Enterprise Risk Management Explained
Ron DiGiacomo, Giacomo Partners
San Antonio, Texas
210.243.1568
rdigiacomo@me.com
Enterprise Risk Management: An Overview
Enterprise Risk Management is a method for identifying, assessing, controlling, and reporting risk throughout the enterprise.
• The board and management have responsibilities for governing the bank’s structure, operations, and risks, especially by establishing a risk culture and risk appetite.
• Enterprise risk management typically engages three separate, independent functions (commonly referred to as the three lines of defense): front line business units (sometimes called risk control), independent risk management, and internal audit.
• ERM requirements for financial institutions of $50 billion and larger are not discussed in this presentation; those requirements are reflected in the source materials on the last slide of this presentation.
What is Enterprise Risk Management (ERM)?
ERM is a process by which a regulated financial institution:
• Establishes a risk culture for the enterprise and a risk appetite for the businesses and processes in which it engages;
• Identifies the risks associated with those businesses and processes;
• Controls the risks associated with those businesses and processes;
• Monitors its businesses and processes to determine if the controls are effective at preventing and detecting the risks associated with the businesses and processes;
• Reports to the board and management on key indicators of those risks and their effect on the financial performance, safety, and reputation of the financial institution.
ERM and the Federal Reserve’s SR 16-11
• The Federal Reserve places significant supervisory emphasis on an institution’s management of risk, including its system of internal controls, when evaluating the overall effectiveness of an institution’s risk management.
• An institution’s failure to establish a management structure that adequately identifies, measures, monitors, and controls the risks of its activities has long been considered unsafe-and-unsound conduct.
• Principles of sound management should apply to all risks facing an institution, including credit, market, liquidity, operational, compliance, and legal risk.
• SR 16-11: Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion.
ERM Is Important for Supervisory Ratings
• Besides limiting credit and operating losses, effective ERM affects the CAMELS rating.
• The “M” in CAMELS represents an assessment of the quality of board oversight and management supervision.
• The “management” rating reflects examiner conclusions about the board and management’s willingness and ability to effectively address governance, risk management, compliance, bank operations, and financial performance.
The Board and Management are Responsible for Effective ERM
The board and senior management are expected to use good corporate governance and risk governance practices to:
• Set the bank’s strategy, objectives, and risk appetite;
• Establish the bank’s risk governance framework;
• Identify, measure, monitor, and control risks;
• Supervise and manage the bank’s business;
• Protect the interests of depositors, protect shareholders’ or members’ (in the case of a mutual FSA) obligations, and take into account the interests of other stakeholders;
• Align corporate culture, activities, and behaviors with the expectation that the bank will operate in a safe and sound manner, operate with integrity, and comply with applicable laws and regulations.
Board Responsibilities
The board is responsible for:
• Providing effective oversight and credible challenge to management;
• Holding management accountable for implementing policies and operating within established standards and limits;
• Establishing an appropriate corporate culture and setting the tone at the top;
• Staying informed about the bank’s operating and business environment;
• Understanding the legal and regulatory framework applicable to the bank’s activities and the bank’s material risks;
• Confirming that the bank has a risk management system suitable for the bank’s size and activities;
• Ensuring the bank maintains an effective BSA/AML control structure.
Risk or Audit Committee of the Board
Typically, the board will establish a risk sub-committee with the primary responsibility for risk oversight. For smaller banks, the audit committee usually assumes the oversight of risk management activities.
The Risk Committee should:
• Help define the bank’s risk appetite;
• Ensure that the bank’s strategic, liquidity, and capital plans are consistent with the bank’s risk appetite statement and that material risks are addressed in the bank’s strategic plan;
• Review and approve risk limits;
• Ensure the bank has appropriate policies and procedures for risk governance, risk management practices, and the risk control infrastructure;
• Work with management to establish processes for identifying and reporting risks;
• Regularly discuss the bank’s material risks in aggregate and by risk type;
• Regularly discuss the effect of the risks on capital, earnings, and liquidity under normal and stressed conditions;
• Ensure the independence of the risk management functions;
• Oversee and direct the work of the chief risk officer or equivalents;
• Ensure effective and timely escalation of material issues to the board and hold management accountable for timely and appropriate corrective action.
Senior Management Responsibilities
• The CEO and senior management play a critical role in communicating to the board and managing the bank.
