
The Business Case for Enterprise Risk Management

The Business Case for Enterprise Risk Management. American Bankers Association October 7, 2007 San Diego, CA. Mark S. Beasley Deloitte Professor of Enterprise Risk Management North Carolina State University. Melodye Mayes Tomlin





Presentation Transcript


  1. The Business Case for Enterprise Risk Management
  American Bankers Association, October 7, 2007, San Diego, CA
  Mark S. Beasley, Deloitte Professor of Enterprise Risk Management, North Carolina State University
  Melodye Mayes Tomlin, Senior Vice President & Enterprise Risk Management Coordinator, Branch Banking & Trust Company

  2. Today’s Objectives
  • Determining the Strategic Focus for Enterprise Risk Management (ERM)
  • Identifying First Steps of ERM Launch
  • Achieving the ERM Value Proposition

  3. Huge Governance Challenge: Risks are Complex and Increasing
  • Competitive marketplace
  • Globalization
  • Legal requirements
  • Complex business transactions
  • Short product cycles
  • Explosion of technology

  4. Risk Characteristics Make Risk Management Difficult
  Risks are…
  • Known
  • Unknown, but knowable
  • Unknown, unknown
  Despite that, expectations for management are to:
  • Shift more risks to the “known” status
  • Have a plan for the unknown, unknown

  5. Emerging Risks in Financial Services
  • ALLL – accounting vs. regulatory expectation
  • Stock options and insider trading
  • Credit card practices
  • Change in legislative environment
  • Pandemic planning
  • Payment strategies
  • Sub-prime lending and Alt A
  • Tax strategies

  6. Expectations for Oversight of Risk Management on the Rise
  • NYSE Listing Standards: the audit committee has the duty and responsibility to “discuss policies with respect to risk assessment and risk management.”
  • Rating agencies now focusing on ERM practices: Standard & Poor’s, Moody’s, Fitch
  • SEC requirements to consider risk factor disclosures
  • Federal Sentencing Guidelines
  • Regulatory expectations
  • Interpretations of Delaware case law
  • Additionally for banks… Basel II

  7. ERM Evolution at BB&T
  • Enterprise risk management is not a new function (but it is a new department).
  • The proposed changes in Basel prompted us to evaluate our risk management structure.
  • BB&T’s growth was largely through acquisitions ($10 billion in 1995 to $127 billion today).
  • Expectations from the banking regulators changed as the organization became more complex.
  • The development and communication of a corporate risk management policy clearly defines our approach.
  • Annual reporting to the Boards of Directors began in August 2004, and ongoing reporting to the Risk Management and Executive Committee began in December 2005.

  8. Many Organizations Still Use a Traditional Risk Management Approach…
  Risks managed separately as: Strategic/Market Risks, Operations Risks, Finance Risks, Human Capital Risks, IT Risks, Legal Risks, Reputation Risks
  “Silo” or “Stove-Pipe” Risk Management…

  9. …But are Seeking to Move Up the Risk Management Continuum
  Strategic
  • Proactive board and senior management involvement
  • Risk managed and assessed across entire organization
  • Common language and approach used and understood
  • Real-time analysis of risk portfolio
  Aware
  • Some board and senior management support
  • Risk leader identified
  • Periodic risk profiling
  • Key risks defined in common vocabulary
  • Recognized need for ERM
  Reactive
  • Lack of board or senior management emphasis on risk
  • No common risk lingo
  • Stove-pipe risk management
  • Ad hoc approach
  • Missing coverage of risk areas
  *Most companies straddle these two stages*

  10. Risk Management Direction – Other Banks*
  Key findings from respondents:
  • 70% – Oversight responsibility with the Board of Directors (57% in 2002)
  • 84% – A Chief Risk Officer is in place (65% in 2002)
  • 80% – Believe risk management is extremely or very effective for credit/market risk (47% for business continuity/IT security, 43% for operational/vendor risk, and 35% for geopolitical risk)
  • 35% – ERM program is in place (32% in process / 18% planning)
  • 75% – ERM program’s value exceeded cost (only 4% quantify)
  “Most institutions have an unfinished agenda when it comes to developing sophisticated risk management capabilities.”
  *Source: Global Risk Management Survey, 5th Edition – Deloitte & Touche LLP, 2007

  11. Today’s Objectives
  • 1. Determining the Strategic Focus for Enterprise Risk Management (ERM)
  • 2. Identifying First Steps of ERM Launch
  • 3. Achieving the ERM Value Proposition

  12. Many are Embracing an “Enterprise Risk Management” Approach to Oversight
  • ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004)*
  * See www.coso.org for more information

