Risk Governance – Evolving beyond the traditional ‘Three lines of defense’ model – Implications for Internal Audit

Leon Bloom, Partner, lebloom@deloitte.ca

May, 2015

Agenda

– Emerging risk governance requirements – Context and expectations
– Current practices in risk governance – Issues, challenges and shortcomings
– Guiding principles – Roles, responsibilities and accountabilities
– Guiding principles – Policies, processes and practices
– Three lines of defense – Definition vs. effective application and the case for redesign
– Aligning the risk governance model with the business model and risk and capital management processes
– Structures for risk taking, risk oversight, risk assurance (Internal Audit) and board oversight
– The business case for transition, challenges and benefits

Among other things, regulators are giving emphasis to four high priority areas

– The inherent riskiness of the business model – Where and how are earnings generated, is there an extreme or concentrated dependency on a particular source or sources, and how is the associated risk(s) articulated and addressed/mitigated?
– Tail risk – Has a competent process been established to identify tail risks, and have the risks been objectively and realistically assessed rather than underestimated?
– Risk Governance – How well defined and embedded is the risk governance model? Is the assurance function (Internal Audit) being used as a management control or as a substitute for quality assurance and peer review practices by risk taking areas and the risk management function? Does the governance model in practice align with and support the principles of a sound risk management and control culture?
– Operating culture – The degree of awareness, attitudes, and behaviors of an organization’s employees toward risk and how risk is managed within the organization. Risk culture is a key indicator of how widely an organization’s risk management policies and practices have been adopted.

Risk governance requirements

Emerging risk governance requirements

The significantly changed environment resulting from the continuing global financial crisis has resulted in a ‘higher hurdle’ of regulatory requirements and Board expectations pertaining to the timeliness and quality of risk information, and the robustness of risk management processes and practices.

Governance
Increased emphasis on a clear, transparent risk governance model
– Clear accountability, role and responsibility structures and segregation of duties, as in the so called ‘three lines of defense’ model

Closer alignment of risk and business considerations
Many global institutions are visibly benefiting from having an enterprise-wide risk management function
– The CRO works closely with other senior executives to strengthen the management of the business, by explicitly incorporating consideration of risk into decision-making and performance measurement

Holistic risk governance approach
Driven by the need to generate suitable investor returns in the face of greatly increased regulatory capital requirements, some organizations are pursuing risk optimization, which requires a foundation of strengthened financial governance
– Closer alignment/harnessing of synergies between the functions involved in risk management and risk measurement, capital management, financial performance measurement and management, and tax

Risk governance – Challenges

Governance observations
– Roles, responsibilities and accountability are often unclear
– Second and third line functions are being used as management assurance and quality control functions
– Communication paths are not defined
– Committee structures, responsibilities and mandates lack clarity
– Objectives and the target end state for ERM are unclear
– Insufficient focus and time spent discussing risks across the organization
– Monitoring fails to identify risk conditions and provide a competent understanding of exposure status
– ERM programs are often not dynamic and fail to proactively identify and adapt to unexpected events

ERM is a continuous activity that aggregates and integrates risk management activities in order to better optimize risk-adjusted returns:
– A common framework to manage all types of risk
– Providing accountability and transparency
– Supports decision making and capital management decisions
– Relative to institution-wide business strategies and objectives

Guiding principles – Roles and responsibilities

– The governance model should promote transparency of accountability, communication, decision making, and information flows
– Decisions and accountability should reside with individuals, not committees, wherever possible
– Business areas retain accountability for managing their own risks – That responsibility is not ‘transferred’ to the risk oversight function
– All classes of risk should have clearly assigned responsible/accountable parties in the governance model (e.g., should not be purely focused on product risk)
– Decisions should be made with appropriate consideration of the ‘enterprise’ impact – not just the impact of individual lines
– Risk governance structure should clearly reflect the roles and interaction with pricing, underwriting, reserving, and other critical, interdependent functions
– The structure should enable risks to be appropriately considered and factored in to broader business decisions
– Should clearly articulate the requirements for independent assurance (e.g., Independent Audit)

