Governance structures and leading practices for risk management in - - PDF document

Governance structures and leading practices for risk management in practices for risk management in central banks

Helena Tejero, Division Head, Risks & Processes, Bank of Spain Central Bank Governance Forum 2014 IMF / Hawkamah, Dubai, United Arab Emirates December 8, 2014

FEDERAL RESERVE BANK OF PHILADELPHIA

Today‘s agenda

• International Operational Risk Working Group (IORWG) Overview
• Central Banks Risk Governance Structures
• Central Banks Risk Practices
• Conclusions

1

The views herein are the personal views of the speaker and do not necessarily represent the views of either the IORWG members or the Bank of Spain.

International Operational Risk Working Group

2

International Operational Risk Working Group (IORWG) Overview

Leadership:

• Chaired by the Federal Reserve Bank of

Philadelphia and the Bank of Spain. Conferences organized: I. Spain, 2006 II United States 2007 p p Objectives:

• Share best practices.
• Innovate new frameworks and methodologies.
• Generate genuine interest on ORM*.

Membership Representatives:

• Risk representatives from central banks and

monetary/supervisory authorities across the ld II. United States, 2007

• III. Denmark, 2009
• IV. France, 2008
• V. Brazil, 2010
• VI. Thailand, 2011
• VII. Sweden, 2012

VIII.Morocco, 2013

• IX. Israel, 2014
• X. South Africa (planned for 2015)

3

world. Membership Benefits:

• Knowledge sharing, networking opportunities,

and research topics with other central banks through “global” expert groups participation. Information channels:

• IORWG website (www.iorwg.org).
• Regular email alerts to members.

(*) ORM stands for Operational Risk Management

In October 2005, 18 institutions agreed to be part of the IORWG …

Latvia Lith i Estonia France UK Germany Sweden Austria Luxembourg Ireland The Netherlands Denmark Spain ECB Japan United States of America Canada Thailand Portugal Switzerland Mexico Lithuania Bulgaria Philippines Norway Greece Korea Belgium Jordan Poland Azerbaijan Hong Kong Curaçao

4

… 59 members in 2014.

Brazil Morocco International

(Bank for International Settlements, BIS)

Australia New Zealand Malaysia Chile South Africa Israel Malta International

(Bank for International Settlements, BIS)

Italy Dominican Republic Bolivia Ecuador Costa Rica Colombia Indonesia Argentina Philippines Madagascar Uganda India Malawi El Salvador Singapore Uruguay Angola

IORWG Collaboration Efforts

Expert Group Process:

• Expert Group studies: 35 completed to date, e.g. last year’s topics:

p p p , g y p – ORM Trends and Best Practices (Phase II). – Risk Culture and Awareness. – Incident Management and Reporting. – ORM Interdependencies with Management of Other Enterprise Risks. – Existing Governance Structures in the Area of Risk Management. – Risk Repository (Phase IV).

• 2015 topics will focus on continuing work associated with trends and best

practices, reporting, advancement of the risk repository, information and cyber security, training practices and building a maturity model.

5

y y g p g y

• Research topics use industry literature, conduct member surveys,

profile central bank practices in greater detail and summarize results at the conference (4-5 month effort).

• Use breakout groups on expert group topics to further discuss key items and

report back to the group.

Risk Governance Structures

6

Three lines of defense model

Central banks governance structures generally rely on three lines of defense by which governing bodies and senior management in their responsibility for i k t f k d b th f ll i “li ” risk management framework are served by the following “lines”: business line management risk management function internal audit function

“Owners” of risk. Responsible for identifying and managing the risks Responsible for providing the risk framework and for Responsible for independently opining

• n the overall

appropriateness and

7

g g inherent in the products, activities, processes and systems for which they are accountable. framework and for independently

• verseeing risk-taking

activities bank-wide. adequacy of the framework and the associated governance processes.

Board / board subcommittee

• Ultimate responsibility for risk

management is generally assigned to th i b di (

• Common subcommittees:

– The audit committee and, to a

h l t t th i k the governing bodies (e.g. governor, board, executive committee).

