The New York Chapter of the Institute of Internal Audit - 39th Annual Audit Seminar
May 18, 2012
Patchin Curtis, Director
Michele Crish, Senior Manager
Michael Schor, Senior Manager
Contents
- Defining Risk and Risk Management
- State of Enterprise Risk Management (ERM)
- Risk Management Framework
- Role of Internal Audit: A Discussion
- Leading Practices and Insights from Deloitte's Global Risk Survey
- Questions and Answers
Strong risk management and robust financial regulation are the bedrock of a stable financial system
- Hugo Bänziger, Deutsche Bank's Chief Risk Officer and a Member of the Management Board, 2010
I am fully convinced that going forward, continued improvement of risk management by banks, despite their size, will not only impact on their behavior but also their performance.
- Liu Mingkang, Chairman, China Banking Regulatory Commission, 2004
A fundamental shortcoming is the wide disparity between the rapid pace of financial innovation and the risk management infrastructure on which this innovation was built. Historic or statistical measures of risk and exposure, such as value-at-risk, past loss experiences and name concentration in the traditional banking book have proved inadequate.
- Nout Wellink, BIS Chairman, 2008
A bank in which every employee understands his or her responsibility for managing risk is likely to be more sound than a bank in which risk management is always seen as someone else's responsibility. While risk management starts at the business-line level, a well-run bank also has in place an effective program for enterprise-wide risk management that is supported by strong internal controls.
- Sarah Raskin, Federal Reserve Bank Governor, 2011
Defining risk
Risk is the potential for loss or harm, or the diminished opportunity for gain, that can adversely affect the achievement of an organization's objectives, as defined by our Risk Intelligence approach.
- Risk does not just relate to events that cause damage to the business; consider also the risk that applies to value creation
- If risk associated with value creation is not properly managed, a company may not reap potential rewards
- A company's leadership team must understand the company's risk and reward profile
- If companies avoid too many risks, they will forgo the associated rewards
- Focusing on rewarded risk enables continued creation and preservation of value, even in turbulent times
Copyright 2012 Deloitte Development LLC. All rights reserved.
ERM IS
- A process for providing a risk-adjusted view of the achievability of enterprise objectives
- A means to enhance informed decision making and risk taking
- An aggregated portfolio view of risks and vulnerabilities and their potential interactions
- A methodology that supports accountability for risk across the organization

ERM IS NOT
- A substitute for management's judgment
- A bureaucratic exercise that is isolated from the business units
- A guarantee of a zero-risk environment
Evolving View
- View on managing risk enterprise-wide
- Measure risk, allocate capital based on risk, and measure performance relative to the cost of risk (economic capital)
- Clarify risk/return economics for line management, and incorporate them into pricing and customer profitability
- Risk-adjusted performance for business units, customers and portfolios utilizes the same approach
- Greater link between the CFO and the Chief Risk Officer
- Evolving risk management capabilities means building upon an institution's strengths and existing capabilities

(Diagram: the enterprise-wide view is shown surrounded by the risk types Credit Risk, Market Risk, Operational Risk, Country Risk, Compliance and Reputation.)
Benefits
- More integrated and comprehensive assessment of risks, and an objective, consistent approach to managing them
- Enhanced clarity around risk management roles and responsibilities
- Help create a more common language and improved view of risk across the institution
- Improved understanding and monitoring of the nature of risk in the business
- Promote a risk-aware operating culture and accountability
- Receive favorable treatment from credit agencies, insurers, analysts and other stakeholders

Challenges
- Defining ERM: lack of organizational objectives and confusing, contradictory terminology
- Assessing the risk profile in line with strategic decisions
- Siloed view of risk
- Identifying and aggregating various risk types
- Risk measurement: no one tool exists
- Enabling technology: no one system addresses ERM
State of ERM

(Maturity chart: stakeholder value increases across the four stages below.)

Siloed
- Independent risk management activities
- Limited focus on the linkage between risks
- Limited alignment of risk to strategies
- Disparate monitoring & reporting functions

Comprehensive
- All risk types and business units encompassed
- End-to-end business risk management process implemented
- Common framework, program statement, policy, and risk assessment criteria
- Dedicated team or function

Integrated
- Risk interactions and dependencies rigorously evaluated
- Risks aggregated to develop an overarching risk profile
- Enterprise-wide at-risk measure adopted
- Risk modeling/scenarios

Optimized
- Risk discussion is embedded in strategic planning, capital allocation, product development, etc.
- Use of dynamic early warning indicators
- Linkage to performance measures and incentives
Some industries have been focused longer on ERM and made greater strides
(Chart: industries placed along the maturity scale Initial, Siloed, Comprehensive, Integrated, Optimized.)

Reasons for higher ERM capabilities in certain industries:
- Highly regulated industry with intense scrutiny from government entities
- Sophisticated risk analysis inherent to the business
- Nature of operations is high risk

Note: Placement of industries in this chart is judgmental, but based on Deloitte's depth of ERM knowledge and experience with a wide variety of industries.
Risk Governance
- Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management
- Certain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization's risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program
Operating models
Control/Compliance Operating Philosophy
- Risk organization may be perceived to be the enforcer of risk policies and rules
- Centralized risk function often assumes ownership and management of particular risks
- Extensive reliance on policies and procedures
- Many activities focused on monitoring compliance
- Risk organization may be perceived to be a burden on the business

