How to Build an Enterprise Risk Management Framework


Upload: colleen-beck-domanico

Post on 06-Aug-2015


Category:

Economy & Finance



TRANSCRIPT

Page 1: How to Build an Enterprise Risk Management Framework

Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending

JOIN. ENGAGE. LEAD.

HOW TO BUILD AN ENTERPRISE RISK MANAGEMENT FRAMEWORK

ERM strategies from the Risk Management Association’s ERM Council

Page 2: How to Build an Enterprise Risk Management Framework

THE RMA ERM COUNCIL DEFINES ERM

ERM is the management capability to manage all business risks in pursuit of acceptable returns.

Page 3: How to Build an Enterprise Risk Management Framework

STRATEGIC STEPS

• Risk appetite

• Business strategy and risk coverage

• Governance and policies

• Risk data and infrastructure

• Measurement and evaluation

• Control environment

• Response

• Stress testing

Page 4: How to Build an Enterprise Risk Management Framework

ERM CULTURE

At the center of the ERM framework is culture.

If an institution lacks the right culture and strong leadership at the top, none of the other elements will matter.

Organizations that comprehend and adopt ERM as a “way of thinking” typically outperform those that do not.

Page 5: How to Build an Enterprise Risk Management Framework

ERM CAN ANSWER 3 BASIC BUSINESS QUESTIONS

• Should we do it? Aligned with business strategy, risk appetite, culture, values, and ethics?

• Can we do it? People, processes, structure, and technology capabilities?

• Did we do it? Assessment of expected results, continuous learning, and a robust system of checks and balances?

Page 6: How to Build an Enterprise Risk Management Framework

THE ERM FRAMEWORK

What is ERM? It is the capability to effectively answer these questions.

Page 7: How to Build an Enterprise Risk Management Framework

THE ERM FRAMEWORK (CONT.)

The framework applies regardless of the size of the institution or how it categorizes risks.

The individual components are a dynamic flow in both directions.

Culture is at the heart—without the right culture, the other components are somewhat irrelevant.

Page 8: How to Build an Enterprise Risk Management Framework

THE ERM FRAMEWORK HELPS ANSWER BUSINESS QUESTIONS

• Coverage: What are all the risks to our business strategy and operations?

• Risk appetite: How much risk are we willing to take?

• Culture, governance, and policies: How do we govern risk taking?

• Risk data and infrastructure: How do we capture the information we need to manage these risks?

Page 9: How to Build an Enterprise Risk Management Framework

THE ERM FRAMEWORK HELPS ANSWER BUSINESS QUESTIONS (CONT.)

• Control environment: How do we control the risks?

• Measurement and evaluation: How do we know the size of the various risks?

• Response: What are we doing about these risks?

• Stress testing: What possible scenarios could hurt us? How are various risks interrelated?

Page 10: How to Build an Enterprise Risk Management Framework

DETERMINE GOALS AND OBJECTIVES

Before an institution can articulate its risk appetite, it must first determine its goals and objectives, i.e., its business strategy.

Page 11: How to Build an Enterprise Risk Management Framework

DETERMINE GOALS AND OBJECTIVES (CONT.)

The institution must define what it wants to achieve in terms of markets, geographies, segments, products, earnings, etc.

Page 12: How to Build an Enterprise Risk Management Framework

DETERMINE GOALS AND OBJECTIVES (CONT.)

From there, the institution assesses the risk implied in that strategy and determines the level of risk it is willing to assume in executing that strategy.

Page 13: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES

• Risk exposures

• Risk appetite

• Culture, governance, and policies

• Control environment

• Measurement and evaluation

• Scenario planning and stress testing

Page 14: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: RISK EXPOSURES

Regardless of a specific business strategy, an institution is exposed to the following risks:

• Credit

• Liquidity

• Strategic/Business/Reputation

• Market

• Operational

• Compliance/Legal/Regulatory

• Financial

• Capital Adequacy

Page 15: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: RISK APPETITE

RMA has defined risk appetite as “the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns).”