• The board or a subcommittee of the

board is often responsible for providing oversight and direction with regard to risk management (in some Central Banks (CBs), oversight is provided by the governor or a RMC* at the executive level) much lesser extent, the risk

• versight committee.
• Common duties :

– Ensure the establishment and

maintenance of the framework.

– Provide oversight over the

program

– Review reports – activities and

status of risk management risk

8

RMC at the executive level).

(*) RMC stands for Risk Management Committee

• Improve the focus and dialogue on risk, challenge

and dig deeper into emerging risks status of risk management, risk profile, key risks, response to the most significant risks.

Committees involved in the risk governance

Four different approaches Th B d d t d l t th 1 2

• The Board does not delegate the

risk oversight responsibilities to a sub-committee.

• The Board is supported by existing

committees, with a broad mandate, not dedicated to risk issues.

• The Board delegates to an

executive sub-committee which is responsible for all risks and in some cases for operational risks

• nly.

The Board delegates to a board The Board delegates to a board 3 4

9

• The Board delegates to a board

subcommittee.

• In addition a RMC has an

executive role – establish and maintain the risk management framework.

• The Board delegates to a board

sub-committee.

• In addition there are:
• RMC (executive risk committee)

and

• Specialized Risk Committees.

Note: an Audit Committee generally exists in all approaches.

Governance (cont.)

• Governance is often not well documented or understood; responsibilities,

particularly advisory roles, are not consistently applied. H l ti hi k i ti i t l i t t ith

• How governance relationships work in practice is not always consistent with

charter documentation.

• Formal guidance needs to be provided to ensure committees are

consistently established, operated, and reviewed.

• Structure, roles, and decision rights across bodies are interpreted

differently.

• Complex or undefined governance can result in confusion regarding

accountability and prolonged decision making. This can increase operational risk and can lead to reputational risk

10

risk and can lead to reputational risk.

• Conduct self-assessments of governance practices

Operational risk function

• Most CBs have centralized

independent ORM unit; several have t li d li it

• Main responsibilities:

– Provide risk management

th d l i centralized compliance units.

– In some cases, the functions are

combined with other risk and control-related disciplines, e.g. Business continuity, IT security.

• Usually deals with legal, reputational

and compliance risks. To a lesser extent with financial and strategic risks.

• Sample of central banks have on

methodologies.

– Facilitate and consolidate the

results of risk assessments.

– Assisting in developing

processes and controls.

– Track risk incidents and report

• n mitigation.

– Coordinate reporting board,

RMC and senior management

11

Sample of central banks have on average 4 full-time equivalent in risk units.

• Challenge the business lines outputs from risk

management activities RMC and senior management.

– Provide guidance and training. – Few include the operational

risk measurement.

Internal audit

• Central banks have an independent internal audit unit from 1st and 2nd

line of defense. Alth h ORM / till l h d d h i d

–

Although some ORM programs were/are still launched and championed by the internal audit.

• Main responsibilities:

– Verify that the risk framework has been implemented as intended and is

functioning appropriately.

– Assess the effectiveness of the bank’s operational risk management

controls, processes and systems, as well as governance.

– Review the management and reporting of key risks.

12

• Ensure independence of risk management and

internal audit although they may collaborate in activities such as awareness programs

Interdependencies

• Generally the tendency of disciplines is to operate in silos due mainly to a

weak governance structure and immature risk culture. Th t t t t f li t ith ORM i i t d ith b i

• The greatest extent of alignment with ORM is associated with business

continuity, and IT and information security risks.

• There is also high interaction, meetings, exchange of reports with the internal

audit unit.

– Building a common risk taxonomy, using the same process map,

exchange of information, …

– In a few cases, permanent access to ORM/IA databases.

13

• Challenges with aligning ORM with other disciplines
• Get acceptance for an integrated approach
• Overcome differences in terminologies and views

regarding approaches and methodologies e.g. IT framework too technical and granular to integrate

Risk Practices

14

Central Banks ORM current status

• Generally ORM programs are fully or almost fully implemented in CBs.
• Most ORM frameworks are internally developed.

