Operational Risk---Managing and Measuring The Chief Risk Officer July 2002

Date posted: 19-Dec-2015

Category: Documents

Page 1: Operational Risk---Managing and Measuring The Chief Risk Officer July 2002 Mcharron@deloitte.com 860.543.7337.

Operational Risk---Managing and Measuring

The Chief Risk Officer

July 2002

Mcharron@deloitte.com

Deloitte & Touche 2

Introduction

To better understand the evolution of risk management and the development of the Chief Risk Officer function

To share our Point of View on emerging trends in Risk Management and the Risk Intelligent Organization

A large number of companies in search of similar ideas and solutions

Share what we are hearing and incorporate our thoughts to validate or enhance the direction that the financial services industry is pursuing

CAS definition of ERM

The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders

Why is integration required?

• Risks are often interrelated but are being managed as single impact events.

• Organizational complexity and ineffective communication processes result in an incomplete or incorrect understanding of risks actually faced.

• Varying levels of risk appetites exist across an organization – Are managers taking on risk levels consistent with the expectations of executives? How much risk does the organization have the capacity to take on?

• Opportunities to offset unrelated risks within the organization are not taken advantage of.

• Lack of learning from common risk management practices and experiences.

What is Enterprise Risk Management?

A systematic and disciplined way to:

Identify, assess and prioritize the major risks associated with the organization’s key values and corporate goals

Gather risk intelligence about current operations and future growth opportunities within and across the extended enterprise

Install a risk infrastructure that is appropriate to the enterprise and the volatility of its business

Integrate risk intelligence into decision-making across the organization

Identify inter-dependencies and correlations across risks and specializations

Establish early warning and rapid response systems

Provide assurance that key risks and exposures are understood, appropriately mitigated and cost-effectively controlled

Common Needs

Organizations today are challenged with a set of common needs as well as those unique to their organization.

All organizations must manage risk whether or not they choose to do so systematically

Chaotic environment / post Sept 11

Risk and risk management are “top of mind” for everyone

Board does not know what to expect from senior management re: risk management

Need “Risk Intelligence” for better decision-making and governance

Risk exposures increase as interconnectedness and interdependencies increase

Organizations need to be able to understand interrelatedness, correlations and domino effects of risks

Increasing scrutiny from key stakeholders

A new approach is required because of weaknesses in traditional approaches – need to protect profitability from existing operations (Assets in Place) as well as grow future opportunities

Common Questions

CEO:

What unforeseen events might disrupt our strategy?

CFO:

What risks could materially impact our financial results?

How much capital do I need?

Board/Audit:

How are we managing business risks?

How are we assured they are being managed appropriately?

What are the results? What assurance do we have?

General Counsel:

What could we do to further minimize our legal liabilities?

Chief Actuary:

How much risk am I allowed to take?

What is our corporate risk appetite?

Chief Underwriter:

How much aggregation risk am I exposed to?

Does the current risk management strategy adequately capture the key risks?

Rating Agencies:

How well does senior management understand risk?

How great is management’s risk awareness?

What is their ability to manage risks as they emerge?

Why Do It?

No big mistakes

• Avoid unrewarded risks

• Establish a common understanding and language of risk across business units

No big surprises

• Establish safeguards against earnings-related surprises

• Prevent / rapidly respond to potential catastrophic failures

No big missed opportunities

• Ensure strategic and tactical risks are both rewarded and appropriately mitigated

• Maximize chances of success of business plan goal achievement

Improve ability to anticipate change

• Early warning signals

• Everyone is alert to risk causes and effects

• Forward looking approach to managing risk

Accelerate ability to respond to change

• Improved, faster decision-making

• Better informed choices, clear rationale and less uncertainty

• More organizational learning – less chance of repeat problems in other areas

D&T’s Point of View

Evolution of Risk Management

[Figure: Enterprise Risk Management diagram. Labels: Strategic; Economic; Insurance; Business; Process; Culture; Strategic Risk Management; Capital Markets/Treasury Risk; Market Risk, Liquidity Risk; Analytics & Modeling; Credit Analytics; Property, Casualty, Liability; Risk Management; Multi-line, Multi-risk Insurance Products; Asset Protection; Operations; Compliance; Financial Internal Control; Profit Recovery; Corporate Ethics; Corporate Compliance; Operational Risk Management; Internal Audit; Physical & Information Security; Inter-dependencies; Integration; Offsets; Correlations; Domino Effects.]

D&T’s Point of View

Evolving Role and Responsibility of the Chief Risk Officer

“… risk management will begin to act as a kind of central nervous system for the financial institution, with ‘nerves’ relaying information back and forth and warning of potential hazards, as well as ‘brains’ performing high-level risk calculations on enterprise-wide data. These functions will work tightly together - and be constantly aware of what is going on in the rest of the institution.”

Risk Professional March 2000

Why a Chief Risk Officer?

Assure continuity and consistency in risk management with a single organizational unit that bears direct responsibility for directing the organization’s entire risk management process.

Provide a solid foundation for developing and implementing a successful risk management strategy, process and culture.

Centralize risk management to ensure that a common risk framework, policies, and measurement methodologies are implemented and sustained:

Provide senior management and decision-makers a clearer, more consistent and complete view of the organization’s risks and its readiness to manage them

Enable the company to make better cost/benefit decisions in its risk management and mitigation efforts

Increase board and management confidence that its current operations and facilitates proactive thinking about future risks.

The role of the CRO

Developing a common risk management strategy and instilling a consistent level of risk awareness throughout the company.

Provide the focal point for risk management strategy development, deployment and communication.

