The Canadian Society of Corporate Secretaries 16th Annual Corporate Governance Conference Banff Springs Hotel | Banff, AB | August 24 ‐ 27, 2014 The Role of the Chief Risk Office and the Board’s Role in Risk Oversight John Fraser Senior Vice President, Internal Audit & former Chief Risk Officer Hydro One Network Inc. August 25, 2014
Objectives of this Session • Provide some background on Enterprise Risk Management, how it evolved and why it is now a hot topic for board rooms • Introduce the core fundamentals of Enterprise Risk Management, what it is, some of the tools and how to explain it to executive management and the board • Explain the Chief Risk Officer’s role and how it interacts with the board or a board sub-committee • Address the board’s role in risk oversight – increased expectations and what to do
How Well is ‘Risk’ Understood (2006)? “In 2006, 60% of directors felt they had an understanding of their company’s risks, while executives say that only 18% of directors understand their company’s risks.” Source: KPMG in “Raising the Bar” (April 2008) quoting the February 2006 McKinsey Quarterly Survey
How Well is Risk Understood (2013)? In 2013, directors surveyed said their knowledge of the risks that the company faced was as follows: • 15% of directors said they have a complete understanding • 54% said they had a good understanding, and • 29% said they had a limited or no understanding. Source: McKinsey & Company in “Improving board governance”, via an online survey in April 2013 of 772 corporate directors, 34% of whom were chairs; 22% were public companies, 78% were private companies.
What is risk management’s contribution to your organization? • 47% said “It is essential for adding value to our overall business” • 34% said “It can occasionally help us improve the way we do business” • 15% said “Its contribution to our overall organization is only marginal” • 4% said “It does not contribute to our overall business” Source: Based on a December 2012 survey by the Economist Intelligence Unit and published by KPMG in 2013 in “Expectations of Risk Management Outpacing Capabilities – It’s Time for Action”
Some of the Challenges of Implementing ERM • The Business Case: Regulatory or Effectiveness? • Culture change • Agreeing Risk Criteria (Appetite / Tolerances etc.) • Staffing: who should lead, skills, workshops, how much data to analyse • Level of detail (quantitative and/or qualitative) • Software needs and selection
Benchmarking ERM (chart). Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014), AICPA & NCSU
Benchmarking ERM – con. (chart). Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014), AICPA & NCSU
Benchmarking ERM – con. (chart). Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014), AICPA & NCSU
Benchmarking ERM – con. (figures by survey year, 2009 vs 2013):
Companies with a designated Chief Risk Officer: 2009 = 18; 2013 = 31
Financials with a designated Chief Risk Officer: 2013 = 53
Separate Risk Committees: 2009 = 22; 2013 = 43
Risk Inventories kept at an enterprise level – all: 2009 = 20; 2013 = 37
Risk Inventories kept at an enterprise level – Large Co’s: 2013 = 72
Risk Inventories kept at an enterprise level – Public Co’s: 2013 = 66
Risk Inventories kept at an enterprise level – Financials: 2013 = 44
Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014), AICPA & NCSU
Integrating a Risk Framework into the Business 1. ERM Policy and Framework 2. Accountabilities (and the Chief Risk Officer role) 3. Risk Criteria (and appetite / tolerances) 4. Risk Identification (and the use of Risk Workshops) 5. Corporate Risk Profile 6. Business Planning
ERM Policy and Framework
ERM Policy and Framework • ERM Policy: • “ERM provides uniform processes to identify, measure, treat and report on key risks.” • This is the umbrella policy under which all other risk policies fall. • Key principles include: portfolios of ALL types of risks, integrated with strategic and business planning, annual risk assessments, everyone’s responsibility. • Key accountabilities: Board and/or board committee, the Chief Executive Officer, Chief Financial Officer, Management and Chief Risk Officer. • Key definitions, e.g. of “risk”. • ERM Framework: • Establishes the basic process for all risk assessments etc.
