The Business Case for Enterprise Risk Management
TRANSCRIPT
BANK MANAGEMENT
The Business Case for Enterprise Risk Management
American Bankers Association
October 7, 2007
San Diego, CA
Mark S. Beasley, Deloitte Professor of Enterprise Risk Management, North Carolina State University
Melodye Mayes Tomlin, Senior Vice President & Enterprise Risk Management Coordinator, Branch Banking & Trust Company
Today’s Objectives
1. Determining the Strategic Focus for Enterprise Risk Management (ERM)
2. Identifying First Steps of ERM Launch
3. Achieving the ERM Value Proposition
Huge Governance Challenge: Risks are Complex and Increasing
Competitive Marketplace
Globalization
Legal requirements
Short Product Cycles
Explosion of Technology
Complex Business Transactions
Risk Characteristics… Make Risk Management Difficult
Risks are…
• Known
• Unknown, but knowable
• Unknown, unknown
Despite that… Expectations for Management:
1. Shift more to the “known” status
2. Have a plan for unknown, unknown
Emerging Risks in Financial Services
• ALLL – accounting vs. regulatory expectation
• Stock options and insider trading
• Credit card practices
• Change in legislative environment
• Pandemic planning
• Payment strategies
• Sub-prime lending and Alt A
• Tax strategies
Expectations for Oversight of Risk Management on the Rise
• NYSE Listing Standards: The audit committee has the duty and responsibility to “discuss policies with respect to risk assessment and risk management.”
• Rating agencies now focusing on ERM practices: Standard & Poor’s, Moody’s, Fitch
• SEC requirements to consider risk factor disclosures
• Federal Sentencing Guidelines
• Regulatory Expectations
• Interpretations of Delaware case law
Additionally for Banks… Basel II
ERM Evolution at BB&T
• Enterprise risk management is not a new function (but it is a new department).
• The proposed changes in Basel prompted us to evaluate our risk management structure.
• BB&T’s growth was largely through acquisitions ($10 billion in 1995 to $127 billion today).
• Expectations from the banking regulators changed as the organization became more complex.
• The development and communication of a corporate risk management policy clearly defines our approach.
• Annual reporting to the Boards of Directors began in August 2004 and ongoing reporting to the Risk Management and Executive Committee began in December 2005.
Many Organizations Still Use a Traditional Risk Management Approach…
Strategic Market Risks
Operations Risks
Finance Risks
IT Risks
Legal Risks
Reputation Risks
Human Capital Risks
“Silo” or “Stove-Pipe” Risk Management…
…But are Seeking to Move Up the Risk Management Continuum
Reactive
- Lack of Board or senior management emphasis on risk
- No common risk lingo
- Stove-pipe risk management
- Ad hoc approach
- Missing coverage of risk areas
Aware
- Some board and senior management support
- Risk leader identified
- Periodic risk profiling
- Key risks defined in common vocabulary
- Recognized need for ERM
Strategic
- Proactive board and senior management involvement
- Risk managed and assessed across entire organization
- Common language and approach used and understood
- Real-time analysis of risk portfolio
*Most companies straddle these two stages*
Risk Management Direction – Other Banks*
*Source: Global Risk Management Survey; 5th Edition – Deloitte & Touche LLP - 2007
Key Findings from Respondents:
• 70% - Oversight responsibility w/BOD (57% in 2002)
• 84% - A Chief Risk Officer is in place (65% in 2002)
• 80% - Believe RM is extremely or very effective for credit/market risk (47% for business continuity/IT security, 43% operational/vendor risk and 35% for geopolitical risk)
• 35% - ERM program is in place (32% in process / 18% planning)
• 75% - ERM program’s value exceeded cost (only 4% quantify)
“Most institutions have an unfinished agenda when it comes to developing sophisticated risk management capabilities.”
Today’s Objectives
1. Determining the Strategic Focus for Enterprise Risk Management (ERM)
2. Identifying First Steps of ERM Launch
3. Achieving the ERM Value Proposition
Many are Embracing an “Enterprise Risk Management” Approach to Oversight
ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
-Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) *
* See www.coso.org for more information
ERM Brings Risks Together
Value Creation and Preservation
Enterprise Focus on Risks
Key Message: Senior Management is facilitating the aggregation and interactions of those risk exposures
Strategic Market Risks
Operations Risks
Finance Risks
IT Risks
Legal Risks
Reputation Risks
Human Capital Risks
The Role of ERM (today) Within BB&T is…
• Monitoring emerging risks,
• Reviewing cross-functional risk policies,
• Working with management to identify previously undetected cross-functional risks, and
• Developing enterprise-wide risk management processes.
