Our president, James Lam, has spent 20 years in risk management

Presentation transcript:

Enterprise Risk Management ASSE Using Risk Principles March 24th, 2005 James Lam President phone: 781.772.1961 Email: jameslam@comcast.net Website: www.jameslam.com

Our president, James Lam, has spent 20 years in risk management
Professional: President, James Lam & Associates; Founder and President, ERisk; Partner, Oliver, Wyman & Company; CRO, Fidelity Investments; CRO, Capital Markets Services Inc., a GE Capital company
Industry Activities: PRMIA Blue Ribbon Panel Member; GARP Inaugural Financial Risk Manager of the Year (1997); Published over 50 articles and book chapters; Quoted in Wall Street Journal, Financial Times, Risk Magazine, and CFO Magazine
Academic: Senior Research Fellow, Beijing University; Adjunct Professor, Babson College; Lectured at Harvard Business School as the subject of a HBS case study; MBA, UCLA School of Business; BBA, Baruch College
Client Solutions: Consulting – ERM, strategic risk, financial risk, and operational risk; Software – Operational risk (with OpenPages) and ERM Dashboard (CXO Systems); Training – board and management workshops

We are singularly focused on risk management
Client Solutions: Consulting services; Software products (CXO Systems, OpenPages); Training programs
Areas of Expertise: Enterprise risk management; Market risk management; Credit risk management; Operational risk management; KRIs and risk reporting

As discussed in James’ recent book, we define ERM as a value added function
Definition of ERM: “An integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value.”

Discussion outline: Key trends and requirements; Best practices and practical applications; ERM in the future

ERM is useful because the risks faced by companies are highly interdependent Enterprise-Wide Risks Financial Risks Market Risk Liquidity Risk Credit Risk Credit Risk Associated with Investments FX risk in a new foreign market Financial Risk Asset Liquidity Derivatives documentation and counterparty risk Business Risk Operational Risk IT and business process outsourcing Credit Risk Associated with Borrowers and Counterparties Funding Liquidity

Traditionally, risks were managed within organizational “silos” Strategic Risk Business Risk Financial Risk Operational Risk Board of Directors CEO Business Managers Project Managers CFO Treasurer Internal Audit Compliance IT Who Strategic planning EVA Balanced scorecard Product plans Business reviews Project management Country and credit limits Trading and ALM Limits Financial derivatives Controls Audits Contingency planning Insurance How

ERM provides an integrated value-added approach
Enterprise Risk Management: Chief Executive Officer/Chief Risk Officer
Financial Institutions: Barclays; GE Capital; JP Morgan Chase; Fidelity Investments
Non-Financial Corporations: Microsoft; Boeing; Duke Energy; Ford
Strategic Risk: Board; CEO
Business Risk: Line managers; Project Managers
Financial Risk: CFO; Treasurer
Operational Risk: Internal Audit; Compliance; IT
Benefits: Broadens risk awareness; Aligns risk profile and strategy; Minimizes surprises and losses; Rationalizes capital requirements; Assures regulatory compliance; Improves ROE and shareholder value

Case study: Microsoft’s risk intranet is central to their ERM program
Background
American software giant initiated its ERM program in 1994
Mike Brown, CFO: “The web is an incredible opportunity to take costs out of your model, to provide higher quality services and to be much more informed about company issues.”
Initiated ERM with a comprehensive inventory of risks
Recognized that its insurance strategies only covered 30% of risks
Applied advanced technologies to support risk analysis and communication
Incorporated the expected litigation costs of “repetitive stress injuries” associated with a new keyboard into product pricing

The growing acceptance of ERM is driven by four key forces
Corporate Disasters: Enron; WorldCom; Adelphia; Mutual Funds
Best Practices: Banks; Asset Managers; Energy Firms; Corporations
Regulatory Actions: S.E.C.; Sarbanes-Oxley; Basel II
Industry Initiatives: Treadway Report, US; Turnbull Report, UK; Dey Report, Canada