Guiding principles – Processes and policies

– Risk governance must be supported and enabled by explicit policies with transparent accountabilities and authorities
– The governance processes should be as streamlined as possible, avoiding unnecessary levels of decision-making bureaucracy
– Risks should ‘aggregate’ and integrate at the appropriate level of governance, including cross line, cross business unit, enterprise; the governance model should include ‘owners’ of the aggregated risk at each level within an aggregation hierarchy
– Monitoring process must be clearly articulated in the governance model (including responsibilities, frequency, etc.)
– Governance must be linked to a philosophy/vision/or governing objective at the top
– Governance should enable making risk management processes proactive rather than reactive
– The governance model should not be static – it should be re-evaluated every year to ensure appropriate evolution

The evolution of the ‘lines of defense’ model

A risk governance framework helps clarify oversight responsibilities by establishing a common foundation

A risk governance framework provides the foundation for oversight and for establishing the necessary ‘checks and balances’ regarding risk taking.

The framework provides a design for the governance infrastructure and governance operating model. The top part of the framework depicts areas where the responsibility of the board is typically heightened.

Measuring the risk and control culture

A focused assessment is needed to fully understand an organization’s current Risk Culture and to track progress of cultural change.

Risk practices maturity model

Maturity Model Levels

– ‘Unaware’ – It is a characteristic of the processes/practices at this level that they are either non-existent, not implemented, or not commonly/clearly defined; they lack a formal process, and the enterprise is not conscious or aware of their importance.
– Fragmented – It is a characteristic of the processes/practices at this level that they are at the starting point or are inconsistent across various business lines. The processes/practices exist in silos, or are defined differently at different levels, and are not considered important within the enterprise.
– Integrated – It is a characteristic of the processes/practices at this level that they are defined, documented and communicated to the entire enterprise. The processes/practices mostly exist at the enterprise level but are not implemented, leveraged or embraced across the enterprise.
– Comprehensive – It is a characteristic of the processes/practices at this level that they are mature, widely adopted and understood, repeatable, clearly defined, well-documented and aligned with an enterprise’s risk management framework. The processes/practices are consistent, effective and widely applied across the enterprise.
– Optimized – It is a characteristic of the processes/practices at this level that they are well entrenched in business as usual, and the focus is on continually improving them. The processes/practices are at the optimum level and the enterprise is able to sustain or strengthen them.

Three lines of defense – Issues and challenges

Board of Directors & Senior Executive Management – receive assertions on status of risk exposure

1st line – Business Unit Management and Staff
– Risk identification and assessments
– Actions to exploit, reduce, transfer, or avoid risk
– Provide assertions on risk exposure for each business unit or functional area within NFS

2nd line – Risk Management
– Policies, governance and information flow
– Risk assessment methods
– Measurement, aggregation rules and tools
– Monitor risk exposure status and report to Board

3rd line – Internal Audit (validation & assurance reporting)
– Validation of controls
– Objective review of risk management process
– Assurance to senior executive management and Board on assertions of risk exposure

Flows shown in the diagram: Enable, Assure, Report, Assert (assertions on status of risk exposure)

Evolution of the three lines of defense

Columns of the matrix:
– Line of Business (1st line of defense): Day to day management & risk control
– Risk & Compliance (2nd line of defense): Risk policies, methodologies & oversight
– Internal Audit (3rd line of defense): Independent assurance

Risk management framework

Risk appetite & strategy
– 1st line: Adheres with defined processes and complies with limits
– 2nd line: Monitors compliance with regulatory requirements; supports the business in the development of a risk appetite and strategy
– 3rd line: Independent monitoring of articulation of risk appetite and organizational compliance with limits framework

Risk management policies
– 1st line: Executes tasks adhering to policies; provides feedback on the controls and policies in place
– 2nd line: Input to the business to develop and maintain policies; monitors compliance; develops and enforces risk governance model
– 3rd line: Independent monitoring of compliance with policies

Risk management methodologies
– 1st line: Develops business processes, controls and policies aligned with the risk appetite (e.g. underwriting guidelines, trading policies); executes tasks adhering to policies defined; provides feedback on the controls and policies in place
– 2nd line: Defines the risk controls and processes; monitors effectiveness of controls and residual risk; monitors ongoing application & operation of methodologies; manages risk IT systems
– 3rd line: Independent review of appropriateness of and compliance with controls and processes; tests implementation of any changes to methodologies

