how to build an enterprise risk management framework
TRANSCRIPT
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
JOIN. ENGAGE. LEAD.
HOW TO BUILD AN ENTERPRISE RISK MANAGEMENT FRAMEWORK
ERM strategies from the Risk Management Association’s ERM Council
THE RMA ERM COUNCIL DEFINES ERM
ERM is the management capability to manage all business risks in pursuit of acceptable returns.
STRATEGIC STEPS
• Business strategy and risk coverage
• Risk appetite
• Governance and policies
• Risk data and infrastructure
• Control environment
• Measurement and evaluation
• Response
• Stress testing
ERM CULTURE
At the center of the ERM framework is culture. If an institution lacks the right culture and strong leadership at the top, none of the other elements will matter.
Organizations that comprehend and adopt ERM as a “way of thinking” typically outperform those that do not.
ERM CAN ANSWER 3 BASIC BUSINESS QUESTIONS
• Should we do it? Is it aligned with business strategy, risk appetite, culture, values, and ethics?
• Can we do it? Do we have the people, processes, structure, and technology capabilities?
• Did we do it? Is there an assessment of expected results, continuous learning, and a robust system of checks and balances?
THE ERM FRAMEWORK
What is ERM? It is the capability to effectively answer these questions.
THE ERM FRAMEWORK (CONT.)
The framework applies regardless of the size of the institution or how it categorizes risks.
The individual components are a dynamic flow in both directions.
Culture is at the heart: without the right culture, the other components are somewhat irrelevant.
THE ERM FRAMEWORK HELPS ANSWER BUSINESS QUESTIONS
• What are all the risks to our business strategy and operations? (Coverage)
• How much risk are we willing to take? (Risk appetite)
• How do we govern risk taking? (Culture, governance, and policies)
• How do we capture the information we need to manage these risks? (Risk data and infrastructure)
THE ERM FRAMEWORK HELPS ANSWER BUSINESS QUESTIONS (CONT.)
• How do we control the risks? (Control environment)
• How do we know the size of the various risks? (Measurement and evaluation)
• What are we doing about these risks? (Response)
• What possible scenarios could hurt us? How are various risks interrelated? (Stress testing)
DETERMINE GOALS AND OBJECTIVES
Before an institution can articulate its risk appetite, it must first determine its goals and objectives, i.e., its business strategy.
DETERMINE GOALS AND OBJECTIVES (CONT.)
The institution must define what it wants to achieve in terms of markets, geographies, segments, products, earnings, etc.
DETERMINE GOALS AND OBJECTIVES (CONT.)
From there, the institution assesses the risk implied in that strategy and determines the level of risk it is willing to assume in executing that strategy.
ERM COMPETENCIES
• Risk exposures
• Risk appetite
• Culture, governance, and policies
• Control environment
• Measurement and evaluation
• Scenario planning and stress testing
ERM COMPETENCIES: RISK EXPOSURES
Regardless of a specific business strategy, an institution is exposed to the following risks:
• Credit
• Market
• Liquidity
• Operational
• Strategic/Business/Reputation
• Compliance/Legal/Regulatory
• Financial
• Capital adequacy
ERM COMPETENCIES: RISK APPETITE
RMA has defined risk appetite as “the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns).”
ERM COMPETENCIES: RISK APPETITE (CONT.)
The concepts of risk appetite and risk tolerance are often used interchangeably, but they have distinct differences in meaning.
Risk appetite represents the acceptance of volatility an institution is willing to assume in executing its business strategy.
Risk tolerance refers to day-to-day operational limits developed within the context of an organization’s stated risk appetite (for example, concentration limits).
ERM COMPETENCIES: RISK APPETITE (CONT.)
Management and the board of directors must understand the critical links among strategy, business plans, and risk.
• A risk appetite statement is one tool that facilitates this linkage.
• In this context, the risk management function is an integral part of the institution’s overall strategies and specific business objectives—an essential part of the institution’s success, returns, and value creation.
ERM COMPETENCIES: CULTURE, GOVERNANCE, AND POLICIES
Culture can be described as “what people do when they are not being watched.”
Culture is the most important aspect of any good ERM competency.
ERM COMPETENCIES: CULTURE, GOVERNANCE, AND POLICIES (CONT.)
Policies express the risk appetite of the company to the masses.
Policies describe to all stakeholders what the company is willing to do and not to do.
The statement of risk appetite is executed through policies (what to do?) and procedures (how to do them?).
Culture, governance, and policies collectively help an institution manage its risk-taking activities.
ERM COMPETENCIES: CONTROL ENVIRONMENT
The internal control environment is one of the most important tools in the management toolbox for the management of risks.
Internal controls help reduce the level of inherent risk to a level acceptable to management.
ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)
The system of internal controls includes:
• Culture
• Governance
• Policies
• Preventive and detective controls
• Scenario planning
ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)
Management relies on internal controls to manage residual risk to an acceptable level.
Residual risk is defined as the level of inherent risk reduced by internal controls.
Building an effective internal control environment allows management to control what can be controlled.
ERM COMPETENCIES: MEASUREMENT AND EVALUATION
The science and art of measurement in ERM is about concluding which risks are significant and which ones are not, and where to invest time, energy, and effort.
At any given time, boards of directors and management must manage a portfolio of risks.
ERM COMPETENCIES: MEASUREMENT AND EVALUATION (CONT.)
In order to accomplish the goal of measurement and evaluation, an institution may adopt:
• A simple model of color rating (green, yellow, and red).
• A middle-of-the-road failure mode and effect analysis (FMEA) model.
• Or a highly sophisticated risk-adjusted return on capital (RAROC) model.
ERM COMPETENCIES: MEASUREMENT AND EVALUATION (CONT.)
Measurement and evaluation help boards and management answer the question, “so what?”
The process of measurement and evaluation must:
• Include the system of internal controls, and
• Determine how well the risks can be managed.
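As an added example (not from the RMA deck), here is a minimal rating model in the deck’s own terms: each risk’s inherent score is reduced by its internal controls to a residual score, mapped to the simple green/yellow/red model, and checked against a per-risk appetite ceiling and a portfolio-level tolerance limit. The 1..5 scales, the thresholds, and the sample register are assumptions chosen for illustration.

```python
# Added example (not from the RMA deck): residual-risk rating in the deck's terms.
# Inherent risk = likelihood x impact (1..5 scales); residual risk = inherent risk
# reduced by internal controls; the result maps to a green/yellow/red rating and is
# checked against a per-risk appetite ceiling and a portfolio tolerance limit.
# All scales, thresholds and sample values are assumptions for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    category: str                 # e.g. Credit, Market, Operational
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigated)

def inherent_score(r: Risk) -> int:
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: likelihood and impact must be 1..5")
    return r.likelihood * r.impact  # 1..25

def residual_score(r: Risk) -> float:
    # Residual risk = inherent risk reduced by internal controls.
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError(f"{r.name}: control effectiveness must be 0..1")
    return inherent_score(r) * (1.0 - r.control_effectiveness)

def color(score: float, yellow_at: float = 6.0, red_at: float = 12.0) -> str:
    # Simple traffic-light model; thresholds are assumed, not from the deck.
    return "red" if score >= red_at else "yellow" if score >= yellow_at else "green"

def evaluate(register, appetite_ceiling: float = 12.0, portfolio_limit: float = 30.0):
    # Rate each risk, flag per-risk appetite breaches and a portfolio tolerance breach.
    rows, total = [], 0.0
    for r in register:
        res = residual_score(r)
        total += res
        rows.append({"name": r.name, "category": r.category, "inherent": inherent_score(r),
                     "residual": round(res, 1), "color": color(res),
                     "within_appetite": res < appetite_ceiling})
    return {"rows": rows, "portfolio_residual": round(total, 1),
            "within_tolerance": total <= portfolio_limit}

# Constructed sample register; values are illustrative only.
SAMPLE_REGISTER = [
    Risk("CRE concentration", "Credit", 4, 5, 0.5),
    Risk("Rate shock on held-to-maturity book", "Market", 3, 4, 0.0),
    Risk("Business email compromise leading to wire fraud", "Operational", 4, 4, 0.8),
    Risk("BSA/AML filing gaps", "Compliance/Legal/Regulatory", 2, 5, 0.7),
]
```

Run `evaluate(SAMPLE_REGISTER)` to see that the uncontrolled market risk rates red and breaches the appetite ceiling while the portfolio as a whole stays within tolerance.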
ERM COMPETENCIES: SCENARIO PLANNING AND STRESS TESTING
The art of ERM is the ability to answer the question, “what can go wrong and, hence, create deviation from expected outcomes?”
Management must address known, knowable, and unknowable risks.
ERM COMPETENCIES: SCENARIO PLANNING AND STRESS TESTING (CONT.)
Scenario planning and stress testing are tools that focus on the knowable and, perhaps, some unknowable risks.
A robust scenario planning and stress testing discipline is a must from a capital planning perspective.
ENTERPRISE RISK MANAGEMENT WORKBOOKS
To help you develop your ERM framework, RMA offers a series of highly practical workbooks:
1. Risk Appetite Workbook, November 2010.
2. Scenario Analysis and Stress Testing for Community Banks, February 2012.
3. Governance and Policies Workbook (includes “Response”), November 2013.
4. Risk Measurement and Evaluation (in development).
5. Risk Data and Infrastructure (to be developed).
RMA members may download the workbooks for $0 (free!).
Not a member? Join today.
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.
Become a member today.