  13. ERM Brings Risks Together
  Enterprise focus on risks: Strategic/Market Risks, Operations Risks, Finance Risks, Human Capital Risks, IT Risks, Legal Risks, Reputation Risks, aimed at value creation and preservation
  • Key Message: Senior Management is facilitating the aggregation and interactions of those risk exposures

  14. The Role of ERM (today) Within BB&T is…
  • Monitoring emerging risks,
  • Reviewing cross-functional risk policies,
  • Working with management to identify previously undetected cross-functional risks, and
  • Developing enterprise-wide risk management processes.
  • Also included are independent oversight functions regarding operational, market, and credit risks, with no transfer of the ownership of risk.
  In total, the ERM Department skill sets have been selectively combined in order to provide subject matter experts that can enhance Executive Management’s oversight of traditional risk management practices.

  15. Today’s Objectives
  • Determining the Strategic Focus for Enterprise Risk Management (ERM)
  • Identifying First Steps of ERM Launch
  • Achieving the ERM Value Proposition

  16. Defining Key Initial Steps Step 1: Assess ERM Culture

  17. Recognizing Realities of Culture and ERM
  • Embrace of ERM can threaten “organizational culture”
  • Fear of exposing vulnerabilities – desire to hide risks
  • ERM – another fad?
  • Correlations and aggregations of risks – easy in concept, hard in reality
  • Pressure to go from “0 to 60” overnight
  • Inadequate risk information systems for tracking and reporting risks
  • Resistance is rational
  • Change is disruptive – it will get worse before it gets better
  • Top-down approach is critical
  ERM deployment requires “evolution” – not a flip of the switch

  18. Integrating ERM with the Culture
  • ERM had the support of Executive Management
  • Understanding the BB&T culture was a priority
  • Education of ERM possibilities was important
  • ERM developed into a collaborative initiative
  • Early on ERM focused on the ‘value’; the structure followed
  • ERM filled identified ‘gaps’
  • ERM has evolved at its own pace

  19. Defining Key Initial Steps Step 2: Identify Core People Step 1: Assess ERM Culture

  20. Creating an ERM Culture of Accountability
  • CEO viewed as ultimately responsible for ERM
  • Practically difficult for CEO to lead detailed risk management effort
  • Most CEOs are delegating to a “Risk Champion” to facilitate risk approaches
  • Some pinpoint a C-level executive to lead: rise of Chief Risk Officers
  • Others assign dual titles to other officers: General Counsel, VP Internal Audit, VP of Strategy
  • Others create an executive committee: Executive Management Committees or separate Risk Committees

  21. BB&T ERM Committee Structure
  BB&T Board of Directors → Executive Management (strategic risk; active involvement and participation) → ERM Committee → All Employees
  Committees reporting into the ERM Committee: Loan Policy Committee, ORM Committee, Compliance Oversight Committee, Market Risk & Liquidity Committee
  Risk types covered: Credit Risk, Operational Risk, Compliance Risk, Liquidity Risk, Reputation Risk, Legal Risk, Market Risk

  22. BB&T ERM Department Organization
  Enterprise Risk Manager, overseeing: Corporate Business Recovery, Operational Risk Management, ERM-Market Risk Amendment, ERM Operations, Corporate Bank Investigations, ERM-Credit Risk Review

  23. Defining Key Initial Steps Step 3: Identify Key Risk Categories Step 2: Identify Core People Step 1: Assess ERM Culture

  24. ERM Brings Risks Together
  Enterprise focus on risks: Strategic/Market Risks, Operations Risks, Finance Risks, Human Capital Risks, IT Risks, Legal Risks, Reputation Risks, aimed at value creation and preservation
  • Key Message: Helpful to have some “buckets” for categorizing risks

  25. Standard & Poor’s Example of Risk Categories
  • Credit: risk ratings, admin control, portfolio management, risk transfer
  • Fiduciary: investing, structuring, underwriting
  • Operational: processing, clearing, trading
  • ALM / Market
  • Fraud, ERM, Audit, Sales Practice, Accounting, Compliance/Legal, Policies, Risk Appetite
  • Strategic/Business: reputation, conflict of interests, disclosure, management incentives, competition, product innovation

  26. Step 4: Agree on Common Risk Definitions Defining Key Initial Steps Step 3: Identify Key Risk Categories Step 2: Identify Core People Step 1: Assess ERM Culture

  27. Clarification of Terminology is Key
  • “Risk” is in the eye of the beholder
  • Risk averse and risk seekers both claim they manage “risk”
  • Need to determine – is “risk” all bad?
  • Each entity needs to set some basic definition of key terms
  • Early steps can be merely a conversation
  • COSO Definitions:
  Risk – possibility that an event will occur and adversely affect the achievement of objectives
  Opportunities – possibility that an event will occur and positively affect the achievement of objectives
  Risk appetite – the amount of risk, on a broad level, an entity is willing to accept in the pursuit of value
  Risk tolerance – acceptable levels of variation relative to the achievement of objectives
  • Over time – may lead to more formalization

