Post on 19-Dec-2015
Operational Risk---Managing and Measuring
The Chief Risk Officer
July 2002
Mcharron@deloitte.com
860.543.7337
Deloitte & Touche 2
Introduction
To better understand the evolution of risk management and the development of the Chief Risk Officer function
To share our Point of View on emerging trends in Risk Management and the Risk Intelligent Organization
A large number of companies in search of similar ideas and solutions
Share what we are hearing and incorporate our thoughts to validate or enhance direction that the financial services industry is pursuing
CAS definition of ERM
The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders
Why is integration required?
• Risks are often interrelated but are being managed as single impact events.
• Organizational complexity and ineffective communication processes result in an incomplete or incorrect understanding of risks actually faced.
• Varying levels of risk appetites exist across an organization – Are managers taking on risk levels consistent with the expectations of executives? How much risk does the organization have the capacity to take on?
• Opportunities to offset unrelated risks within the organization are not taken advantage of.
• Lack of learning from common risk management practices and experiences.
What is Enterprise Risk Management?
A systematic and disciplined way to:
Identify, assess and prioritize the major risks associated with the organization’s key values and corporate goals
Gather risk intelligence about current operations and future growth opportunities within and across the extended enterprise
Install a risk infrastructure that is appropriate to the enterprise and the volatility of its business
Integrate risk intelligence into decision-making across the organization
Identify inter-dependencies and correlations across risks and specializations
Establish early warning and rapid response systems
Provide assurance that key risks and exposures are understood, appropriately mitigated and cost-effectively controlled
Common Needs
Organizations today are challenged with a set of common needs as well as those unique to their organization.
All organizations must manage risk whether or not they choose to do so systematically
Chaotic environment / post Sept 11
Risk and risk management are “top of mind” for everyone
Board does not know what to expect from senior management re: risk management
Need “Risk Intelligence” for better decision-making and governance
Risk exposures increase as interconnectedness and interdependencies increase
Organizations need to be able to understand interrelatedness, correlations and domino effects of risks
Increasing scrutiny from key stakeholders
A new approach is required because of weaknesses in traditional approaches – need to protect profitability from existing operations (Assets in Place) as well as grow future opportunities
Common Questions
CEO: What unforeseen events might disrupt our strategy?
CFO: What risks could materially impact our financial results?
How much capital do I need?
Board/Audit
How are we managing business risks?
How are we assured they are being managed appropriately?
What are the results? What assurance do we have?
General Counsel: What could we do to further minimize our legal liabilities?
Chief Actuary: How much risk am I allowed to take?
What is our corporate risk appetite?
Chief Underwriter: How much aggregation risk am I exposed to?
Does the current risk management strategy adequately capture the key risks?
Rating Agencies
How well does senior management understand risk?
How great is management’s risk awareness?
What is their ability to manage risks as they emerge?
Why Do It?
No big mistakes
• Avoid unrewarded risks
• Establish a common understanding and language of risk across business units
No big surprises
• Establish safeguards against earnings-related surprises
• Prevent / rapidly respond to potential catastrophic failures
No big missed opportunities
• Ensure strategic and tactical risks are both rewarded and appropriately mitigated
• Maximize chances of success of business plan goal achievement
Improve ability to anticipate change
• Early warning signals
• Everyone is alert to risk causes and effects
• Forward looking approach to managing risk
Accelerate ability to respond to change
• Improved, faster decision-making
• Better informed choices, clear rationale and less uncertainty
• More organizational learning – less chance of repeat problems in other areas
D&T’s Point of View
Evolution of Risk Management
[Figure: Evolution of Risk Management diagram. Recoverable labels: Enterprise Risk Management; Strategic; Economic; Insurance; Business Process; Culture; Strategic Risk Management; Capital Markets/Treasury Risk; Market Risk, Liquidity Risk; Analytics & Modeling; Credit Analytics; Property, Casualty, Liability Risk Management; Multi-line, Multi-risk Insurance Products; Asset Protection; Operations; Compliance; Financial Internal Control; Profit Recovery; Corporate Ethics; Corporate Compliance; Operational Risk Management; Internal Audit; Physical & Information Security; Inter-dependencies; Integration; Offsets; Correlations; Domino Effects]
Evolving Role and Responsibility of the Chief Risk Officer
“… risk management will begin to act as a kind of central nervous system for the financial institution, with ‘nerves’ relaying information back and forth and warning of potential hazards, as well as ‘brains’ performing high-level risk calculations on enterprise-wide data. These functions will work tightly together - and be constantly aware of what is going on in the rest of the institution.”
Risk Professional March 2000
Why a Chief Risk Officer?
Assure continuity and consistency in risk management with a single organizational unit that bears direct responsibility for directing the organization’s entire risk management process.
Provide a solid foundation for developing and implementing a successful risk management strategy, process and culture.
Centralize risk management to ensure that a common risk framework, policies, and measurement methodologies are implemented and sustained:
Provide senior management and decision-makers a more clear, consistent and complete view of the organization’s risks and its readiness to manage them
Enable the company to make better cost/benefit decisions in its risk management and mitigation efforts
Increase board and management confidence that its current operations and facilitates proactive thinking about future risks.
The role of the CRO
Developing a common risk management strategy and instilling a consistent level of risk awareness throughout the company.
Provide the focal point for risk management strategy development, deployment and communication.
Should have close reporting ties to the CFO, CEO and the board of directors and have direct reporting from the heads of the major risk management disciplines (e.g. Internal Audit, Ethics, Compliance, Legal, Health & Safety, Loss Prevention, etc.).
