Enterprise Risk Management

Enterprise Risk Management: Foundations of an Enterprise Risk Management Program - PowerPoint PPT Presentation

Presented by Cathy Smoyer, Senior Vice President & Chief Risk Officer


  1. Enterprise Risk Management

  2. Foundations of an Enterprise Risk Management Program. Presented by Cathy Smoyer, Senior Vice President & Chief Risk Officer

  3. ERM is… A comprehensive enterprise-wide risk framework that aligns organizational risks with risk appetite and strategic objectives

  4. ERM…What it is
  • Integrates risk management throughout the organization
  • Allows for informed risk decisions (avoid, reduce, share, accept)
  • Reduces potential for surprises
  • Identifies areas of opportunity
  • Assists management to stay within boundaries set by strategic objectives and risk appetite
  • Different for every entity – must be appropriate for the size and complexity of the organization

  5. ERM…What it is NOT
  • Risk elimination process
  • Enforcement process
  • Just to comply with regulations
  • Going to stop bad things from occurring
  • Going to identify all potential risks
  • A static program or process
  • An audit function
  • Drive or run the organization
  Callout: Don’t run from risk…embrace risk and make it work for you

  6. ERM Stages of Development
  • Developmental – Spreadsheets and nominal technology
  • Operational – Introduction of risk assessment software
  • Strategic – Full package ERM software with assessment, monitoring, reporting, and management modules

  7. Three Lines of Defense
  First Line – Business Unit
  • Serves as first line of defense to identify and address risk
  • Understands risk of individual business lines
  • Manages risks within business line
  Second Line – Risk Management
  • Responsible for ERM architecture and framework
  • Provides credible challenge to management
  • Monitors processes
  Third Line – Internal Audit
  • Provides independent review of the adequacy of controls

  8. Risk Categories
  CREDIT RISK - The risk to current or anticipated earnings or capital arising from an obligor's failure to meet the terms of any contract with the Credit Union or perform as agreed.
  INTEREST RATE RISK - The risk to current or anticipated earnings or capital arising from movements in interest rates.
  LIQUIDITY RISK - The risk to current or anticipated earnings or capital arising from an inability to meet obligations when they come due.
  TRANSACTION RISK - The risk to current or anticipated earnings or capital arising from inadequate or failed internal processes or systems, human errors or misconduct, or adverse external events.
  COMPLIANCE RISK - The risk to current or anticipated earnings or capital arising from violations of laws, rules or regulations, or from nonconformance with prescribed practices, internal policies and procedures, or ethical standards.
  STRATEGIC RISK - The risk to current or anticipated earnings, capital, or franchise or enterprise value arising from adverse business decisions, poor implementation of business decisions, or lack of responsiveness to changes in the financial institution industry and operating environment.
  REPUTATION RISK - The risk to current or anticipated earnings, capital, or equity value arising from negative public opinion.
  TECHNOLOGY RISK - The risk to current or anticipated earnings or capital arising from inadequate or failed internal systems or adverse external events affecting external or internal systems.
  LEGAL RISK - The risk to current or anticipated earnings or capital arising from litigation caused by non-compliance with laws and regulations, as well as prudent ethical standards and contractual obligations.

  9. Risk Committee
  Purpose: To implement and manage the ERM Program and to ensure the management, risk, compliance, and audit functions are appropriately identifying, measuring, addressing, and monitoring risks within the governance structure set by the CEO and the Board of Directors.
  Members
  • Board Member
  • Chief Executive Officer
  • Chief Operations Officer
  • Chief Financial Officer
  • Chief Risk Officer (Chair)
  • Chief Information Systems/Technology Officer
  • Chief Human Resources Officer
  • Chief Lending Officer
  Diagram: Risks are Identified, Measured, and Monitored; each is then Mitigated, Accepted, or Transferred.

  10. Enterprise Risk Management. Presented by Ken Schaafsma, VP of Enterprise Risk Management

  11. Risk Universe (diagram)
  • Strategic – Business Strategy, Reputation
  • Market & Liquidity – Interest Rate, Liquidity, Concentration
  • Regulation & Compliance – Financial Crime
  • Credit – Obligor, Counterparty, Concentration
  • Operational – Execution & Delivery, Internal Fraud, External Fraud, Business Disruption, Business Practices

  12. Risk Inventory Example (Operational)
  Internal Fraud
  • Theft of NPI
  • Theft of Assets
  • Theft of Equipment
  External Fraud
  • Identity Theft – Loan Application
  • Member deposit of fraudulent or worthless check
  • Malware which steals member NPI
  Clients, Products & Business Practices
  • Investment Advisor recommends a product that does not fit member investment profile
  • Violence at an Alliant location by employee, member, or guest
  • Employment practices not in compliance with regulation
  Business Disruption, System Failures, Damage to Assets
  • Physical assets unavailable
  • Human capital unavailable
  • Systems unavailable
  • Vendors unavailable
  Execution, Delivery & Process Management
  • Vendor fails to execute under terms of the contract
  • Deposit transactions are not completed timely or accurately
  • Improper or late placement of lien on collateral used for loan

  13. Risk Appetite
  • The Board should approve risk appetite measures for each category of risk. The Executive Leadership Team should approve lower and upper tolerance levels.
  • Actual results should be monitored against appetite and tolerance levels. Results exceeding any of these levels should be escalated to defined governance groups.
  Chart: Loss as a Percent of Revenue (Sample Metric and Data), 2016 Q1 to 2017 Q1; series: Actual Results, Appetite, Upper Tolerance, Lower Tolerance.
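The monitoring step on this slide, as an added illustration that is not part of the deck: each quarter's metric is compared against the Board-approved appetite and the ELT-approved tolerance band, and any breach is routed to a governance group. The sample values, the threshold numbers and the choice of which group receives each kind of breach are constructed assumptions; the deck only says breaches go to "defined governance groups".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    """Appetite and tolerance levels for one risk category (values assumed)."""
    lower_tolerance: float   # ELT-approved floor; below it is also escalated
    appetite: float          # Board-approved appetite level
    upper_tolerance: float   # ELT-approved ceiling


# Constructed sample data: loss as a percent of revenue, by quarter.
SAMPLE_RESULTS = {
    "2016 Q1": 0.6, "2016 Q2": 0.9, "2016 Q3": 1.1,
    "2016 Q4": 1.5, "2017 Q1": 0.3,
}
SAMPLE_THRESHOLDS = Thresholds(lower_tolerance=0.4, appetite=1.0, upper_tolerance=1.4)


def classify(value, t):
    """Return (status, escalate_to) for one observation.

    Escalation targets are an assumption: tolerance breaches go to the
    Board, appetite breaches and under-shoots to the Executive Leadership Team.
    """
    if value > t.upper_tolerance:
        return "above upper tolerance", "Board"
    if value > t.appetite:
        return "above appetite", "Executive Leadership Team"
    if value < t.lower_tolerance:
        return "below lower tolerance", "Executive Leadership Team"
    return "within appetite", None


def monitor(results, t):
    """Classify every period and collect the ones that need escalation."""
    report = {period: classify(value, t) for period, value in results.items()}
    escalations = [(p, status, group) for p, (status, group) in report.items() if group]
    return report, escalations


if __name__ == "__main__":
    _, to_escalate = monitor(SAMPLE_RESULTS, SAMPLE_THRESHOLDS)
    for period, status, group in to_escalate:
        print(f"{period}: {status} -> escalate to {group}")
```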

  14. Risk Reporting and Metrics
  Risk management reporting should be delivered to the Board of Directors, Executive Management and relevant governance committees regularly. The reporting could include:
  • An Enterprise Risk Profile (sample depicted below)
  • A table reflecting risk results vs risk appetite and tolerance levels
  • A report of top enterprise risks, which reflects the risk ratings and actions being taken to mitigate the top risks
  • Summaries for each risk type which provide a more granular look into the risk profile, themes, and metrics for the risk type along with updates on current projects and action plans to reduce risk levels

  15. Sample Governance Structure
  Full Board
  • Board committees: Asset and Liability Committee, Supervisory Committee, Credit Committee
  Executive Leadership Team / Enterprise Risk Committee
  • Management committees: Capital Analysis and Stress Testing Committee, Compliance Committee, Operational Risk Committee, Internal Credit Committee, IALCO

  16. Enterprise Risk Management. Presented by Lisa Sunderman, VP of Enterprise Risk Management

  17. Link to Strategy Setting
  • Competitive Positioning
  • Member Experience
  • Business Mix
  • Initiatives
  • Strategic Capital

  18. Enterprise Risk Management’s Essential Link to Strategic Planning
  • Risk is the possibility of not meeting objectives
  • Risk Management Policy Statement sets the range for success or failure – this is your guiding light
  • Monitoring of tolerances set by management
  • Feedback to strategy setting

  19. Example: Information Security – Protecting Assets
  Objectives: security, integrity and confidentiality
  Responsibilities: Board, Committees, Management
  Risk Appetite Statement: Defines level of acceptable risk, reasons and approach
  Program Components: Access controls and restrictions, encryption, information system modifications, monitoring systems, response programs, backup and recovery
  Risk Assessment: Proactively identify foreseeable threats, assess likelihood and impact, assess control sufficiency and determine action to fill gaps

  20. Example: Strategic Capital – Your Rainy Day Opportunity
  • Definition – Target capital level 4.5% above the regulatory minimum to cover:
  • Strategic Growth
  • Risk Management
  • Finance
  Chart: Strategic Capital – Capital Levels (Well Capitalized, Minimum, Target), 0% to 16%.

  21. ERM Stakeholders
  • Every link in the Governance Structure
  • Board & Board Committees
  • Supervisory/Audit Committee
  • Management Committees
  • Business Leaders
  + Members and Regulators

  22. Key Questions for ERM Stakeholders
  • What are key strategies/initiatives?
  • What are the consequences of achieving or not achieving them?
  • What are the potential risk events inherent in your part/role of the business?
  • Which events could ruin the company? How fast could they happen?
  • How prepared are you to prevent or respond to those risk events?
  • How exposed are you? For the greatest ones, how likely are they?
  • What can be done to reduce our largest residual risks?
  • Are we positioning ourselves for opportunity?
  • How do you know your answers are reliable?