Risk management reporting
– 1st line: Provides input for risk reporting; implements reporting framework
– 2nd line: Develops and maintains reporting framework; implements reporting framework; monitors data accuracy; monitors risk reporting trends and issues
– 3rd line: Independent monitoring of the risk reporting framework; tests implementation and data accuracy

Risk capital calculation & allocations
– 1st line: Provides capital adequacy calculation inputs; defines the capital model and allocation process and tools
– 2nd line: Supports the business in the design of the capital model; completes regular risk model validation; monitors capital adequacy
– 3rd line: Provides independent assurance for the Board and senior management on assertions of risk exposure; tests implementation of model

Regulatory change
– 1st line: Identifies and assesses relevant regulatory changes; supports any updates required; monitors execution of change
– 2nd line: Reviews the impact of regulatory requirements to processes, policies and controls
– 3rd line: Tests implementation of process, policy and control

Side text of the matrix (rotated in the original, in the order extracted):
– Regular risk model monitoring, peer or management compliance reviews of policies and controls, regular status reporting, monitors risk profile, effectiveness of controls & residual risk, monitors & ensures capital adequacy, ensures data accuracy, implements controls and reporting framework, reviews the impact of regulatory requirements to processes, policies and controls
– Completes regular risk model validation, annual reviews of policies and controls, addresses escalated risks, reviews and challenges risk appetite considering emerging risks and change in risk profile, reviews policies regularly to ensure alignment with business strategy, ensures regulatory changes are developed and implemented in a timely manner
– Quality assurance review for internal controls, reviews compliance results, reviews overall approach to regulatory changes, peer review/periodic self assessment on the effectiveness of internal audit

Executive Management: Reviews and updates risk appetite and strategy, processes, risk model and reporting framework

The Board of Directors: Reviews and approves risk appetite, processes, risk model and reporting framework

Risk taking structure – Key Objectives & Responsibilities

Board of Directors
– Overall accountability for the enterprise risk profile
– Delegates responsibility for risk management to Senior Management/Executive Management Committee
– Approves overall risk appetite and the philosophy on risk taking

Executive Management Committee
– Ultimately responsible for accepting the risks taken by the businesses within the context of defined risk appetite and philosophy on risk taking
– Responsible for ensuring the proper management of those risks taken by the businesses

Business/Functional Head
– Responsible for the management and control of risks assumed by business unit or functional areas in accordance with approved risk appetite and limits

Business Leadership Groups
– Forum for discussing and deciding on appropriate risk taking strategy in accordance with constraints established by the risk oversight structure
– Responsible for evidencing the ‘in control’ status of the risks assumed by the businesses

Individual Risk Takers
– Risk taking as governed by approved risk appetite and limits

Risk oversight structure – Key Objectives & Responsibilities

Board of Directors
– Overall accountability for the enterprise risk profile
– Delegates responsibility and authority for risk management to Senior Management/Executive Management Committee
– Approves overall risk appetite and the philosophy on risk taking

Executive Management Committee
– Ultimately responsible for accepting the risks taken by the businesses within the context of the approved risk appetite and risk philosophy
– Responsible for ensuring the effective management and control of risk by the business

Enterprise Risk Management Committee
– Establishes risk management policy and recommends to the Executive Management Committee prior to submission to the Board for approval
– Provides oversight of risk identification, assessment, mitigation and exposure status monitoring, supporting analysis, and risk issue escalation/resolution
– Serves as a risk ‘clearing house’ and forum for the evaluation of enterprise risk issues
– Monitors the exposure status of the enterprise risk profile and reports to Senior Management and the Board

Individual Business ‘CRO’ or Risk Leads
– Responsible for ensuring that individual business unit or functional risk governance structures are effective in accordance with Board, Senior Management, and Enterprise Risk Management Committee mandates
– ‘Owns’ development and implementation of risk policy, processes and practices for individual business units or functional areas
– Monitors exposure status of the risk profile of the business, and reports to the Enterprise Risk Management Committee

Matrixed Risk Management Staff/Corp ERM
– Performs information aggregation, reporting, and analysis to support the risk governance structure