Also included are independent oversight functions regarding operational, market, and credit risks, with no transfer of the ownership of risk. In total, the ERM Department skill sets have been selectively combined in order to provide subject matter experts that can enhance Executive Management’s oversight of traditional risk management practices.
Today’s Objectives
1. Determining the Strategic Focus for Enterprise Risk Management (ERM)
2. Identifying First Steps of ERM Launch
3. Achieving the ERM Value Proposition
Defining Key Initial Steps
Step 1: Assess ERM Culture
Recognizing Realities of Culture and ERM
• Embrace of ERM can threaten “organizational culture”
  - Fear of exposing vulnerabilities – desire to hide risks
  - ERM – another fad?
  - Correlations and aggregations of risks – easy in concept, hard in reality
  - Pressure to go from “0 to 60” overnight
  - Inadequate risk information systems for tracking and reporting risks
  - Resistance is rational
  - Change is disruptive – it will get worse before it gets better
• Top-down approach is critical
ERM Deployment requires “evolution” – not a flip of the switch
Integrating ERM with the Culture
• ERM had the support of Executive Management
• Understanding the BB&T culture was a priority
• Education of ERM possibilities was important
• ERM developed into a collaborative initiative
• Early on ERM focused on the ‘value’; the structure followed
• ERM filled identified ‘gaps’
• ERM has evolved at its own pace
Defining Key Initial Steps
Step 1: Assess ERM Culture
Step 2: Identify Core People
Creating an ERM Culture of Accountability
• CEO viewed as ultimately responsible for ERM
  - Practically difficult for CEO to lead detailed risk management effort
• Most CEOs are delegating to a “Risk Champion” to facilitate risk approaches
• Some pinpoint a C-level executive to lead
  - Rise of Chief Risk Officers
  - Others assign dual titles to other officers
    – General Counsel, VP Internal Audit, VP of Strategy
• Others create an Executive Committee
  - Executive Management Committees
  - Separate Risk Committees
BB&T ERM Committee Structure
BB&T Board of Directors
Executive Management
Committees: Loan Policy Committee; ORM Committee; Compliance Oversight Committee; Market Risk & Liquidity Committee; ERM Committee
Risk categories: Strategic Risk; Credit Risk; Operational Risk; Compliance Risk; Liquidity Risk; Reputation Risk; Legal Risk; Market Risk
All Employees
BB&T ERM Department Organization
Enterprise Risk Manager
- Corporate Business Recovery
- ERM-Credit Risk Review
- Corporate Bank Investigations
- Operational Risk Management
- ERM-Market Risk
- Amendment
- ERM Operations
Defining Key Initial Steps
Step 1: Assess ERM Culture
Step 2: Identify Core People
Step 3: Identify Key Risk Categories
ERM Brings Risks Together
Key Message: Helpful to have some “buckets” for categorizing risks
Value Creation and Preservation
Enterprise Focus on Risks
Strategic Market Risks
Operations Risks
Finance Risks
IT Risks
Legal Risks
Reputation Risks
Human Capital Risks
ERM
Standard & Poor’s Example of Risk Categories
Category: Credit
Definition: Risks that arise from a borrower’s or counterparties’ inability or unwillingness to repay their financial obligations as agreed. Components of credit risk can include collateral, market conditions, concentration, cash flow, credit ratings, portfolio and product issues. Credit risk extends beyond traditional lending and includes both on and off balance sheet commitments.
Examples:
• Loan Default (failure to meet the terms of the obligation)
• Loan Losses and non-performing assets
• Electronic Payments (ACH, Wire Transfers, and On-line Banking)
• Overdrafts and return items
• Investment securities
• Controlled disbursement accounts
• Sub-prime lending
• Off balance sheet (i.e. derivatives and letters of credit)
• Official checks (issued for clients)

Category: Legal/Compliance
Definition: Risks that arise from violations or nonconformance with laws, rules and regulations (federal, state or local), or prescribed practices which govern BB&T’s business activities. It encompasses all laws as well as prudent governance and ethical standards and contractual obligations and includes the exposure to litigation from all types of financial services activities, both bank and non-bank. Legal/compliance risk also arises in situations where the laws, regulations or rules governing certain products or services we offer or activities of our clients may be ambiguous or untested. These risks could expose BB&T to fines, damages, civil penalties or prosecution.