Companies are faced with an influx of new requirements
Basel II
New accord consists of three pillars: Minimum capital requirements; Supervisory review; Public disclosure
Explicit treatment of operational risk
More granular analyses of credit risk
Sarbanes-Oxley Act of 2002
Section 404: Management assessment of internal controls for financial reporting attestation by auditor
Section 302: CEO/CFO certification of financial statements
Establish criminal penalties for executives and independence requirements of auditors
Other Requirements
SEC/NYSE/NASDAQ corporate governance rules
State attorney general probes
Patriot Act; anti-money laundering and bank secrecy act

A proactive approach to ERM is driven by best practices, not regulations
[Diagram contrasting a Reactive Approach with a Proactive Approach. Labels: CEO; Current state; Benchmarking; Gap analysis; Recommendations; Desired state (best practices or best-in-class practices); Sarbanes-Oxley; Basel II; New industry standards; Governance Requirements; Common themes; Unique standards]

Early adopters of ERM have reported significant and tangible benefits
Benefit | Company | Actual Results
Market value improvement | Top money center bank | Outperformed S&P 500 banks by 58%
Early warning of risks | Large investment bank | Global risk limits cut by 1/3 prior to Russian crisis
Loss reduction | Top asset management company | Loss-to-revenue ratio declined by 30%
Regulatory capital relief | Large commercial bank | $1 billion regulatory capital relief
Insurance cost reduction | Large manufacturing company | 20-25% reduction in insurance premium

[Chart] Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and risk tool usage. Source: PA Consulting Survey of Global Banks

Discussion outline: Key trends and requirements; Best practices and practical applications; ERM in the future

An ERM framework should encompass seven key building blocks
1. Corporate Governance: Establish top-down risk management
2. Line Management: Business strategy alignment
3. Portfolio Management: Think and act like a “fund manager”
4. Risk Transfer: Transfer out concentrated or inefficient risks
5. Risk Analytics: Develop advanced analytical tools
6. Data and Technology Resources: Integrate data and system capabilities
7. Stakeholders Management: Improve risk transparency for key stakeholders

The enterprise risk management process
ERM Foundations: Senior management and board participation (“tone from the top”); Governance structure; Resource allocation; Culture, principles, and values; ERM framework and policies; Linkage to strategy, performance measurement and incentives; Organizational learning
Risk Identification and Assessment: Top-down assessments; Barriers to strategic and financial goals; Executive team CSAs; Bottom-up assessments; Barriers to business, customer, and product goals; Business unit CSAs; Functional unit CSAs; Independent assessments; Internal audit; External audit; Regulators; Customers; Other stakeholders
Risk Measurement and Reporting: ERM dashboard; Earnings volatility; Key risk metrics; Policy compliance; Real-time event escalation; Drill-down capabilities; Scenario analysis; Historical; Managerial; Simulation-based; Disclosure; Board reporting; External reporting
Risk Mitigation and Management: Policy enforcement; Value-based growth and restructuring strategies; Risk transfer strategies; Contingency planning and testing; Event and crisis management

An ERM system should address all risk types, qualitative and quantitative data, and risk monitoring and management applications
[Diagram labels: Internal and External Data; Data Mining; Risk “Pillars” (Credit Risk, Market Risk, Business Risk, Operational Risk); ERM Dashboard]
Basic ERM applications: Executive reporting; Key risk indicators; Loss/incident tracking; Control self assessments; Early warning indicators; Risk mitigation projects tracking; ERM content management
Advanced ERM applications: Risk transfer; Economic capital; Scenario analysis; Shareholder value management

Characteristics and sources of effective key risk indicators
Characteristics of Key Risk Indicators:
Reflect objective measurement
Track in time series against standards or limits
Be useful – support business decisions and actions
Balance of leading and lagging indicators
Timely and cost effective
Incorporate risk drivers: Exposure; Probability; Severity; Correlation
Can be benchmarked internally or externally
Tie to objectives, risk owners, and risk categories
Simplify risk without being simplistic
Be quantifiable – $, %, #
Sources:
Strategies/Objectives: Business plans; Management goals; Performance metrics
Regulations & Policies: Legal requirements; Regulatory standards; Policy limits
Losses & Incidents: Actual losses; Incidents; Industry data
Stakeholder Requirements: Customers; Vendors; Other

An ERM dashboard should address five key questions for senior management
Are any of our strategic, business, and financial objectives at risk?
Are we in compliance with policies, limits, laws, and regulations?
What risk incidents have been escalated by our risk functions and business units?
What key risk indicators and trends require immediate attention?
What are the risk assessments that we should review?

