CAACM 5th Annual Meeting & Conference in Collaboration with ICATT
The Changing Face of Enterprise Risk Management
July 13-15, 2011, Hyatt Regency, Trinidad and Tobago
Overview
• Risk has always been managed, one way or another.
• As a concept, RM evolved from the insurance industry, where risk financing was the main RM activity.
• The financial services crisis of 2008 demonstrated the extent to which uncontrolled risk taking has damaged economies.
• For years, RM was done by buying insurance.
• More recently, companies have managed risk through the capital markets with “derivative” instruments.
• Risks that defy easy measurement, such as reputation, legal and human resources risks, have led to the emergence of ERM.
Risk Management Standards
Some of the popular standards:
• Australia/New Zealand Standard AS/NZS 4360:2004.
• COSO 2004 ERM - Integrated Framework, which defines and prescribes a process for implementing ERM.
• ISO 31000 (2009), the first global risk management standard.
• The ISO 31000 definition has shifted the emphasis from the “event” (something happening) to the “effect” – really the effect on OBJECTIVES!
What is ISO?
• The International Organization for Standardization (ISO) is the world's largest developer and publisher of International Standards.
• ISO is a specialized international organization founded in Geneva in 1947 and concerned with standardization in all technical and non-technical fields except electrical and electronic engineering.
Why an ISO Standard in RM?
• Organizations around the world [be they public, private, for-profit, not-for-profit, multinational, etc.] were facing increasing and greater risks, and risk management was not being consistently defined and applied across sectors and countries.
• The challenges of inconsistent practices and definitions thus gave rise to the need for a universal standard.
Why did ERM evolve?
Risk managers today need to manage known risks AND they must also be prepared to cope with unknown risks that may manifest themselves at any time. Risk managers can only meet these demands if they operate at a strategic level. Calls for strengthening risk oversight have been occurring on an increasing basis over the last several years. The NYSE (2004) adopted governance rules that require audit committees of listed firms to oversee management’s risk oversight processes. More recently, rating agencies such as S&P have begun to explicitly evaluate an entity’s ERM processes as an input into their credit ratings analysis.
Marsh & RIMS 3 Levels of RM
Strategic RM incorporates all of the characteristics of traditional and progressive approaches, but adds in measures with more of a “C-suite view” of risk. Companies that practice strategic RM tend to view risk as something to optimize, not just to mitigate or avoid. There is a concerted effort to index risk against competitors and against the organization itself. There is a stronger effort to weave risk issues into the overall conversation about the firm’s business decisions.
Antecedents of ERM Implementation
• The idea that ERM is a key component of effective governance has gained widespread acceptance.
• The literature review suggests five broad groups of factors that determine the extent of ERM implementation:
  • Regulatory influences
  • Internal influences
  • Ownership
  • Auditor influence
  • Firm and industry-related characteristics
Why the Continuing RM Evolution?
In light of so many financial failures, Robert P. Hartwig lashed out at the then-current ERM frameworks.
Hartwig: The financial crisis was the result of a failure of RM [in the banking and securities markets] on a colossal scale. We may literally have to tear up the manual of ERM and start over. How did so many major financial players miss or overlook such huge, systemic exposures?
But there is no “manual of enterprise risk management” to tear up. Risk management is a general term referring to the overall process of addressing risk, not any one particular method for mitigating risk.
Why the Continuing RM Evolution?
But RIMS contends that the financial crisis resulted from:
• A system-wide failure to embrace appropriate ERM behaviors - or attributes - within these distressed organizations.
• Failure to develop and reward internal RM competencies.
• Failure to use ERM to inform management’s decision making for both risk-taking and risk-avoiding decisions.
• Over-reliance on the use of financial models, with the mistaken assumption that the “risk quantifications” (used as predictions) based solely on financial modeling were both reliable and sufficient tools to justify decisions to take risk in the pursuit of profit.
• Failure to embed ERM best practices from the top all the way down.
