
Agenda

Enterprise Risk Management – Global Best Practices. David Millar, Chief Operating Officer, The Professional Risk Managers’ Association. Agenda: Definition of ERM; The risks that make up ERM; Standard ERM frameworks; Some case studies; The components of risk; Risk architectures; The benefits of ERM.



Presentation Transcript


  1. Enterprise Risk Management – Global Best Practices. David Millar, Chief Operating Officer, The Professional Risk Managers’ Association

  2. Agenda
  • Definition of ERM
  • The risks that make up ERM
  • Standard ERM frameworks
  • Some case studies
  • The components of risk
  • Risk architectures
  • The benefits of ERM
  • Implementation issues
  • Some more case studies
  • Ten questions for best practice ERM

  3. A definition of ERM
  “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” (Source: COSO standards)

  4. Breakdown – “a process”
  • Procedures, a framework, a set of standards, rules, etc. governing activities and implementing controls
  • Involves many (possibly all) employees in an entity (company)
  • Is written down somewhere and must be kept up to date
  • There will be one person (not several) ultimately responsible for the processes, e.g. the Head of Group Risk or the Chief Risk Officer
  • Involves communication (in both directions) as well as activities
  • Needs to be managed, monitored and, increasingly, reported to the regulators and disclosed to the public

  5. Breakdown – “in a strategy setting”
  [Diagram: project risks feed into enterprise risk; the ERM view shows the complex dependencies between them]

  6. Breakdown – “across the enterprise”
  [Diagram: a single view of risk across the entire company or group, spanning business units labelled Bank, TV, Farming, Oil and Shipping]

  7. Breakdown – “identify potential events” / “manage risks”
  • Categorise
  • Identify
  • Assess
  • Consolidate
  • Monitor
  • Mitigate
  OR
  • Model
  • Record
  • Evaluate
  • Report
  • Disclose
  [Chart: loss distribution ($ against %) showing Expected Losses, Unexpected Loss (but identified risk) and “tail” data]

  8. Breakdown – “risk appetite” / “reasonable assurance”
  • Business strategy = risk x benefit (both need to be identified)
  • 100% risk-free is neither expected nor beneficial
  • Risk appetite needs to be agreed at board level and documented
  • An entity needs to identify risks (and their probability) and have a strategy to survive these events
  • Risk is a commodity and can be hedged
  • Risk can be covered internally
  • Risk can be insured externally
  • The requirement is to be able to apply measures

  9. The risks that make up ERM

  10. What risks are included in ERM
  [Diagram: the risk types that make up ERM]

  11. Measure risk where possible…
  Example of the relative losses due to risk events measured in a European bank. Note that reputational and strategic losses have not been attributed or measured.
  [Pie chart of relative losses by risk type: 38.09%, 28.43%, 27.49%, 4.76% and 1.23%]
  Note: In this example, ALM Risk is classified as Interest Risk and Liquidity Risk across the balance sheet. Market risk is Pricing & Currency Risks only.
  Source: Diagram – WestLB, March 2004; Ratio – DM

  12. … even if not apparently possible
  • You may not have:
    • Overall probability = 0.15%
    • Probability in this unit = 0.27%
    • Average impact = $49,500
    • Maximum loss = $346,350
  • But you can have:
    • Probability = very likely
    • Effectiveness of this unit = moderate
    • Impact = serious
    • Losses = in range $200,000 to $500,000
  • Enough to create a traffic light system

  13. Some initial definitions – strategic risk
  • Strategic risk creates an adverse impact on an entity, its earnings or capital, derived from:
    • adverse business decisions,
    • improper implementation of decisions, or
    • lack of responsiveness to industry changes.
  • It involves an entity’s
    • strategic goals,
    • the strategies to achieve those goals,
    • the resources available and
    • the quality of implementation.
  • Resources include communication channels, operating processes, delivery networks, and managerial capacity and capability.
  • These are evaluated against the impact of regulatory, economic, technological, competitive and environmental changes.

  14. Financial risk

  15. Operational risk (From: Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk, February 2003)

  16. Other risks

  17. Some case studies

  18. Shell (2003-4)
  • Shell are quoted on both the Dutch and UK exchanges and on the NYSE (via ADRs), as Shell Transport & Trading and Royal Dutch Petroleum.
  • Shell overstated its proven oil reserves from 1998 to 2004 by up to 25%. Management were rewarded on the basis of the reserves quoted.
  • The misrepresentation could no longer be hidden in the accounts and the directors of Shell began to worry about the Sarbox implications.
  • The FSA and SEC indicated in 2001 that they were unhappy about the figures. Shell said their views were “immaterial or overly pessimistic”.
  • Shell have now been found to have committed “market abuse”, including the release of false data leading to inflated share prices.
  • Shell are fined $140M and have to put in extensive controls to prevent a repeat. There are criminal proceedings against individuals.
  • There is market concern that other oil companies have been doing the same. This will also impact the ratings of the sovereign oil countries.
  • A controls loss which will impact on share price.

  19. Metallgesellschaft (1993)
  • A metal company, owned by Deutsche Bank, Allianz/Dresdner, Daimler-Benz and the Kuwait Investment Authority, which moved into risk management services and energy derivatives.
  • It sold 10-year oil contracts at fixed prices over spot, with an option to terminate early if the NYMEX price > the MG selling price. MG then paid half the difference between the futures price and the MG price.
  • It managed this through volume dealing and a hedging strategy. Studies have shown this strategy was mathematically valid.
  • It failed as the size of the deals impacted the market, causing liquidity issues and creating cash flow problems. US (then) accounting rules allowed hedge proceeds to be netted; German rules did not, creating a poor balance sheet which affected credit rating and reputation.
  • The Management and Supervisory Boards pleaded ignorance of the situation. MG announced losses of $1.5 billion at the end of 1993.

  20. Citigroup (2004)
  • August 2nd – a quiet Monday holiday period in Europe.
  • Citigroup traders started dumping European government bonds – €11B worth of sell orders in 2 minutes in 100 bonds on 11 markets using 13 trading platforms. The trading platforms were swamped and prices fell rapidly.
  • An hour later, Citigroup attacked again, buying €4B of bonds cheaply. This trading coup netted the bank €15M+.
  • Citigroup did nothing wrong. However:
    • the market (Citigroup’s counterparties) claim they broke a gentleman’s agreement for orderly trading in government bonds,
    • governments (Citigroup’s clients) are angered that their bond prices have fallen overall and their trading platforms were trashed.
  • Citigroup claim high ethical values. The market would disagree. This may have cost Citigroup more than the €15M profit in lost fees.

  21. Standard risk frameworks

  22. Risk frameworks
  [Diagram: Enterprise Risk, fed by risk assessments, indicators, controls and events data, branches into Financial Risks, Operational Risks, Other Risks and Strategic & Regulatory Risks. The financial branch lists Credit, Market Pricing, Interest Rate, Liquidity and ALM; the remaining branches list Supplies failure, Legal, Technology, Government, Operational, Disaster, Fraud, Terrorism and Project]

  23. Enterprise Risk Framework
  • Enterprise risk frameworks:
    • … are the consolidation of many lower-level, risk-area-specific risk frameworks – many of these will already be in existence (credit risk, project risk, ALM)
    • … can be built (and should be planned to be built) over time
    • … should be structured to suit individual need (business, regulations, share structure)
    • … must not detract from, and must work in harmony with, current and local risk framework solutions
  • Do not get obsessed with quantification over qualification.
  • There are no complete pre-packaged solutions, but there are a number of established ERM frameworks
  • Globally, most are building their own framework from scratch around established software packages, or are modifying / expanding the COSO standards.

  24. The COSO Framework
  • The Treadway Commission (1987) recommended that public companies must be able to “identify, understand, and assess the factors that may cause its financial statements to be fraudulently misstated”.
  • This was not enacted (lots of US lobbying), but a control framework was developed entitled "Committee of Sponsoring Organizations Internal Control – Integrated Framework" (COSO) – released in 1992.
  • The COSO ERM project, launched in 2001, builds on the COSO Internal Control Framework and consists of a framework and application guidance. A draft was released in 2003 and the full version in August 2004 (www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm).
  • The SEC rule-making for Sarbanes-Oxley Section 404 mandated that a company’s internal control over financial reporting be based on a recognized internal control framework. The COSO framework was suggested by the SEC, but they will accept locally-approved risk frameworks from overseas if they match COSO.

  25. The COSO structure
  • Allows structured risk management
  • Is enterprise-wide
  • Allows objectives to be assessed with different criteria
  • Allows controls to be looked at from different perspectives
  Source: 2003 COSO Draft

  26. Reference – for later reading: The COSO Components
  [Diagram of the COSO components. Source: 2003 COSO Draft]

  27. The COSO Control Model (Reference – for later reading)
  CONTROL ENVIRONMENT
  • Integrity and Ethical Values
  • Commitment to Competence
  • Board of Directors/Audit Committee
  • Management Philosophy and Operating Style
  • Organization Structure
  • Assignment of Authority and Responsibility
  • Human Resource Policies and Practices
  RISK ASSESSMENT
  • Entity-Wide Objectives
  • Activity-Level Objectives
  • Risk Identification
  • Change Management
  CONTROL ACTIVITIES
  • Top Level Reviews
  • Direct Functional or Activity Management
  • Information Processing
  • Physical Controls
  • Performance Indicators
  • Segregation of Duties
  • Controls Over Information Systems
    • Data Centre
    • Application Development & Maintenance
    • System Software
    • Access Security
    • Application Controls
  INFORMATION AND COMMUNICATION
  • Information
  • Communication
  MONITORING
  • Ongoing Monitoring
  • Separate Evaluations
  • Reporting Deficiencies

  28. AS/NZS 4360-1999
  • The world’s first ERM standard?
  • Australia New Zealand Standard 4360 : 2004, www.riskmanagement.com.au/ – 2 volumes (from AUD$ 94.50 in pdf format)
  • Risk Scoring – Consequence x Likelihood
  • Risk Assessment – Qualitative and / or Quantitative
  • Updated Sept ’04 – to include risk opportunity features

  29. Reference – for later reading: AS/NZS 4360-1999 – Contents
  1 Scope and general
  2 Risk management process overview
  3 Communication and consultation
    3.1 General
    3.2 What is communication and consultation?
    3.3 Why communication and consultation are important
    3.4 Developing a process for communication and consultation
  4 Establish the context
    4.1 Context
    4.2 Objectives and environment
    4.3 Stakeholder identification and analysis
    4.4 Criteria
    4.5 Consequence criteria
    4.6 Key elements
    4.7 Documentation of this step
  5 Risk identification
    5.1 Aim
    5.2 Components of a risk
    5.3 Identification process
    5.4 Information for identifying risks
    5.5 Approaches to identifying risks
    5.6 Documentation of this step
  6 Risk analysis
    6.1 Overview
    6.2 Consequence and likelihood tables
    6.3 Level of risk
    6.4 Uncertainty
    6.5 Analysing opportunities
    6.6 Methods of analysis
    6.7 Key questions in analysing risk
    6.8 Documentation of the analysis
  7 Risk evaluation
    7.1 Overview
    7.2 Types of evaluation criteria
    7.3 Evaluation from qualitative analysis
    7.4 Tolerable risk
    7.5 Judgement implicit in criteria
    7.6 Evaluation criteria and historical events
  8 Risk treatment
    8.1 Introduction
    8.2 Identify options
    8.3 Evaluate treatment options
    8.4 Selecting options for treatment
    8.5 Preparing treatment plans
    8.6 Residual risk
  9 Monitoring and review
    9.1 Purpose
    9.2 Changes in context and risks
    9.3 Risk management assurance and monitoring
    9.4 Risk management performance measurement
    9.5 Post-event analysis
  10 Recording the risk management process
    10.1 Overview
    10.2 Compliance and due diligence statement
    10.3 Risk register
    10.4 Risk treatment schedule and action plan
    10.5 Monitoring and audit documents
    10.6 Incident data base
    10.7 Risk Management Plan
  11 Establishing effective risk management
    11.1 Policy
    11.2 Management commitment
    11.3 Responsibility and authority
    11.4 Resources and infrastructure
    11.5 Culture change
    11.6 Monitor and review risk management effectiveness
    11.7 The challenge for leaders – Integration
    11.8 The challenge for managers – Leadership
    11.9 The challenge for all – Continuous improvement
    11.10 Key messages and questions for managers
  12 References
    12.1 Standards and Handbooks
    12.2 Further reading

  30. Reference – for later reading: Other Frameworks
  • The UK’s Turnbull Committee’s 1999 report was updated in 2005 – http://www.frc.org.uk/corporate/internalcontrol.cfm
  • The Canadian Institute of Chartered Accountants created the Criteria of Control (CoCo) Board, now the Risk Management and Governance Board, and published the CoCo Guidance on Control (1995) (www.cica.ca).
  • The Association of Insurance & Risk Managers (www.airmic.com), The Institute of Risk Management (www.theirm.org/) and The National Forum for Risk Management in the Public Sector (www.alarm-uk.com/) have created a Risk Management Standard for their members. Available free at their websites.
  • The King Committee on Corporate Governance (King II) from South Africa. Copies for R 600 plus postage – from http://www.iodsa.co.za/downloads/reports/kingreport_orderform.pdf
  • Another available standard is that from the UK's Treasury Department. This is available from http://www.hm-treasury.gov.uk/media/3/5/FE66035B-BCDC-D4B3-11057A7707D2521F.pdf

  31. Risk components

  32. Financial and Non-Financial Risk
  Enterprise Risk is essentially non-financial with a large financial component.
  [Diagram: a spectrum from Pure Financial risk to Non-Financial risk (which will include some financial), with risk data feeding Enterprise Risk. Categories shown: Strategic Risks, Financial (Trading) Risks, Operational (Procedural) Risks and Other Risks. Risk types shown: Regulatory, Reputational, Pandemic, Environment, Government, Credit, Market Pricing, Interest Rate, Liquidity, ALM, Operational, Disaster, Fraud, Terrorism, Project, Legal]

  33. Financial risk
  • Financial Risk – Balance Sheet Risk
  • Assets (what you have, or what is due to come into your possession at a future date) and Liabilities (what you owe to someone else) can all be given a numeric financial value, and these values can be balanced.
  • However, the value of these can vary:
    • The market price can go up or down
    • The value you give can be right or wrong
    • The expected payment for services given or taken can vary
    • The currencies involved can move against each other
    • You may not receive what is owed to you
    • You may not be able to realise the validly quoted price

  34. Financial risk
  • All financial risk can be modelled (in theory, and as long as you get the modelling factors right)
  • The risks are a combination of many volatile parameters
  • An asset or a liability can be given a value – and the risk that an asset or liability can vary in value (to zero in the case of default) can also be given a value
  • This value can then be protected through:
    • Hedging – buying a liability or asset which varies in price exactly opposite to the value of the original asset or liability
    • Insurance – purchasing a policy that pays out in the event of the value of the asset or liability changing by more than an agreed value
    • Capital – storing money away against a rainy day

  35. Non-financial (operational) risk
  • Has financial and non-financial impacts
  • A much wider range of categories of types of risk
  • A much smaller volume of incidents (risk or loss events)
  • Cannot always be quantified
  • Less historic data
  • Less commonality of recording incidents
  • May be dependent on qualitative analysis
  • Can have a much greater impact than financial risk
  • Incidents are not always obvious
  • Recording depends on human intervention, attitude, willingness and interpretation

  36. What are the components of non-financial risk management?
  • Risk identification
  • Risk (and other components) categorisation
  • Organisational modelling
  • Risk assessment
  • Loss event recording
  • Management and mitigation
  • Reporting and analysis

  37. The building blocks of non-financial risk
  • Risk categorisation
  • Descriptions
  • Likelihood (probability)
  • Impact – both inherent and residual
  • Risk structure(s)
  • Risk controls
  • Risk indicators
  • Risk events (incidents or transactions)
    • Parameters
    • Potential impact
    • Actual impact
    • Knock-on effects

  38. A risk structure
  [Diagram: RISK REGISTER – a flat table of risks 1, 2, 3, 4, etc., each with its attributes]

  39. A risk structure
  [Diagram: the RISK REGISTER (flat table of risks 1, 2, 3, 4, etc., each with attributes) linked one-to-many to a PRIME RISK STRUCTURE of up to N levels, with risks linked at the lowest level]

  40. A risk structure
  [Diagram: as before – RISK REGISTER (risks 1, 2, 3, 4, etc.) linked one-to-many to the PRIME RISK STRUCTURE (up to N levels, risks linked at the lowest level) – with an EVENTS REGISTER added: a flat table of events A, B, C, D, etc., each with attributes, linked many-to-many to the risk register]

  41. A risk structure
  [Diagram: as before – PRIME RISK STRUCTURE (up to N levels), RISK REGISTER (1, 2, 3, 4, etc.) and EVENTS REGISTER (A, B, C, D, etc.; many-to-many with risks) – with a CONTROLS REGISTER added: a flat table of controls α, β, γ, δ, etc., each with attributes]

  42. A risk structure with indicators
  [Diagram: as before – PRIME RISK STRUCTURE (up to N levels, risks linked at the lowest level), RISKS (1, 2, 3, 4, etc.), EVENTS (A, B, C, D, etc.) and CONTROLS (α, β, γ, δ, etc.) – with an INDICATORS table added: a flat table of indicators a, b, c, d, etc., each with attributes]
  • Transaction indicators, HR indicators, external indicators such as weather, etc.
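The register structure built up in slides 38 to 42 (a prime risk structure of N levels, risks linked only at the lowest level, events many-to-many with risks, and a controls register) and the qualitative scoring in slides 12, 28 and 37 (consequence x likelihood, inherent versus residual impact, a traffic light) can be shown together in a small data model. The Python below is an added example written for this page, not code from the presentation, PRMIA or any of the frameworks it names. The scale labels and weights, the red/amber/green thresholds, the rule that a control reduces impact by its effectiveness rating, and the equal split of an event's loss across the risks it is linked to are all assumptions made for the example; the group structure, risks, controls and events are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Qualitative scales for a "traffic light" system. Label order, numeric
# weights and the red/amber/green thresholds are assumptions for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "very likely": 5}
IMPACT = {"minor": 1, "moderate": 2, "serious": 3, "major": 4, "catastrophic": 5}
EFFECTIVENESS = {"none": 0, "weak": 1, "moderate": 2, "strong": 3}


def rating(score: int) -> str:
    # Traffic light for a likelihood x impact score on the 1..25 scale (assumed cut-offs).
    return "red" if score >= 15 else "amber" if score >= 8 else "green"


@dataclass
class Risk:                      # row of the RISK REGISTER
    risk_id: int
    description: str
    node: str                    # lowest-level node of the prime risk structure
    likelihood: str
    inherent_impact: str


@dataclass
class Control:                   # row of the CONTROLS REGISTER
    control_id: str
    effectiveness: str
    risk_ids: List[int]          # one control may mitigate several risks


@dataclass
class Event:                     # row of the EVENTS REGISTER
    event_id: str
    actual_loss: float
    risk_ids: List[int]          # many-to-many: one event may hit several risks


class RiskRegister:
    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}   # prime risk structure: node -> parent
        self.risks: Dict[int, Risk] = {}
        self.controls: Dict[str, Control] = {}
        self.events: Dict[str, Event] = {}

    def add_node(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.parent:
            raise ValueError(f"unknown parent node {parent!r}")
        self.parent[name] = parent

    def add_risk(self, risk: Risk) -> None:
        # Risks link only at the lowest level: the node must exist and have no children.
        if risk.node not in self.parent or risk.node in self.parent.values():
            raise ValueError(f"{risk.node!r} is not a lowest-level node")
        self.risks[risk.risk_id] = risk

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def add_event(self, event: Event) -> None:
        if any(r not in self.risks for r in event.risk_ids):
            raise ValueError("event links a risk that is not in the register")
        self.events[event.event_id] = event

    def residual_impact(self, risk_id: int) -> int:
        # Inherent impact reduced by the strongest control on the risk (floor of 1).
        strongest = max((EFFECTIVENESS[c.effectiveness] for c in self.controls.values()
                         if risk_id in c.risk_ids), default=0)
        return max(1, IMPACT[self.risks[risk_id].inherent_impact] - strongest)

    def score(self, risk_id: int, residual: bool = True) -> Tuple[int, str]:
        # (score, traffic light) for one risk, on inherent or residual impact.
        risk = self.risks[risk_id]
        impact = self.residual_impact(risk_id) if residual else IMPACT[risk.inherent_impact]
        s = LIKELIHOOD[risk.likelihood] * impact
        return s, rating(s)

    def losses_by_node(self) -> Dict[str, float]:
        # Consolidate actual losses up every level of the structure. An event
        # linked to k risks is split equally between them (an assumed rule).
        totals = {n: 0.0 for n in self.parent}
        for ev in self.events.values():
            share = ev.actual_loss / len(ev.risk_ids)
            for rid in ev.risk_ids:
                node: Optional[str] = self.risks[rid].node
                while node is not None:          # walk from the leaf up to the root
                    totals[node] += share
                    node = self.parent[node]
        return totals


def build_sample_register() -> RiskRegister:
    # Constructed sample data for this example (not from the presentation).
    reg = RiskRegister()
    for name, parent in [("Group", None), ("Bank", "Group"), ("Trading", "Bank"),
                         ("Retail", "Bank"), ("Shipping", "Group")]:
        reg.add_node(name, parent)
    reg.add_risk(Risk(1, "Unauthorised trading beyond limits", "Trading", "possible", "major"))
    reg.add_risk(Risk(2, "Employee fraud in payments", "Retail", "unlikely", "serious"))
    reg.add_risk(Risk(3, "Vessel loss in severe weather", "Shipping", "likely", "catastrophic"))
    reg.add_control(Control("C1", "moderate", [1]))   # daily limit monitoring
    reg.add_control(Control("C2", "strong", [2]))     # segregation of duties
    reg.add_control(Control("C3", "weak", [3]))       # hull insurance
    reg.add_event(Event("E1", 120_000.0, [1]))        # FX desk limit breach
    reg.add_event(Event("E2", 900_000.0, [3]))        # storm damage to a vessel
    reg.add_event(Event("E3", 50_000.0, [1, 2]))      # fraud found during a limit review
    return reg
```

With the sample data, risk 1 scores 12 (amber) on inherent impact but 6 (green) once its control is taken into account, while risk 3 stays red because its only control is weak; `losses_by_node()` rolls the three events up to Trading, Bank, Shipping and Group, which is the "consolidate" step of slide 7 run over the register rather than over a spreadsheet.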

  43. Risk categorisation (Merrill Lynch Capital)
  • 52 risks grouped into categories:
    • People
    • Financial
    • Credit
    • Reporting & Control
    • Customer Suitability & Servicing
    • External
    • Technology
    • Legal/Regulatory
    • Reputational (!)
  • The People category expanded: Employee Fraud; Resource Management; Involuntary Downsizing / Restructuring / Constrained Resources; Loss of Key Individuals / Teams; Lack of Training / Experience / Knowledge / Ability; Knowledge Capital Risk; Efficiency Risk; Leadership Risk; Authority / Limit Risk; Performance Incentives Risk; Change Readiness Risk; Alignment Risk
  • People Risk: the risk of loss related to the management and deployment of people, including inappropriate resource management (e.g., lack of training and constrained resources), inappropriate management oversight, employee irregularities, discrimination, harassment and turnover.

  44. Architecture - how does it all fit together?

  45. An ERM architecture consists of interlocking parts
  • MIS and Internal Audit – strategic direction and control, disclosure, etc.
  • Transaction Compliance – transparency, best execution, Conduct of Business, etc.
  • Transaction Processing – quote, buy/sell, clear, settle, report, etc.
  • Risk Management – capital adequacy, risk management, event repair, etc.
  • Business Controls – trading limits, management processes and authorisations, etc.
  A similar model could be created for the retail financial or insurance businesses.

  46. Types of risk
  [Diagram: Enterprise Risk, fed by risk assessments, indicators, controls and events data, divided into Strategic Risks, Financial (Trading) Risks, Operational (Procedural) Risks and Other Risks]
  • Regulatory
  • Pandemic
  • Legal
  • Environment
  • Government
  • Credit
  • Market Pricing
  • Interest Rate
  • Liquidity
  • ALM
  • Operational
  • Disaster
  • Fraud
  • Terrorism
  • Project

  47. A risk MIS view
  [Diagram: Board/Senior Management sit above a Risk MIS fed by risk indicators – parts returned, days debtors, net sales, ALM / ALCO limits and positions, capital allocation, % leavers, response time, oil reserves. The indicators come from the Operational, Liquidity, Market and Credit Risk Systems and from Accounts, HR management, Sales systems, CRM, Manufacturing, etc., all of which sit on transaction data and local KRIs]

  48. An enterprise risk MIS view
  [Diagram: Board/Senior Management sit above an Enterprise Risk MIS, which takes Corporate Goals and Risk Appetite, a Strategic Risk System, and the same risk indicators as the risk MIS view – parts returned, days debtors, net sales, ALM / ALCO limits and positions, capital allocation, % leavers, response time, oil reserves – from the Operational, Liquidity, Market and Credit Risk Systems, Accounts, HR management, Sales systems, Manufacturing, CRM, etc., built on transaction data and local KRIs]
  • External Information
    • Competitor reports
    • Demographics
    • Weather trends
    • Financial trends
    • Gartner, etc.
    • New technologies
    • Political moves
    • Etc.

  49. A corporate MIS view
  [Diagram: Board/Senior Management sit above a Corporate MIS, which combines regular corporate performance data with the Enterprise Risk MIS. The Enterprise Risk MIS takes Corporate Goals, Risk Appetite, a Strategic Risk System and the risk indicators – parts returned, days debtors, net sales, ALM / ALCO limits and positions, capital allocation, % leavers, response time, oil reserves – from the Operational, Liquidity, Market and Credit Risk Systems, Accounts, HR management, Sales systems, CRM, Manufacturing, etc., built on transaction data and local KRIs]
  • External Information
    • Competitor reports
    • Demographics
    • Weather trends
    • Financial trends
    • Gartner, etc.
    • New technologies
    • Political moves
    • Etc.

  50. Data implications
  Financial (credit, market, liquidity, etc.) risk:
  • Real-time
  • High availability
  • High performance requirements
  • Very large amounts of data
  • Kept for a long time
  • Data comes from existing core systems
  Non-financial (operational and strategic) risk:
  • Once a day for input
  • Once a month for reporting
  • Low performance requirements
  • Relatively small amounts of data
  • Kept for a long time
  • Data collection systems need to be developed