Contrasting operating philosophies (the slide's remaining column headings did not survive extraction)
- Drive risk management/process/function integration and alignment
- Integrate and coordinate cross-functional risk interdependencies
- Risk organization may be perceived to be a business partner
- Line management ownership of risks
- Support/conduct risk assessments using various techniques
- Avoids unnecessary disruption to the business
- Identify likely/potential critical risks and proactively engage risk owners, build tools, processes, etc.
- Focus on enhancing risk-informed decision making and managing risks during execution of decisions
- Requires tool/process development investments
- Identify high-level risk trends
- Gather information and report to center for data analysis
- Utilization of tools/process is optional
- Tools/process may not be fully utilized or adopted by business/risk owners
- Risk organization should provide quality services to business units
Risk Culture
Typical Attributes
(Diagram: only the labels External Auditor and Regulator survive from this slide.)
Risk appetite
At the highest level, risk appetite defines the amount of overall risk that a firm is willing to accept in pursuit of its business objectives
Risk appetite principles:
- Defined by senior management and approved by the Board of Directors
- Aligned with business objectives and should be linked to KPIs
- Responsibility distributed across the organization to all levels of management
- Embedded in policy development, business and strategic planning, resource allocation, and various business and risk processes
Risk Appetite Scale
(The scale runs from risk seeking to risk averse; the slide also labels an "Action and correction" axis. Each level is given with its description and its strategic goals & value drivers.)

Risk Seeking
- Description: Taking risk is considered part of the company's strategy
- Strategic goals & value drivers: New market expansion and acquisition activities

Risk Tolerant
- Description: Company takes an aggressive approach towards taking risk
- Strategic goals & value drivers: Portfolio management, innovation

Risk Neutral
- Description: Company takes a balanced approach to risk taking
- Strategic goals & value drivers: Operations, asset/liability management

Risk Averse
- Description: Company accepts as little risk as possible
- Strategic goals & value drivers: Health, safety, environment, security, fraud, financial reporting, regulatory compliance and reputation
Risk processes
Key risk processes to establish a robust risk management framework:
1. Risk Identification
- Structured around an enterprise-wide framework of risk categories and definitions
- Both top-down and bottom-up process

2. Risk Assessment
- Provide a qualitative and quantitative view of risk
- Assessed on the gross/inherent basis and on the net/residual basis, taking into consideration the existence of risk mitigation
- Level of complexity of the risk assessment should correlate to the level of significance of the risk
- Need BU involvement

3. Risk Measurement
- A range of risk measurement methodologies exist
- Data availability and quality is key
- Most start with a qualitative form of risk assessment
- Examples include: risk assessment & scoring, KRIs, loss event and scenario modeling, economic capital modeling and allocation

4. Risk Response & Mitigation
- Appropriate response is dependent on the company's strategic objectives, risk appetite, level of action required and return/reward/cost of the mitigation plan
- Can range from full mitigation, to partial mitigation, to acceptance with no mitigation
- Establish a risk mitigation framework

5. Risk Monitoring & Reporting
- Risks are usually monitored individually and then aggregated and reported
- The RM function usually aggregates and reports
- Effective risk reporting should include information on key risks enterprise-wide, provide a clear picture of the risk profile and emerging risks, and focus on KRIs, limits and thresholds
- Risk dashboard
Leading Practices and Insights from Deloitte's Global Risk Management Survey, Seventh Edition
- The survey was conducted during Q3 2010
- We solicited responses from CROs or their equivalents at financial services firms around the world
- 131 financial institutions with a total of over $17 trillion in assets participated
- Topics included: risk governance; enterprise risk management; Basel II, Solvency II, and economic capital; managing risk types; risk management systems & technology infrastructure

Source: Navigating in a Changed World, Deloitte Global Risk Management Survey, 7th edition, http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_fsi_grms_031711.pdf
(Survey charts: respondent breakdown by Primary Business, Geography and Asset Size, followed by bar charts of which only the percentage values and the legend labels "Completely" and "Substantially" survive.)
Leading practices
- Role of the board of directors: Increased focus on governance and oversight for risk management and on approving a clearly stated risk framework, policies and risk appetite statement
- Role of the chief risk officer: Increased responsibility and visibility, with direct reporting lines to the board and/or CEO and leadership of the ERM program, including risk governance, reporting and analytics, where appropriate
- Three lines of defense: Define a risk framework that clearly identifies roles, responsibilities and monitoring across the organization
- Risk appetite statement: Approving an enterprise-level statement of risk appetite and integrating it into business activities, e.g. limits
- Risk metrics: Focus on key risk metrics in decision-making across the organization, including strategy planning, budgeting, and performance measurement
- Chief Compliance Officer and Compliance Program: Emphasis on building an enterprise-wide, independent compliance risk management program consistent with regulatory guidance, and on elevating the visibility of the CCO with a direct reporting line to the board
- Risk reporting: Continued challenges with integration of systems and data; yet focus remains on aggregation and analysis across asset classes and businesses, and on enhanced reporting to management and the board
- Risk management likely continues to be an area of substantial focus, given market conditions and regulatory change
- No two institutions are alike: business strategy and the mix of component businesses and jurisdictions will help drive decision-making
- Risk governance: boards have been increasingly proactive in risk management and this will likely continue
- The CRO is increasingly a more senior executive position
- Even traditional risks such as operational risks can benefit from more attention; additional risks may need focus
- Continued and increased use of risk measurement models and approaches, including stress testing, require assessment of models and assumptions
- Data integrity and data analysis become increasingly important as systems are integrated and reporting needs increase
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. In addition, this presentation contains summarized survey results, which are included for informational and discussion purposes only. Participant survey responses were taken as is and were not confirmed or validated by Deloitte. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting. Copyright 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited.