Enterprise Risk Management
How Does ERM Apply to your Credit Union?
Presented by Louise Hanson, Partner, Moss Adams LLP
Shannon Haas, Senior Manager, Moss Adams LLP
MOSS ADAMS AT A GLANCE
• Full service public accounting firm with assurance, tax, and consulting services for middle-market public and private companies
• Largest accounting firm headquartered in the West and one of the 15 largest in the United States
• 21 offices in California, Arizona, New Mexico, Oregon, Washington and Kansas
• More than 230 partners and over 1,800 staff
• Founded in 1913 and headquartered in Seattle, Washington
• A founding member of Praxity, a global alliance of accounting firms
• We are the 4th largest firm servicing credit unions in the nation (based on assets)
TODAY’S DISCUSSION OBJECTIVES
• What is Enterprise Risk Management? – an Overview of ERM
• What is Driving ERM?
• ERM & the Regulators
• How ERM Can Benefit My Institution
• How My Institution Can Build an ERM Strategy: Implementation Overview
o Phase 1 – Planning
o Phase 2 – Implementing the Plan
o Phase 3 – Refining
• Summary
WHAT IS ENTERPRISE RISK MANAGEMENT (“ERM”)?
QUESTIONS TO PONDER…
• In today’s credit union environment what risks or “watch out fors” would you suggest directors, supervisory committees (or even executive management) focus on?
• What would you be looking for in Board Report packages today?
• Do we understand these issues enough to appropriately report on them in each of our credit unions today?
AT THE CORE…
• What is the Nature of Banking? Risk Management
• What should Credit Unions be doing? Intermediate Risks for Members and Borrowers
• What are Directors Expected to do? Create & Protect Member funds and opportunities; Governance Process and Risk Policies
• How are Risks Portrayed in an Institution? Via Financial Statements; Via Processes
ENTERPRISE RISK MANAGEMENT
“The decline and ultimate failure of some great companies has been a historical fact. But such decline is not inevitable. Rather, it results when corporate leaders (CEOs and directors alike) don’t anticipate and deal with the long term threats facing their companies.”
Harvard Business Review (5/08), “Leading from the Boardroom”
WHAT IS “ENTERPRISE RISK MANAGEMENT”?
“Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, (Sept. 2004)
WHAT IS ERM?
• A structured, consistent, and continuous risk management process that is applied across the entire organization
• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization
• Driven by a decision-support process that is aligned with the management and execution of strategic objectives
• Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture
Figure: ERM cycle around Business Objectives: Identify & Assess; Planning & Management; Measure, Monitor & Report
ENTERPRISE RISK MANAGEMENT
“WHAT MIGHT GET IN THE WAY OF MY DUTY TO DELIVER VALUE AND PROTECT THE MEMBERS?”
Risk: The potential that events, expected or unanticipated, may have an adverse impact on capital or earnings.
Risk Management: The employment of systems and processes to manage the critical tradeoff between risk and return in financial decision-making.
Enterprise-Wide Risk Management: The formal mechanism or structure for managing risks across the entire institution on an integrated basis.
ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS
Keys to a good ERM program – must include:
• Risk Identification
– What are our key risks?
– What level of risk are we willing to allow/accept (“risk appetite”)?
• Risk Measurement
– Risk measurement models (ALM, Credit Stress)
– Guidelines and quantification tools (Credit Risk Classification, Operational and Credit Losses)
ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS
• Risk Control
– Policies (Required and Best Practice)
– System of risk limitations
– Authorities and oversight systems
• Risk Monitoring
– System of risk reporting – key measurements
– Board driven assessments (internal and external audits, monitoring reports)
– Management Self assessments (management generated reporting against pre-set standards)
IN A NUTSHELL…
ERM is a process for managing and controlling risks across an entire organization, both within and across business lines and legal entities.
WHAT’S DRIVING ERM?
WHAT’S DRIVING ERM? - ENVIRONMENTAL -
• Growing size and organizational structure
• Increasing diversity of business lines and complexity of products
• Increasing number of regulations
• Increasingly competitive marketplace
ERM can be the key for how to win
WHAT’S DRIVING ERM? - INSTITUTIONAL -
• Fragmented or “silo” risk management efforts
– fail to recognize interrelationships of risk across businesses or products
• Lack of aggregation of common risks and reporting
– fail to keep Board and management informed of organization-wide risks
• Lack of attention to how risks are correlated
– fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures
POST DOWNTURN, ERM IS MORE IMPORTANT THAN EVER
• Bankers, regulators, investors, members and counterparties will not soon forget the near-collapse in late 2008
• So far, the new era in financial services is a very strong emphasis on safety and risk management
• Those who can demonstrate superior risk management will have a competitive advantage
– Greater opportunities in the market due to goodwill from regulators and investors
– More and better members
• Key ERM implementation challenges for most credit unions
– Culture
– Right expertise
– Data and Measurement
– Transparency/Reporting
DRIVERS OF ERM – A SUMMARY
Board of Directors • Demand increased financial disclosure and transparency
Members as Stakeholders • Demand evidence that management understands and manages risk
Regulators/Rating Agencies • Seek assurance around compliance and risk assessment processes
Activists • Demand social awareness, safety & environmental consciousness
Members as Customers • Make decisions based on differentiating factors
Peers • Comparison with others drives industry-wide practice
Competitors • Push innovation, drive leadership
ENTERPRISE RISK MANAGEMENT AND THE REGULATORS
REGULATORY EXPECTATIONS FOR ERM
ERM STARTS WITH THE FUNDAMENTAL OF STRONG RISK MANAGEMENT:
From “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies” (SR95-51 (SUP))
• Active Board and Senior Management Oversight
• Adequate Policies, Procedures, and Limits
• Adequate Risk Measurement, Monitoring, and MIS
• Comprehensive Internal Controls
NCUA ERM GUIDANCE
NCUA advises an effective system of Enterprise Risk Management includes consideration of:
• Market Condition
• Field of Membership
• Credit Union Structure
– Size
– Complexity
– Geographic diversity
INCREASING EMPHASIS ON ERM PERSPECTIVE
Basel Committee’s Core Principles for Effective Banking Supervision (2006)
Principle 7 – Risk management process: “Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor, and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the organization.” http://www.bis.org/publ/bcbs129.pdf
Principles for Effective Operational Risk Management (2003) http://www.bis.org/publ/bcbs96.pdf
Principles for Sound Liquidity Risk Management and Supervision (Sept. 2008) http://www.bis.org/publ/bcbs144.pdf
PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)
1. Board should approve and periodically review the Operating Risk Framework.
2. Board should ensure that Framework is subject to independent, competent audit staff review.
3. Senior management responsible for implementation.
4. Process to identify and assess operational risk inherent in products, activities, processes and systems.
5. Process to monitor operational risk profiles and material exposure to losses.
PRINCIPLES OF EFFECTIVE OPERATIONAL RISK MANAGEMENT (BASEL COMMITTEE ON BANKING SUPERVISION)
6. Policies, processes and procedures should exist to control and/or mitigate material operational risks.
7. A contingency and business continuity plan should exist.
8. The regulators should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risk as part of an overall approach to risk management.
9. Regulators should conduct regular, independent evaluation of bank’s policies, procedures and practices related to operational risks.
10. Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.
IT TAKES 3 TO FLY THIS PLANE
• Risk Manager – looks through the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance
• Compliance Manager – assists the pilot in maintaining the proper flight path and plane operating procedures by using the manual and FAA regulations
• Auditor – uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path
Figure: Time & Activities timeline
– Audit: Past – “Do we do as we say?”
– Compliance: Present – “Are we in compliance?”
– Risk: Future – “What can go wrong?”
IN SUMMARY
• Boards of Directors/Supervisory Committees are responsible for ensuring that their credit unions are managed in a safe and sound manner. (This hasn’t changed)
• In today’s environment (and increasingly in the future), safety and soundness means that risks need to be well-managed given the credit unions’ risk environment and business model.
• You need to be able to answer “Yes” to this regulator question: “Do you have a program that appropriately identifies emerging risks in a timely manner?”
• Therefore: Safety/Soundness = Risk Management
Consequently, the foundation for modern Corporate Governance is Enterprise Risk Management.
BENEFITS OF ERM
ORGANIZATIONAL GOALS OF ERM
• Protect/Enhance Members’ funds and opportunities
• Link Strategy and Risk Profile
• Recognize and Manage integrated/cross organizational risks
• Enhance Risk Based Decisions
• Capital Management/Preservation
• Seize Opportunities
• Disciplined Culture
For a director/committee member, do these sound familiar?
BENEFITS OF ENTERPRISE RISK MANAGEMENT
• Enhances integrated decision-making to better deal with the risk from growth, mergers, new products, etc.
• Better aligns risk and strategy.
• Framework for identifying enhanced return opportunities – improved risk mitigation.
• Improved deployment of capital resources – allocating capital to business areas to achieve superior risk-adjusted returns (RAROC).
• Credibility and confidence in governance and risk management – members, regulators, external auditors.
• Anticipate risk – seize opportunities/minimize cost.
• Improved understanding and management of interactions and interrelationships between risks.
• Clear accountability and ownership of risk.
• Regulatory compliance with safety and soundness guidelines, foundation for a strong internal control environment.
BENEFITS OF ENTERPRISE RISK MANAGEMENT (CONTINUED…)
All the previous positively impact:
• Protection of capital.
• Enhancement of earnings.
• Reduction of losses (Fraud, Credit, Operational).
• Greater efficiency in process flows.
• Better defined/more efficient internal audit programs.
• Better understanding of effect of market movements.
WHAT WE ARE OBSERVING: INDUSTRY ERM THEMES SO FAR FOR 2012+
• ERM
– Managing an acquisition (valuation, financial integration, change in risk profile, culture, data integration, etc.)
– Model validation
– Incentive programs that incorporate risk and are better aligned with organizational performance
• Compliance and regulatory
– Regulatory reform outcomes
– Stress testing
– Compliance: fair lending, BSA, AML
• Credit
– Provision and reserve going forward
– Growing the loan portfolio
– Diversifying away from risk concentrations in the portfolio
• Market Risk
– The investments portfolio – understanding the risks going forward
– Interest rate risk management
BUILDING AN ERM STRATEGY: IMPLEMENTATION OVERVIEW
ERM IMPLEMENTATION PHASES
Figure: gradual evolution of the process, from Detective controls and processes, to Preventative controls and processes, to Proactive planning and improvement, to Strategic ERM. Outcome labels on the slide: Compliance and Prevention; Operating Performance; Enhanced Member Benefits.
GRADUAL EVOLUTION OF THE PROCESS
EARLY / INTERMEDIATE / ADVANCED
Early:
• Minimal credit grading
• No portfolio analysis
• No operational risk measurement
• ROA as return measure
Intermediate:
• Some risk quantification combined with seasoned judgment
• Operational and market risk in early stages
• Effective regulatory and investor relations
• Some RAROC calculations
Advanced:
• An integrated risk management perspective
• Granular risk quantification
• Portfolio analytics
• Active portfolio management function
• Full RAROC across credit union
DEVELOPING ERM CAPABILITIES IS AN EVOLUTION, NOT AN EVENT
Add Capabilities as Risk/Complexity are Added
LET’S DO A QUICK SELF ASSESSMENT
• Go to the separate handout
• Complete the “Risk Oversight Self Assessment” survey
– There are no right or wrong answers
– Try to objectively answer each question for a credit union you have in mind
SELF ASSESSMENT - IMPLICATIONS
Q 1-12 / Q 13-28 / Implications
• Yes / No: Lots of focus on strategic planning, lots of risks, but few risk management processes
• Yes / Yes: Strategic planning and risk management are reasonably integrated and organization making great ERM progress
• No / Yes: Few perceived strategic risks but overspending on ERM processes
• No / No: Few perceived risks, but no system to be sure or to identify risks-opportunities
LINKING ERM TO STRATEGY
Figure: Maturity Level (Low to High) plotted against Time. Stages shown from lowest to highest maturity: Compliance/Monitoring; Loss Minimization; Risk Measurement; Risk Management; Risk vs. Return Optimization; Strategic Integration. The point at which the risk appetite is articulated is marked on the curve.
ERM – STRENGTHENING FOCUS ON STRATEGIC RISK EXPOSURES
Figure: driver tree for Profitability, with “Risk Drivers” and “Risk Metrics?” asked at each leaf:
• Increased Revenues
– Increased Loan Yield (Rate & Volume)
– Non-interest Income Products
• Expense Savings
– Reduce Head Count
– Other Cost Savings Measures – Vendor Mgmt.
THE MOSS ADAMS PHASES TO ERM IMPLEMENTATION
• STEP 1 – PLANNING – (a.k.a., “putting your best foot forward, knowing the process isn’t going to be perfect because it’s a new area of focus, and every institution is unique”)
• STEP 2 – IMPLEMENTING – (a.k.a., “executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the “refining” stage”)
• STEP 3 – REFINING – (a.k.a., “fixing what needs to be fixed and/or what wasn’t addressed after implementing your plan”)
A simple 3-step process for getting your ERM program off the ground
ERM IMPLEMENTATION PHASE 1 - PLANNING
BUILDING YOUR ERM ROADMAP/ IMPLEMENTATION PLAN: STEP #1 – PLANNING
A. Gain Board/Committee/Executive level of support - “Tone at the Top” might be the single biggest factor in being successful at implementing; start to build consensus/ buy-in
B. Revisit/review your strategic plan – the ERM vision s/b aligned with your organization’s size/complexity
C. Start thinking about how you are going to identify (and categorize) risk TIPS: • Define plan owners, roles and responsibilities for execution, timelines, resource alignment• Prioritize key tasks – look for up-front, early wins• Utilize existing management structures• Think about existing organizational design/structure• Other: degree of alignment with finance, specific control tools, etc?• Start to build consensus among key internal and external parties (including regulators*)• Preliminary risk assessment – work on the “completeness” of the risks inventory• Look for risk concentrations• Understand management’s current risk activities – functions, controls, what is tracked, who
does it, etc.?
TONE AT THE TOP & CULTURE
• It’s that CULTURE thing!!
• Mutual Expectations, Respect, Reliance
• Model the Standard
– Legally: Duty of Loyalty and Care
– Business Judgment
– Disclosure / Transparency
• Open Communications, Debate
• Brainstorm risks at various management levels - what risk is coming around the corner?
• Welcome the Messenger
• Welcome Dumb Questions
• Draft Policies
ERM POLICY
• Policy Statement
• Purpose/objectives
o Integrated mgmt of risk
o Governance of risk oversight
o Independent review and monitoring
o Best practice risk control
• Responsibilities
o Board of Directors
o Supervisory Committee
o Board Risk Committee
o Management Risk Committee
o CEO
o CRO
o Internal Auditor
o Department Heads
• Risk Categories
• ERM Process
• Policy Guidelines/Limits
• Risk Metrics and tools
– Risk Assessments
– Measures
• Controls & Monitoring
• Risk Response
• Communication & Reporting
• Policy Exceptions
ERM CHARTER
• Purpose/Objectives – Board/Committee delegation to:
– Identify and Manage risks
– Adhere to policies
• Committee Members and Chair
– Chief Risk Officer direct report
• Meetings
– Full Board reporting
• Duties and responsibilities
– Supervisory Committee interaction
– Oversight of Management Risk Committees
• Performance Evaluation
• Committee Resources
ERM IS A SHARED RESPONSIBILITY: TYPICAL ROLES/NEEDS
• Board of Directors: Governance; Reputational Risk; Board Training
• CEO/COO: Business Risk; Execution Risk; Strategy/Mergers
• CFO: Internal Controls; Economic Capital; Performance Measurement
• CRO (Larger): ERM Roadmap; Policies/Limits/Appetite; Risk Quantification; Dashboards
• Functional Risk Managers/Delegated Responsibilities: Credit Risk; Market Risk; Interest Rate Risk; Operational Risk; Compliance Risk; Technology Risk; Etc.
A VISION FOR ERM IS FUNDAMENTALLY LINKED TO STRATEGIC GOALS FOR YOUR ORGANIZATION
• What are your core competencies? What is your market? What does your credit union want to be? Who are your members?
• What are your return goals? (Risk vs. Reward = Credit & IRR; Capital Adequacy; Regulatory; Fraud; Other?)
• Identify Risks to your credit union – What risks do you take on to generate these returns? Focus on “key” risks.
– Credit risks in lending?
– Credit risks in your investments portfolio?
– Market risks through interest rates?
– Market risks through your investments portfolio?
– Operational risks through providing processing/cash management services?
– Compliance risks in highly regulated markets?
– Other?
• How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)? Do you have sufficient capital and liquidity to support these risks?
ERM RISK COMPONENTS
• Credit Risk and Market Risk are typically called ‘financial risks’ – return and risk are usually directly correlated here
• Greater risk will lead to higher returns in the long run, but will also result in significantly greater earnings volatility and require much more capital. A risk appetite is needed to decide how much risk and what types of risk are appropriate
• Operational Risks can also be financial risks, but the risk/return relationship can be very different
– Some operational risks such as regulatory and compliance concerns are not related to returns, only protection against future loss or are a cost of doing business
– Fee-based businesses such as payment processing are operational-risk driven businesses with a direct relation to returns
• Regardless of the risk type, ERM practices can enable management and the board to:
– Develop a consolidated view of their risk profile across all risk types and understand hot spots
– Measure risk exposure using quantitative and qualitative methods
– Set a risk appetite and manage to it
– Better understand where returns are generated
REGULATORY RISK CATEGORIES (RISKS EXAMPLE 1)
• NCUA Risk Categories: Credit Risk; Interest Rate Risk; Liquidity Risk; Transaction Risk; Compliance Risk; Strategic Risk; Reputation Risk
• Fed Risk Categories: Credit Risk; Market Risk; Liquidity Risk; Operational Risk; Legal Risk; Reputational Risk
• FHLB Risk Categories: Credit Risk; Market Risk; Liquidity Risk; Operational Risk; Business Risk
REGULATORY CAPITAL RULES HAVE CREATED A FRAMEWORK FOR CLASSIFICATION OF RISK TYPES (RISKS EXAMPLE 2)
Risk Type: Definition
• Credit Risk: Loss due to a borrower’s inability to meet its financial obligations; loss due to change in borrower’s credit quality
• Market Risk: Loss due to change in market value of traded positions; loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)
• Operational Risk: Loss resulting from inadequate or failed internal process, people and systems, or from external events. The definition includes legal risk. The definition does not include strategic or reputational risks.
MANY INSTITUTIONS HAVE ADOPTED THESE DEFINITIONS FOR A FUNCTIONAL ERM STRUCTURE (RISKS EXAMPLE 2.1)
Enterprise Risk Management Functional Structure (Not Organizational Structure)
• Credit Risk: Commercial; Retail; Counterparty
• Market Risk: Change in Fair Value; Interest Rate Risk; Currency Risk; Liquidity Risk
• Operational Risk: Compliance Risk; Int. and Ext. Fraud; Business Process Failure; HR; Litigation; Data Security; Technology/Systems; Natural Disaster; Etc.
Other Risk Category Possibilities: Business, Strategic, Concentrations, Reputation, etc.
ERM IMPLEMENTATION PHASE 2 - IMPLEMENTING THE PLAN
BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #2 – IMPLEMENTING
A. Identify and prioritize the RISKS- Keep it to the “TOP 5” for in-depth Board reporting - Additional risks can be identified and listed, but don’t take away the
focus from the Top 5
B. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting
C. Identify gaps in the process and start to analyze (but don’t let them slow you down!)
TIPS: • Identify strengths and weaknesses in existing risk management function• Re-align existing capabilities with where you need to get to• Scope: risk controls, information technology, culture, expertise, policies, risk quantification,
reporting/transparency 52
ERM IMPLEMENTATION – THINK ABOUT “RISK AWARENESS”
Difficult process – 3 levels of risk awareness
• Known – You lend money to various parties and someone isn’t going to pay (credit risk)
• Unknown, but knowable – e.g., flood or other natural disaster that isn’t unusual for the area.
• Unknown, unknowable – would not ever know in advance, but is there a plan I can have if “something” takes me out of what I do?
This helps you to think beyond the everyday risks.
FOCUS ON KEY ENTERPRISE RISKS
• Risk issues that are most significant and deserve attention of executive management and the Board.
• Issues identified through the risk assessment process within each functional risk area.
• Escalated to upper levels with mitigation and action plans presented.
ERM IMPLEMENTATION – RISK ASSESSMENT
Ask each Board member:
“With our credit union’s business model in mind, what are the Top 5 emerging risks:”
1. _________________________________________
2. _________________________________________
3. _________________________________________
4. _________________________________________
5. _________________________________________
Ask Management the same question. Will the results be similar?
How often do the Board and Senior Management engage in explicit discussions about risk?
Reminder: Addressing risk in an advanced ERM process becomes strategic instead of defensive
RISK ASSESSMENT (CONTINUED)…
• For identified risk events:
– What is the time frame to consider?
– How likely is the event to occur?
– What would be the impact?
• On financial goals (cash flow, capital, reported earnings)
• On operational goals
• On reputation/brand
– Inherent vs. residual risks?
ONE COMPLICATION: INHERENT VS. RESIDUAL RISK
• What risks are we assessing?
– Ignore response to start: tendency to over value controls
– “100% under control” – red flag; nothing is foolproof.
– Inherent risk: Risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact
– Residual Risk: Risk that remains after management responds to the risk identified
Back to some risk assessment examples….
RISK CATEGORIES WITHIN ERM (RISKS EXAMPLE #3)
• Strategic: Product Offering; Merger & Acquisition; Competition; Revenue Growth; Profitability; Capital
• Credit: Payment Default; Loan Concentration; Loan Quality; Collateral Valuation
• Interest Rate: Interest Rates; Yield Curve; Investment Volatility; Foreign Exchange
• Liquidity: Funding Sources; On/off Balance Sheet; Contingency
• Legal: Employment Law; Contracts; Intellectual Property; Litigation
• Compliance: Consumer; Member Business; Fiduciary; Money Laundering
• Operational: ID Theft & Fraud; Security & Privacy; Business Continuity; Physical Security; Vendors; Process Errors; Financial Reporting
• Reputation: Image & Branding; Employee Relations; Customer Relations; Regulatory Relations; Public Relations; Shareholder Relations
ABC INSTITUTION - SIMPLE ENTERPRISE RISK ASSESSMENT EXAMPLE (RISKS EXAMPLE #4)
Columns, in order: Risk Universe | Abbreviation | Operations | Reporting | Compliance | Safeguard of Assets | Risk Impact (AVG.) | Vulnerability | Control Environment | Control Monitoring | Risk Likelihood (AVG.) | Inherent Risk (Impact x Vulnerability) | Residual Risk (risk after controls) (Impact x Likelihood) | Test? | Prior Year Residual Risk | Risk Tested?
Loans | Lns | 5 | 5 | 4 | 3 | 4.25 | 5 | 2 | 2 | 3.00 | 21.25 H | 12.75 M | Yes (I/A) | 20.00 H | Yes
ALLL | ALLL | 4 | 3 | 4 | 5 | 4.00 | 5 | 3 | 2 | 3.25 | 20.00 H | 13.00 M | - | 19.00 H | Yes
Investments | Inv | 3 | 4 | 3 | 3 | 3.25 | 4 | 2 | 3 | 3.25 | 13.00 M | 10.56 M | - | 16.00 M | -
Deposits | Dep | 5 | 5 | 4 | 3 | 4.25 | 2 | 1 | 2 | 1.75 | 8.50 L | 7.44 L | - | 9.00 M | -
Internet Banking | IntBk | 5 | 4 | 3 | 4 | 4.00 | 4 | 2 | 3 | 2.75 | 16.00 H | 11.00 M | Yes (I/A) | 12.00 L | -
Debit Cards | Debit | 4 | 3 | 3 | 4 | 3.50 | 4 | 2 | 4 | 3.25 | 14.00 H | 11.38 M | - | 13.00 M | -
ACH | ACH | 3 | 3 | 3 | 3 | 3.00 | 2 | 2 | 3 | 2.50 | 6.00 L | 7.50 L | - | 5.00 M | Yes
Wire Transfers | Wires | 3 | 2 | 4 | 4 | 3.25 | 3 | 1 | 3 | 2.50 | 9.75 M | 8.13 L | Yes (I/A) | 8.00 H | -
Debit Cards (second entry, as shown on the slide) | | 4 | 3 | 3 | 4 | 3.50 | 3 | 1 | 2 | 2.00 | 10.50 M | 7.00 L | | |
Item Proc., Br Cap | IP | 3 | 2 | 2 | 3 | 2.50 | 2 | 1 | 3 | 2.25 | 5.00 L | 5.63 L | - | 4.00 H | -
General Ledger | GL | 4 | 4 | 3 | 4 | 3.75 | 4 | 2 | 3 | 2.75 | 15.00 H | 10.31 M | - | 11.00 H | -
ALM/IRR | ALM | 4 | 4 | 4 | 3 | 3.75 | 4 | 3 | 3 | 3.50 | 15.00 H | 13.13 M | Yes (Ext.) | 16.00 H | -
AVP, Punch & Disb | AP | 4 | 3 | 3 | 4 | 3.50 | 3 | 2 | 3 | 2.75 | 10.50 M | 9.63 M | - | 10.00 M | -
EDP | EDP | 5 | 3 | 4 | 3 | 3.75 | 3 | 1 | 2 | 2.25 | 11.25 M | 8.44 L | - | 12.00 M | -
BSA | BSA | 5 | 3 | 5 | 4 | 4.25 | 4 | 1 | 3 | 2.75 | 17.00 H | 11.69 M | - | 16.00 H | -
Compliance | Comp | 4 | 3 | 4 | 4 | 3.75 | 3 | 1 | 2 | 2.00 | 11.25 M | 7.50 L | Yes (Ext.) | 12.00 M | -
Collections | Coll | 4 | 2 | 3 | 2 | 2.75 | 3 | 2 | 3 | 2.75 | 8.25 L | 7.56 L | - | - | -
Impact scale: Negligible 1; Low 2; Moderate 3; High 4; Extreme 5
Risk Likelihood (Vulnerability / Control) scale: Remote / Excellent 1; Unlikely / Good 2; Possible / Fair 3; Probable / Needs Improvement 4; Certain / Does Not Exist 5
Risk rating bands (From – To): 1 – 8.99 Low; 9 – 13.99 Mod; 14 – 25.00 High
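The worksheet’s scoring logic (impact as the average of the four objective scores, inherent risk = impact x vulnerability, residual risk = impact x likelihood, and the Low/Moderate/High bands) as a small Python module, so the rating of any new row can be reproduced and checked rather than trusted from a spreadsheet. This is an added example, not code from the deck or from Moss Adams. Two assumptions are labelled in the code: likelihood is taken as the plain average of the vulnerability and the two control scores (the worksheet’s own likelihood column does not match that average on every row, so this is one defensible reading, not the deck’s formula), and scores outside 1..5 are rejected rather than averaged in, which is the check that would have caught the stray “74” in the worksheet above. The sample rows reuse the worksheet’s impact and control scores; the computed columns are re-derived. The ranking helper produces the “Top 5” residual risks that Step #2 keeps for in-depth Board reporting.

```python
"""Risk scoring for a simple enterprise risk assessment (constructed example).

Column logic follows the ABC Institution worksheet on the page:
  impact   = average of the four objective scores (Operations, Reporting,
             Compliance, Safeguard of Assets), each scored 1..5
  inherent = impact x vulnerability                 (risk before controls)
  residual = impact x likelihood                    (risk after controls)
  rating   = Low (1 - 8.99), Moderate (9 - 13.99), High (14 - 25)
ASSUMPTION (not stated on the page): likelihood is the plain average of the
vulnerability, control-environment and control-monitoring scores.
"""
from dataclasses import dataclass
from statistics import mean

LOW_MAX = 9.0        # scores below this are Low
MODERATE_MAX = 14.0  # scores below this (and >= LOW_MAX) are Moderate
SCORE_RANGE = range(1, 6)


@dataclass(frozen=True)
class RiskItem:
    """One row of the risk universe: four impact scores, then three
    likelihood scores (vulnerability, control environment, control monitoring)."""
    name: str
    operations: int
    reporting: int
    compliance: int
    safeguard: int
    vulnerability: int
    control_environment: int
    control_monitoring: int


def _checked(value: int) -> int:
    # Reject out-of-range entries instead of averaging them in (the worksheet
    # on the page shows a stray "74" in one impact cell).
    if value not in SCORE_RANGE:
        raise ValueError(f"score must be 1..5, got {value!r}")
    return value


def rating(score: float) -> str:
    """Map a 1..25 risk score onto the worksheet's rating bands."""
    if score < LOW_MAX:
        return "Low"
    if score < MODERATE_MAX:
        return "Moderate"
    return "High"


def impact(item: RiskItem) -> float:
    """Average of the four objective scores (the 'Risk Impact (AVG.)' column)."""
    return mean(_checked(v) for v in
                (item.operations, item.reporting, item.compliance, item.safeguard))


def likelihood(item: RiskItem) -> float:
    """ASSUMPTION: plain average of vulnerability and the two control scores."""
    return mean(_checked(v) for v in
                (item.vulnerability, item.control_environment, item.control_monitoring))


def assess(item: RiskItem) -> dict:
    """Inherent and residual scores with their ratings, rounded like the sheet."""
    imp, lik = impact(item), likelihood(item)
    inherent = round(imp * _checked(item.vulnerability), 2)
    residual = round(imp * lik, 2)
    return {
        "name": item.name,
        "impact": round(imp, 2),
        "likelihood": round(lik, 2),
        "inherent": inherent,
        "inherent_rating": rating(inherent),
        "residual": residual,
        "residual_rating": rating(residual),
    }


def rank_by_residual(items, top_n: int = 5) -> list:
    """Highest residual risk first: the 'Top 5' kept for Board reporting."""
    return sorted((assess(i) for i in items),
                  key=lambda r: r["residual"], reverse=True)[:top_n]


# Sample rows taken from the worksheet on the page (impact, vulnerability and
# control scores only; the computed columns are re-derived by assess()).
SAMPLE_RISKS = [
    RiskItem("Loans",            5, 5, 4, 3, 5, 2, 2),
    RiskItem("ALLL",             4, 3, 4, 5, 5, 3, 2),
    RiskItem("Investments",      3, 4, 3, 3, 4, 2, 3),
    RiskItem("Deposits",         5, 5, 4, 3, 2, 1, 2),
    RiskItem("Internet Banking", 5, 4, 3, 4, 4, 2, 3),
]

if __name__ == "__main__":
    for row in rank_by_residual(SAMPLE_RISKS):
        print(f"{row['name']:<17} inherent {row['inherent']:>5} {row['inherent_rating']:<8}"
              f" residual {row['residual']:>5} {row['residual_rating']}")
```

Note that inherent risk multiplies by the raw vulnerability score while residual risk multiplies by the averaged likelihood, which is exactly why a control weakness shows up in the residual column before it moves the inherent rating; on the Loans row this reproduces the worksheet’s 21.25 H inherent and 12.75 M residual exactly.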
RISK MANAGEMENT CONTINUUM
Reactive
• Lack of Board or senior management emphasis on risk
• No common risk lingo
• Stove-pipe risk management
• Ad hoc approach
• Missing coverage of risk areas
Aware
• Some board and senior management support
• Risk leader identified
• Periodic risk profiling
• Key risks defined in common vocabulary
• Recognized need for ERM
Strategic
• Proactive board and senior management involvement
• Risk managed and assessed across entire organization
• Common language and approach used and understood
• Real-time analysis of risk portfolio (real-time KRIs)
• Recognized need for ERM
Labels on the slide: “Most companies straddle”; “Goal”
RISK ASSESSMENT CYCLE
Figure: cycle of Identify risk & controls; Assess exposures and control effectiveness; Determine corrective action(s); Test Controls; Management Certification; Board of Directors; Risk Assessment (and repeat)
* Report; reassess risks & ratings
* Track Project & Task priority, status, due dates, hours
* Record testing scope, conclusion and recommendation(s)
* Shows a snapshot of the pulse of enterprise risk management at-a-glance
GOVERNANCE AND MANAGEMENT STRUCTURE - RISK VIEW
Figure: for each risk category the slide shows four layers: Board of Directors (committee); Risk Management Policies; Senior Management Committees; Senior Management Officers.
• Credit Risk: Board Credit Committee; Credit Policy; Executive Loan Committee; Chief Credit Officer
• Interest Rate Risk and Liquidity Risk: Finance Committee; Funds Management Policy; ALCO; Chief Financial Officer
• Operational Risk and Information Technology Risk: Supervisory Committee*; Operational Risk Policy, IT Policies; Security & Cont. Plan & Mgt. Committees, Technology Steering Committee; Senior Operations Officer, Chief Information Officer
• Human Capital: Ethics Committee; Human Capital Risk Policy; HR/Compensation Committee; SVP, Human Resources
• Compliance Risk and Legal Risk: BSA/Compliance Committee; Compliance Program, Legal Policy; Management Committee; Director of Regulatory Risk Mgt., Legal Director
• Strategic Risk and Reputation Risk: Strategic Planning Committee; Strategic Risk Policy, Reputation Risk Policy; Management Committee; Chief Risk Officer
• ERM: Supervisory Committee*; ERM Policy, Internal Audit Charter; Enterprise Risk Management Committee; Chief Risk Officer
*Supervisory Committee sole committee composed of strictly outside individuals
ASSESSED RISK REPORTING: RISK MAPPING
• Heat Maps are a valuable tool for communicating/reporting risks• Chart both likelihood/probability and severity/impact
HEAT MAP PORTRAYAL OF INHERENT RISKS
Figure: heat map with Impact (Severity) on the vertical axis and Likelihood (Probability of Occurrence) on the horizontal axis; risk events numbered 1 to 10 are plotted on the grid.
Mitigation legend: Not Mitigated; Marginal Mitigation; Sufficient/Acceptable
Risk Event: 1. ----- 2. ----- 3. ----- 4. ----- 5. -----
ERM IMPLEMENTATION PHASE 3 - REFINING
BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #3 – REFINING
A. Plan for Remediation of Gaps/Execution• What are you doing to address the immediate risks? (What’s the risk response – Tolerate,
Terminate, Transfer, or Treat?)• What controls will be in place going forward to monitor the risks? • Develop recommendations to remediate gaps• What Key Risk Identifiers (KRI’s) have you identified (or intend to indentify) going forward?• Cement consensus, buy-in among key parties• Further define plan owners, roles and responsibilities for execution, timelines, resource
alignment• Memorialize project plan
B. Enhance Definition of “Risk Appetite” for credit union• Quantifying risk
C. Enhance Reporting• What will reporting to executive management and the Board look like going forward? • Ongoing monitoring of implementation progress with board-level accountability• Benchmark vs. industry leaders in this area as well as peers
SELF EVALUATION APPROACH FOR IDENTIFYING GAPS TO REMEDIATE
• Organize subject-matter experts in each of the credit union’s risk categories and at the ERM level.
– Facilitate a discussion of the credit union’s risk categories.
• Comprehensive evaluation of credit union’s risk management processes.
• Prepare detailed report with findings, observations and recommendations in respective risk categories.
• Major conclusions and recommendations to create final report.
• Recommendations/Action Plan/Implementation
– Management Risk Comm.
– Board Risk Comm.
ELEMENTS OF RISK APPETITE
• Existing Risk Profile: The existing level and distribution of risks across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc.)
• Risk Capacity: The maximum risk a firm may bear and remain solvent
• Risk Tolerance: Acceptable levels of variations an entity is willing to accept around specific objectives
• Desired Level of Risk: What is the desired risk / return level
These feed the Determination of Risk Appetite (the amount of risk an entity is willing to accept in the pursuit of value)
69
WAYS TO DEFINE RISK APPETITE
• Quantitative – Clearly defined measure; can be cascaded to business units. For example, loss of capital or degree of volatility in earnings
• Qualitative – Not all risks can be accurately/credibly measured. For example, risk of damage to reputation
• Zero Tolerance – A subset which can be very clearly defined. For example, loss of life or violation of laws
70
CREATE AN IDEAL ROSTER OF RISK REPORTS
EXAMPLES:
• A high-level summary of the top risks for the enterprise as a whole; broken down by operating unit, geographic locations, product group, etc., along with significant gaps in risk management capabilities
• Report of emerging issues or risks that warrant immediate attention
• Summary of risk events, e.g., significant exceptions versus policies or established limits
• Summary of significant changes in key variables beyond management’s control (e.g. interest rates, exchange rates, etc.) and the effect on earnings, cash flows, capital, and the business plan.
• Summary of the status of improvement initiatives
71
SOME EXAMPLES OF EXTERNAL KEY RISK INDICATORS
Industry and Competitor Trends
• Number of Competitors
• New product or service announcements
• Pricing Trends
• Risk events realized by competitors
• Shifts in customer tastes/trends
Economic Trends
• Unemployment forecasts
• Consumer spending trends
• Trade and foreign policy
Liquidity/Capital Markets
• Interest rate trends/forecasts
• Credit spreads in debt and credit markets
• Stock market trends and forecasts
Supply Chain Issues
• Financial health of suppliers
• Risk events at suppliers
• Pricing trends
Regulatory Changes
• Anticipated changes in tax policy
• New regulations/restrictions
• Changes in key political offices
72
SOME EXAMPLES OF INTERNAL KEY RISK INDICATORS
Business Operations
• Transactions, output
• Sales volume, failed deals
• Operational performance issues
• Supply chain/logistics
Information Technology
• Disasters, outages, disruption
• Help desk metrics
• Security metrics
• Project metrics
• IT incidents/investigations, complaints
• IT audit issues
Compliance
• State of controls
• Regulatory inquiries/investigations
• Litigation cases
• Discovery requests
Human Resources
• Turnover
• Headcount
• Corporate training: policies, procedures, ethics
• Vacancies
• Sick days
• Disciplinary actions
Accounting/Finance
• Adjustments
• Unsubstantiated balances
• Missed deadlines
• Write-offs
Audit
• High-risk issues/material weaknesses
• Past-due audit issues
73
KEY RISK INDICATORS
• Loan Delinquencies
• Portfolio Stress Tests
• Interest Rate Thresholds
• Profitability Goals
• Regulatory Concerns
• Information Security Incidents
• IT Changes
• New Products
• Failed Customer Interactions
• Business Continuity Tests
• Operational Losses
• Process Errors
• Policy Exceptions
• Audit Issues
• Staff Turnover
GUIDANCE FOR DEVELOPING YOUR ERM DASHBOARD (THE METRIC/DATA IS…)
• Based on established practices or benchmarks
• Developed consistently across the organization
• Provides an unambiguous and intuitive view of the highlighted risk
• Allows for measurable comparisons across time and business units
• Provides opportunities to assess the performance of risk owners on a timely basis
• Consumes resources efficiently (not overly burdensome to get the info)
74
RISK REPORT EXAMPLE (KRI REPORT)
Key: Target | Better Than Expected | Expected | Worse Than Expected | N/A
Each KRI is reported against its Target for 1st qtr, 2nd qtr, 3rd qtr, 4th qtr and YTD, grouped by category:
• Human Resources – Average Daily Census, Assets per FTE, etc.
• Credit Quality – Past due over 30 days, Past due over 60 days, Past due over 90 days, Over 90 days and accruing, ALLL/Loans, Net charge-off % (annualized), TDR’s/Loans
• Financial – Net Interest Margin, ROA, ROE, Efficiency Ratio, Tangible Book Value, etc.
(The slide’s cells hold placeholder values only, “etc.” and “N/A”.)
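The KRI report above rates each metric per quarter against a target. The Python below is an added illustration of how such a status table can be generated; it is not code from the Moss Adams deck. Each KRI carries a target, a tolerance band and a direction (lower is better for delinquencies and security incidents, higher is better for ROA), every quarterly value is rated Better Than Expected / Expected / Worse Than Expected / N/A, a YTD figure is derived (mean for rates, sum for counts), and KRIs rated Worse Than Expected are listed for the “emerging issues that warrant immediate attention” report. All KRI names, targets, tolerances and quarterly values are constructed sample data, not figures from the deck.

```python
"""KRI dashboard status evaluation (added example; assumptions are my own)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

BETTER = "Better Than Expected"
EXPECTED = "Expected"
WORSE = "Worse Than Expected"
NA = "N/A"


@dataclass(frozen=True)
class KRI:
    name: str
    category: str            # Human Resources / Credit Quality / Financial / IT ...
    target: float            # the "Target" column of the KRI report
    tolerance: float         # half-width of the band still rated "Expected"
    lower_is_better: bool    # delinquency, incidents: lower; ROA, NIM: higher
    ytd_rule: str = "mean"   # "mean" for rates/ratios, "sum" for event counts


def classify(value: Optional[float], target: float, tolerance: float,
             lower_is_better: bool) -> str:
    """Rate one observation: inside the band is Expected, outside depends on direction."""
    if value is None:
        return NA                      # quarter not yet reported
    delta = value - target
    if abs(delta) <= tolerance:
        return EXPECTED
    improved = delta < 0 if lower_is_better else delta > 0
    return BETTER if improved else WORSE


def quarter_status(kri: KRI, value: Optional[float]) -> str:
    return classify(value, kri.target, kri.tolerance, kri.lower_is_better)


def ytd_status(kri: KRI, quarters: List[Optional[float]]) -> str:
    """YTD: counts are summed against a scaled target; rates are averaged."""
    reported = [v for v in quarters if v is not None]
    if not reported:
        return NA
    if kri.ytd_rule == "sum":
        n = len(reported)
        return classify(sum(reported), kri.target * n, kri.tolerance * n,
                        kri.lower_is_better)
    return classify(sum(reported) / len(reported), kri.target, kri.tolerance,
                    kri.lower_is_better)


def build_report(kris: List[KRI],
                 observations: Dict[str, List[Optional[float]]]) -> Dict[str, List[Dict[str, str]]]:
    """Group rated rows by category, one row per KRI with Q1..Q4 and YTD."""
    report: Dict[str, List[Dict[str, str]]] = {}
    for kri in kris:
        quarters = observations.get(kri.name, [None] * 4)
        row = {"KRI": kri.name}
        for i, value in enumerate(quarters, start=1):
            row[f"Q{i}"] = quarter_status(kri, value)
        row["YTD"] = ytd_status(kri, quarters)
        report.setdefault(kri.category, []).append(row)
    return report


def needs_attention(report: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """KRIs rated Worse Than Expected in the latest reported quarter or YTD."""
    flagged = []
    for category, rows in report.items():
        for row in rows:
            reported = [row[q] for q in ("Q1", "Q2", "Q3", "Q4") if row[q] != NA]
            latest = reported[-1] if reported else NA
            if WORSE in (latest, row["YTD"]):
                flagged.append(f"{category}: {row['KRI']}")
    return flagged


# Constructed sample KRIs and three reported quarters (Q4 not yet available).
KRIS = [
    KRI("Past due over 30 days (%)", "Credit Quality", 1.50, 0.25, True),
    KRI("ROA (%)", "Financial", 0.80, 0.10, False),
    KRI("Information Security Incidents (count)", "Information Technology", 4, 1, True, "sum"),
    KRI("Staff Turnover (%)", "Human Resources", 12.0, 2.0, True),
]
OBSERVATIONS = {
    "Past due over 30 days (%)": [1.40, 1.70, 2.10, None],
    "ROA (%)": [0.95, 0.85, 0.60, None],
    "Information Security Incidents (count)": [3, 5, 9, None],
    "Staff Turnover (%)": [11.0, 13.5, 12.5, None],
}

if __name__ == "__main__":
    rep = build_report(KRIS, OBSERVATIONS)
    for category, rows in rep.items():
        print(category)
        for row in rows:
            print("  ", row)
    print("Needs attention:", needs_attention(rep))
```

The tolerance band is where the quantitative risk appetite from the earlier slides becomes concrete: a KRI sits in “Expected” while it stays within the tolerance around its target, and the direction flag keeps a falling ROA from being misread as an improvement.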
75
IN SUMMARY…
76
NO ERM AT YOUR CREDIT UNION?
• It’s happening already…this is the business of banking
• Start simply…joint Board/Committee and Management adventure
• Focus on Business and Regulators…how to use it to improve processes and performance…a continuous improvement perspective
77
GREAT DUMB QUESTIONS
• What happens if…?
• Seems like that market is…could that impact us?
• I heard about…do we have risk exposure here?
• Does our policy explain what to do if…?
• Who is responsible for making sure we don’t…?
• Do we have a limit on…?
• What does our strategic plan say about…?
• Do you think senior management knows how the Board feels about that risk?
• Are there any other Board members who didn’t understand that; I’m not clear about…?
• Has anyone around here read the COSO template for risk management?
78
RECOMMENDATIONS FOR ERM
• Develop ERM Policy
– Define risk categories, roles
– Measure, monitor, and report
• Develop ERM Committee Charter
– Define members, roles, scope, reporting relationship to other committees
• Publish ERM Board Packet
– Key risk indicators (KRI) dashboard
– ALCO, Credit, Compliance, Operational Risk summaries
79
RECOMMENDATIONS FOR ERM
• Prepare a glossary for risk, compliance, audit
– Common terminology is part of culture change and education
• Arrange all risk, compliance, audit, regulatory activities on a calendar
– Show the full scope of ERM activities
• Use a standard set of risk categories
– Assess and monitor these exposures and tolerances across business units
80
QUESTIONS?
Louise Hanson – 425-303-3037
Shannon Haas – 415-677-8314