• Effective communication is important for corporate and risk governance.
• The board delegates authority to senior management for directing and overseeing day-to-day management of the bank.
• Senior management is responsible for developing and implementing policies, procedures, and practices that translate the board’s goals, strategic objectives, and risk appetite and limits into prudent standards for the safe and sound operation of the bank.
Senior Management Responsibilities (continued)
The CEO and his or her senior management team are responsible for:
• Executing the bank’s strategic plan and ensuring the adequacy of capital and resources in carrying out the strategic plan;
• Developing a risk management framework that enables management to effectively identify, measure, monitor, control, and report on risk exposures consistent with the bank’s risk appetite;
• Implementing a strong risk culture and ethical standard and providing incentives to reward appropriate behavior;
• Establishing and maintaining an effective system of internal controls;
• Developing accurate and reliable management information and reporting systems;
• Maintaining internal processes, including stress testing when appropriate, to ensure capital and liquidity levels are commensurate with the bank’s risks in normal and stressed conditions;
• Ensuring the appropriate allocation of staff resources and effectively overseeing personnel;
• Complying with laws, regulations, and internal policies, including ethics policies and policies governing insider activities;
• Establishing talent management and compensation programs;
• Keeping the board apprised of the bank’s strategic direction, risk profile, risk appetite, business operations, financial performance, and reputation.
Evaluating the Board and Senior Management
According to the Federal Reserve’s SR 16-11, in assessing the quality of the oversight provided by the board of directors and senior management, examiners should consider whether:
• The board of directors has approved significant policies to establish risk tolerances for the institution’s activities and periodically reviews risk exposure limits to align with changes in the institution’s strategies, address new activities and products, and react to changes in the industry and market conditions.
• Senior management has identified and has a clear understanding and working knowledge of the risks inherent in the institution’s activities. Senior management also remains informed about these risks as the institution’s business activities evolve or expand and as changes and innovations occur in financial markets and risk management practices.
• Senior management has identified and reviewed risks associated with engaging in new activities or introducing new products to ensure that the necessary infrastructure and internal controls are in place to manage the related risks.
• Senior management has ensured that the institution’s activities are managed and staffed by personnel with the knowledge, experience, and expertise consistent with the nature and scope of the institution’s activities and risks.
• All levels of senior management provide appropriate management of the day-to-day activities of officers and employees, including oversight of senior officers or heads of business lines.
• Senior management has established and maintains effective information systems to identify, measure, monitor, and control the sources of risks to the institution.
Risk Management Program Components: Risk Management System
• Management must design, implement, and continually monitor a risk management system, as a component of its risk management program, that reflects the bank’s risk profile, size, and complexity.
• As the bank grows or offers new products and services that differ from traditional banking products and services, the risk management system must evolve to identify, control, monitor, and report on the associated emerging risks.
• Regardless of the bank’s size and complexity, a sound risk management system must:
• Identify risk
• Control risk
• Monitor risk
• Measure risk
Risk Management System: Identifying Risk
• Risk identification should be a continual process and should occur at the transaction, portfolio, and enterprise level.
• Management should inventory the significant risks in each of its products and processes and update the risk inventory as those products and processes change.
• The board and management should recognize and understand existing risks and risks that may arise from new business initiatives, including risks that originate in nonbank subsidiaries, affiliates, and third-party relationships, and those that arise from external market forces or regulatory or statutory changes.
• Proper risk identification is critical for banks undergoing mergers and consolidations to ensure that risks are appropriately addressed.
Risk Management System: Controlling Risk
• The board and management should establish and communicate risk limits to its businesses through policies, standards, and procedures that define responsibility and authority.
• These limits should control exposures to the various risks associated with the bank’s activities.
• The limits are tools that management can adjust when conditions or risk appetites change.
• Management should authorize and document exceptions to risk limits when warranted.
Risk Management System: Controlling Risk (continued)
According to the Federal Reserve’s SR 16-11, in evaluating the bank’s internal controls, examiners should consider whether the following conditions are met:
• The institution’s board of directors, or audit committee, and senior management are responsible for developing and implementing an effective system of internal controls, and the internal controls are operating effectively.
• The system of internal controls is appropriate to the type and level of risks posed by the nature and scope of the institution’s activities.