Examples:
• Federal Reserve Bank, Federal Deposit Insurance Corporation and state banking regulations
• Securities & Exchange Commission, New York Stock Exchange and National Association of Securities Dealers regulations and rules
• Major US banking laws (including but not limited to the Bank Secrecy Act, Fair Credit Reporting Act, Real Estate Settlement Procedures Act, Privacy Act, Financial Institution Reform, Recovery and Enforcement Act, Federal Deposit Insurance Corporation Improvement Act, Gramm-Leach-Bliley Act, USA PATRIOT Act, Sarbanes-Oxley Act, and Check 21)
• Contract negotiations and disputes
• Litigation and administrative proceedings
• Fiduciary responsibilities
• Generally Accepted Accounting Principles

Category: Liquidity
Definition: Risks that arise in meeting our commitments when they come due because of the inability to liquidate assets or obtain adequate funding or the inability to offset specific exposures due to inadequate market depth or market disruptions without incurring unacceptable consequences. Factors which should be considered include regulatory requirements, accounting treatment, market conditions and potential losses.
Examples:
• Incorrect matching of assets and liabilities
• Daylight overdrafts
• Significant or unplanned loan growth
• Over reliance on brokered deposits or run on deposits
• Concentration ratios (i.e. public funds, clients, etc.)
• Inability to make settlement payment
• Funding limitations (investment portfolio, commercial paper)
Category: Market
Definition: Risks that arise from changes in the value of the portfolios of financial instruments due to adverse movement in market rates or prices. Factors which should be considered include interest/exchange rate sensitive activities, accounting treatment, market conditions and potential losses.
Examples:
• Portfolio (i.e. investment concentrations, durations, correlations)
• Trading account or inventory risk
• Hedge effectiveness (improper or lack of hedging)
• Interest rate sensitive activities (i.e. BOLI, MSRs, value based fees)
• Modeling errors (i.e. assumptions, values)
• Foreign exchange rates (foreign letters of credit, forward contract)

Category: Operational
Definition: The risk of loss associated with inadequate or failed internal processes, people, systems or external events.
Examples:
• Internal Processes (i.e. financial reporting misstatements, inadequate reconcilements, errors and omissions, missing/incomplete documentation, improper safeguarding of assets, inadequate internal controls, failed processor settlement, improper markups)
• People (i.e. embezzlement and asset misappropriation, authorization/approval limits, keying/input error, management override, unethical acts (real or perceived))
• Systems (i.e. IT systems failure, inappropriate information security access)
• External Events (i.e. external fraud (real or perceived), legal liability, outsourcing, check kiting, counterfeit transactions, natural disasters)

Category: Reputation
Definition: Risks that arise due to negative publicity or public opinion (either real or perceived) that may adversely impact the BB&T brand image. Reputation risk can impact our clients, employees, communities or shareholders and is often a secondary result of one of the other six risk categories.
Examples:
• Corporate scandals (i.e. accounting irregularities, governance)
• Industry related risk (i.e. insurance, mutual funds)
• Inherent nature of business (i.e. payday lending, embassy accounts)
• Third party relationships (i.e. clients, service providers)
• Employee morale (i.e. layoffs, corporate change)
• Employee activities (i.e. e-mails, rogue trading)
• Regulations (i.e. fines, violations, untested regulations)
• Litigation
• Client Service (i.e. system availability, processing errors)

Category: Strategic
Definition: Risk that our business strategy and objectives (i.e. the Corporate Plan) do not allow BB&T to achieve our Vision, Mission and Purpose. The responsibility for managing this risk rests with the Board of Directors, Executive Management and the Senior Leadership Team. Any inability to execute the corporate plan generally is a result of one of the other six risk categories.
Examples:
• Integrated Relationship Management
• Decathlon
• Client Service Model
• Financial goals
• IT plans (i.e. outsourcing, hardware and software solutions)
• Business, product, delivery channel or geographic directions
• Succession Plan
• Organizational Structure
• Community Banking Model
Defining Key Initial Steps
Step 1: Assess ERM Culture
Step 2: Identify Core People
Step 3: Identify Key Risk Categories
Step 4: Agree on Common Risk Definitions
Clarification of Terminology is Key
• “Risk” is in the eye of the beholder
  - Risk averse and risk seekers both claim they manage “risk”
• Need to determine – is “risk” all bad?
