4 core capabilities for building strong risk governance

Upload: colleen-beck-domanico

Post on 06-Aug-2015

Category: Business


TRANSCRIPT

Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending

JOIN. ENGAGE. LEAD.

4 CORE CAPABILITIES FOR BUILDING STRONG RISK GOVERNANCE

Effectively manage risk-taking activities

CORE CAPABILITIES FOR STRONG RISK GOVERNANCE

• Culture
• Structure
• Policies and procedures
• Internal control environment

CULTURE

A strong risk management culture accomplishes two organizational objectives.

CULTURE: ORGANIZATIONAL OBJECTIVES

1. It helps the company make well-informed decisions.

A company with a strong risk management culture promotes, encourages, and rewards behaviors that avoid herd mentality, confirmation bias, or groupthink.

CULTURE: ORGANIZATIONAL OBJECTIVES (CONT.)

2. It helps the company identify rogue individuals and/or groups.

It is said that 99.9% of people show up to work every day intending to do the right thing.

But sometimes individuals or groups are more interested in their own personal gains than in doing what is right.

In such cases, a strong governance and risk management culture identifies those individuals and purges them.

CULTURE: ORGANIZATIONAL OBJECTIVES (CONT.)

Set company values

• Senior management comes to a consensus on what the company values are.
• And they live those values every day without exception.

Set the tone

• Senior and executive management set the tone by what they say and do.

Articulate

• The board and senior management develop clearly articulated statements about risk appetite and tolerance that spell out, unequivocally, the company’s philosophy on risk acceptance.

STRUCTURE

Although there are various models, there is no right governance structure.

Each institution must determine which structure is best suited for its organization, i.e., one that will support information flow, escalation, decision making, and accountability.

TYPICAL GOVERNANCE STRUCTURE

• Board of directors
• Board’s risk committees
• Chief risk officer
• Management committees

POLICIES AND PROCEDURES

Policies communicate the company’s risk appetite to all stakeholders.

They describe what the company is willing to do and not willing to do.

POLICIES AND PROCEDURES (CONT.)

The statement of risk appetite is operationalized through policies (“What should we do?”) and procedures (“How should we do it?”).

POLICIES AND PROCEDURES (CONT.)

Policies should be brief (no more than two or three pages) and should express the following:

Policy

• Overview: What is it intended to accomplish?
• Authority: Who is accountable for implementing policy?
• Implementation: How will the policy be implemented?
• Exceptions: How should exceptions be handled?

INTERNAL CONTROL ENVIRONMENT

Internal control is frequently defined as the systems, processes, and policies that enable an organization to meet its strategic goals.

INTERNAL CONTROL ENVIRONMENT (CONT.)

An internal control framework exists to align the amount of risk assumed by the company with its accepted risk appetite and risk tolerance. However, it’s not as simple as it sounds.

INTERNAL CONTROL ENVIRONMENT (CONT.)

A good internal control environment is critical to ensuring sound operations and achieving the risk management goal of “no surprises.”

INTERNAL CONTROL ENVIRONMENT (CONT.)

A truly effective and efficient internal control structure requires taking a deliberate and fundamental approach to the design, execution, and monitoring of the controls, rather than just creating them to address perceived outcomes.

8 BENEFITS OF STRONG RISK GOVERNANCE

Strong governance helps to ensure that:

1. The risk appetite is appropriate for your institution’s business model, strategy, and execution.
2. The expected risks are commensurate with the expected rewards.
3. Management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate for the company’s business model and strategy.
4. The risk management system informs the board of the major risks facing the company and how they are being managed.

8 BENEFITS OF STRONG RISK GOVERNANCE (CONT.)

5. An appropriate culture of risk awareness exists throughout your organization.
6. There is recognition that management of risk is essential to the successful execution of your company’s strategy.
7. A well-developed capital plan is in place to support the established risk appetite and strategic plan.
8. A stress-testing program is in place to help determine sufficient capital availability based on your bank’s strategic plan and risk appetite.

RMA’s Governance and Policies Workbook further examines the core capabilities required for a strong risk governance culture, structure, policies and procedures, and internal control environment.

The workbook provides detailed examples of governance structures, risk committee charters, and risk dashboard in its appendix.

LEARN MORE

ENTERPRISE RISK MANAGEMENT WORKBOOKS

To help you develop your ERM framework, RMA offers a series of highly practical workbooks:

1. Risk Appetite Workbook, November 2010.
2. Scenario Analysis and Stress Testing for Community Banks, February 2012.
3. Governance and Policies Workbook (includes “Response”), November 2013.
4. Risk Measurement and Evaluation (in development).
5. Risk Data and Infrastructure (to be developed).

RMA members may download the workbooks for $0 (free!).

Not a member? Join today.

SHARE THIS PRESENTATION

Visit http://www.rmahq.org for information on risk management

Visit our blog at http://rmablog.rmahq.org/

RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.

RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.

Become a member today.