  28. Common Risk Language

  29. Step 4: Agree on Common Risk Definitions Defining Key Initial Steps Step 5: Begin Building Risk Inventory Step 3: Identify Key Risk Categories Step 2: Identify Core People Step 1: Assess ERM Culture

  30. Often Start by Building Business Risk Inventory
  EXTERNAL RISKS: Capital Availability, Disease, Industry, Regulatory, Technological Innovation, Competitor, Economy, Legal, Shareholder Relations, Terrorism, Customer Needs, Financial Markets, Natural Hazard/Catastrophe, Sovereign/Political
  INTERNAL RISKS (grouped on the slide under Strategic, Operational, and Financial; the column layout did not survive extraction): Alignment, Efficiency, Performance Gap, Relationship Mgmt, Cash Flow, Brand/Reputation, Business Interruption, Environmental, Physical Security, Strategy, Collateral, Business Model, Capacity, Health & Safety, Product Development, Implementation, Commodities, Change Response, Knowledge, Product Liability, Sourcing, Business Portfolio, Compliance Management, Product/Service Failure, Supply Chain, Concentration, Delivery Channels, Contract Commitment, Measurement, Product/Service Pricing, Transaction Processing, Counterparty, Customer Satisfaction, Partnering, Intellectual Property, Cycle Time, Credit, Marketplace, Default, Management, Human Capital, Integrity, Technology, Organization Structure, Information, Equity, Financial Instruments, Accounting Information, Accountability, Conflict of Interest, Access, Planning, Change Readiness, Budgeting & Forecasting, Employee Fraud, Availability, Foreign Exchange, Product Life Cycle, Communications, Completeness/Accuracy, Ethical Decision Making, Interest Rate, Competencies/Skills, Data Integrity, Investment Evaluation, Resource Allocation, Empowerment, e-Commerce, Liquidity, Illegal Acts, Pension Fund, Social Responsibility, Infrastructure, Hiring/Retention, Management Fraud, Regulatory Reporting, Modeling, Relevance, Leadership, Third-Party Fraud, Taxation, Opportunity Cost, Outsourcing, Reliability, Unauthorized Acts, Sarbanes Oxley, Performance Incentives, Succession Planning, Training/Development
  INDUSTRY SPECIFIC RISKS

  31. Risk & Control Self-Assessment Process

  32. ERM Objective Stakeholder Risk Appetite Portfolio of Risks

  33. Some Express in Relation to a Heat Map Impact of Occurrence

  34. Today’s Objectives • Determining the Strategic Focus for Enterprise Risk Management (ERM) • Identifying First Steps of ERM Launch • Achieving the ERM Value Proposition

  35. Business Case for ERM
  • Better information about risks: all entities face risks and risks constantly change – a huge information need
  • Opportunities to take risk: some risks create opportunities for returns; other risks are over-managed
  • Partnering on risk responses: capture efficiencies of coordinated risk responses
  • Consistency in approach: work off the same “score sheet”; avoid offsetting risk “gains” with inefficient risk management
  • Strategic advantage: not all strategies bear the same level of risk; ensure return is commensurate with risk; risk intelligence leads to competitive advantage – beat the competition in response

  36. Have to Help Connect ERM Activities to Value
  ERM Activities → Increase in Revenues and Decrease in Overall Costs → Increased Shareholder Value
  • Decrease cost of capital
  • Increased productivity
  • Enhanced reputation (with Congress, regulators, management)
  • Response to risks in early stage
  • Continuity of operations
  • Better resource allocation
  • Partnering on risk solutions
  • Better work environment
  • Compliance with regulations

  37. The ‘Value-add’ Proposition
  • Qualitative vs. quantitative
  • Cross-functional risk discussions
  • Identification of gaps in ‘risk ownership’
  • Common risk language
  • Consolidated issues tracking (audit, compliance, regulatory, SOX)
  • Consistent review of risk related policies
  • Coordinated risk discussion related to new products/initiatives
  • Integrated risk assessments
  • Regulatory coordination

  38. Company Perspective:
  “I think the point to risk management is not to try and operate your business in a risk-free environment. It’s to tip the scale to your advantage. So it becomes strategic rather than just defensive.” – Peter Cox, CFO, United Grain Growers Ltd.

  39. NC State’s ERM Initiative Web Site Resources
  Summaries and links to ERM resources:
  - ERM conceptual frameworks
  - Business press articles
  - Books
  - Best practice documents
  - Conferences and other programs
  www.erm.ncsu.edu