Should have close reporting ties to the CFO, CEO and the board of directors and have direct reporting from the heads of the major risk management disciplines (e.g. Internal Audit, Ethics, Compliance, Legal, Health & Safety, Loss Prevention, etc.).

Risk committees developed within the organization typically report to the CRO. This includes the IT function, internal audit, market risk, credit risk, insurance, ethics, and strategy.

The role of the CRO

Responsible for:

maintaining an awareness of risk issues throughout the organization

developing a risk management strategy and setting risk policy

measuring risk, reporting exposures, and proactively thinking about operational and other related risk

Should not be responsible for the day-to-day performance of risk management activities or for directing or managing business operations or administrative areas.

Actively managing and mitigating risk on a day-to-day basis remains the responsibility of each business unit manager and staff person.

The role of the CRO

The primary core functions necessary for success depend on the industry

Skills vary by corporate objectives and strategies.

Typically, CROs have strong skills and experience in market and credit risk. This is primarily due to the strong influence of CRO positions in the financial and utility industries.

There is a growing trend for CROs to possess a strong operational risk perspective.

The CRO typically is a member of risk governance and approval committees and has authority for specific risk management policies, such as strategic and operational risk.

The CRO is the one who is trusted to make decisions about how the organization’s various risks tie to its strategy and initiatives.

Building Blocks for Effective Risk Management & Control

[Figure labels: Assets-in-Place; Future Growth; Value; Operations; Strategy; Tactics]

D&T’s Point of View

Intangibles Matter More Than Tangibles

Share value has two major components

Assets in Place

Profitability from current operations = tangible

Future Growth Opportunities

Intangibles – people, relationships, brands, reputation

Drive the multiples of valuation

Anything associated with the word “NEW”

The market disproportionately rewards Future Growth Opportunities

It under-rewards the growth of Assets in Place and severely punishes any deterioration

D&T’s Point of View

The Risk Intelligent Organization

Organizations are increasingly seeking risk as a source of competitive advantage to exploit the upside and protect the downside

Success demands excellent risk management as a core competency

More and more organizations are demonstrating a desire to become Risk Intelligent

Risk intelligence is the ability to think and learn about outcomes - it is how an organization gathers information, analyses, applies and then learns from the results

Risk intelligence requires effective systems, information and timely reporting to enable organizational learning and successful adaptation – a “risk nervous system”

D&T’s Point of View

The Risk Intelligent Organization

Characteristics of the Risk Intelligent Organization:

Risk analysis is built into the decision-making process

There is a systematic process for identifying, assessing and prioritizing business risks

There is an appropriate risk infrastructure to support sustainable risk management capability

D&T’s Point of View

Assessing Risk Intelligence

Our definition of risk includes strategic, tactical, and operational risks (not just financial and accounting or insurance)

Our risk identification process adequately addresses current operations as well as future growth opportunities

We make appropriate use of qualitative and quantitative assessment methods

We have established our risk tolerance policy applicable to all areas of the company

We apply a consistent company-wide risk–reward trade-off rule to all of our decisions

Risk assessment and prioritization are integral parts of the organization’s business planning, budgeting, capital allocation, and audit planning processes.

The Board, Audit Committee or Executive are asking broader questions about risk and exposure e.g., strategic and tactical not just operational

Senior management and board members are promptly informed of issues that may have a significant impact on risk management and control.

We have appropriate oversight of the key risks faced by the company.

Risks, controls, and exposures are systematically reviewed at intervals that are appropriate to the volatility of our organization’s business conditions.

Timely and reliable information is available to personnel to manage the risk inherent in current and future growth objectives.

Our disaster recovery plan enables us to be up and running within 24 hours or less.

We have clearly defined metrics and early-warning indicators to identify when risk thresholds are about to be exceeded.

We use appropriate risk-based valuation methodologies to assess current operations and future growth opportunities.

Credit risk is coordinated and integrated across the entire organization

Risk / reward calculations are an explicit part of our decision model.

Risk / reward trade-offs are systematically evaluated from a portfolio perspective

When a risk occurs, the organization systematically conducts reviews to identify and correct root causes.

The organization follows up to ensure that mitigation strategies and corrective actions are effective.

Risk-management and internal-control best practices are shared to accelerate organizational learning.

Risk management is accepted as an integral part of everyone’s job

There are effective processes in place for communicating and managing change

Authority, responsibility and accountability are clear.

We trust each other and communicate openly about our objectives and risks.

We understand what is expected of us and the scope of our freedom to act.

D&T’s Point of View

The Risk Intelligent Organization

Step 1. Building the Risk-based Decision Model

Risk Decision Analysis

Gap analysis between existing & required

Common process with local application

Migration Model

Step 2. Assessing Business Risks

Risk Prioritization Methodology

Risk Identification / Risk Assessment / Risk Prioritization

Risk Alignment to Corporate Strategy

Step 3. Assessing Risk Infrastructure

Governance / Control / Information Technology / Valuation and Risk Measurement / Credit / Accounting and Disclosure

Gap Analysis between existing and industry leading practices

D&T’s Point of View

Generic Risk Framework

Proprietary Information: This presentation contains concepts, ideas and materials which are proprietary and may not be used, copied, provided to others or referred to without the express written permission of Deloitte and Touche. This presentation is incomplete without the accompanying discussion.

Example Risk Categories

Business Strategy & Organization

General Business Conditions

Operations

Financial

Information Technology

Asset Management

Regulatory & Legal

Political

Stakeholder Relations

Human Resources

Public Safety & Environmental

Customer Value

Supplier Relations

Distribution & Dealer Relations

Joint Ventures / Alliances

Accounting & Disclosure

Credit Insurance

Safety & Security

Business Continuity

E-business

Competitors

Ethics

Compliance

D&T’s Generic Risk Framework