Enterprise Risk Management How Does ERM Apply to your Credit Union? Presented by Louise Hanson, Partner, Moss Adams LLP Shannon Haas, Senior Manager, Moss Adams LLP
Moss Adams at a Glance • Full service public accounting firm with assurance, tax, and consulting services for middle-market public and private companies • Largest accounting firm headquartered in the West and one of the 15 largest in the United States • 21 offices in California, Arizona, New Mexico, Oregon, Washington and Kansas • More than 230 partners and over 1,800 staff • Founded in 1913 and headquartered in Seattle, Washington • A founding member of Praxity, a global alliance of accounting firms • We are the 4th largest firm servicing credit unions in the nation (based on assets)
Today’s Discussion Objectives • What is Enterprise Risk Management? – an Overview of ERM • What is Driving ERM? • ERM & the Regulators • How ERM Can Benefit My Institution • How My Institution Can Build an ERM Strategy: Implementation Overview • Phase 1 – Planning • Phase 2 – Implementing the Plan • Phase 3 – Refining • Summary
Questions to ponder…
• In today’s credit union environment, what risks or “watch out fors” would you suggest directors, supervisory committees (or even executive management) focus on?
• What would you be looking for in Board Report packages today?
• Do we understand these issues well enough to report on them appropriately in each of our credit unions today?
At the Core…
• What is the nature of banking? – Risk management
• What should credit unions be doing? – Intermediate risks for members and borrowers
• What are directors expected to do? – Create and protect member funds and opportunities; governance process and risk policies
• How are risks portrayed in an institution? – Via financial statements; via processes
Enterprise Risk Management
“The decline and ultimate failure of some great companies has been a historical fact. But such decline is not inevitable. Rather, it results when corporate leaders (CEOs and directors alike) don’t anticipate and deal with the long term threats facing their companies.” Harvard Business Review (5/08), “Leading from the Boardroom”
What is “Enterprise Risk Management”? “Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, (Sept. 2004)
What is ERM?
• A structured, consistent, and continuous risk management process that is applied across the entire organization
• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization
• Driven by a decision-support process that is aligned with the management and execution of strategic objectives
• Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture
(Cycle shown on the slide: Business Objectives; Identify & Assess; Planning & Management; Measure, Monitor & Report)
Enterprise Risk Management – “What might get in the way of my duty to deliver value and protect the members?”
• Risk: the potential that events, expected or unanticipated, may have an adverse impact on capital or earnings.
• Risk Management: the employment of systems and processes to manage the critical tradeoff between risk and return in financial decision-making.
• Enterprise-Wide Risk Management: the formal mechanism or structure for managing risks across the entire institution on an integrated basis.
Enterprise Risk Management (ERM) Components – keys to a good ERM program; it must include:
• Risk Identification
  – What are our key risks?
  – What level of risk are we willing to allow/accept (“risk appetite”)?
• Risk Measurement
  – Risk measurement models (ALM, credit stress)
  – Guidelines and quantification tools (credit risk classification, operational and credit losses)
• Risk Control
  – Policies (required and best practice)
  – System of risk limitations
  – Authorities and oversight systems
• Risk Monitoring
  – System of risk reporting – key measurements
  – Board-driven assessments (internal and external audits, monitoring reports)
  – Management self-assessments (management-generated reporting against pre-set standards)
In a Nutshell… ERM is a process for managing and controlling risks across an entire organization, both within and across business lines and legal entities.