Risk assurance structure, i.e. Internal Audit – Key Objectives & Responsibilities

Board of Directors
– Overall accountability for the enterprise risk profile
– Delegates responsibility for risk management to senior management, i.e. to the Senior Executive Management Committee
– Approves overall risk appetite, authority for risk taking and philosophy on risk taking
– Reviews and challenges assertions by management on the exposure of the risk profile

Audit and/or Risk Committee of the Board
– Reviews and approves governing policies and limits with respect to risk management and risk taking
– Reviews and challenges assertions regarding the risk profile and its exposure status that are provided by management, the risk management function and internal audit
– Engagement and oversight of independent auditors
– Oversight of financial reporting activities
– Oversight of Internal Audit function

Internal Audit and Compliance
– Periodic validation of control and compliance with laws, regulations and governing internal policies (Internal Audit)
– Periodic validation of risk management processes (Internal Audit or external expert review(s))
– Periodic assurance to senior executive management and Board on assertions regarding risk exposure (Internal Audit)
– Identify and communicate regulatory compliance policies and expectations (Compliance)

Governance and culture

How effective is an organization’s governance and how ethical and risk intelligent is its operating culture?

Dimensions of the ‘Governance and Culture’ assessment:
– Organization Model
– Communication and Awareness
– Reporting and Monitoring
– People
– Training
– Performance Management

Governance and culture – Organizational model characteristics

Maturity levels: Unaware, Fragmented, Integrated, Comprehensive, Optimized

Board governance structure
– Unaware: The Board and its committees do not have a defined governance structure to oversee enterprise wide risk management
– Fragmented: Some of the Board's committees have written charters that include risk management roles and responsibilities of those committees
– Integrated: The Board has written and detailed Board approved corporate governance guidelines and its committees have charters that explicitly include their risk management roles and responsibilities, but these guidelines have not been communicated throughout the enterprise
– Comprehensive: The Board has written and detailed Board approved corporate governance guidelines and its committees have charters that explicitly include their risk management roles and responsibilities, which have been communicated throughout the enterprise
– Optimized: The Board has written and detailed Board approved corporate governance guidelines and its committees have charters that explicitly include their risk management roles and responsibilities, and these guidelines are clearly communicated and understood throughout the enterprise

Executive-level risk consideration
– Unaware: Lacks a structured executive-level risk committee in the enterprise
– Fragmented: A few senior executives have limited consideration for the risk of action or inaction as part of their core decision making processes
– Integrated: A few senior executives periodically request information from management when they consider the risk of action or inaction as part of their core decision making processes
– Comprehensive: Appropriate senior executives systematically consider the risk of action or inaction as part of their core decision making processes
– Optimized: The executive-level risk committee holistically analyzes key factors and considers the risk of action or inaction as part of the core decision making processes

Roles, responsibility and delegation of authority
– Unaware: Roles, responsibility and delegation of authority of the governance structure have not been clearly defined
– Fragmented: Discrete roles, responsibility and delegation of authority have been defined for a limited set of risks as a part of the governance structure
– Integrated: Clearly defined roles, responsibilities and delegation of authority for risk management exist at the top but have not been embraced broadly as part of the governance structure
– Comprehensive: Well defined and delineated roles, responsibility and delegation of authority for developing a governance structure exist throughout the enterprise
– Optimized: Well defined and delineated roles, responsibility and delegation of authority promote collaboration and coordination for developing and sustaining a governance structure and executing on the enterprise's risk management strategy

Enterprise-wide policies, procedures and controls
– Unaware: Enterprise-wide policies, procedures and controls to mitigate risks are lacking
– Fragmented: Enterprise-wide policies, procedures and controls to mitigate risks exist in a discrete and unstructured manner in select silos
– Integrated: Enterprise-wide policies, procedures and controls to mitigate risks are developed and communicated across all business units but not embraced or fully implemented
– Comprehensive: Enterprise-wide policies, procedures and controls to mitigate risks are standardized, communicated and implemented across the organization, and are being used as a part of structured risk management
– Optimized: Enterprise-wide policies, procedures and controls to mitigate risks are constantly reviewed and enhanced, leading to effective and optimized risk management

