Getting Value out of Enterprise Risk Management
Rebecca Towne, President, Quadrant Risk Advisory
Getting Value out of ERM
Where is your bank?
a) We have just learned to spell ERM
b) We have developed the basic components of an ERM program - it’s too early to know if it is adding value
c) Our ERM program is well underway and helping us to understand and manage risk
Specific Ways to Get Value out of Enterprise Risk Management
$ Cost Saving Tips
Ways to Get Value out of ERM
Reduced risk/financial “surprises”
• Look forward, and learn from past mistakes (including others’)
A global view of risk
• Look across silos
• Aggregate and compare information
Enhanced business line risk ownership
• Make it easy for managers to fulfill their risk management responsibilities
More efficient, risk-based processes
• Spend the majority of your time on the highest risks
Reduced risk/financial surprises
While it is important to look backward and learn from past mistakes, there is more value in anticipating risks and taking action before losses occur
When identifying and assessing risks, look beyond those that the Bank has experienced in the past
• Monitor risk events experienced by other financial institutions
• Consider enterprise-wide strategic and reputational risks, in addition to other, more commonly assessed risk categories
Ways to be more forward-looking:
• Identify and monitor early indicators of risk, in addition to historical performance metrics
• Estimate performance under stress scenarios
• Consider risks associated with proposed new products and strategies well in advance of implementation
[Figure: timeline running from 1-5 YEARS AGO through TODAY to + 1-5 YEARS, with these indicators: policy override rates, delinquency rates, score distributions, NPL/NPA rates, loan concentrations, charge-off rates]
• Set thresholds that alert management when action is needed
• Differentiate between thresholds and limits that represent the outer bounds of the Bank’s risk appetite
• Resist the temptation to raise risk limits when they are approached
• Discontinue monitoring of indicators that are not telling you anything
$
Develop a risk-based new product risk review process
• Focus on proposals for material changes – others should speed through
• Do research and use subject matter experts to identify risks not already well understood
• Involve Risk Management early in the process so they do not become a roadblock
$
A global view of risk
Why is a global view of risk important?
Consider the impact of splitting up your own investment portfolio and giving each piece to a different advisor, each of which provides a report that uses different measurements and looks completely different
• Designate an ERM Committee that looks across business and risk “silos”
• Use ERM committee meetings to get managers’ input and buy-in, and to share information across silos
• For smaller banks - where most committees have the same members - designate one executive meeting a quarter as an ERM committee meeting
Creating a concise, enterprise-wide risk report can avoid giving the Board reports that resemble the Indianapolis phone book
To add the most value, create a concise ERM report that includes:
• All risk categories
• Thoughtful written analysis
• Top risks to the Bank
• Emerging risks
• Comparisons of risk trends to thresholds and limits
Example:
Bank Name
Enterprise Risk Management Summary
As of September 30, 2016

Top 10 Residual Risks (columns: Action Plan, Status)
1 Unauthorized external access to IT infrastructure or systems due to virus, malware or breach of the firewall. Action Plan: TBD
2 Inadequate liquidity resulting from rapid loan growth. Action Plan: TBD
3-10 Other. Action Plan: TBD

Summary of Changes in the Risk Profile
Summary of External Risks

Risk Assessment Matrix (columns: Risk Category, Inherent Risk, Controls, Residual Risk, Trend; rows: Strategic, Credit, Market, Liquidity, Operational, Legal/Compliance, Reputation, Total)
1 Based on judgmental enterprise-wide risk and control self-assessment
2 Based on quantitative analysis, KRIs and risk limits

[Chart: Capital Adequacy, showing Tier 1 RBC, Total RBC and Leverage]

Key Risk Limits (Sample Credit Union; columns: 9/30/2015, 12/31/2015, 3/31/2016, 6/30/2016, 9/30/2016, % Change, Limit; rows: Return on assets, Return on equity, Total loans/total shares, Capital/assets, Members / Employees, Efficiency ratio, Quarterly loan growth)

Other labels on the example: Current Quarter %, Severe Stress, Peer Group, Policy Minimum

Callouts on the example: Top risks and action plans; Thoughtful analysis; Key measures; Summary across risk types; Risk trends compared to limits & thresholds
Enhanced business line risk ownership
Business line risk ownership can be the difference between all employees taking responsibility for understanding and managing the risks in their areas, and a handful of people in Risk Management trying to manage risk across the Bank
• Provide training on the risk management responsibilities of the Bank’s three lines of defense
• Clarify that risk management is part of what managers are already doing on a daily basis
• Incorporate risk factors into performance evaluations and incentive plans
• Avoid ERM assigning tasks to line managers without providing value back to the business
Develop a Risk Appetite Statement that is meaningful to line managers
• Use qualitative statements that set risk management priorities – e.g., avoiding harm to the Bank’s reputation
• Describe what is “outside the box,” such as subprime or out-of-footprint real estate lending
• Avoid thresholds that are not meaningful to line managers (e.g., portfolio-wide delinquency rates)
• Communicate the appetite to all managers!
More efficient, risk-based processes
• Start by developing a risk and control self-assessment that helps you to prioritize risks across the enterprise
• Use common definitions, so “high risk,” for example, means the same thing across all areas
• Work collaboratively with line managers, rather than sending out surveys
• Make use of other, existing risk assessments
• Avoid creating huge, unwieldy assessments!
$
• Keep assessments fresh by integrating them with new product risk reviews and internal audits
• Avoid annual risk assessment update “assignments,” which can be frustrating for line managers
Tip: Most of the time, managers will respond “No updates are needed” anyway
$
• Develop action plans to address the highest risks and reduce time spent on low risks
• Avoid assessments becoming “black holes” into which information falls - never to be seen again…
$
Example: Top Residual Risks and their Action Plans
• Top Residual Risk: Unauthorized external access to IT infrastructure or systems resulting from viruses, malware, or breach of the firewall
  Action Plan: Evaluate firewall intrusion detection and prevention capabilities
• Top Residual Risk: A key third party vendor fails to fulfill obligations or comply with laws, regulations or service level agreements
  Action Plan: Complete the implementation of the Bank’s vendor risk management program
• Top Residual Risk: Inability to recruit and retain an adequate level of qualified employees
  Action Plan: Obtain and analyze market compensation studies
Putting it all together
The key to getting value out of ERM is to make sure that every process is helping management to understand and manage risk. For example:
Risk Appetite, Risk Assessment, Risk Measurement, Risk Monitoring and Reporting
• Strategic planning
• Business line risk-taking
• Informed management decisions
• Evaluation of risks and returns
• Prioritized risk management efforts
• Early detection of risks
• Objective risk limits
• Alignment with the risk appetite
What questions do you have?
[email protected] 317-566-2112