Risk committees developed within the organization typically report to the CRO. This includes the IT function, internal audit, market risk, credit risk, insurance, ethics, and strategy.
The role of the CRO
Responsible for:
maintaining an awareness of risk issues throughout the organization
developing a risk management strategy and setting risk policy
measuring risk, reporting exposures, and proactively thinking about operational and other related risk
Should not be responsible for the day to day performance of risk management activities or for directing or managing business operations or administrative areas.
Responsibility for actively managing and mitigating risk on a day to day basis remains the responsibility of each business unit manager and staff person.
The role of the CRO
The primary core functions necessary for success depend on the industry
Skills vary by corporate objectives and strategies.
Typically, CROs have strong skills and experience in market and credit risk. This is primarily due to the strong influence of CRO positions in the financial and utility industries.
A growing trend for CROs to possess a strong operational risk perspective.
The CRO typically is a member of risk governance and approval committees and has authority for specific risk management policies, such as strategic and operational risk.
The CRO is the one who is trusted to make decisions about how the organization’s various risks tie to its strategy and initiatives.
Building Blocks for Effective Risk Management & Control
[Figure: building-blocks diagram. Recoverable labels: Assets-in-Place, Future Growth, Value, Operations, Strategy, Tactics]
Intangibles Matter More Than Tangibles
Share value has two major components
Assets in Place
Profitability from current operations = tangible
Future Growth Opportunities
Intangibles – people, relationships, brands, reputation
Drive the multiples of valuation
Anything associated with the word “NEW”
The market disproportionately rewards Future Growth Opportunities
It under-rewards the growth of Assets in Place and severely punishes any deterioration
The Risk Intelligent Organization
Organizations are increasingly seeking risk as a source of competitive advantage to exploit the upside and protect the downside
Success demands excellent risk management as a core competency
More and more organizations are demonstrating a desire to become Risk Intelligent
Risk intelligence is the ability to think and learn about outcomes - it is how an organization gathers information, analyses, applies and then learns from the results
Risk intelligence requires effective systems, information and timely reporting to enable organizational learning and successful adaptation – a “risk nervous system”
The Risk Intelligent Organization
Characteristics of the Risk Intelligent Organization:
Risk analysis is built into the decision-making process
There is a systematic process for identifying, assessing and prioritizing business risks
There is an appropriate risk infrastructure to support sustainable risk management capability
Assessing Risk Intelligence
Our definition of risk includes strategic, tactical, and operational risks (not just financial and accounting or insurance)
Our risk identification process adequately addresses current operations as well as future growth opportunities
We make appropriate use of qualitative and quantitative assessment methods
We have established our risk tolerance policy applicable to all areas of the company
We apply a consistent company-wide risk–reward trade-off rule to all of our decisions
Risk assessment and prioritization are integral parts of the organization’s business planning, budgeting, capital allocation, and audit planning processes.
The Board, Audit Committee or Executive are asking broader questions about risk and exposure e.g., strategic and tactical not just operational
Senior management and board members are promptly informed of issues that may have a significant impact on risk management and control.
We have appropriate oversight of the key risks faced by the company.
Risks, controls, and exposures are systematically reviewed at intervals that are appropriate to the volatility of our organization’s business conditions.
Timely and reliable information is available to personnel to manage the risk inherent in current and future growth objectives.
Our disaster recovery plan enables us to be up and running within 24 hours or less.
We have clearly defined metrics and early-warning indicators to identify when risk thresholds are about to be exceeded.
We use appropriate risk-based valuation methodologies to assess current operations and future growth opportunities.
Credit risk is coordinated and integrated across the entire organization
Risk / reward calculations are an explicit part of our decision model.
Risk / reward trade-offs are systematically evaluated from a portfolio perspective
When a risk occurs, the organization systematically conducts reviews to identify and correct root causes.
The organization follows up to ensure that mitigation strategies and corrective actions are effective.
Risk-management and internal-control best practices are shared to accelerate organizational learning.
Risk management is accepted as an integral part of everyone’s job
There are effective processes in place for communicating and managing change
Authority, responsibility and accountability are clear.
We trust each other and communicate openly about our objectives and risks.
We understand what is expected of us and the scope of our freedom to act.
The Risk Intelligent Organization
Step 1. Building the Risk-based Decision Model
Risk Decision Analysis
Gap analysis between existing & required
Common process with local application
Migration Model
Step 2. Assessing Business Risks
Risk Prioritization Methodology
Risk Identification / Risk Assessment / Risk Prioritization
Risk Alignment to Corporate Strategy
Step 3. Assessing Risk Infrastructure
Governance / Control / Information Technology / Valuation and Risk Measurement / Credit / Accounting and Disclosure
Gap Analysis between existing and industry leading practices
Generic Risk Framework
Proprietary Information: This presentation contains concepts, ideas and materials which are proprietary and may not be used, copied, provided to others or referred to without the express written permission of Deloitte and Touche. This presentation is incomplete without the accompanying discussion.
Example Risk Categories
Business Strategy & Organization
General Business Conditions
Operations
Financial
Information Technology
Asset Management
Regulatory & Legal
Political
Stakeholder Relations
Human Resources
Public Safety & Environmental
Customer Value
Supplier Relations
Distribution & Dealer Relations
Joint Ventures / Alliances
Accounting & Disclosure
Credit Insurance
Safety & Security
Business Continuity
E-business
Competitors
Ethics
Compliance
D&T’s Generic Risk Framework