• The institution’s organizational structure establishes clear lines of authority and responsibility for risk management and for monitoring adherence to policies, procedures, and limits.
• Internal audit or other control functions, such as loan review and compliance, provide for independence and objectivity.
• The official organizational structures reflect actual operating practices and management responsibilities and authority over a particular business line or activity.
• Financial, operational, risk management, and regulatory reports are reliable, accurate, and timely; and wherever applicable, material exceptions are noted and promptly investigated or remediated.
• Policies and procedures for control functions support compliance with applicable laws, rules, regulations, or other supervisory requirements.
• Internal controls and information systems are adequately tested and reviewed; the coverage, procedures, findings, and responses to audits, regulatory examinations, and other review tests are adequately documented; identified material weaknesses are given appropriate and timely, high-level attention; and management’s actions to address material weaknesses are objectively verified and reviewed.
Risk Management System: Monitoring Risk
• Management should monitor risk levels to ensure timely review of risk positions and exceptions.
• Monitoring reports should be timely and accurate and should be distributed to appropriate individuals, including the board, to ensure action.
• Well-designed monitoring systems allow the board to hold management accountable for operating within established risk appetites.
Risk Management System: Monitoring Risk (continued)
Under the Federal Reserve’s SR 16-11, in assessing an institution’s measurement and monitoring of risk and its management reports and information systems, examiners should consider whether these conditions exist:
• The institution’s risk monitoring practices and reports address all of its material risks.
• Key assumptions, data sources, models, and procedures used in measuring and monitoring risks are appropriate and adequately documented and tested for reliability on an ongoing basis (see also SR letter 11-7: Guidance on Model Risk Management).
• Reports and other forms of communication address the complexity and range of an institution’s activities, monitor key exposures and compliance with established limits and strategy, and, as appropriate, compare actual versus expected performance.
• Reports to the board of directors and senior management are accurate and provide timely and sufficient information to identify any adverse trends and to evaluate the level of risks faced by the institution.
Risk Management System: Measuring Risk
• Accurate and timely measurement of risks is essential to effective risk management systems.
• More sophisticated measurement tools are needed as the complexity of the risk increases.
• Management should periodically conduct tests to ensure that the bank’s measurement tools are accurate.
• Sound risk measurement systems assess the risks at the individual transaction, portfolio, and enterprise levels.
• Larger, more complex companies should assess the effect of increased transaction volumes across all risk categories.
Risk Management Program Components: Policies, Procedures and Processes
• Policies are statements of actions that the bank adopts to pursue certain objectives.
• Policies should control the types of risks that arise from the bank’s current and planned activities.
• Policies guide decisions and often set standards (on risk limits, for example) and should be consistent with the bank’s underlying mission, risk appetite, and core values.
• While the board or a designated board committee is responsible for approving designated policies, management is responsible for developing and implementing the policies.
• The CEO and management should ensure that policies are periodically reviewed for effectiveness.
• Policies should clearly delineate accountability and be communicated throughout the bank.
Risk Management Program Components: Processes and Procedures
• Processes are the procedures, programs, and practices that impose order on the bank’s pursuit of its policies and objectives.
• Processes define how activities are carried out and help manage risk.
• Effective processes are consistent with the underlying policies and are governed by appropriate checks and balances (such as internal controls).
Risk Management Program Components: Policies, Processes and Procedures (continued)
The following guidelines from the Federal Reserve’s SR 16-11 should assist examiners in evaluating an institution’s policies, procedures, and limits:
• The institution’s policies, procedures, and limits provide for adequate identification, measurement, monitoring, and control of the risks posed by its significant risk-taking activities.
• The policies, procedures, and limits are consistent with the institution’s stated strategy and risk profile.
• The policies and procedures establish accountability and lines of authority across the institution’s activities.
• The policies and procedures provide for the review and approval of new business lines, products, and activities, as well as material modifications to existing activities, services, and products, to ensure that the institution has the infrastructure necessary to identify, measure, monitor, and control associated risks before engaging in a new or modified business line, product, or activity.
Enterprise Risk Management – Regulatory Sources
• Federal Reserve’s SR 16-11: Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $50 Billion
• Comptroller’s Handbook, M-CRG, Safety and Soundness, Corporate Risk and Governance, Version 1.0, July 2016
• OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches – OCC Appendix D to Part 30