Incorporating ERM Successfully Laura Olle Chief Enterprise Risk Officer Capital One Financial Corporation
Capital One at a Glance
• A leading financial services company
• 6th largest credit card issuer in the U.S.; 6th largest issuer in the UK
• $71 billion in managed loans
• 47 million accounts
• Located in 8 U.S. cities, Canada, U.K., France and South Africa
• A FORTUNE 200 Company (#200)
• Numerous awards including:
  • Top 100 training organization – Training magazine
  • One of the “Best Companies to Work for” in the U.K. – The Sunday Times
  • “A top 100 company in Customer Relationship Management” – CIO magazine
Capital One is a large and complex organization

                          1995            2003
Customers                 6 million       47 million
Loans                     $10 B           $71 B
Associates                3,000           17,000
Business                  Card focus      Diversified
Organization structure    Functional      20+ LOBs
Asset type                Prime           Full spectrum

External events have undermined confidence
• Corporate Failures: Enron, WorldCom, Tyco, ImClone, Qwest
• Monoline Credit Card Failures: Providian, Nextcard, Metris
• Wall Street Revelations: biased equity research, IPO allocations, market timing scandals

The need for more formalized risk management results from internal and external forces
• Value in a more sophisticated approach
• Increased scrutiny from regulators, rating agencies, and analysts
Our increasing size and diversification strategy required that we make risk management much more explicit
[Figure: Risk Management Elements, each marked as either "New or increased emphasis" or "Previously in place". Elements shown, in slide order:]
• Formalized Explicit Decision Making Governance
• Annual Risk Identification & Assessment
• IBS Testing
• Conservative Credit Decisioning
• Conservative Reserves
• Customer Value Emphasis
• High Quality Hiring Standards
• Collaborative Decision Making
• Enhanced Procedures and Controls
• Updated Policies
Our goal is to avoid some key pitfalls as we transition into a truly great company that values managed risk taking
[Figure: Organizational Evolution, a 2x2 matrix. Vertical axis: Culture of Discipline (Low to High). Horizontal axis: Ethic of Entrepreneurship (Low to High). Top row: Hierarchical Organization, Great Organization. Bottom row: Bureaucratic Organization, Start-up Organization.]
Capital One has taken a number of actions to strengthen risk management and governance
• Declared risk management to be a strategic imperative in 2002: “Embrace formal controls and governance to enable continued successful growth”
• Build a state of the art risk management process
• Make effective process controls commonplace
• Create a culture that values “Managed Risk Taking”
• Created independent Credit Risk Management and Enterprise Risk Management functions (headed by Peter Schnall and Laura Olle)
• Implemented a new governance structure in 2003, including Executive Committee and five sub-committees
We’ve established a risk management style that best fits our culture

‘Top Down’ Risk Management Style
• Strategy and process defined from ‘the center’
• Implementation of the strategy performed by associates from ‘the center’
• Monitoring and control are the responsibility of ‘the center’

‘Bottom Up’ Risk Management Style
• Strategy and process determined at business area level
• Implementation of the strategy performed by business area associates
• Risk monitoring and control are the responsibility of the business area

‘Integrated’ Management Style (Best Fit)
• Strategy and process defined by the center, in collaboration with business areas
• Implementation of the strategy performed by business area associates with corporate support
• Risk monitoring and control are the responsibility of the business area
We drew upon internal and external expertise to develop our Enterprise Risk Management (ERM) function
• Followed a structured process with leadership, oversight and involvement by senior management and the Board
• Considered current risk management capabilities
• Assessed industry best practices and regulatory expectations
• Involved external subject matter experts in risk management and regulatory matters
The ERM Department strengthens Capital One’s ability to manage risk
ERM Mission: To drive Capital One’s capability to balance risk and reward and to minimize surprises by:
• Leading the development of an environment where consideration of risk is a natural part of everyday management and decision-making
• Providing tools, methodologies, and standards to enable business areas to assess and manage their own risk
• Independently monitoring, assessing and reporting on key risks
ERM drives the overall governance of risk management