What’s Driving ERM? – Environmental – ERM can be the key to how to win • Growing size and organizational structure • Increasing diversity of business lines and complexity of products • Increasing number of regulations • Increasingly competitive marketplace
What’s Driving ERM? – Institutional –
• Fragmented or “silo” risk management efforts
  – fail to recognize interrelationships of risk across businesses or products
• Lack of aggregation of common risks and reporting
  – fails to keep Board and management informed of organization-wide risks
• Lack of attention to how risks are correlated
  – fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures
Post Downturn, ERM is More Important than Ever
• Bankers, regulators, investors, members and counterparties will not soon forget the near-collapse in late 2008
• So far, the new era in financial services is a very strong emphasis on safety and risk management
• Those who can demonstrate superior risk management will have a competitive advantage
  – Greater opportunities in the market due to goodwill from regulators and investors
  – More and better members
• Key ERM implementation challenges for most credit unions
  – Culture
  – Right expertise
  – Data and measurement
  – Transparency/reporting
Drivers of ERM – a Summary
• Board of Directors – demand increased financial disclosure and transparency
• Members as Stakeholders – demand evidence that management understands and manages risk
• Regulators/Rating Agencies – seek assurance around compliance and risk assessment processes
• Activists – demand social awareness, safety & environmental consciousness
• Members as Customers – make decisions based on differentiating factors
• Peers – comparison with others drives industry-wide practice
• Competitors – push innovation, drive leadership
Regulatory Expectations for ERM – ERM starts with the fundamentals of strong risk management:
• Adequate policies, procedures, and limits
• Active Board and senior management oversight
• Comprehensive internal controls
• Adequate risk measurement, monitoring, and MIS
From “Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies” (SR 95-51 (SUP))
NCUA ERM Guidance NCUA advises an effective system of Enterprise Risk Management includes consideration of: • Market Condition • Field of Membership • Credit Union Structure • Size • Complexity • Geographic diversity
Increasing Emphasis on ERM Perspective
Basel Committee’s Core Principles for Effective Banking Supervision (2006), Principle 7 – Risk management process: “Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor, and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the organization.” http://www.bis.org/publ/bcbs129.pdf
Principles for Effective Operational Risk Management (2003; published by the Basel Committee as “Sound Practices for the Management and Supervision of Operational Risk”) http://www.bis.org/publ/bcbs96.pdf
Principles for Sound Liquidity Risk Management and Supervision (Sept. 2008) http://www.bis.org/publ/bcbs144.pdf
Principles of Effective Operational Risk Management (Basel Committee on Banking Supervision)
• The Board should approve and periodically review the operational risk framework.
• The Board should ensure that the framework is subject to review by independent, competent audit staff.
• Senior management is responsible for implementation.
• A process should exist to identify and assess the operational risk inherent in products, activities, processes and systems.
• A process should exist to monitor operational risk profiles and material exposure to losses.
• Policies, processes and procedures should exist to control and/or mitigate material operational risks.
• A contingency and business continuity plan should exist.
• Regulators should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risk as part of an overall approach to risk management.
• Regulators should conduct regular, independent evaluation of banks’ policies, procedures and practices related to operational risk.
• Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.
It Takes 3 to Fly this Plane (time & activities)
• Audit – Past: “Do we do as we say?”
• Compliance – Present: “Are we in compliance?”
• Risk – Future: “What can go wrong?”
• Risk Manager – looks through the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance
• Compliance Manager – assists the pilot in maintaining the proper flight path and plane operating procedures by using the manual and FAA regulations
• Auditor – uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path
In Summary
• Boards of Directors/Supervisory Committees are responsible for ensuring that their credit unions are managed in a safe and sound manner. (This hasn’t changed.)
• In today’s environment (and increasingly in the future), safety and soundness means that risks need to be well managed given the credit union’s risk environment and business model.
• You need to be able to answer “Yes” to this regulator question: “Do you have a program that appropriately identifies emerging risks in a timely manner?”
• Therefore: Safety/Soundness = Risk Management. Consequently, the foundation for modern corporate governance is Enterprise Risk Management.
Organizational Goals of ERM • Protect/enhance members’ funds and opportunities • Link strategy and risk profile • Recognize and manage integrated/cross-organizational risks • Enhance risk-based decisions • Capital management/preservation • Seize opportunities • Disciplined culture — For a director/committee member, do these sound familiar?
Benefits of Enterprise Risk Management
• Enhances integrated decision-making – better able to deal with the risk from growth, mergers, new products, etc.
• Better alignment of risk and strategy.
• Framework for identifying enhanced-return opportunities and improved risk mitigation.
• Improved deployment of capital resources – allocating capital to business areas to achieve superior risk-adjusted returns (RAROC).
