
Enterprise Risk Management



Presentation Transcript

  1. Enterprise Risk Management
     ASSE Using Risk Principles, March 24th, 2005
     James Lam, President
     Phone: 781.772.1961, Email: jameslam@comcast.net, Website: www.jameslam.com

  2. Our president, James Lam, has spent 20 years in risk management
     Professional
     • President, James Lam & Associates
     • Founder and President, ERisk
     • Partner, Oliver, Wyman & Company
     • CRO, Fidelity Investments
     • CRO, Capital Markets Services Inc., a GE Capital company
     Industry Activities
     • PRMIA Blue Ribbon Panel Member
     • GARP Inaugural Financial Risk Manager of the Year (1997)
     • Published over 50 articles and book chapters
     • Quoted in Wall Street Journal, Financial Times, Risk Magazine, and CFO Magazine
     Academic
     • Senior Research Fellow, Beijing University
     • Adjunct Professor, Babson College
     • Lectured at Harvard Business School as the subject of a HBS case study
     • MBA, UCLA School of Business
     • BBA, Baruch College
     Client Solutions
     • Consulting – ERM, strategic risk, financial risk, and operational risk
     • Software – Operational risk (with OpenPages) and ERM Dashboard (CXO Systems)
     • Training – board and management workshops

  3. We are singularly focused on risk management
     Client Solutions
     • Consulting services
     • Software products
       • CXO Systems
       • OpenPages
     • Training programs
     Areas of Expertise
     • Enterprise risk management
     • Market risk management
     • Credit risk management
     • Operational risk management
     • KRIs and risk reporting

  4. As discussed in James’ recent book, we define ERM as a value-added function
     Definition of ERM: “An integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value.”

  5. Discussion outline
     • Key trends and requirements
     • Best practices and practical applications
     • ERM in the future

  6. ERM is useful because the risks faced by companies are highly interdependent
     [Diagram: Enterprise-Wide Risks broken down into Financial Risk (Market Risk, Credit Risk, Liquidity Risk), Business Risk and Operational Risk, with examples of cross-category dependencies:]
     • Credit risk associated with investments
     • FX risk in a new foreign market
     • Asset liquidity and funding liquidity
     • Credit risk associated with borrowers and counterparties
     • Derivatives documentation and counterparty risk
     • IT and business process outsourcing

  7. Traditionally, risks were managed within organizational “silos”
     Strategic Risk
     • Who: Board of Directors, CEO
     • How: Strategic planning, EVA, Balanced scorecard
     Business Risk
     • Who: Business Managers, Project Managers
     • How: Product plans, Business reviews, Project management
     Financial Risk
     • Who: CFO, Treasurer
     • How: Country and credit limits, Trading and ALM limits, Financial derivatives
     Operational Risk
     • Who: Internal Audit, Compliance, IT
     • How: Controls, Audits, Contingency planning, Insurance

  8. ERM provides an integrated value-added approach
     [Diagram: Enterprise Risk Management, led by the Chief Executive Officer/Chief Risk Officer, spans Strategic Risk (Board, CEO), Business Risk (Line managers, Project managers), Financial Risk (CFO, Treasurer) and Operational Risk (Internal Audit, Compliance, IT)]
     Benefits
     • Broadens risk awareness
     • Aligns risk profile and strategy
     • Minimizes surprises and losses
     • Rationalizes capital requirements
     • Assures regulatory compliance
     • Improves ROE and shareholder value
     Financial Institutions: Barclays, GE Capital, JP Morgan Chase, Fidelity Investments
     Non-Financial Corporations: Microsoft, Boeing, Duke Energy, Ford

  9. Case study: Microsoft’s risk intranet is central to their ERM program
     ERM Program Background
     • American software giant initiated its ERM program in 1994
     • Initiated ERM with a comprehensive inventory of risks
     • Recognized that its insurance strategies only covered 30% of risks
     • Applied advanced technologies to support risk analysis and communication
     • Incorporated into product pricing the expected litigation costs of “repetitive stress injuries” associated with a new keyboard
     • Mike Brown, CFO: “The web is an incredible opportunity to take costs out of your model, to provide higher quality services and to be much more informed about company issues.”