Definition of risk
– Unaware: Risk has not been commonly defined throughout the enterprise
– Fragmented: Risk is defined differently at different levels in the enterprise
– Integrated: The enterprise has a common definition of risk and it is communicated to the rest of the enterprise using a top down approach
– Comprehensive: The enterprise has a common definition of risk which addresses value preservation and is used throughout the enterprise
– Optimized: The enterprise has a common definition of risk and a clearly articulated risk management strategy, which addresses both value preservation and value creation, is used consistently throughout the enterprise globally

Governance and culture – Communication and awareness characteristics

Maturity levels: Unaware, Fragmented, Integrated, Comprehensive, Optimized

Board expectations about risk management information
– Unaware: The Board does not communicate the expectations about completeness, accuracy and transparency of risk management information to executive management
– Fragmented: The Board inconsistently communicates expectations to siloed business units about completeness, accuracy and transparency of risk management information
– Integrated: The Board periodically communicates expectations to executive management about completeness, accuracy and transparency of risk management information
– Comprehensive: The Board regularly communicates expectations to executive management about completeness, accuracy and transparency of risk management information
– Optimized: The Board proactively communicates expectations to executive management about completeness, accuracy and transparency of risk management information

Tone at the top and culture of risk awareness
– Unaware: The Board has not set the tone for managing risks and the culture of risk awareness does not exist in the enterprise
– Fragmented: The Board sets the tone for managing risks but the culture of risk awareness exists in silos
– Integrated: The Board sets the tone for managing risks and demonstrates a culture of risk awareness but it has not been embraced broadly
– Comprehensive: The Board sets the tone for managing risks and establishes a culture of risk awareness, which is widely adopted and understood throughout the enterprise
– Optimized: The Board sustains and strengthens the risk intelligent tone and promotes a risk intelligent culture

Transparency and visibility into risk management practices
– Unaware: The Board and other governing bodies lack transparency and visibility into the enterprise's risk management practices
– Fragmented: The Board and other governing bodies have limited transparency and visibility into the enterprise's risk management practices
– Integrated: The Board and other governing bodies request and receive periodic updates into the enterprise's risk management practices
– Comprehensive: The Board and other governing bodies receive regular updates on the enterprise's risk management practices
– Optimized: The Board and governing bodies authorize the formation of an executive-level risk committee, with a composition including representatives from all business units or departments, to have transparency and visibility into the enterprise's risk management practices

Assessment of ethical culture and attitudes towards risk
– Unaware: The Board does not assess the ethical culture of the enterprise and attitudes towards risk throughout the enterprise
– Fragmented: The Board performs a limited assessment of the ethical culture of the enterprise and attitudes towards risk
– Integrated: The Board infrequently assesses the ethical culture of the enterprise and attitudes towards risk through a top down approach
– Comprehensive: The Board regularly assesses the ethical culture of the enterprise and attitudes towards risk throughout the enterprise
– Optimized: The Board assesses the ethical culture of the enterprise and attitudes towards risk throughout the enterprise through mechanisms such as employee and vendor surveys on an ongoing basis

Lessons learned
– Unaware: Minimal awareness of lessons learnt in risk related activities
– Fragmented: Lessons learned in risk related activities are identified and communicated in silos
– Integrated: Lessons learned are identified and periodically communicated from the top down
– Comprehensive: Lessons learned are identified and regularly communicated to appropriate personnel
– Optimized: Lessons learned and feedback provided through whistleblower hotlines or other channels are identified and communicated to appropriate personnel on an ongoing basis

Governance and culture – Reporting and monitoring characteristics

Maturity levels: Unaware, Fragmented, Integrated, Comprehensive, Optimized

Monitoring of risk management
– Unaware: Risk management is minimally monitored in the enterprise
– Fragmented: Risk management is monitored through separate and disconnected evaluations in the enterprise
– Integrated: Risk management is monitored through separate evaluations by top management in the enterprise
– Comprehensive: Risk management is monitored through standardized separate evaluations throughout the enterprise
– Optimized: Risk management is monitored through extensive ongoing management activities and separate evaluations throughout the enterprise