  - Each entity needs to set some basic definition of key terms
  - Early steps can be merely a conversation
• COSO Definitions
  - Risk – possibility that an event will occur and adversely affect the achievement of objectives
  - Opportunities – possibility that an event will occur and positively affect the achievement of objectives
  - Risk appetite – the amount of risk, on a broad level, an entity is willing to accept in the pursuit of value
  - Risk tolerance – acceptable levels of variation relative to the achievement of objectives
• Over time – may lead to more formalization
Common Risk Language (Term: Definition)
ACH Risk: The credit and/or operational risks inherent in the Automated Clearing House (ACH) Network. The ACH network is a processing and delivery system that enables the distribution and settlement of electronic batch transactions between financial institutions.
Application Controls: Programmed procedures in application software, and related manual procedures, designed to help ensure the completeness and accuracy of information processing.
Automated Controls: Internal controls which are built into computer systems and/or programs.
Basis Risk: The risk associated with changing rate relationships among different yield curves and products affecting bank activities.
Convexity: The rate of change of the price/yield of a particular security relative to a general yield curve movement.
Correlation: Statistical measure of the degree to which the movements of two variables are related.
Credit Loss: The loss which results from a credit risk or the failure of lending personnel to properly execute a transaction.
Credit Operational Loss: A loss in the lending portfolio which results from an operational risk.
Credit Risk: Risks that arise from a borrower’s or counterparties’ inability or unwillingness to repay their financial obligations as agreed. Components of credit risk can include collateral, market conditions, concentration, cash flow, credit ratings, portfolio and product issues. Credit risk extends beyond traditional lending and includes both on and off balance sheet commitments.
Common Risk Language: The foundation for the discussion of risks across the BB&T organization; consists of seven risk categories and their associated definitions, relevant examples and a risk and control dictionary.
Control Activities: The policies and procedures, direct or through application of technology, to help ensure that management’s risk responses are carried out.
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.
Corporate Governance: The framework by which the board of directors and senior management establishes and pursues objectives while providing effective separation of ownership and control. It includes processes within the organization that ensure the reliability of the system of controls to monitor compliance with adopted strategies and risk tolerance.
Management Override: Management's overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an enhanced presentation of an entity's financial condition or compliance status (contrast this term with Management Intervention).
Manual Controls: Controls performed manually, not by a computer.
Market Liquidity Risk: The potential that an institution cannot easily unwind or offset specific exposures without significantly lowering market prices because of inadequate market depth or market disruptions.
Market Risk: Risks that arise from changes in the value of the portfolios of financial instruments due to adverse movement in market rates or prices. Factors that should be considered include interest/exchange rate sensitive activities, accounting treatment, market conditions and potential losses.
Material Weakness: A significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
Minimum Regulatory Capital: The minimum amount of capital imposed by the regulator.
Operational Incident: One of three types of operational risk events (issue, incident, loss). The identification of circumstances, if left unattended, may lead to a future incident and/or loss.
Operational Issue: One of three types of operational risk events (issue, incident, loss). The occurrence of circumstances that resulted in no loss. It may or may not lead to a future loss.
Operational Loss: One of three types of operational risk events (issue, incident, loss). The occurrence of circumstances that resulted in a loss.
Operational Risk: The risk of loss associated with inadequate or failed internal processes, people, systems or external events.
Operational Risk Event: An operational event that may or may not lead to a loss.
Opportunity: The possibility that an event will occur and positively affect the achievement of objectives.
Options Risk: The risk associated with interest-related options embedded in financial products.
Outsourcing: The use of an independent contractor to provide services that would otherwise be performed by employees.
Potential Loss: The estimated loss that could occur based on current information and events.
Preventive Control: The processes and risk management strategies that deter an error or exception from occurring.
Probable Loss: The estimated loss that will likely occur based on current information and events.
Probability of Default (PD): The likelihood that a debt instrument will default within a stated timeframe.