  10. The growing acceptance of ERM is driven by four key forces
     Corporate Disasters
     • Enron
     • WorldCom
     • Adelphia
     • Mutual Funds
     Best Practices
     • Banks
     • Asset Managers
     • Energy Firms
     • Corporations
     Regulatory Actions
     • S.E.C.
     • Sarbanes-Oxley
     • Basel II
     Industry Initiatives
     • Treadway Report, US
     • Turnbull Report, UK
     • Dey Report, Canada

  11. Companies are faced with an influx of new requirements
     Basel II
     • New accord consists of three pillars:
       • Minimum capital requirements
       • Supervisory review
       • Public disclosure
     • Explicit treatment of operational risk
     • More granular analyses of credit risk
     Sarbanes-Oxley Act of 2002
     • Section 404: Management assessment of internal controls for financial reporting, with attestation by auditor
     • Section 302: CEO/CFO certification of financial statements
     • Establishes criminal penalties for executives and independence requirements for auditors
     Other Requirements
     • SEC/NYSE/NASDAQ corporate governance rules
     • State attorney general probes
     • Patriot Act; anti-money laundering and Bank Secrecy Act

  12. A proactive approach to ERM is driven by best practices, not regulations
     [Diagram: Reactive approach – the CEO responds to each governance requirement (Sarbanes-Oxley, Basel II, new industry standards) separately from the current state. Proactive approach – benchmarking, gap analysis and recommendations move the company from its current state toward a desired state (best practices or best-in-class practices) that covers the common themes and unique standards of Sarbanes-Oxley, Basel II and new industry standards.]

  13. Early adopters of ERM have reported significant and tangible benefits

  14. Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and risk tool usage Source: PA Consulting Survey of Global Banks

  15. Discussion outline
     • Key trends and requirements
     • Best practices and practical applications
     • ERM in the future

  16. An ERM framework should encompass seven key building blocks
     1. Corporate Governance – Establish top-down risk management
     2. Line Management – Business strategy alignment
     3. Portfolio Management – Think and act like a “fund manager”
     4. Risk Transfer – Transfer out concentrated or inefficient risks
     5. Risk Analytics – Develop advanced analytical tools
     6. Data and Technology Resources – Integrate data and system capabilities
     7. Stakeholders Management – Improve risk transparency for key stakeholders

  17. The enterprise risk management process
     ERM Foundations
     • Senior management and board participation (“tone from the top”)
     • Governance structure
     • Resource allocation
     • Culture, principles, and values
     • ERM framework and policies
     • Linkage to strategy, performance measurement and incentives
     • Organizational learning
     Risk Identification and Assessment
     • Top-down assessments
       • Barriers to strategic and financial goals
       • Executive team CSAs
     • Bottom-up assessments
       • Barriers to business, customer, and product goals
       • Business unit CSAs
       • Functional unit CSAs
     • Independent assessments
       • Internal audit
       • External audit
       • Regulators
       • Customers
       • Other stakeholders
     Risk Measurement and Reporting
     • ERM dashboard
       • Earnings volatility
       • Key risk metrics
       • Policy compliance
       • Real-time event escalation
       • Drill-down capabilities
     • Scenario analysis
       • Historical
       • Managerial
       • Simulation-based
     • Disclosure
       • Board reporting
       • External reporting
     Risk Mitigation and Management
     • Policy enforcement
     • Value-based growth and restructuring strategies
     • Risk transfer strategies
     • Contingency planning and testing
     • Event and crisis management

  18. An ERM system should address all risk types, qualitative and quantitative data, and risk monitoring and management applications
     [Diagram: an ERM Dashboard built on data mining of internal and external data across four risk “pillars”: Business Risk, Credit Risk, Market Risk and Operational Risk]
     • Basic ERM applications:
       • Executive reporting
       • Key risk indicators
       • Loss/incident tracking
       • Control self assessments
       • Early warning indicators
       • Risk mitigation projects tracking
       • ERM content management
     • Advanced ERM applications:
       • Risk transfer
       • Economic capital
       • Scenario analysis
       • Shareholder value management

  19. Characteristics and sources of effective key risk indicators
     Ten characteristics of key risk indicators:
     • Tie to objectives, risk owners, and risk categories
     • Be quantifiable – $, %, #
     • Track in time series against standards or limits
     • Reflect objective measurement
     • Balance of leading and lagging indicators
     • Be useful – support business decisions and actions
     • Can be benchmarked internally or externally
     • Incorporate risk drivers: exposure, probability, severity, correlation
     • Timely and cost effective
     • Simplify risk without being simplistic
     Sources of key risk indicators:
     • Losses & Incidents – actual losses, incidents, industry data
     • Strategies/Objectives – business plans, management goals, performance metrics
     • Regulations & Policies – legal requirements, regulatory standards, policy limits
     • Stakeholder Requirements – customers, vendors, other

  20. An ERM dashboard should address five key questions for senior management
     • Are any of our strategic, business, and financial objectives at risk?
     • Are we in compliance with policies, limits, laws, and regulations?
     • What risk incidents have been escalated by our risk functions and business units?
     • What key risk indicators and trends require immediate attention?
     • What risk assessments should we review?

