Oversight Management of Risk
May 2010
This report is solely for the use of FDHL-MT. No part of it may be circulated, quoted or reproduced for distribution outside FDHL-MT without prior written approval.

Agenda
• Broad overview of the Topic
• The Holistic Approach to Risk Management
• Process of risk management
• What the Board should question

Broad Overview of The Topic
• Definition of Enterprise Risk Management
• Traditional approach of many companies
• The need for Board surveillance and a specific Board Committee
• The role of the Chief Risk Officer (CRO)

Risk/Reward Tradeoff
Company needs to decide where on this continuum it wishes to sit. This is a Board decision.

Definition of Enterprise Risk Management
• ERM can be described as a risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations and internal controls
• ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed

Definition of Enterprise Risk Management../2
• Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies
• Some high-profile failures of companies caused by ERM failure have been:
  • Enron & Barings - Failure of control mechanisms
  • Lehman & LTCM - Failure to understand business
  • Union Carbide - Failure in remote part of company
  • General Motors - Failure to detect industry change

Definition of Enterprise Risk Management../3
• Industries change and companies must be aware of such changes. It is the Board's responsibility to react and lead the company through such changes
• Kodak is a good example
• 6 companies in the Dow Jones 30 of 1959 remain in the index (3 from 1929):
  • General Electric
  • General Foods
  • Dupont
  • Exxon Mobil
  • Procter & Gamble
  • Chevron

ERM – Traditional Approach of Many Companies
• Most companies have not traditionally approached ERM
• Modern approach is to build ERM into the strategy and budget planning process
• Needs a disciplined approach aligning strategy, process, people, technology and knowledge
ERM means the removal of traditional, functional, departmental and cultural biases

ERM – Traditional Approach of Many Companies../2
• What risks are we facing?
• Are these comparable to the risks of our competition?
• How do they change with a change in business conditions?
• What level of risk should we take?
• How should we manage that risk?

The Need for Board Surveillance and a Specific Board Committee
• The main function of any corporation is to make profit for its shareholders. To do this they must accept some level of risk
• Since the Board of Directors is the guiding body of a company it falls to them to ensure that the company and therefore its RISK is properly managed
• All companies are different and their risks and their complexity will determine the manner in which a Board focuses on risk

The Role of the Chief Risk Officer (CRO)
The Chief Risk Officer is responsible for developing and managing the risk management structure.
Should you have one??

The Role of the Chief Risk Officer (CRO)../2
• While financial services companies are embracing the CRO position, other industries such as utilities and commodities-based businesses are recognizing the power of knowing all their risks from the top down
• James Lam, founder of ERisk, based in New York, and former CRO for Fidelity Investments, has been watching the CRO trend over the last several years and says there are two indicators that CROs are here to stay: salaries are climbing, which demonstrates their value, and CROs are beginning to report right to the CEO, rather than to the CFO or Treasurer, putting them in a more powerful position.
Many CROs have a dotted line reporting relationship to the Board

The Role of the Chief Risk Officer (CRO)../3
• In Nigeria the risk management role never got as far removed from the CEO as it did in developed economies
• Therefore the CEO is effectively today’s CRO in most companies in Nigeria
Is this healthy and can the CEO perform the executive functions of a CEO and oversee the myriad of risks inherent in today’s listed companies??

The Role of the Chief Risk Officer (CRO)../4
This is an example of a Risk Department’s functional breakdown. Each company will have a different formation to align with its strategy.

The Holistic Approach to Risk Management
• Managing risk in silos
• View risk as a portfolio
• Risk is dynamic
• Risk is an opportunity

Managing Risk in Silos
• Risk needs to be managed both centrally and in silos (decentralized)
• ERM is managed centrally
• Operational and financial risk should be managed locally as that is where the business managers are and they should understand their specific risks better than a central committee

Managing Risk in Silos../2
“Field decisions are best taken by the most junior officer, in the field, allowed to take such decisions”
General Andrew Stuart

Managing Risk in Silos../3
Bhopal incident - 1984
• Union Carbide Corporation, a Dow 30 stock, owned 51% of Union Carbide India Limited
• Dec 1984 an act of sabotage caused a gas leak and resulted in 3,800 deaths
• Caused international incident
• Chairman Anderson went to India with task force, was put under house arrest and asked to leave the country

Managing Risk in Silos../4
• The result was that UCC suffered a massive reputational hit and was heavily fined
• The company fell out of the DJI in 1999 and was bought by Dow Chemicals in 2001
• UCC is still fighting damage lawsuits in the USA to this day
Question is how many Directors of UCC even knew they had an Indian plant?

Managing Risk in Silos../5
Bhopal incident - 1984
Problems:
• Management of company was left solely to the Indian management and as a 51% owned entity UCC management took a hands-off approach BUT it was UCC’s reputation at risk
• The cause of the leak and the fact that it was sabotage did not protect UCC. They clearly had no ERM system in place to protect the parent from regional catastrophic risk
• Only a comprehensive risk plan would have identified the potential risk to the parent

Managing Risk in Silos../4
Manage silo risk in conjunction with enterprise risk and ensure that it is global
GLOBAL RISK MANAGEMENT

View Risk as a Portfolio
• The idea of having ERM at the top supervising all other risk activities is to ensure that all risks are covered
• The concept of managing risks as a portfolio is not to treat all risk in isolation
• If a company has a subsidiary gravel pit and a subsidiary cement factory, you do not have to hedge the forward sales of gravel or the purchase price of gravel since they are offsetting risks at consolidation

View Risk as a Portfolio../2
• The art of managing a portfolio is to find uncorrelated asset returns and buy both asset classes and leave both unhedged as their volatility will partially offset each other
• The danger is that if these are treated in isolation excess cost will be incurred by hedging both risks
• The portfolio risk is that both assets may be structured to achieve the same thing and thus not be as uncorrelated as at first believed

View Risk as a Portfolio../3
Typical financial portfolio, can be replicated for any business grouping

View Risk as a Portfolio../4
Return Observations

A Portfolio Approach
Involves creating a general understanding of:
• A company’s resources
• The business environments in which it operates
• How value is created and stored
• The key risk issues underlying its value propositions
• How its business models are alike and dissimilar
• Every important business dimension

A Portfolio Approach: Realigning the Internal Model
(Diagram labels) Mission, Vision & Values; Operational; Financial; Employees; Debt and Equity Holders; Employment Practices and Compensation Structure; Governance and Organizational Structure; Legal and Ownership Structure

Risk is Dynamic
As a mortgage banker your risk is clearly rising as house prices rise; the same holds for the security forces as terrorism increases

Risk is Dynamic../2
• As risks increase the risk managers must find a way to counteract the impact of risk incidents. This is usually expensive and not thought out beforehand
• Conversely when risk is lower the need for insurance is lower and economic logic dictates that then you should take off excessive insurance and maximize profits

Risk as an Opportunity
• Too many organisations see risk management as a compliance issue, rather than developing approaches which add value and competitive advantage and which reflect their own business culture and stakeholder base
• Most approaches to risk management are therefore not driven or inspired by enhancing opportunities (the upside of risk) but by the fear of the ever greater penalties for doing something wrong (the downside of risk)
Prof Martin Loosemore

Risk as an Opportunity../2
• When Jamie Dimon stepped up to the plate and bought 100% of Bear Stearns for $2 per share, he used the fact that he had preserved his cash for a rainy day and was able to use it to buy a huge opportunity. So much so that he had to up the price a week later to $10 per share to avoid an awkward lawsuit
• This was a financial example of risk management turning into an opportunity. There are many less notable but equally important examples of good risk management providing superb gains in business

Risk as an Opportunity../3
Potential benefits of successful risk management
• Improved performance and competitive advantage
• Greater resilience to unforeseen risks
• Greater capacity to seize opportunities
• Greater teamwork and collective responsibility for decisions throughout all organizational levels and supply chains
• Higher client satisfaction and retention
• Greater regulatory compliance
• Less rework, disruption and conflict
• Enhanced reputation
• Higher quality information for making business decisions

Process of Risk Management
• Identify risk
• Quantify risk
• Mitigate risk
• Monitor risk

Identify Risk
Experience-based approach
• Is dependent on corporate experience
• Search for bad outcomes and try to identify risk drivers
• Solicit staff for potential risk in processes etc.
Environmental approach
• Seeks to understand the business in the context of its environment
• What is changing and how will it affect the business?

Quantify Risk
What risk measures are available to business managers
• Financial Indicators
• Liquidity
• P&L performance measures
Key Risk Indicators
• Customer complaints
• Lawsuits
• Plant failures
• Accidents
• Errors

Quantify Risk../2
• Many quantitative measures have been created to measure risk
• One of the most important and misunderstood of these is Value @ Risk or VaR
• A simplified definition of VaR is that it measures the amount of loss one can expect for a given portfolio over a specified period of time with a 95% or 99% degree of confidence

Quantify Risk../3
The problem with VaR
• VaR risk can be hedged away but this adds to the total book
• The data is usually too short term in nature to represent a full economic cycle, thus there have been far more 100-year events in the last 30 years than is feasible
• The data has no answer for how much one can lose in the 1% or 5% of events not covered by the confidence levels
• VaR tends to be used in isolation and it should not be. It does not pretend to measure Liquidity Risk

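The two data problems listed above can be seen in a short historical-simulation VaR calculation. This is an added example, not part of the original presentation; the daily P&L series are constructed for illustration, and the tail average it reports is the measure usually called expected shortfall.

```python
from statistics import mean

# Constructed daily P&L (arbitrary currency units); not data from the presentation.
CALM = [1, -1, 2, -2, 0] * 20              # 100 quiet trading days
STRESS = [-4, -6, -3, -10, -7] * 4         # 20 days of a downturn
FAT_STRESS = [-4, -6, -3, -40, -7] * 4     # same downturn, far worse extremes


def sorted_losses(pnl):
    """Turn P&L into losses (positive = money lost), smallest first."""
    return sorted(-x for x in pnl)


def var_index(n, confidence_pct):
    """Index of the confidence_pct-th percentile loss: ceil(n * pct / 100) - 1."""
    return -(-n * confidence_pct // 100) - 1


def historical_var(pnl, confidence_pct=95):
    """Loss that was not exceeded on confidence_pct% of the observed days."""
    losses = sorted_losses(pnl)
    return losses[var_index(len(losses), confidence_pct)]


def tail_mean(pnl, confidence_pct=95):
    """Average loss on the days beyond VaR (expected shortfall)."""
    losses = sorted_losses(pnl)
    tail = losses[var_index(len(losses), confidence_pct) + 1:]
    return mean(tail) if tail else losses[-1]


def compare():
    """VaR and tail figures for a short window, a full cycle and a fat tail."""
    books = {"calm only": CALM, "full cycle": CALM + STRESS,
             "fat tail": CALM + FAT_STRESS}
    return {name: {"var95": historical_var(pnl),
                   "tail_mean": tail_mean(pnl),
                   "worst": max(sorted_losses(pnl))}
            for name, pnl in books.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:10s} {row}")
```

The calm-only window reports a much smaller 95% VaR than the full cycle, and the full-cycle and fat-tail books report the same VaR even though their losses beyond it differ several-fold.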
Quantify Risk../4
Short-term Data

Quantify Risk../5
Long-term Data
For a good example see page 77 Exhibit 5.4 in “Bank Boards and the Financial Crisis” by Nestor Associates

Quantify Risk../6
How serious was the overemphasis on VaR in 2008?
• UBS blames an over-dependence on VaR and an absence of other risk measures in its mortgage book, as an overarching cause for the horrendous losses they suffered in their fixed income business
• Using VaR without liquidity limits allowed the book to grow to proportions that could not easily be financed when market liquidity dropped
• VaR is a useful tool but not in isolation

Quantify Risk../7
• Balanced scorecards and Key Performance Indicators tie strategy to operations
• Credit losses or problems
• Audit problems and exceptions
Frequently too much time is spent trying to refine what risks are being monitored and not enough time is spent fixing issues that cause risk (80/20 Rule)

Risk/Mitigation Heatmap
(Figure axes: Frequency, Level of Risk)

Mitigate Risk
• The process to mitigate risk will vary from one situation to another. Proper risk mitigation calls for understanding what you currently have and what needs to be done in order to maintain your status quo
• Don’t waste time and money mitigating non-critical risks. You will always have risk; identify the main causes of risk and manage those causes

Monitor Risk
• In much the same way as decisions should be taken by the most junior person permitted to take the decision, risk should be monitored all the way through the organization, by the most junior person able and permitted to monitor that risk
• No one person or department should be managing too many risks as then most risks will not be properly monitored

Monitor Risk../2
• Set up a series of dashboards that are easy to read and indicate the key risks to be monitored by the entity or person and ensure that all of these functions are working properly
• The Board equally should have one dashboard that indicates whether the systems are effective and that risk management processes are consistently performed
• They need a separate dashboard that monitors catastrophic risk and requires the Board’s action

What The Board Should Question
• Process
• Resources
• Is risk mitigation foolproof?
• Does the company have sufficient capital to maintain its risk profile?

Process
Must be:
• Simple, process-oriented and preferably automated
• Regularly performed
• Understandable to the operator
• If a risk is not handled immediately, the system must escalate the potential risk to the next level
• Performed consistently across all parts of the organization

Resources
• Insufficient resources will result in sub-optimal results (you get what you pay for)
• If the company cannot afford the means to monitor its risk, can it afford to take the risk?
• Resources must be consistent across all aspects of the organization and be able to communicate
• Must be available at ALL TIMES

Is Risk Mitigation Foolproof?
• Risk must be ranked according to severity of the event and its frequency
• It is too expensive to insure every event so a policy must be designed that takes into account the risk/reward from mitigating against the event
Certain events cannot be allowed to happen even once and therefore must be protected against at all costs

Does Company have Sufficient Capital?
• If the company has lost capital it must lower its risk profile, otherwise the management is violating the risk budget that was agreed with the Board
• If the Board leaves the same level of risk available to management they must understand that they have moved the company closer to potential disaster
This is Measurable