Course Materials
ENTERPRISE RISK MANAGEMENT
Dwight R. Larsen National Bank Examiner
Office of the Comptroller of the Currency Minneapolis, Minnesota
[email protected] 202-597-1329
July 31, 2017
Enterprise Risk Management A Workable Process!
Dwight R. Larsen
Graduate School of Banking at the
University of Wisconsin, Madison, Wisconsin
ERM Session Objectives
• PART I - Understand why Risk Management (RM) and Enterprise Risk Management (ERM) are important.
• PART II - Gain a better understanding of what RM and ERM are about (definitions, process, etc.).
• PART III - Implementing (or enhancing) an effective ERM at your institution (how).
Who said it?
Strong Corporate Governance?
• Reduces overall risk.
• Enhances financial performance.
• Lower blood pressure (“peace of mind”)
– From 1/1/2009 through 4/24/15, the FDIC has asserted individual claims against 1,195 directors and officers in connection with failed banks.
– The FDIC’s claims generally consist of negligence, gross negligence, and breach of fiduciary duty.
– This does not include any civil money penalties!
PART I - Why is ERM Important?
1. Momentum for more formalization
2. Ongoing regulatory issues.
3. Part of many GSB presentations.
PART I - Why is ERM Important? (continued)
1. Momentum for more formalization
- Numerous Websites
- RMA changed their name!!!
- Corporate scandals have brought to the forefront the adequacy of “risk management systems” (corporate governance, independence, etc.)
- Sarbanes-Oxley Act of 2002!!!
- Regulators, the Court Systems, and the general public are looking for “ACCOUNTABILITY”
PART I - Why is ERM Important? (continued)
2. Ongoing regulatory issues (remember?)
a. “…lack of adequate risk mgmt systems” to describe the root cause of identified weaknesses.
b. “…enhance the risk management process covering…..”
c. FRB changed BOPEC ratings for Holding Companies:
- “C” for composite rating
- “R” for risk management
- “F” for financial condition
PART I - Why is ERM Important? (continued)
3. Part of many GSB presentations
a. Many GSB presentations will cover various aspects of risk management as they pertain to that specific subject.
b. Examples include credit risk (Ruth, Wear, etc.), liquidity/funding risk (Farin, Larsen), interest rate risk (Koch, Larsen), etc.
c. This presentation is an overview of the concepts of Risk Management, and how you can implement an Enterprise Risk Management process in your institution.
Adequate Risk Management?
Are you fully aware of all of the major risks taking place in your institution today?
PART II - What is ERM? (definitions, process, concept, structure, etc.)
1. Definitions, the Risk Management (RM) process, RM concept
2. A little history on formalizing ERM in financial institutions
3. The Risk Governance Framework
Definition – “Risk”
1. The potential for the occurrence of an adverse event.
2. The possibility of harm or loss.
3. A factor, situation, or course of action exposing one to danger; a hazard.
Definitions
“Risk Management” (RM) – the ability to identify, measure, monitor and control RISKS impacting Earnings and Capital
Risk Management Process (diagram): a continuous cycle of Identify, Measure, Monitor, Control.
What Regulators Look for in the “Risk Mgmt Process”
(per Federal Reserve Bank’s SR 95-51)
• Active board and senior management oversight;
• Adequate policies, procedures, and limits;
• Adequate risk measurement, monitoring, and MIS; and
• Comprehensive internal controls.
Definitions
“Enterprise Risk Management” (ERM) – The process used to identify, measure, monitor, and control risks “across” the company that could ultimately impact earnings and capital
Regulatory perspective and history on “Risk Management”
• In the late 1980’s, Congress asked the Regulators to find another way to identify and assess “risk” (in addition to “CAMELS”)
• Not only looking at “financials,” look at “quality of risk management systems and internal controls.”
• Look behind financial numbers to see how the financial results are achieved (“forward looking”).
Regulatory Perspective on “Risk Management” (continued)
• Separate from CAMELS ratings, but impacts “Management” rating (OCC)
• Federal Reserve has overall “Risk Management” rating
Risk Assessment Factors
OCC            FRB            FDIC
Credit         Credit         NONE (part of CAMELS)
Price          Market
Liquidity      Liquidity
Operational    Operational
Compliance     Legal
Reputation     Reputational
Interest Rate
Strategic
“Risks” – FRB Definitions
• Credit – borrower or counterparty fails to perform.
• Market – bank condition suffers from adverse change in market rates or prices (interest rates, FX, equity, etc.).
• Liquidity – unable to meet obligations due to inability to liquidate assets or obtain funding.
(per Federal Reserve Bank’s SR 95-51)
“Risks” – FRB Definitions (continued)
• Operational – potential that inadequate info systems, operational problems, breaches in internal controls, fraud, and catastrophes result in losses.
• Legal – potential that unenforceable contracts, lawsuits, or adverse judgments can negatively affect the operations or condition of the bank.
• Reputational – potential that negative publicity of the bank’s business practices, whether true or not, will cause decline in customers, costly litigation, or revenue reductions.
(per Federal Reserve Bank’s SR 95-51)
Risk Assessment Concepts
Inherent Risk – Risk Controls = Residual Risk
(Risk in the activity!) – (Policies, procedures, audits, etc.) = (Risk left after controls)
Different people, and different organizations, have different perspectives on risk and risk management!
Risk Governance Framework
– Risk Culture: shared values, attitudes, competencies, and behaviors throughout the bank that shape decisions.
– Risk Appetite Statement: written document that articulates the bank’s risk appetite and serves as the basis of the risk governance framework.
Most banks have some type of this risk management system in place, but formality varies.
Risk Culture
• Risk culture is the shared values, attitudes, competencies, and behaviors throughout the bank that shape and influence governance practices and risk decisions.
• As a subset of corporate culture, risk culture pertains to the bank’s risk approach and is critical to a sound risk governance framework.
Risk Appetite
• The bank’s risk appetite is the aggregate level and types of risk that the board and management are willing to assume to achieve the bank’s goals, objectives, and operating plan, consistent with applicable capital, liquidity, and other requirements.
• The development of a risk appetite should be driven by both top-down Board leadership and bottom-up management involvement.
• Successful implementation depends on effective interactions among the board, senior management, IRM, and frontline units.
Risk Appetite Statement
• Written document that provides for the common understanding and communication of risk throughout the bank.
• Includes both qualitative and quantitative limits.
– Qualitative – describes the general culture, how the bank will assess and accept those risks that are hard to quantify.
– Quantitative – risk limits from various internal policies.
• Helpful to have a “Scoreboard” or “Dashboard” that recaps the various limits in the major risk areas (Credit, IRR, Liquidity, Compliance, Operational, etc.).
First Line of Defense
•The first line of defense is the frontline units, business units, or functions that create risk.
•These groups are accountable for assessing and managing that risk.
•These groups are the bank’s primary risk takers and are responsible for implementing effective internal controls and maintaining processes for identifying, assessing, controlling, and mitigating the risks associated with their activities consistent with the bank’s established risk appetite and risk limits.
Second Line of Defense
•The second line of defense is commonly referred to as Independent Risk Management (IRM), which oversees risk taking and assesses risks independent of the first line of defense.
•IRM complements the frontline unit’s risk-taking activities through its monitoring and reporting responsibilities, including compliance with the bank’s risk appetite.
•IRM also provides input into key risk decisions. Additionally, IRM is responsible for identifying, measuring, monitoring, and controlling aggregate and emerging risks enterprise-wide.
Third Line of Defense
The third line of defense is internal audit, which provides independent assurance to the Board on the effectiveness of governance, risk management, and internal controls.
• Independent of front and second line units
• Reports directly to the Board of Directors or Board committee
• May be in-house, outsourced, or co-sourced
• Maintains a complete/current inventory of material processes, product lines, services, and functions (audit universe)
• Uses the audit universe to develop and execute a risk-based audit plan
PART III – An effective ERM system in your institution
1. Guidance on ERM
2. ERM Structure at Large Banks
3. Implementing ERM at smaller institutions.
Guidance on ERM
• Regulatory - Comptroller’s Handbook“Corporate & Risk Governance” (July 2016)
• Numerous sources on the Internet!!!
ERM at Large BHC’s/Banks
• Chief Risk Officer (or Chief “Worry” Officer)
• Structure of ERM varies – part of audit, part of business line, etc.
• Measurement process is both quantitative and qualitative
• Most have an ERM process for new products and services
Implementing “ERM” at Small Institutions
• Most important point – need B.O.D. and Management commitment to the process!!! (“Risk Culture”)
• Employees need to know their opinions and ideas make a difference.
• Helpful to have a “process” to follow
“So, how do we put together a workable ERM?”
“A lot of froggin’ around?”
Is there light at the end of the tunnel?
Overview of “Workable ERM Process” at Small Institutions
1. Department/Employee Self Assessment
2. Senior Management Review
3. Reduce to “Top 10 Risks” at BHC/Bank
4. Determine adequacy of monitoring tools and plans for improvement
5. Ongoing process for updating
6. Process for new products/services
“ERM” Benefits (for the Chief “Worry” Officer AND the institution)
• Get a clearer picture of risks and staff’s knowledge of their areas.
• “Cross Pollination” and “Team Building”
• Use as a “forum” to take action and deal with long standing issues
Enterprise Risk Management at Small BHC’s/Banks (Step #1)
• Department “self assessment”
– Identify 10 major department risks (prioritize)
– Identify consequences, risk mitigators, monitoring tools, etc.
– Is “action/timeframe needed” to reduce the risk?
– Level and Trend of Risk?
Refer to “Blank” handout!!!
A “Format” Suggestion
• Refer to Blank “Risk Management Matrix – Top 10”
• This “Form” is to provide “structure” to the process
• Can be tailored to how you want to conduct the process.
Risk Management Matrix – “Risks” row (columns 1, 2, …; rows: Risks, Consequences, Risk Mitigators, Monitoring Tool(s))
What are the risks?
Are they “reasonable” and under your control?
Refer to next slides for more points on identifying “risk” in departments or in your bank.
BE SPECIFIC!!!!!
Tips for Identifying “Risk”
• Every department/area has risks!
– What worries you the most? (succession, technology failure, training, etc.)
– Where do you spend most of your time?
– What causes you to lose sleep?
– What gives you a headache???
Tips for Identifying “Risk” (continued)
• Listing no risks is not accurate!
– Risk management process loses credibility.
Tips for Identifying “Risk” (continued)
• All “risks” do not need to be immediately addressed (low risk and priority).
Risk Management Matrix – “Consequences” row
If the risk occurs, what are the consequences?
Ex: lose money, customer dissatisfaction, violation of law or regulation, hurt reputation, loss of productivity, hurt morale, etc.
Risk Management Matrix – “Risk Mitigators” row
What items/issues “mitigate” the risk and the consequences of it happening?
Ex: training, written policies and procedures, audit review, committee/board review, external review, firewalls, etc.
Risk Management Matrix – “Monitoring Tool(s)” row
What type of tools allow staff and management to monitor these risks?
If the risk is “identifiable” and “reasonable” you should be able to monitor and measure it!!!!!
Ex: daily exception reports, “error messages”, reconcilements, internal/external audit reports, customer complaints, proof errors, etc.
Risk Management Matrix – “Plans for Improvement” row (columns 1, 2, …; rows: Plans for Improvement, Status, Overall Risk Level, Trend of Risk)
If you find a risk issue that does not have adequate mitigators and monitoring tools, you probably should have some type of plan to remedy this!!!!!!
- Have a timeframe for resolution!!!
Addressing “Risks”
• Focus on the “root cause” not the “symptom”
• Ask the “hard questions”
• Don’t just “rig” something together to address a problem or risk issue!!!
Risk Management Matrix – “Status” row
If there are “Plans for Improvement,” there should be some tracking mechanism to track progress and make someone accountable for “the action.”
Risk Management Matrix – “Overall Risk Level” row
Somewhat subjective (High, Moderate, Low), but provides a baseline for future assessments of this risk.
Risk Management Matrix – “Trend of Risk” row
Again, somewhat subjective (Increasing, Stable, Decreasing), but provides a baseline for future assessments of this risk.
- Ideas? Increasing activity/volume, changing customers or personnel, etc.
Enterprise Risk Management Step #2 – “Sr. Mgmt Review”
• Sr. Mgmt reviews all self assessments from every department
• WILL REQUIRE SOME TIME!
– May need clarification from staff to clearly understand each of the risks
– Every risk should be clearly understood!
Enterprise Risk Management Step #3 – Determine “Top 10”
• Need to reduce all risks identified in the departments to a “Top 10”
• After review of all, reduce to a “Most Significant Risks” list
• Will probably require senior mgmt to “multi-vote” to reduce to “Top 10” (and then “Prioritize” the final list)
Step #3 – Determine “Top 10” (continued)
• USE OF MULTI-VOTING:
– Is a way of reducing a large number of items down to a workable amount.
– Involves each person having a set number of votes that are cast (one per item).
– Influential person or persons in authority always vote last (no exceptions).
Example: If “80” total “risks”, each person gets 15 votes the first round. “Groupings” will occur!
Step #3 – Determine “Top 10” (continued)
• USE OF MULTI-VOTING: (continued)
EXAMPLE:
• If “80” total “risks” are identified throughout the organization, each person gets 15 votes the first round. Certain “risks” will be selected by more than one person; these “risks” will form the “Most Significant Risks” list, which may total 20+.
• To reduce the “Most Significant” list to the “Top 10”, each individual will now get “8” votes (always less than the number you’re seeking). The object is to ensure that each individual makes clear what they feel are the biggest risks to the bank.
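The two-round multi-vote above, carried through in code as an added worked example (this is not part of the course materials): round 1 keeps every risk picked by more than one person as the “Most Significant Risks” list, round 2 gives each person fewer votes than the size of the list being sought and ranks what is left. The voters, the risk IDs R01 to R13, the vote limits (6 then 2, for a Top 3) and the ballots are constructed for the illustration; the slide’s own figures are 80 risks, 15 votes, then 8 votes for a Top 10.

```python
"""Two-round multi-voting to reduce a long risk list to a short prioritized one.

Added illustration of the procedure on the slides. Voters, risk IDs, vote limits
and ballots below are constructed for the example; they are not from the course.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

Ballots = Dict[str, Iterable[str]]


def tally(ballots: Ballots, votes_per_person: int,
          allowed: Optional[Set[str]] = None) -> Counter:
    """Count votes. Each voter gets at most votes_per_person votes, one per item;
    when a shortlist is given (round 2), votes for items not on it are rejected."""
    counts: Counter = Counter()
    for voter, picks in ballots.items():
        unique = list(dict.fromkeys(picks))  # a repeated pick is still one vote
        if len(unique) > votes_per_person:
            raise ValueError(f"{voter}: {len(unique)} votes, limit {votes_per_person}")
        if allowed is not None:
            off_list = set(unique) - allowed
            if off_list:
                raise ValueError(f"{voter}: not on shortlist: {sorted(off_list)}")
        counts.update(unique)
    return counts


def most_significant(ballots: Ballots, votes_per_person: int) -> List[str]:
    """Round 1: every risk selected by more than one person forms the
    'Most Significant Risks' list (the 'groupings' the slide mentions)."""
    counts = tally(ballots, votes_per_person)
    shortlist = [r for r, n in counts.items() if n > 1]
    return sorted(shortlist, key=lambda r: (-counts[r], r))


def top_n(ballots: Ballots, votes_per_person: int,
          shortlist: Set[str], n: int) -> List[str]:
    """Round 2: rank the shortlist by votes and keep the first n. The slide's rule
    is votes_per_person < n, so each voter has to commit to their biggest risks."""
    if votes_per_person >= n:
        raise ValueError("round-2 vote allotment must be smaller than the target size")
    counts = tally(ballots, votes_per_person, allowed=shortlist)
    # Ties are broken alphabetically so the result is deterministic and auditable.
    return sorted(counts, key=lambda r: (-counts[r], r))[:n]


# Constructed round 1: 13 department risks, four managers, 6 votes each.
# The person in authority is listed last; the count itself is order-independent.
ROUND1: Ballots = {
    "cfo": ["R01", "R02", "R03", "R04", "R05", "R06"],
    "coo": ["R01", "R02", "R04", "R07", "R08", "R09"],
    "cio": ["R01", "R03", "R05", "R07", "R10", "R11"],
    "ceo": ["R02", "R03", "R06", "R07", "R12", "R13"],
}
# Constructed round 2: 2 votes each to pick a Top 3 (2 < 3, as the slide requires).
ROUND2: Ballots = {
    "cfo": ["R01", "R04"],
    "coo": ["R01", "R07"],
    "cio": ["R03", "R07"],
    "ceo": ["R02", "R07"],
}


def run_example() -> List[str]:
    """Run both rounds on the constructed ballots and return the Top 3."""
    shortlist = most_significant(ROUND1, votes_per_person=6)
    return top_n(ROUND2, votes_per_person=2, shortlist=set(shortlist), n=3)


if __name__ == "__main__":
    print("Most significant:", most_significant(ROUND1, 6))
    print("Top 3:", run_example())
```

Round 1 surfaces seven risks that more than one manager picked; round 2 then ranks them, and the deterministic tie-break means two risks with the same vote count never trade places between meetings. The slide’s “vote last” rule for the person in authority is a procedural control, not an arithmetic one, so it is recorded only as the ballot order.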
Step #4 – Adequacy of Risk Management for the “Top 10”
• Need to review the adequacy of the risk management system for the “Top 10”
• Are current “risk mitigators” adequate?
• If not, what should be done? Timeframes for improvement?
• Management Reports? Board Reports?
“We can't solve problems by usingthe same kind of thinking we used when we created them."
Albert Einstein
Step #4 – Adequacy of Risk Management for the “Top 10” (continued)
• Refer to “Top 10 (Sample Only)” Risk Management Matrix
Step #5 – Ongoing Process to Update the “Top 10”
• Very dependent on institution, but annually at least.
• Probably does not need to be completed “full scale” every year unless material changes occur.
• Consider “not” doing this at the same time as strategic planning activities! (at least the 1st time)
Step #6 - ERM for New Products and/or Services
• Worthwhile to have some type of RM process to ask/answer the “hard questions”
• Formality depends on the complexity of the new product/service to be offered.
Step #6 - ERM for New Products and/or Services (from OCC 2004-20)
• Due Diligence (identify risks, in-house expertise, background of 3rd parties, etc.)
• What “controls” need to be implemented? (policies, training, limits, develop MIS to identify, measure, monitor and control risk)
• “Performance Monitoring” (benchmarks to determine success, process to review, “exit time”)
New Products & Services – Remember!!!
• Don’t create a “new” problem by trying to solve an “old” problem!
• And, don’t create new risks by trying to solve old problems!
Example: “We need to increase revenues, so let’s expand into the XXXXX area!”
The “Banking Graveyard” contains many headstones from those trying to save or quickly increase the bottom line!!!
(Headstones pictured: AG, Oil, Comm. R.E., Annuities, Mutual Funds, Insurance)
Certain plans may initially seem like a good idea, but when trying to implement, it becomes quite apparent the risks outweigh the potential reward!
Recap of “Enterprise Risk Management”
• Why it’s important, What it is, How to implement and/or enhance RM and ERM
• Not a new concept, but formalization of ERM will “trickle down” to all banks.
• Having a more formalized process has many benefits to institutions
Additional Questions, Comments?
• Give me a call! – 202-597-1329
Please complete your course evaluations…we value your feedback!!!
Risk Management Matrix – “Top 10” (Department or Bank-Wide) – blank form
Columns: Risks 1 through 10
Rows: Risks; Consequences; Risk Mitigators; Monitoring Tool(s); Plans for Improvement; Status; Overall Risk Level; Trend of Risk
Risk Management Matrix – “Top 10” (Sample Only!!!!!)
Bank: Somewheresville State Bank
Banker: Jamie Q. Banker

1. Borrower defaults on loan
   Consequences: Reduce reserve for loan losses; may require provision, reduces earnings
   Risk Mitigators: Conservative lending; loan policy; Board approval of loans >$150M; low historical losses
   Monitoring Tool(s): Past Due List; Problem Loan List; Technical Exceptions List; Exam Reports
   Plans for Improvement: Add more “objective” factors to internal risk ratings; implement loan review system
   Status: Current – proposed objective factors due by Dec 31
   Overall Risk Level: Moderate
   Trend of Risk: Increasing

2. Internet attack of bank website
   Consequences: Large number of web requests prohibits customer access to their accounts
   Risk Mitigators: Firewalls; customers have “security certs” on home computers
   Monitoring Tool(s): Daily Firewall Reports; periodic tests conducted by third parties
   Plans for Improvement: Continue upgrading firewalls as needed
   Status: N/A
   Overall Risk Level: Moderate
   Trend of Risk: Increasing

3. In-house processing “fails”
   Consequences: Inability to process bank and customer work; customer dissatisfaction
   Risk Mitigators: Daily offsite storage; “Hot Site” in place and tested; work with reputable/known vendors; periodic review of vendor financials
   Monitoring Tool(s): “Error Message” to operators; “Non-posted items” report; “Incident Tracking Reports” with vendor
   Plans for Improvement: None specific; continue working with vendor “if” frequent problems occur
   Status: N/A
   Overall Risk Level: Low
   Trend of Risk: Stable

4. Improperly perfected liens on loan collateral
   Consequences: Bank cannot take control of collateral in the event of default; loan losses will occur
   Risk Mitigators: Standardized loan documents; loan docs reviewed by officer prior to closing; funds not disbursed until all docs are in the loan file
   Monitoring Tool(s): Technical Exception Report; Exam Reports
   Plans for Improvement: Initiate use of “File Checklist” which will include ensuring appropriate lien perfection documents
   Status: In process; will design and implement by January 1
   Overall Risk Level: Moderate
   Trend of Risk: Stable

5. Actions by staff that are inappropriate from a personal or legal basis
   Consequences: Loss of customers and possible legal liability
   Risk Mitigators: Continual staff training on pertinent issues; individual and group meetings where issues are discussed; individual performance reviews that address problems
   Monitoring Tool(s): Monthly sales and contact reports; customer complaints (formal and informal)
   Plans for Improvement: Increased attention to sales objectives and reports
   Status: N/A
   Overall Risk Level: Low
   Trend of Risk: Stable

6. Not performing all account reconcilements on a routine basis and documenting all exceptions
   Consequences: Financials out of balance; research and correction required
   Risk Mitigators: Reconcilements reviewed by dept manager daily, weekly, monthly; internal audit reviews; external audit spot check
   Monitoring Tool(s): Copies of reconcilements; Internal Audit Reports; External Audit findings and reports
   Plans for Improvement: Review and implement automated reconcilement software, if needed
   Status: In process; done by November 30
   Overall Risk Level: Low
   Trend of Risk: Stable

7. Failure to complete routine internal audit procedures
   Consequences: Make inaccurate conclusions; limits check for adequate separation of duties, independent internal controls & policy compliance
   Risk Mitigators: External Audit firm’s annual review of departments; risk assessment analysis
   Monitoring Tool(s): Internal Audit Schedule; Audit Reports to the Board
   Plans for Improvement: Board to commence reviewing audit schedule quarterly, and comparing to existing reports
   Status: In process; Board Chairman to start quarterly reviews of audit schedule in December
   Overall Risk Level: Moderate
   Trend of Risk: Increasing

8. Inaccurate or untimely filing of regulatory reports (call reports, FR 2900, sales and use tax quarterly reporting, BHC reports, income tax filings)
   Consequences: Inaccurate reports lead to potential civil money penalties; tax penalties
   Risk Mitigators: G/L software reconciles regulatory reports; back-up personnel trained to ensure timely and accurate completion
   Monitoring Tool(s): Tickler system in place with due dates
   Plans for Improvement: Ensure all related personnel know due dates and software applications
   Status: In process; training to be held Nov 11th at 11AM
   Overall Risk Level: Low
   Trend of Risk: Stable

9. Lack of adequate personnel backup in proof area; no written processing procedures
   Consequences: Missing key person could delay daily/weekly processing; untimely posting of debits/credits; miss process deadline at FRB
   Risk Mitigators: Key person very healthy and a loyal employee, but is not getting any younger!!!
   Monitoring Tool(s): Customer complaints; proof machine errors; sick days taken?
   Plans for Improvement: Cross-train another employee, Dennie Emmans, in proof area
   Status: In process; will rotate Dennie into proof starting Dec 1
   Overall Risk Level: Low
   Trend of Risk: Increasing

10. Compliance with Bank Secrecy Act and Patriot Act
   Consequences: Non compliance with regulations exposes bank to financial loss, regulatory fines, bad press coverage (reputation)
   Risk Mitigators: Employee training; policy and procedures; audit program; new accounts & wires screened; SARs filed
   Monitoring Tool(s): New Customer Reports; Large Transaction Reports; Maintenance Reports (unusual activity); Audit Reports
   Plans for Improvement: Complete audit checks; update policies as needed
   Status: Ongoing
   Overall Risk Level: Low
   Trend of Risk: Stable