Risk Management Governance Model

Board of Directors
• Ultimate responsibility for oversight of risk management

CERO / ERM Committee
• Synthesizes issues for the Board
• Establishes ERM policies and tolerances
• Reviews significant risk issues
• Ensures governance and infrastructure for the ongoing management of the risk profile

Business Area Managers
• Own risk management and mitigation
• Perform risk assessments at least annually
• Provide assertions on risk exposure for their business area
We structured our approach after the COSO framework

Organization and Culture
• Organizational structure
• Accountability
• Authority levels
• Staffing and capability
• Ethical values and integrity
• Risk management philosophy & culture
• Risk Limits

Objective Setting
• Strategic and budget planning process
• Measurability and alignment of objectives
• Communication and understanding of objectives

Monitoring
• Business performance monitoring
• Risk measurement and analysis
• Risk management and control self assessment
• Independent evaluations

Risk Assessment Process
• Execution
• Risk (event) identification
• Risk evaluation
• Risk response

Information and Communication
• Information infrastructure
• Common reporting metrics
• Information reports
• Communication channels & methodologies

Ongoing Control Activities
• Business process and IT controls
• Physical controls
• Control documents – policies, procedures, standards and guidelines
Capital One took a holistic approach to risk
• ERM process looks at all aspects of risk, including:
  • Operational
  • Credit
  • Compliance
  • Legal
  • Market
  • Liquidity
  • Strategic
  • Reputation
• Establishing these categories helps assure that all risks are considered and that information about significant risks from different business areas, processes, and geographic areas can be aggregated and reported to support our enterprise-wide risk management program.
2003 ERM activities were directed at building many components in the framework
[Figure: 2003 activities placed against the framework components Organization and Culture; Objective Setting; Monitor; Risk Assessment Process; Information and Communication; Ongoing Control Activities. Activity labels as they appear on the slide: ERM Governance, ERM and BRO staffing ERM Policy Program Foundation Course Risk appetite Compliance/CROWN ORSA, Significant Risk Report New Venture Assessment Risk Mitigation Event database KRI Pilot ERMC Reporting Package Change Management Policy Playbook ERMC Reporting Secura assessment Regulatory exam Audit reviews Policies, Spreadsheets]
There are four key players in our approach to managing risk
• ERM: Drives Capital One’s capability to balance risk and reward and to minimize surprises; sets overall approach to managing risk
• Business Areas (with B.R.O.s): Accountable for managing risk and following the defined approach
• Risk Stewards: Determine the approach to manage a specific risk category
• Internal Audit: Test and validate controls and that the approach is being followed
We faced challenges in working disciplined risk management into our culture
• Our organizational personality was geared towards entrepreneurialism
• Historical aversion to formalized structure
• Company was evolving from “start-up” to complex Fortune 200 organization
• Leadership support and local ownership of risk have helped us overcome these challenges

Keys to success
• Leadership Support
• Local ownership of risk
• Corporate imperative
• Business Risk Officers
We continue to consider ways to further drive the use of risk-related measures
• Position reporting (credit exposure, liquidity, ALCO, etc.)
• Loss experience (operational loss events, NACO, delinquencies)
• Monitoring of risks and controls (KRIs)
• Stress testing
• NPV/IRR
• Proactive measures (self assessments)
• Risk-based performance measures
• SVA (Shareholder Value Added)
• RAROC (Risk Adjusted Return on Capital)
• Capital allocation
Long-term benefits of implementing ERM
• Improved risk-adjusted returns and reduced surprises
• Improved strategic decision-making
• Improved understanding of risks and control effectiveness
• Support for growth and strategic initiatives
• A culture that values managed risk-taking
• Meeting expectations of external stakeholders
• Greater shareholder value (greater EPS and P/E ratio)
Strengthening our risk management culture is a multi-year proposition
• 2003: Formalizing Risk Management. Formalize the building blocks
• This Year: Comprehensive Risk Management. Put in place everything we need
• The Goal: Integrated Risk Management. Make sure it all works together