Al f t COSO ESCB ISO B l t d d

– Also some refer to COSO, ESCB, ISO or Basel standards.

• Common ORM framework for all areas across the central bank.

– Different frameworks in few central banks still co-exist.

• “ERM” approach is not generally implemented.

– Although major integration is seen in risk reporting.

• Central banks follow a standardized phased approach for risk management

procedure: risk identification, assessment, responding to, reporting on and monitoring.

• Most banks use different IT solutions (mainly SharePoint MS Office or

15

Most banks use different IT solutions (mainly SharePoint, MS Office or internally developed) for different ORM activities, some do not use any tools.

– The use of an integrated IT tool to support the whole risk management

procedure is rare (often cost prohibitive).

Central banks ORM practices

Ri k tit /

[Non exhaustive]

ORM development

• Risk and

control self

• Risk appetite/

tolerance

• Risk awareness

and culture

• +
• Risk

quantification

• Impactful/ value-

added reports

• KRIs
• Scenario

analysis

• Risk

identification

16

control self assessment q added reports

• Incident

reporting

Developing and reviewing central banks’ risk appetite/tolerance

• Risk Appetite is defined as “the
• Risk Tolerance is “a series of limits

Risk Appetite Risk Tolerance

amount of risk, on a broad level, that an organization is willing to accept in the pursuit of its mission, vision, business objectives and overall strategic goals.”

– Approved at the senior level,

embraced by the board, easy to communicate and embedded and understood at all levels. Set clear boundaries qualitative which may either be set as not to be breached, or as an alert mechanism.”

– While risk appetite is broad, risk

tolerance is tactical and

• perational.

– Tolerances form part of the risk

appetite framework for specific risks, by guiding operational areas for appropriate risk taking and select the types of controls which

17 – Set clear boundaries – qualitative

statements and quantitative measures.

– Reportable: through monitoring,

action defined for any breaches (escalation, review, approval). select the types of controls which are needed to ensure that limits are not exceeded.

Risk appetite/tolerance experiences

• Experiences

– There is evidence of the gap between the financial system and central

b k di th d t di d t f th t banks regarding the understanding and management of the concept

– The concept of Risk Appetite / Tolerance has not yet been embraced in

CBs because of the reputational impact and the conservative profile of the CBs

– Nevertheless, generally CBs have incorporated some elements of risk

appetite into their framework; different levels of maturity are noticed.

– Expressed as a statement, embedded in policies or part of risk matrix. – Some CBs publish their risk appetite on their main website to illustrate to

the public how their risk framework works

18

the public how their risk framework works.

• Introducing a clear distinction between appetite and

tolerance should be the first step.

• Risk (all types of) appetite shall be more formally

documented.

Central banks risk culture / awareness

• This topic remains the most challenging for IORWG central banks, as it

is and will be the core driver of the business areas’ motivation to manage i k risks.

– Few central banks rank culture as excellent; almost 70% see culture as

good and more than 20% as inadequate.

• Generally staff in key functions have the appropriate level of skills,

knowledge and experience to enable sound risk management practices.

–

Senior management and key business heads have been trained in most cases.

–

Training to all staff is in place only in some central banks.

• Risk awareness activities are regularly performed:

19

Risk awareness activities are regularly performed:

– Monthly/quarterly risk bulletins, newsletters, quizzes to staff. – Periodic incident reporting. – Risk articles in the quarterly Bank magazine.

Central banks risk culture / awareness (cont.)

• Risk awareness activities are regularly performed (cont.):

– Risk awareness week and other activities.

Monthly departmental/ business unit awareness

– Monthly departmental/ business unit awareness. – Risk management workshops. – Monthly risk managers’ meetings. – Displaying messages or banners that promote a strong risk culture in

strategic areas.

– Playing recorded risk messages in the elevators.

• Key levers for risk culture fostering:

– Strong support from board and senior management. – ORM training.

Increased communication/cooperation with board senior management

20

– Increased communication/cooperation with board, senior management,

business areas and staff.

– Enhanced risk methodology (clear and practical).

• Fostering a risk aware culture at all levels of the
• rganization

Risk reporting practice

• Most common components:

– Risk Control Self Assessments.