Regulatory Impact on ERM
ERM must be part of the culture - accepted, expected and practiced at the highest levels and down through the organization - if it is to help the organization make better risk-adjusted decisions.
There is an increased focus on the effectiveness of BOD risk oversight practices:
• The NYSE’s corporate governance rules already require audit committees of listed corporations to discuss risk assessment and RM policies.
• Credit rating agencies, such as S&P, are assessing ERM processes as part of their corporate credit ratings analysis.
More importantly, while business leaders know organizations must regularly take risks to enhance stakeholder value, effective organizations recognize strategic advantages in managing risks.
Regulatory Impact on ERM
Signals from some regulatory bodies now suggest that there may be new regulatory requirements, or new interpretations of existing requirements, placed on boards regarding their risk oversight responsibilities.
• Legislation has also been introduced in the US Congress that would mandate the creation of board risk committees.
• The U.S. Treasury Department is considering regulatory reforms that would require compensation committees of public financial institutions to review and disclose strategies for aligning compensation with sound risk management.
• In July 2009, the SEC issued its first set of proposed rules that would expand proxy disclosures about the impact of compensation policies on risk taking and the role of the BOD in the company’s risk management practices.
Barriers to Adopting More Strategic Approaches to RM
• Ability to feasibly/definitively demonstrate value and ERM ROI metrics
• Senior management concerns that ERM processes are too difficult and/or costly
• Personnel and financial resources dedicated to RM
• Personnel skills, expertise and capabilities
• Products that would enhance RM strategy and capabilities
• RM technology issues
Barriers, What Barriers?
Changes that must be made to help firms adopt more strategic approaches to RM:
• Reorganize and reengineer the RM function
• Increase internal education
• Increase investment and resources in RM capabilities
• Implement RM supporting software/technology
Can ERM Evolve Further?
Some ERM truisms:
• Firms are using RM more in developing their strategic goals and objectives.
• Senior management at many firms are now more aware than ever of the need to incorporate risk into the decision-making process.
• Firms are increasing their investment in RM.
• Today RM must deal with the known risks as well as the unknown and the unknowable.
Steps to ERM Improvement
• Integrate strategic planning processes and risk assessment activities to take advantage of risk opportunities and consider risk variations across strategic goals.
• Reward risk ownership and effective RMAPs, so that ERM is aligned with the firm’s balanced scorecard and merit payouts.
• Going forward, companies must focus not only on the downside of risk but on the upside as well.
What Role Should RMIS Play?
RMIS and other technologies today have a large role in managing risk. Demand for online, real-time risk-related calculations with quick response times means that a new generation of risk systems architecture is required to cope with such demands. These RMIS have to be event-driven systems with service-oriented frameworks.
BOD ERM Role & What Prevents That?
The BOD must:
• Take responsibility for ensuring that the institution has a framework in place to embed ERM and its constituent parts, including risk appetite, risk roles and responsibilities, etc.
• Verify that risk and other key personnel are appropriately trained to fulfill their ERM roles and responsibilities.
• Insist on receiving regular risk reports and RMAPs.
• Ensure that corporate objectives are developed in conjunction with ERM insights.
• Ensure that executive management conduct table-top risk exercises and submit reports on same to the BOD.
• Ensure that business continuity and disaster recovery plans are developed, tested and improved regularly.
Changing Skill Set for the CRO
• Most progressive institutions have a dedicated senior executive charged with the responsibility of being the “Risk Champion” at their organisation. The CRO is largely charged with the Risk Champion role.
• However, the CEO or MD is really the “chief-risk-officer”, just as he/she is the “chief-revenue-officer”.
• The CRO by designation must possess a 360-degree view of the firm.
• The CRO must be multi-faceted in terms of skill set, but in particular must be a great communicator and facilitator, very good with finance, and must thoroughly understand the core nature of the business.
There is no time like the present to rethink your company’s approach to enterprise risk management.
ERM is a process that must be ongoing and flowing throughout your institution!
Thank You
Email: rawlem@gmail.com
Skype: rawle.mitchell64
Cell: 347-891-9252