Page 16: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: RISK APPETITE (CONT.)

The concepts of risk appetite and risk tolerance are often used interchangeably, but they have distinct differences in meaning.

Risk appetite represents the acceptance of volatility an institution is willing to assume in executing its business strategy.

Risk tolerance refers to day-to-day operational limits developed within the context of an organization’s stated risk appetite (for example, concentration limits).

Page 17: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: RISK APPETITE (CONT.)

Management and the board of directors must understand the critical links among strategy, business plans, and risk.

• A risk appetite statement is one tool that facilitates this linkage.

• In this context, the risk management function is an integral part of the institution’s overall strategies and specific business objectives—an essential part of the institution’s success, returns, and value creation.

Page 18: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: CULTURE, GOVERNANCE, AND POLICIES

Culture can be described as “what people do when they are not being watched.”

Culture is the most important aspect of any good ERM competency.

Page 19: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: CULTURE, GOVERNANCE, AND POLICIES (CONT.)

Policies express the risk appetite of the company to the masses.

Policies describe to all stakeholders what the company is willing to do and not to do.

The statement of risk appetite is executed through policies (what to do?) and procedures (how to do them?).

Culture, governance, and policies collectively help an institution manage its risk-taking activities.

Page 20: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)

The internal control environment is one of the most important tools in the management toolbox for management of risks.

Internal controls help reduce the level of inherent risk to a level acceptable to management.

Page 21: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)

The system of internal controls includes:

• Culture

• Governance

• Policies

• Preventive and detective controls

• Scenario planning

Page 22: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: CONTROL ENVIRONMENT (CONT.)

Management relies on internal controls to manage residual risk to an acceptable level.

Residual risk is defined as the level of inherent risks reduced by internal controls.

Building an effective internal control environment allows management to control what can be controlled.

Page 23: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: MEASUREMENT AND EVALUATION

The science and art of measurement in ERM is about concluding which risks are significant and which ones are not, and where to invest time, energy, and effort.

At any given time, boards of directors and management must manage a portfolio of risks.

Page 24: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: MEASUREMENT AND EVALUATION (CONT.)

In order to accomplish the goal of measurement and evaluation, an institution may adopt:

• A simple model of color rating (green, yellow, and red).

• A middle-of-the-road failure mode and effect analysis (FMEA) model.

• Or a highly sophisticated risk-adjusted return on capital (RAROC).

Page 25: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: MEASUREMENT AND EVALUATION (CONT.)

Measurement and evaluation help boards and management answer the question, “so what?”

The process of measurement and evaluation must:

• Include the system of internal controls and

• Determine how well the risks can be managed.

Page 26: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: SCENARIO PLANNING AND STRESS TESTING

The art of ERM is the ability to answer the question, “what can go wrong and, hence, create deviation from expected outcomes?”

Management must address known, knowable, and unknowable risks.

Page 27: How to Build an Enterprise Risk Management Framework

ERM COMPETENCIES: SCENARIO PLANNING AND STRESS TESTING (CONT.)

Scenario planning and stress testing are tools that focus on the knowable and, perhaps, some unknowable risks.

A robust scenario planning and stress testing discipline is a must from a capital planning perspective.

Page 28: How to Build an Enterprise Risk Management Framework

ENTERPRISE RISK MANAGEMENT WORKBOOKS

To help you develop your ERM framework, RMA offers a series of highly practical workbooks:

1. Risk Appetite Workbook, November 2010.

2. Scenario Analysis and Stress Testing for Community Banks, February 2012.

3. Governance and Policies Workbook (includes “Response”), November 2013.

4. Risk Measurement and Evaluation (in development).

5. Risk Data and Infrastructure (to be developed).

RMA members may download the workbooks for $0 (free!).

Not a member? Join today.

Page 29: How to Build an Enterprise Risk Management Framework

SHARE THIS PRESENTATION

Visit http://www.rmahq.org for information on risk management

Visit our blog at http://rmablog.rmahq.org/

RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.

RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.

Become a member today.