ERM GOVERNANCE - acuia.org - Risk Governance.pdf
ERM GOVERNANCE
Presented by:
Eric Holmquist
Managing Director, Enterprise Risk Management
Association of Credit Union
Internal Auditors (ACUIA)
24th Annual Conference
June 19, 2014
Enterprise Risk Management
• Introductions
• What and where is risk management?
• Enterprise Risk Management
• Program governance
• Roles & responsibilities
• Program tools
• Understanding risk profiles
• Other program elements
• Q & A
© 2014 Accume Partners 2
Enterprise Risk Management
The evolution of risk management:
• Insurance / hedging
• Risk avoidance
• Risk identification
• Risk alignment!
Enterprise Risk Management
Risk represents the uncertainty of outcomes in the pursuit of objectives.
Risk management is the process by which we align the risk we take with the risk we are willing to accept.
Enterprise Risk Management
Two themes common to every organization:
• We manage risk in silos
• We don’t know what we don’t know
What ERM is Not
• Not a singular formula for addressing all risks
• Not just a list of risks common to the organization
• Not a “set it and forget it” program
• Not a compliance program
• Not a list of internal controls
• Not a crystal ball into the future
• Not regulatory window dressing
• Not an added layer of bureaucracy
• Not going to stop all bad things from happening
• Not going to uncover every conceivable risk
• Not easy
• Not very useful, if done badly
What is Enterprise Risk Management?
• A method for aligning risk with acceptable tolerance, starting at
the point of strategy
• A program that ensures that risk of all types is actively
identified, assessed and managed throughout all parts of the
organization
• A framework for establishing standards to ensure consistent
approaches are used for risk management
• A structure for gathering risk information from throughout the
organization and presenting it to the Board and senior
management in a format that is informative and actionable
• A culture that accepts that risk must be managed and does so
with transparency and accountability
Why Adopt an ERM Program?
• A more complete understanding of risk and controls – in other words, a portfolio view of risk
• Helps preserve capital and shareholder value
• Addresses uncertainty starting with strategy
• Allows for efficient risk alignment with acceptable tolerance
• Provides common language and a structured approach
• Enforces risk awareness and accountability
• Ensures proper pricing for risk
• Addresses risk types holistically rather than in silos
• Regulatory expectation
• Industry best practice
ERM Goals and Objectives
• Building a risk aware culture that incorporates risk
management into day-to-day activities
• Utilizing a clear framework and process for identifying and
assessing risk, starting from strategy and throughout
execution
• Ensuring a structure for establishing, communicating and
enforcing compliance with risk appetite and tolerance
• Creating a process for monitoring key risks and being
prepared with suitable response measures
• Providing management with a tool for evaluating new
initiatives with a methodology consistent with the ERM view
• Reporting to management and the Board on risk issues
Enterprise Risk Management
Risk Governance
Governance Roles
Organization chart (boxes as listed on the slide): Board of Directors; Supervisory Committee; Audit Director; CEO; CCO, CFO, CLO, HR, etc.; Board Risk Committee; Chief Risk Officer; Compliance Officer; Management Risk Committee.
The chart is annotated with four questions: What happened? What could happen? How are we going to get there? Where are we going?
The Context of ERM
Enterprise Risk Management connects all of the pieces.
Diagram elements: Risk Appetite & Tolerance Statements; Inherent Risks → Internal Controls → Residual Risk; Internal Audit Risk Assessments; ERM Risk Assessment.
The Context of ERM
Enterprise Risk Management connects all of the pieces.
Diagram elements: Inherent Risks → Internal Controls → Residual Risk, shared by Internal Audit and Risk Management.
Enterprise Risk Management
The Tools
• The Strategic Plan
• Risk Appetite and Tolerance Statements
• Oversight (CRO, risk committees)
• Risk policy & program
• Risk assessments
• Risk monitoring
• Incident response
• Risk reporting
The Board of Directors
• Holds management accountable to ERM goals
• Stewards of risk appetite & tolerance
• Must provide credible challenge
• Is training needed? If so, get it.