Accountabilities (and the Chief Risk Officer Role)
Accountabilities in ERM (diagram). Levels: Board (or Committee); Executive Management; Line Management. Elements: Corporate Risk Profile; Policy & Framework; Risk Criteria (Tolerances); Risk Profiles & Business Plans; Manage Risks, $
The Chief Risk Officer Role • Alternative models, banks versus others • Decision maker, facilitator or “opinionator”? • Centralized/holistic view of the organization • Some issues: • Who does the CRO work for? Management or the Board? • Is the CRO a facilitator or a policeman? Additional reading: “Managing the Multiple Dimensions of Risk—Part II: The Office of Risk Management” by Anette Mikes, Assistant Professor, and Robert S. Kaplan, Baker Foundation Professor, Harvard Business School (2011); “Becoming the Lamp Bearer: The Emerging Role of the Chief Risk Officer” by Anette Mikes, Assistant Professor, Harvard Business School (2009); “Enterprise Risk Management – From Incentives to Controls” by James Lam, John Wiley & Sons (2003)
Accountabilities of Risk versus Internal Audit (diagram of internal audit roles in ERM: core internal audit roles; roles with safeguards; roles audit should not undertake). Source: “The Role of Internal Auditing in Enterprise-wide Risk Management”, Institute of Internal Auditors (2004); “Internal Auditing’s Role in Risk Management”, Institute of Internal Auditors (2011)
The Chief Risk Officer and the Board • Touch-points between the Board and the CRO: • The ERM Policy and Framework approval • Strategic Planning & Business Planning (Objectives) • Risk Criteria (e.g. impact scale, tolerances etc.) • Formal Risk Profiles • Frequent Updates • Educator (e.g. best practices, benchmarking) • Advisor (e.g. hot topics, emerging risks) • Whistleblower (not recommended) • To be determined (e.g. risk workshops)
Risk Criteria and appetite/tolerances
Appetite/Tolerances/Criteria: who used which term, by period
Term: <2004 / 2004+ / 2009 / 2011
Appetite: Used interchangeably / COSO / – / Canada*
Tolerance: Used interchangeably / COSO / – / Canada*
Criteria: Used interchangeably / – / ISO 31000 / Canada*
Attitude: Used interchangeably / – / ISO 31000 / Canada*
* = Implementation guide to CAN/CSA-ISO 31000, Risk management — Principles and guidelines (2011)
Use of Risk Criteria (Appetite & Tolerances etc.) • In order to run effective risk workshops • In order to create a common understanding of risks by the leadership team, the board and managers • Criteria for Business Planning / Resource Allocation prioritization. “Risk is the effect of uncertainty on objectives” ISO 31000
Risk Criteria* Include: • the nature and types of causes and consequences that can occur and how they will be measured; • how likelihood will be defined; • the timeframe(s) of the likelihood and/or consequence(s); • how the level of risk is to be determined; • the views of stakeholders; • the level at which risk becomes acceptable or tolerable; and • whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered. Note: Underlines for emphasis by John Fraser. * = Per ISO 31000
Turning Strategy into Risk Criteria (inc. Tolerances) (flow diagram). Steps: Strategic Planning; Business Objectives; Key Performance Indicators; Risk Criteria (inc. Tolerances). Questions asked at each step: What 6-10 overall Corporate aims?? How are we going to achieve our objectives? How will we measure success for each Business Objective? What is our attitude toward failure for each Key Performance Indicator?? What do we want to factor in to decision-making?
Example of “Risk Tolerances” (Criteria)
Risk Tolerances table. Columns: Business Objectives; Event Impact Description; 5 Worst Case; 4 Severe; 3 Major; 2 Moderate; 1 Minor.
Financial (Net Income shortfall, after tax, in one year): 5 = >$150M shortfall; 4 = $75-150M shortfall; 3 = $25-75M shortfall; 2 = $5-25M shortfall; 1 = <$5M shortfall
Reputation (Negative Media attention; Opinion leader Criticism): 5 = Credible letter(s) to Ministry of Energy, to Premier, to Chair of OEB, or to Minister of Environment, that require action; 4 = National media attention; opinion leaders/customers nearly unanimous in public criticism; 3 = Provincial media attention; most opinion leaders/customers publicly critical; 2 = Significant local Attention; Several opinion leaders/customers publicly critical; 1 = Letter(s) to Senior Management and Public Criticism
Customer/Reliability (Outages on the Hydro One system): 5 = One of: >100,000 Customers Distribution or >1000MW Tx for more than 7 days; 4 = One of: 40k-100k Customers Dx or 400-1000MW Tx for 4-7 days; 3 = One of: 10k-40k Customers Dx or 100-400MW Tx for 2-4 days; 2 = One of: 1k-10k Customers Dx or 10-100MW Tx for 4-24 Hrs; 1 = One of: <1000 Customers Dx or <10MW Tx for <4 Hrs
Scale bar beneath the table: Intolerable (at the Worst Case end) to Tolerable (at the Minor end)
Actual “Risk Criteria” Impact Scale (chart, with a scale running from Tolerable to Intolerable)
Risk Identification and Evaluation • The use of Risk Workshops • The use of Interviews • The use of Surveys