• Credibility and confidence in governance and risk management – members, regulators, external auditors.
• Anticipate risk – seize opportunities, minimize cost.
• Improved understanding and management of interactions and interrelationships between risks.
• Clear accountability and ownership of risk.
• Regulatory compliance with safety and soundness guidelines; foundation for a strong internal control environment.
Benefits of Enterprise Risk Management (continued…) – all of the previous positively impact: • Protection of capital • Enhancement of earnings • Reduction of losses (fraud, credit, operational) • Greater efficiency in process flows • Better defined/more efficient internal audit programs • Better understanding of the effect of market movements
What We are Observing: Industry ERM Themes so Far for 2012+
• ERM
  – Managing an acquisition (valuation, financial integration, change in risk profile, culture, data integration, etc.)
  – Model validation
  – Incentive programs that incorporate risk and are better aligned with organizational performance
• Compliance and regulatory
  – Regulatory reform outcomes
  – Stress testing
  – Compliance: fair lending, BSA, AML
• Credit
  – Provision and reserve going forward
  – Growing the loan portfolio
  – Diversifying away from risk concentrations in the portfolio
• Market Risk
  – The investments portfolio – understanding the risks going forward
  – Interest rate risk management
ERM Implementation Phases – gradual evolution of the process (figure on the slide). Stages shown: Compliance and Prevention (detective controls and processes); Operating Performance (preventative controls and processes); Strategic ERM (proactive planning and improvement); outcome: Enhanced Member Benefits.
Developing ERM Capabilities is an Evolution, Not an Event Add Capabilities as Risk/Complexity are Added
Let’s do a Quick Self Assessment • Go to the separate handout • Complete the “Risk Oversight Self Assessment” survey • There are no right or wrong answers • Try to objectively answer each question for a credit union you have in mind
Self Assessment – Implications
Q 1-12 | Q 13-28 | Implications
Yes | No | Lots of focus on strategic planning, lots of risks, but few risk management processes
Yes | Yes | Strategic planning and risk management are reasonably integrated and the organization is making great ERM progress
No | Yes | Few perceived strategic risks but overspending on ERM processes
No | No | Few perceived risks, but no system to be sure or to identify risks/opportunities
Linking ERM to Strategy (chart on the slide: risk management maturity level, low to high, plotted against time). Maturity stages from low to high: Compliance/Monitoring; Loss Minimization; Risk Measurement; Risk vs. Return Optimization; Strategic Integration; Risk appetite articulated.
ERM – Strengthening Focus on Strategic Risk Exposures (driver tree on the slide; each branch asks “Risk Drivers? Risk Metrics?”)
• Profitability
  – Increased Revenues
    · Increased loan yield (rate & volume)
    · Non-interest income products
  – Expense Savings
    · Reduce head count
    · Other cost savings measures – vendor management
The Moss Adams Phases to ERM Implementation • STEP 1 – PLANNING – (a.k.a., “putting your best foot forward, knowing the process isn’t going to be perfect because it’s a new area of focus, and every institution is unique”) • STEP 2 – IMPLEMENTING – (a.k.a., “executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the “refining” stage”) • STEP 3 – REFINING – (a.k.a., “fixing what needs to be fixed and/or what wasn’t addressed after implementing your plan”) • A simple 3-step process for getting your ERM program off the ground
Building Your ERM Roadmap/Implementation Plan: STEP #1 – PLANNING
• Gain Board/Committee/Executive-level support – “Tone at the Top” might be the single biggest factor in implementing successfully; start to build consensus/buy-in
• Revisit/review your strategic plan – the ERM vision should be aligned with your organization’s size/complexity
• Start thinking about how you are going to identify (and categorize) risk
• TIPS:
  – Define plan owners, roles and responsibilities for execution, timelines, resource alignment
  – Prioritize key tasks – look for up-front, early wins
  – Utilize existing management structures
  – Think about existing organizational design/structure
  – Other: degree of alignment with finance, specific control tools, etc.