Reporting of risk events
– Unaware: Risk events that have high impact and high vulnerability are not reported or minimally reported
– Fragmented: A limited number of risk events that have high impact and high vulnerability are inconsistently reported
– Integrated: Risk events that have high impact and high vulnerability are reported
– Comprehensive: Attention is drawn to risk events other than those that have high impact and high vulnerability
– Optimized: Attention is drawn and resources are advocated to address risk events other than those that have high impact and high vulnerability

Data integrity in reports
– Unaware: Lack of data integrity in the reports
– Fragmented: Limited data integrity in the reports
– Integrated: Moderate data integrity in the reports
– Comprehensive: Adequate data integrity in the reports
– Optimized: High data integrity in the reports due to adoption of technology and a focus on meeting data quality requirements

Limitations of risk metrics and models
– Unaware: Minimal consideration of the limitations of risk metrics and models used in the enterprise
– Fragmented: A few senior executives have limited consideration of the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
– Integrated: A few senior executives consider the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
– Comprehensive: Appropriate senior executives incorporate in risk management procedures the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
– Optimized: The executive-level risk committee explicitly incorporates in its procedures the limitations of risk metrics and models used in the enterprise; limitations are addressed by qualitative means, including expert judgment

Business unit participation in risk oversight
– Unaware: Minimal participation of business units in risk oversight
– Fragmented: Limited participation and accountability of business units in overseeing the risk management program
– Integrated: A few business units are primarily held responsible by management for overseeing the risk management program and provide updates to management
– Comprehensive: Appropriate business units oversee the risk management program and provide regular updates to management
– Optimized: Appropriate business units gather, analyze, aggregate, communicate and report to management on the enterprise's risk management process on an ongoing basis

Page 22: Risk Governance Evolving beyond the traditional ‘Three lines of defense’ model – Implications for Internal Audit Leon Bloom Partner lebloom@deloitte.ca.

Maturity levels: Unaware / Fragmented / Integrated / Comprehensive / Optimized

Learning and consultation:
– Unaware: There is a reluctance to learn from past mistakes when it comes to risks
– Fragmented: Opinions of others are sought only for a segment of risks
– Integrated: Opinions of only the top management are sought for risks
– Comprehensive: There exists a culture of consulting others when in doubt
– Optimized: There is pro-active sharing of best practices

Risk taking:
– Unaware: There is a culture of unnecessary risk taking
– Fragmented: Risk taking is done separately for each of the business units and there is no risk appetite defined
– Integrated: Only the top management takes risks as per the defined risk appetite of the organization
– Comprehensive: Calculated risks are taken and managed, and there is a culture of admitting to having made mistakes
– Optimized: Risks are taken as per the risk appetite of the organization and people are personally accountable for managing risks

Decision making:
– Unaware: Risks from/to actions are not considered in decision making
– Fragmented: Only some risks are considered in decision making
– Integrated: Top management considers a set of risks in decision making
– Comprehensive: All employees follow risk management practices in effectively weighing their actions during decision making
– Optimized: There is a culture of involving risk experts in decision making

Integrity and ethical behavior:
– Unaware: Culture of integrity and ethical behavior is based on individual perceptions
– Fragmented: Culture of integrity and ethical behavior is not pervasive
– Integrated: Culture of integrity and ethical behavior is prescribed by management
– Comprehensive: Business units create an internal environment that is committed to promoting ethical behavior, trust, integrity and accountability
– Optimized: Business units hold individuals accountable for supporting and sustaining a culture of integrity


Governance and culture – People characteristics

22


Maturity levels: Unaware / Fragmented / Integrated / Comprehensive / Optimized

Board training:
– Unaware: The Board receives no training to understand and execute its fiduciary responsibilities for risk oversight
– Fragmented: The Board receives limited training to understand and execute its fiduciary responsibilities for risk oversight
– Integrated: The Board receives occasional training to understand and execute its fiduciary responsibilities for risk oversight
– Comprehensive: The Board receives regular training to understand and execute its risk management responsibilities
– Optimized: The Board receives regular and focused training to understand and execute its risk management responsibilities, such as ethics and fraud awareness training