Example: monthly risk report
[Report template with three sections. Gross Losses: accounting for actual losses incurred, with Current and YTD columns for Operational Losses, Credit Losses, Market Losses, Other Losses, Sub-Total, and Loss/Revenue Ratio. Risk Incidents: reporting of risk incidents, exposures, and near misses, with columns Incident, Exposure, and Response. Management Assessment: management discussion of major risk issues (“what keeps me up at night”). Chart: Losses, 1992 to Q1 97.]

Example: monthly risk report (cont’d)

Case study
Background: $1 trillion of assets under management; Private company; Decentralized business culture
3-Year ERM Program: Organized Global Risk Forum; Implemented annual Global Risk Review; Automated loss accounting; Developed ERM framework; Implemented intranet-based Global Risk MIS; Experienced significant reduction in loss ratio

Basic risk management processes can lead to significant improvements
[Diagram labels: Education; New associates; Management; Business/Operational processes; Best practices; Lessons learned; Actual Loss Experience; 85% Decline; Risk Event Log (columns: Event, Loss, Root Causes, Controls Needed); Risk Metrics; Goal; MAP]
Post Operational Risk polling question: “Does your company have an operational risk program?”

ERM requires balancing the hard and soft side of risk management
Hard Side: Measures and reporting; Risk oversight committees; Policies & procedures; Risk assessments; Risk limits; Audit processes; Systems
Soft Side: Risk awareness; People; Skills; Integrity; Incentives; Culture & values; Trust & communication

A company’s “risk culture” provides the foundation of its ERM program
Definitions of “risk culture”
In a typical risk culture, people will do the right things when risk policies and controls are in place
In a good risk culture, people will do the right things even when risk policies and controls are not in place
In a bad risk culture, people will not do the right things regardless of risk policies and controls

Case study
Background: New capital markets business; Traders hired from foreign bank; Aggressive business and growth targets
2-Year ERM Program: Established risk policies and systems; Instilled risk culture; Survived “Kidder” disaster; Captured 25% market share with zero policy violations; Recognized as best practice

Hallmarks of success in ERM
Engaged senior management and board of directors
Established policies, systems, and processes, supported by a strong risk culture
Clearly defined risk appetite with respect to risk limits and business boundaries
Robust risk analytics for intra- and inter-risk measurement, summarized in an “ERM dashboard”
Risk-return management via integration of ERM into strategic planning, business processes, performance measurement, and incentive compensation

Discussion outline: Key trends and requirements; Best practices and practical applications; ERM in the future

Ten predictions on the future of enterprise risk management
1. ERM will become the industry standard
2. CROs prevalent in risk-intensive companies
3. Audit committees will evolve into risk committees
4. Economic capital in; VaR out
5. Risk transfer executed at enterprise level
6. Advanced technologies key to advancement
7. A measurement standard will emerge for operational risk
8. Risk-based or economic reporting becomes standard
9. Risk becomes part of corporate and college programs
10. Salary gap among risk professionals continues to widen

The role of a Chief Risk Officer
Must have!
Evangelist → Motivate
Leader → Change
Steward → Control
Consultant → Help
Technician → Teach
Nice to have

What makes a good CRO?
Organizational and leadership skills to effect change
Communication skills – “to simplify without being simplistic”
Technical skills in credit, market, and operational risk
Judgment to balance business and risk requirements
Courage to push back and “say no”
High EQ (emotional quotient) in addition to high IQ
Ultimate CRO test: ability to integrate risk management into strategic planning and day-to-day business processes

ASSE defined functions for safety professionals
Anticipate, identify and evaluate hazardous conditions and practices
Develop hazard control methods, procedures and programs
Implement, administer and advise others on hazard controls and hazard control programs
Measure, audit and evaluate the effectiveness of hazard controls and hazard control programs

Role for safety professionals in enterprise risk management
Promote awareness of hazard risks, as well as the interdependencies with other key risks
Integrate hazard risks into control self assessments and audit findings
Develop key risk indicators and management dashboards for hazard risk
Participate in ERM initiatives to mitigate and manage enterprise-wide risks