• Push past credit and interest rate risk
• Ensures program is forward looking
• Sets the correct cultural tone
The Chief Risk Officer
• Independent, report to Board Risk Committee
• Cannot be "Internal Audit II" (a second audit function)
• Help with “know” rather than “no”
• Approver of policy and process, not proposals
• They own the program, not the risk
• Subject matter expertise is extremely critical, but can also be supplemented
• Lives in the grey space between IA and business
Board Risk Committee (BRC)
• Membership: Selected board members
• Chairperson: Selected independent board member, preferably with some risk management experience
• CRO Role: Reports to BRC in order to provide independence from day-to-day operations. The CRO provides reporting and analysis on risk issues to this committee
• Charter: Responsible for overseeing the overall enterprise risk program, approving risk appetite and tolerance levels and monitoring risk levels within the credit union
• Focus: Forward looking view of the enterprise
Board Risk Committee (BRC)
Sample Agenda
• ERM risk reports
• Risk assessment updates
• ERM project task list
• New products
• New initiatives
• Periodic reports
• VM, IT, BCP, Info Sec, compliance, etc.
• Annually: approve the ERM Policy & Program along with the Risk Appetite and Tolerance Statements
Management Risk Committee (MRC)
• Membership: Executive and selected senior management
• Chairperson: Chief Risk Officer
• CRO Role: Coordinating the agenda, directing the ERM program, facilitating the enterprise risk assessment, overseeing the ERM program and its strategic objectives
• Charter: Responsible for overseeing execution of the enterprise-wide risk management program, including strategic initiatives, emerging risk issues and risk oversight
• Focus: Forward looking view of the operation
Management Risk Committee (MRC)
Sample Agenda
• Loss or other major events
• Risk assessment updates
• ERM project task list
• New products and services
• New initiatives
• Other new business
• Periodic reports (VM, IT, BCP, Info Sec, compliance, etc.)
• Report preparation for BRC and BOD
Enterprise Risk Management
Risk Appetite and Tolerance
Enterprise Risk Management
• Effective risk management is about establishing guardrails, not speed bumps
• The two most important guardrails are:
• The Strategic Plan
• Risk Appetite Statements
• Everything else should exist in the middle
• The “make or break” factors:
• Clarity
• Consensus
• Communication
Risk Appetite And Tolerance
• One of the most important risk management tools we have right now.
• Should provide context for everything the credit union does, from strategy to operations.
• The process of coming to agreed upon statements forces you to address issues about culture, ethics, tolerance and capacity.
• Risk management is about so much more than the “life ending events.” It’s all the other stuff that is actually harder to manage.
Establishing Risk Tolerance
Enterprise Risk Management
Risk Assessment, Monitoring and Reporting
Assessing Risk
Risk Analysis
• Enterprise risk assessment should include information on:
• The business model (macro level risks)
• Operations (process level risks)
• Risk monitoring and analysis (risk trends)
• Risk specific assessments, where applicable, continue to support these assessments
• The context for all risk assessments is your risk appetite and tolerance statements & metrics
Enterprise Risk Management
• Questions
• Do you know what your risks really are?
• Can you connect the dots from risk appetite to strategy to operations?
• Can you connect the dots from corporate strategy to IT strategy?
• Do you have the right level of controls to align risk with your tolerance?
• Is there a culture of risk awareness, transparency and accountability?
Risk Types
• Typical risk types include: credit, interest rate, liquidity, operational, compliance, strategic, price/market & reputation, but can include many other types of risk.
• Risk types tell us more about the scope and nature of risk, but very little about how to manage it
• They are all a type of lens, but only looking through one lens can give a distorted view
• All risk is a function of processes, and that is how we must manage it
Managing Change
• The seeds of risk are sown in change
• Risk management is largely change management
• For any strategic or operational change:
• What is the benefit?
• What is the cost?
• What is the risk?
• Reporting should also contain a summary of lessons learned from completed change initiatives
Risk Monitoring
• Key risk indicators (KRIs), or their equivalent, are one of the most important tools a risk manager has; they are specifically designed to monitor the moving parts
• What is being monitored? How? And why?
• What key risk indicators are in place, and why?
• Any report of “what happened” should generally include “how do we feel about it?”
• The context for all risk monitoring is your risk appetite and tolerance statements & metrics
Risk Response
• Understanding how management will respond to unexpected events is one of the most important risk management tools you have
• Response happens at three levels
• Operational (departmental)
• Limited scope (incident response)
• Broad scope (BCP/DR)
Summary
• Risk management is about aligning risk with acceptable risk tolerance levels
• Enterprise risk management is a structure for managing risks across the entire credit union on an integrated basis
• Use risk types, but manage risk holistically
• Create risk ownership and accountability
• Focus is on the purpose and presence of controls
• In every way, make risk management a part of the organizational fabric
QUESTIONS?
For more information please contact:
Eric Holmquist
Managing Director, Enterprise Risk Management
341 New Albany Road
Moorestown, New Jersey 08057
Mobile Phone: 215.817.2107