risk reporting


The Board of Directors

• Holds management accountable to ERM goals

• Stewards of risk appetite & tolerance

• Must provide credible challenge

• Is training needed? If so, get it.

• Push past credit and interest rate risk

• Ensures program is forward looking

• Sets the correct cultural tone


The Chief Risk Officer

• Independent, report to Board Risk Committee

• Cannot be Internal Audit II

• Help with “know” rather than “no”

• Approver of policy and process, not proposals

• They own the program, not the risk

• Subject matter expertise is extremely critical, but can also be supplemented

• Lives in the grey space between IA and business


Board Risk Committee (BRC)

• Membership: Selected board members

• Chairperson: Selected independent board member, preferably with some risk management experience

• CRO Role: Reports to BRC in order to provide independence from day-to-day operations. The CRO provides reporting and analysis on risk issues to this committee

• Charter: Responsible for overseeing the overall enterprise risk program, approving risk appetite and tolerance levels and monitoring risk levels within the credit union

• Focus: Forward looking view of the enterprise


Board Risk Committee (BRC)

Sample Agenda

• ERM risk reports

• Risk assessment updates

• ERM project task list

• New products

• New initiatives

• Periodic reports

• VM, IT, BCP, Info Sec, compliance, etc.

• Annually: approve the ERM Policy & Program along with the Risk Appetite and Tolerance Statements


Management Risk Committee (MRC)

• Membership: Executive and selected senior management

• Chairperson: Chief Risk Officer

• CRO Role: Coordinating the agenda, directing the ERM program, facilitating the enterprise risk assessment, overseeing the ERM program and its strategic objectives

• Charter: Responsible for overseeing execution of the enterprise-wide risk management program, including strategic initiatives, emerging risk issues and risk oversight

• Focus: Forward looking view of the operation


Management Risk Committee (MRC)

Sample Agenda

• Loss or other major events

• Risk assessment updates

• ERM project task list

• New products and services

• New initiatives

• Other new business

• Periodic reports (VM, IT, BCP, Info Sec, compliance, etc.)

• Report preparation for BRC and BOD


Enterprise Risk Management

Risk Appetite and Tolerance


Enterprise Risk Management

• Effective risk management is about establishing guardrails, not speed bumps

• The two most important guardrails are:

  • The Strategic Plan

  • Risk Appetite Statements

• Everything else should exist in the middle

• The “make or break” factors:

  • Clarity

  • Consensus

  • Communication


Risk Appetite And Tolerance

• One of the most important risk management tools we have right now.

• Should provide context for everything the credit union does, from strategy to operations.

• The process of coming to agreed upon statements forces you to address issues about culture, ethics, tolerance and capacity.

• Risk management is about so much more than the “life ending events.” It’s all the other stuff that is actually harder to manage.


Establishing Risk Tolerance


Enterprise Risk Management

Risk Assessment, Monitoring and Reporting


Assessing Risk


Risk Analysis

• Enterprise risk assessment should include information on:

  • The business model (macro-level risks)

  • Operations (process-level risks)

  • Risk monitoring and analysis (risk trends)

• Risk-specific assessments, where applicable, continue to support these assessments

• The context for all risk assessments is your risk appetite and tolerance statements & metrics


Enterprise Risk Management

• Questions:

  • Do you know what your risks really are?

  • Can you connect the dots from risk appetite to strategy to operations?

  • Can you connect the dots from corporate strategy to IT strategy?

  • Do you have the right level of controls to align?

  • Is there a culture of risk awareness, transparency and accountability?


Risk Types

• Typical risk types include: credit, interest rate, liquidity, operational, compliance, strategic, price/market & reputation, but can include many other types of risk.

• Risk types tell us more about the scope and nature of risk, but very little about how to manage it

• They are all a type of lens, but only looking through one lens can give a distorted view

• All risk is a function of processes, and that is how we must manage it


Managing Change

• The seeds of risk are sown in change

• Risk management is largely change management

• For any strategic or operational change:

  • What is the benefit?

  • What is the cost?

  • What is the risk?

• Reporting should also contain a summary of lessons learned from completed change initiatives


Risk Monitoring

• KRIs (key risk indicators, or equivalent) are one of the most important tools a risk manager has – they are specifically designed to monitor the moving parts

• What is being monitored? How? And why?

• What key risk indicators are in place, and why?

• Any report of “what happened” should generally include “how do we feel about it?”

• The context for all risk monitoring is your risk appetite and tolerance statements & metrics


Risk Response

• Understanding how management will respond to unexpected events is one of the most important risk management tools you have

• Response happens at three levels:

  • Operational (departmental)

  • Limited scope (incident response)

  • Broad scope (BCP/DR)


Summary

• Risk management is about aligning risk with acceptable risk tolerance levels

• Enterprise risk management is a structure for managing risks across the entire credit union on an integrated basis

• Use risk types, but manage risk holistically

• Create risk ownership and accountability

• Focus is on the purpose and presence of controls

• In every way, make it a part of the organizational fabric


QUESTIONS?


Presented by:

Eric Holmquist

Managing Director, Enterprise Risk Management


For more information please contact:

Eric Holmquist

Managing Director, Enterprise Risk Management

341 New Albany Road

Moorestown, New Jersey 08057

Mobile Phone: 215.817.2107

[email protected]