  21. Example: monthly risk report
     [Report template with three sections:]
     • Losses – accounting for actual losses incurred: operational, credit, market and other losses, sub-total, and loss/revenue ratio (current period and year-to-date), with a time-series chart of losses from 1992 through Q1 1997
     • Risk Incidents – reporting of risk incidents, exposures, and near misses (incident, exposure, response)
     • Management Assessment – management discussion of major risk issues (“what keeps me up at night”)

  22. Example: monthly risk report (cont’d)

  23. Case study:
     Background
     • $1 trillion of assets under management
     • Private company
     • Decentralized business culture
     3-Year ERM Program
     • Organized Global Risk Forum
     • Implemented annual Global Risk Review
     • Automated loss accounting
     • Developed ERM framework
     • Implemented intranet-based Global Risk MIS
     • Experienced significant reduction in loss ratio

  24. Basic risk management processes can lead to significant improvements
     [Diagram: a risk event log feeds root cause analysis (event, loss, root causes, controls needed), risk metrics and goals; actual loss experience shows an 85% decline]
     Education
     • New associates
     • Management
     • Business/Operational processes
     • Best practices
     • Lessons learned

  25. ERM requires balancing the hard and soft side of risk management
     Hard Side
     • Measures and reporting
     • Risk oversight committees
     • Policies & procedures
     • Risk assessments
     • Risk limits
     • Audit processes
     • Systems
     Soft Side
     • Risk awareness
     • People
     • Skills
     • Integrity
     • Incentives
     • Culture & values
     • Trust & communication

  26. A company’s “risk culture” provides the foundation of its ERM program
     • Definitions of “risk culture”
       • In a typical risk culture, people will do the right things when risk policies and controls are in place
       • In a good risk culture, people will do the right things even when risk policies and controls are not in place
       • In a bad risk culture, people will not do the right things regardless of risk policies and controls

  27. Case study:
     Background
     • New capital markets business
     • Traders hired from foreign bank
     • Aggressive business and growth targets
     2-Year ERM Program
     • Established risk policies and systems
     • Instilled risk culture
     • Survived “Kidder” disaster
     • Captured 25% market share with zero policy violations
     • Recognized as best practice

  28. Hallmarks of success in ERM
     • Engaged senior management and board of directors
     • Established policies, systems, and processes, supported by a strong risk culture
     • Clearly defined risk appetite with respect to risk limits and business boundaries
     • Robust risk analytics for intra- and inter-risk measurement, summarized in an “ERM dashboard”
     • Risk-return management via integration of ERM into strategic planning, business processes, performance measurement, and incentive compensation

  29. Discussion outline
     • Key trends and requirements
     • Best practices and practical applications
     • ERM in the future

  30. Ten predictions on the future of enterprise risk management
     • ERM will become the industry standard
     • CROs prevalent in risk-intensive companies
     • Audit committees will evolve into risk committees
     • Economic capital in; VaR out
     • Risk transfer executed at enterprise level
     • Advanced technologies key to advancement
     • A measurement standard will emerge for operational risk
     • Risk-based or economic reporting becomes standard
     • Risk becomes part of corporate and college programs
     • Salary gap among risk professionals continues to widen

  31. The role of a Chief Risk Officer (ranging from “must have!” to “nice to have”)
     • Evangelist – Motivate
     • Leader – Change
     • Steward – Control
     • Consultant – Help
     • Technician – Teach

  32. What makes a good CRO?
     • Organizational and leadership skills to effect change
     • Communication skills – “to simplify without being simplistic”
     • Technical skills in credit, market, and operational risk
     • Judgment to balance business and risk requirements
     • Courage to push back and “say no”
     • High EQ (emotional quotient) in addition to high IQ
     • Ultimate CRO test: ability to integrate risk management into strategic planning and day-to-day business processes

  33. ASSE defined functions for safety professionals
     • Anticipate, identify and evaluate hazardous conditions and practices
     • Develop hazard control methods, procedures and programs
     • Implement, administer and advise others on hazard controls and hazard control programs
     • Measure, audit and evaluate the effectiveness of hazard controls and hazard control programs

  34. Role for safety professionals in enterprise risk management
     • Promote awareness of hazard risks, as well as the interdependencies with other key risks
     • Integrate hazard risks into control self assessments and audit findings
     • Develop key risk indicators and management dashboards for hazard risk
     • Participate in ERM initiatives to mitigate and manage enterprise-wide risks