I id t R ti

• Most popular scoring method

used is risk matrices.

– Incident Reporting. – Business Continuity

Management.

– Market and credit risks. – Top organizational risks. – Risk Tolerance. – Emerging Risks.

• To a lesser extent:

5 4 3 2 1 1 2 3 4 5 Impact Likelihood 21

To a lesser extent:

– KRIs. – Project risks. – Scenario Analysis. – Liquidity risks. – KPIs. Likelihood

Risk reporting practice (cont.)

Risk Reporting Receiver Board or dedicated risk management committee Receiver Board or dedicated risk management committee Senior management/business areas for information, also internal audit Frequency At least annually for approval Frequent reporting on dedicated risks/incidents Media Usually hard copy, some via e-mail Include additional presentations Only a few provide information to all staff

22

Only a few provide information to all staff Content Most focus only on operational risk

• Major risks, mitigation, risk heat map, major incidents

Overview to Board/risk management committee about the risk profile of the Bank

Risk reporting practice (cont.)

Risk reporting remains a key challenge for central banks: how to create impactful and value-added reports along with data limitations? Frequency Accuracy Appropriateness Characteristics Leading Indicators – Forward Looking Lagging indicators and incident reports – trend analysis Key tools

23

Comprehensiveness Timeliness Truthfulness Dashboards and Heat maps Identification of thresholds and trigger points

Incident management & reporting practice

• Only some central banks have a mature practice in place.

– There are still many central banks at an early stage and few have no

f l i l t d t formal process implemented yet.

• Incident management and reporting procedure:

– Most CBs utilize standardized templates. – Reporting includes “near misses”. – For the grading of the incidents most of the CBs use a scale of 1 to 5 – Only a few CBs work with financial thresholds. – Generally decentralized – submission from business areas to ORM

function.

– Incidents are analyzed – by the business units and/or ORM function –

24

– Incidents are analyzed

by the business units and/or ORM function and appropriate action plans are agreed on.

– In the majority of the CBs, the business unit is in charge of any action

plan follow up and the reporting.

Incident management & reporting practice (cont.)

• Major challenges

– As regards the procedure, clear guidelines and a process description are

d d needed.

– As regards the awareness, there are major challenges to overcome: – Overall Bank’s risk awareness and culture. – “Shame culture” or “blame game”. – Get a strong support from senior management. – Timeliness of reporting by business area. – Technical difficulties: – Evaluation of financial impact is sometimes difficult. – Difficulties in determining a near miss

25

– Difficulties in determining a near miss. – Quality of the reports and the level of details.

Conclusions

26

Concluding remarks

• Central banks governance structures often rely on three lines of defense; a

range of practice exists relating to the implementation of those. Th b d b itt f th b d i ft ibl f idi

• The board or a subcommittee of the board is often responsible for providing
• versight and direction to risk management.

–How should we improve the focus and dialogue on risk?

• Risk committees are generally in place to support board and senior

management’s risk management responsibilities. –Are the RMCs operating effectively?

• Most central banks have a centralized independent unit dealing with ORM.

– How should we substantiate an independent review of the business lines

• utputs?

27

• utputs?
• The greatest extent of alignment with ORM is associated with business

continuity and IT and information security risks. There is also high interaction, meetings, exchange of reports with internal audit. –How should we evolve into an enterprise-wide/integrated risk management?

Concluding remarks (cont.)

• Generally ORM programmes are fully or almost fully implemented in central

banks. H h ld h t dit th i l t ti j f –How should we shorten or expedite the implementation journey for new- comers?

• Few ORM techniques are mature.
• Some techniques still need to improve:

–Risk appetite shall be more formally documented. –Continue enhancement of risk awareness / culture. –Improve quality of risk information. –Enhance incident reporting from a procedural, cultural and technical point of view

28

view.

• Few techniques are still at infancy:

–KRIs, Scenario Analysis and Risk Quantification.

Thank you for your attention Thank you for your attention

Helena Tejero IORWG helena.tejero@bde.es iorwg@bde.es

29