Defining Key Initial Steps
Step 1: Assess ERM Culture
Step 2: Identify Core People
Step 3: Identify Key Risk Categories
Step 4: Agree on Common Risk Definitions
Step 5: Begin Building Risk Inventory
Often Start by Building Business Risk Inventory
EXTERNAL RISKS
• Capital Availability • Competitor • Customer Needs • Disease • Economy • Financial Markets • Industry • Legal • Natural Hazard/Catastrophe • Regulatory • Shareholder Relations • Sovereign/Political • Technological Innovation • Terrorism
INDUSTRY-SPECIFIC RISKS
INTERNAL RISKS
Strategic
• Brand/Reputation • Business Model • Business Portfolio • Delivery Channels • Intellectual Property • Marketplace • Organization Structure • Planning • Product Life Cycle • Resource Allocation • Social Responsibility
Operational
Process: • Alignment • Business Interruption • Capacity • Change Response • Compliance • Contract Commitment • Customer Satisfaction • Cycle Time • Efficiency • Environmental • Health & Safety • Knowledge Management • Measurement • Partnering • Performance Gap • Physical Security • Product Development • Product Liability • Product/Service Failure • Product/Service Pricing • Relationship Mgmt • Strategy Implementation • Sourcing • Supply Chain • Transaction Processing
Human Capital: • Accountability • Change Readiness • Communications • Competencies/Skills • Empowerment • Hiring/Retention • Leadership • Outsourcing • Performance Incentives • Succession Planning • Training/Development
Integrity: • Conflict of Interest • Employee Fraud • Ethical Decision Making • Illegal Acts • Management Fraud • Third-Party Fraud • Unauthorized Acts
Technology: • Access • Availability • Capacity • Data Integrity • e-Commerce • Infrastructure • Relevance • Reliability
Management Information: • Accounting Information • Budgeting & Forecasting • Completeness/Accuracy • Investment Evaluation • Pension Fund • Regulatory Reporting • Taxation • Sarbanes Oxley
Financial
• Cash Flow • Collateral • Commodities • Concentration • Counterparty • Credit • Default • Equity • Financial Instruments • Foreign Exchange • Interest Rate • Liquidity • Modeling • Opportunity Cost
Risk & Control Self-Assessment Process
Phases: Library Management; Assessment Definition; Risk Assignment; Assessment; Issue; Action Plan; Assessment, Issue & Action Plan Approval
Roles: Process Owner; ERM Facilitator; LOB Owner; Process Assessor
Activities:
• Create & Maintain LOB Information
• Create and Distribute Assessment
• Assign Risk Categories
• Review and Approve Assessment and Issue(s) (if identified)
• Approve Action Plan
• Complete Risk & Control Assessments
• Identify and Define Issues
• Accept Risk (Issue closed)
• Identify and Define Action Plans
• Edit/Close Action Plans
• Participate with Process Assessor in Completion of Risk & Control Assessments
ERM Objective
Portfolio of Risks
Stakeholder Risk Appetite
Some Express in Relation to a Heat Map
[Heat map figure: axes are Probability of Occurrence (scale 1, 3, 5, 8, 10) and Impact of Occurrence]
Today’s Objectives
1. Determining the Strategic Focus for Enterprise Risk Management (ERM)
2. Identifying First Steps of ERM Launch
3. Achieving the ERM Value Proposition
Business Case for ERM
1. Better information about risks
  - All entities face risks and risks constantly change – a huge information need
2. Opportunities to take risk
  - Some risks create opportunities for returns
  - Other risks are over-managed
3. Partnering on risk responses
  - Capture efficiencies of coordinated risk responses
4. Consistency in approach
  - Work off same “score sheet”
  - Avoid offsetting risk “gains” with inefficient risk management
5. Strategic advantage
  - Not all strategies bear same level of risks
  - Ensure return is commensurate with risk
  - Risk intelligence leads to competitive advantage – beat competition in response
Have to Help Connect ERM Activities to Value
Increased Shareholder Value
- Increase in Revenues
- Decrease in Overall Costs
Regulators / Congress / Management
ERM Activities:
• Increased productivity
• Continuity of operations
• Better work environment
• Enhanced reputation
• Partnering on risk solutions
• Better resource allocation
• Response to risks in early stage
• Compliance with regulations
• Decrease cost of capital
The ‘Value-add’ Proposition
• Qualitative vs. quantitative
• Cross-functional risk discussions
• Identification of gaps in ‘risk ownership’
• Common risk language
• Consolidated issues tracking (audit, compliance, regulatory, SOX)
• Consistent review of risk related policies
• Coordinated risk discussion related to new product/initiatives
• Integrated risk assessments
• Regulatory coordination
Company Perspective:
“I think the point to risk management is not to try and operate your business in a risk-free environment. It’s to tip the scale to your advantage. So it becomes strategic rather than just defensive.”
– Peter Cox, CFO, United Grain Growers Ltd.
NC State’s ERM Initiative
Web Site Resources
Summaries and links to ERM resources:
- ERM conceptual frameworks
- Business press articles
- Books
- Best practice documents
- Conferences and other programs
www.erm.ncsu.edu