Training of pertinent individuals:
– Unaware: Provide pertinent individuals with minimal or no training to understand and execute their risk management responsibilities
– Fragmented: Provide pertinent individuals with limited training to understand and execute their risk management responsibilities
– Integrated: Provide pertinent individuals with occasional training to understand and execute their risk management responsibilities
– Comprehensive: Provide pertinent individuals with regular and appropriate training to understand and execute their risk management responsibilities
– Optimized: Have sustainable communication mechanisms internally, such as fraud awareness training and tax risk awareness, to help people understand risks and develop their skills to perform their duties, and externally to seek input from external sources

Governance and culture – Training characteristics

23


Maturity levels: Unaware / Fragmented / Integrated / Comprehensive / Optimized

Inclusion of risk management in performance management:
– Unaware: Risk management is not included in performance management systems
– Fragmented: Risk management has limited inclusion in performance management systems
– Integrated: Risk management is included in performance management systems for management and not at lower levels
– Comprehensive: Risk management is regularly included in performance management systems
– Optimized: Risk management is integrated with performance management systems such as balanced scorecards, Key Performance Indicators, rewards and compensation, and executive performance assessments

Improvement initiatives:
– Unaware: Minimal improvement initiatives resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
– Fragmented: There are individual and inconsistent improvement initiatives resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
– Integrated: There is a high level program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
– Comprehensive: There is a consistent and systematic program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
– Optimized: There is an integrated and detailed program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues

Governance and culture – Performance management characteristics

24


Board level governance considerations

It is critical to consider the most effective design of Board level oversight of risk, including the establishment of Board committees.

Consideration: Audit Committee – Assign risk management review to the Audit Committee
What you have to believe:
– Centralization of risk management review and challenge in a Risk Committee (or Audit and Risk Committee) can promote effective risk oversight, which can be achieved despite other significant committee responsibilities, e.g., financial reporting
– The Audit Committee’s existing responsibilities can provide a solid foundation for comprehensive risk coverage
– All risk management oversight is included among the other duties legally required of the Audit Committee

Consideration: Entire Board – Make risk management review the purview of the entire Board rather than a separate committee
What you have to believe:
– Enterprise risk is an accountability for all Board members, requiring them to be explicitly and directly focused on it vs. it being the focus of a Board sub-committee
– Regular reports to the entire Board will be sufficient to provide overall ERM oversight
– The full Board has the capacity to comprehend and adequately deal with enterprise-wide risk issues
– Regular briefings at full Board meetings on the exposure status of the risk profile, with periodic updates on specific significant risk related issues, i.e. deeper dives

Consideration: Multiple Committees – Segment risk oversight by risk category across distinct Board sub-committees, with an aggregated and integrated view at the full Board level
What you have to believe:
– Separately focused committees are required to achieve adequate coverage of distinct types of risk, e.g. a Credit Committee for credit risk
– The Audit Committee may already be overloaded with other responsibilities; potential overlap with the Audit Committee will be minimal
– Effective Board oversight of the risk profile and its exposure status can be achieved despite a ‘siloed’ Board structure
– Multiple Board committees will review different aspects of the overall risk profile

Consideration: Risk Committee – Establish a Risk Committee of the Board
What you have to believe:
– A single Board committee is dedicated to comprehensive risk oversight
– A Board Risk Committee will have sufficient capacity and technical depth to effectively oversee all categories and types of risk
– It is important to ensure an integrated view of all risk categories and the overall risk profile at the Board committee level
– A dedicated risk committee will evidence an explicit and strong commitment to risk management to external and internal stakeholders and interested parties
– Risk related responsibilities currently resident in other Board committees could be merged into the Risk Committee of the Board

25


The business case for risk governance

– Risk governance should enable:
  – optimized use of capital and resources through their allocation to business areas which will achieve superior risk/reward results
  – improved understanding of interactions and interrelationships between risks
  – improved risk adjusted returns
  – clear accountability or ownership of risk
  – reduced likelihood of unpleasant earnings surprises
  – anticipation of risk, thus minimizing the cost and effort in dealing with it
  – demonstration and evidencing of the “in control” status of significant risks
  – strengthened perceptions regarding governance and risk management by investors, supervisors, rating agencies and others

Risk governance is intended to help improve the odds in taking risk: reducing surprises, optimizing risk and return, and thus improving shareholder value.

26