  – Start to build consensus among key internal and external parties (including regulators*)
  – Preliminary risk assessment – work on the “completeness” of the risk inventory
  – Look for risk concentrations
  – Understand management’s current risk activities – functions, controls, what is tracked, who does it, etc.
Tone at the Top & Culture
• It’s that CULTURE thing!!
• Mutual expectations, respect, reliance
• Model the standard – legally: duty of loyalty and care; business judgment; disclosure/transparency
• Open communications, debate
• Brainstorm risks at various management levels – what risk is coming around the corner?
• Welcome the messenger
• Welcome dumb questions
• Draft policies
ERM Policy (outline)
• Policy Statement
  – Purpose/objectives
  – Integrated management of risk
  – Governance of risk oversight
  – Independent review and monitoring
  – Best practice risk control
• Responsibilities
  – Board of Directors
  – Supervisory Committee
  – Board Risk Committee
  – Management Risk Committee
  – CEO
  – CRO
  – Internal Auditor
  – Department Heads
• Risk Categories
• ERM Process
• Policy Guidelines/Limits
• Risk Metrics and Tools
  – Risk assessments
  – Measures
  – Controls & monitoring
  – Risk response
  – Communication & reporting
  – Policy exceptions
ERM Charter
• Purpose/Objectives – Board/Committee delegation to identify and manage risks and adhere to policies
• Committee Members and Chair – Chief Risk Officer as direct report
• Meetings – full Board reporting
• Duties and Responsibilities – Supervisory Committee interaction; oversight of Management Risk Committees
• Performance Evaluation
• Committee Resources
ERM is a Shared Responsibility: Typical Roles/Needs
• Board of Directors – governance; reputational risk; Board training
• CEO/COO – business risk; execution risk; strategy/mergers
• CFO – internal controls; economic capital; performance measurement
• CRO (larger institutions) – ERM roadmap; policies/limits/appetite; risk quantification; dashboards
• Functional Risk Managers/Delegated Responsibilities – credit risk, market risk, interest rate risk, operational risk, compliance risk, technology risk, etc.
A Vision for ERM is Fundamentally Linked to Strategic Goals for Your Organization
• What are your core competencies? What is your market? What does your credit union want to be? Who are your members?
• What are your return goals? (Risk vs. reward = credit & IRR; capital adequacy; regulatory; fraud; other?)
• Identify risks to your credit union – what risks do you take on to generate these returns? Focus on “key” risks.
  – Credit risks in lending?
  – Credit risks in your investments portfolio?
  – Market risks through interest rates?
  – Market risks through your investments portfolio?
  – Operational risks through providing processing/cash management services?
  – Compliance risks in highly regulated markets?
  – Other?
• How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)? Do you have sufficient capital and liquidity to support these risks?
ERM Risk Components
• Credit risk and market risk are typically called “financial risks” – return and risk are usually directly correlated here
  – Greater risk will lead to higher returns in the long run, but will also result in significantly greater earnings volatility and require much more capital. A risk appetite is needed to decide how much risk and what types of risk are appropriate
• Operational risks can also be financial risks, but the risk/return relationship can be very different
  – Some operational risks, such as regulatory and compliance concerns, are not related to returns; they are only protection against future loss, or a cost of doing business
  – Fee-based businesses such as payment processing are operational-risk-driven businesses with a direct relation to returns
• Regardless of the risk type, ERM practices can enable management and the Board to:
  – Develop a consolidated view of their risk profile across all risk types and understand hot spots
  – Measure risk exposure using quantitative and qualitative methods
  – Set a risk appetite and manage to it
  – Better understand where returns are generated
Regulatory Capital Rules Have Created a Framework for Classification of Risk Types (Risks Example 2)
Many Institutions Have Adopted These Definitions for a Functional ERM Structure (Risks Example 2.1) – Enterprise Risk Management functional structure (not organizational structure):
• Credit Risk – commercial; retail; counterparty
• Market Risk – change in fair value; interest rate risk; currency risk; liquidity risk
• Operational Risk – compliance risk; internal and external fraud; business process failure; HR; litigation; data security; technology/systems; natural disaster; etc.
• Other risk category possibilities: business, strategic, concentrations, reputation, etc.