
Where Do We Go From Here: Risk Management after the Financial Meltdown

Kevin McCabe, Wells Fargo Audit Services

EVP & Chief Auditor

FIRMA

24th National Risk Management Training Conference

March 29, 2010

© 2010 Wells Fargo & Co All rights reserved.


How Did We Get Here??

Everyone contributed:

Government – Legislation, Regulators, Activists …

Financial Institutions – Mortgage Brokers, Bank Lenders, Securitizations, Portfolio Managers, Pension Plans, Shadow Banks (GMAC, AIG, etc.) …

Oversight Groups – Boards, Audit Committees, Risk Managers, Internal Auditors, External Auditors …

Home Owners – trading up, leveraging, lying …

So what is going to be done about it?


Legislation, Regulation, etc.

It is very likely that governments will propose new regulations, more firewalls, restrictions, taxes and penalties on Financial Institutions

Impact on us: New requirements will come in the form of ‘new’ interpretations rather than many new regulations.


New Regulator Standards for Banks

FRB SR 09-1 Market Risk Rule in BHCs

FRB SR 08-8 Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles

SEC New Risk Management Disclosure Rules

Basel II (and coming soon III)

Senior Supervisors Group Surveys & Action Plans

What do these have in common?


Enterprise Risk Management

All recent regulations have pushed for enhanced enterprise risk management that has:

Corporate Head of Risk

Corporate body that sets Policy, Risk Appetite, Provides Oversight, Escalation, and Reporting to the Board

Business Line Procedures, Execution, Monitoring, Training, and Reporting

Independent Testing and Reporting

In short, you need an effective ERM Framework

Enterprise Risk Management

Many theoretical models to choose from -- COSO ERM being the most accepted in the USA

Choose an implementation that can accommodate your need to roll-up based upon Business line, Country, Legal entity and Unique risks (Basel uses only Credit, Market, and Operational)

Wells Fargo’s ERM framework has four essential roles and responsibilities

ERM Framework

Cultural Goal: Promote effective risk management - characterized by Accountability, Transparency, Efficiency, and Proactive Issue Identification, Disclosure, and Remediation - through clear delineation and execution of KEY ROLES & RESPONSIBILITIES.

The framework diagram is built up across the following slides. Its four columns are STRATEGY, POLICY & OVERSIGHT, RISK MGMT EXECUTION, and INDEPENDENT ASSESSMENT.

STRATEGY – Board of Directors and Enterprise Risk Management Committee: Set overall business strategy, structure, and risk appetite

ERM Framework (continued)

POLICY & OVERSIGHT – Corporate ERM (CERM): Lead emerging risk identification & assessment, policy formulation/change management, & regulatory relations; provide ongoing oversight of LOB risk programs

Corporate ERM: Lead the effort and set the Policy for every Line of Business (LOB)

Once set up, CERM should lead on emerging risks and provide Oversight.

CERM should have good working relationships with the Regulators

ERM Framework (continued)

RISK MGMT EXECUTION – LOB Risk Mgmt. Programs (GCORMS & Business Program Managers): Ongoing proactive self-assessment, disclosure, & issue remediation; inform & influence policy; inform & influence independent testing; LOB self-reporting re: state of program and state of risk mgmt

Line of Business (LOB) to develop Procedures to meet Policy (should influence future policy changes and audit scopes) and then proactively monitor and report status to CERM.

ERM Framework (continued)

INDEPENDENT ASSESSMENT – Wells Fargo Audit Services (WFAS). Interactions shown on the diagram between WFAS, CERM and the LOB programs: inform & influence the plan, scope, and script of independent testing; advise, influence, & evaluate policy design & oversight processes; provide assurance re: program integrity/effectiveness; test & validate program integrity/effectiveness to support leverage; advise & influence control design; leverage independent testing for program oversight needs

Corporate Audit (WFAS) performs independent testing but should leverage work done by LOB control groups.

Audit should also ‘advise’ on control design.

Strong Audit groups should test risk management processes, not just test controls

Audit should influence CERM policy & design

ERM Framework (continued)

Coordinated risk reporting to the Board of Directors and Enterprise Risk Management Committee: LOB self-reporting re: state of program and state of risk mgmt; enterprise risk aggregation, trending & assessment & reporting re: state of programs & risk management; independent assurance re: enterprise risk assessment & program integrity/effectiveness

CERM and Audit should both report quarterly to Senior Management and the Board on the state of controls, issues, trends, etc.

Longer term a joint report would be best!

ERM Framework (continued)

Minimum standards applied to every process on the diagram: Systematic, Timely, Transparent, Credible, Verifiable

Every process should meet some predetermined minimum standards.

WFC has chosen Systematic, Transparent, Credible, Verifiable and Timely as our standards.

ERM Framework (continued)

WF Legal Group: Advise & influence policy; advise & advocate re: risk mgmt. execution

Corporate Legal has an advisory and advocacy role as well.

ERM Framework (complete diagram, combining all of the roles and interactions above)

Overall this looks complex, but it can work to meet every type of risk to which WFC has applied the model.

Evolution of the ERM framework at WFC

ERM framework built to address new regulatory expectations and requirements

“Need for speed” resulted in overlapping roles and duplicated efforts (“Risk management at the Federal, state, county, and local levels”)

Once built (and regulatory requirements met), focused on the opportunity and need to be both more effective (role clarity and no gaps) and more efficient (do things once and well)


Coordination with Internal Audit


Risk Management and Internal Audit need to work together for either to be considered Strong

Each can work independently, perhaps even competitively, to achieve their mission

But if they are not coordinated and working together the costs will be high and the effectiveness will be low

WFAS Success Model

Expand WFAS’s Capabilities

Strengthen WFAS’s Fundamentals

Partner with Governance and Risk Management Structure

Rating scale shown on the diagram: Strong, Good, Satisfactory


Conclusion


There are many causes of the last ‘Great Recession’ and there will be many short term ‘fixes’

But longer term the right solution will be fulfilling the long-held goal of effective ERM

Find a model that works and is effective for your company and culture

Ensure coordination across all control groups


Questions?
