Risk Governance
Evolving beyond the traditional ‘Three lines of defense’ model – Implications for Internal Audit
Leon Bloom, Partner
May, 2015
Agenda
– Emerging risk governance requirements – Context and expectations
– Current practices in risk governance – Issues, challenges and shortcomings
– Guiding principles – Roles, responsibilities and accountabilities
– Guiding principles – Policies, processes and practices
– Three lines of defense – Definition vs. effective application and the case for redesign
– Aligning the risk governance model with the business model and risk and capital management processes
– Structures for risk taking, risk oversight, risk assurance (Internal Audit) and board oversight
– The business case for transition, challenges and benefits
2
Among other things, regulators are giving emphasis to four high-priority areas
– The inherent riskiness of the business model – Where and how are earnings generated? Is there an extreme or concentrated dependency on a particular source or sources, and how are the associated risks articulated and addressed or mitigated?
– Tail risk – Has a competent process been established to identify tail risks, and have those risks been objectively and realistically assessed rather than underestimated?
– Risk governance – How well defined and embedded is the risk governance model? Is the assurance function (Internal Audit) being used as a management control, or as a substitute for quality assurance and peer review practices by risk-taking areas and the risk management function? Does the governance model in practice align with and support the principles of a sound risk management and control culture?
– Operating culture – The degree of awareness, attitudes and behaviors of an organization’s employees toward risk, and how risk is managed within the organization. Risk culture is a key indicator of how widely an organization’s risk management policies and practices have been adopted.
3
Risk governance requirements
4
Emerging risk governance requirements
The significantly changed environment resulting from the continuing global financial crisis has resulted in a ‘higher hurdle’ of regulatory requirements and Board expectations pertaining to the timeliness and quality of risk information, and the robustness of risk management processes and practices.
Governance
Increased emphasis on a clear, transparent risk governance model
– Clear accountability, role and responsibility structures and segregation of duties, as in the so-called ‘three lines of defense’ model
Closer alignment of risk and business considerations
Many global institutions are visibly benefiting from having an enterprise-wide risk management function
– The CRO works closely with other senior executives to strengthen the management of the business by explicitly incorporating consideration of risk into decision-making and performance measurement
Holistic risk governance approach
Driven by the need to generate suitable investor returns in the face of greatly increased regulatory capital requirements, some organizations are pursuing risk optimization, which requires a foundation of strengthened financial governance
– Closer alignment and harnessing of synergies between the functions involved in risk management and risk measurement, capital management, financial performance measurement and management, and tax
5
Risk governance – Challenges
Governance observations
– Roles, responsibilities and accountability are often unclear
– Second and third line functions are being used as management assurance and quality control functions
– Communication paths are not defined
– Committee structures, responsibilities and mandates lack clarity
– Objectives and the target end state for ERM are unclear
– Insufficient focus and time spent discussing risks across the organization
– Monitoring fails to identify risk conditions and provide a competent understanding of exposure status
– ERM programs are often not dynamic and fail to proactively identify and adapt to unexpected events
– Common framework to manage all types of risk
– Providing accountability and transparency
– Supports decision making and capital management decisions
– Relative to institution-wide business strategies and objectives
ERM is a continuous activity that aggregates and integrates risk management activities in order to better optimize risk-adjusted returns
6
Guiding principles – Roles and responsibilities
– The governance model should promote transparency of accountability, communication, decision making, and information flows
– Decisions and accountability should reside with individuals, not committees, wherever possible
– Business areas retain accountability for managing their own risks – That responsibility is not ‘transferred’ to the risk oversight function
– All classes of risk should have clearly assigned responsible/accountable parties in the governance model (e.g., should not be purely focused on product risk)
– Decisions should be made with appropriate consideration of the ‘enterprise’ impact - not just the impact of individual lines
– Risk governance structure should clearly reflect the roles and interaction with pricing, underwriting, reserving, and other critical, interdependent functions
– The structure should enable risks to be appropriately considered and factored in to broader business decisions
– Should clearly articulate the requirements for independent assurance (e.g., Independent Audit)
7
Guiding principles – Processes and policies
– Risk governance must be supported and enabled by explicit policies with transparent accountabilities and authorities
– The governance processes should be as streamlined as possible, avoiding unnecessary levels of decision-making bureaucracy
– Risks should ‘aggregate’ and integrate at the appropriate level of governance, including cross line, cross business unit, enterprise; the governance model should include ‘owners’ of the aggregated risk at each level within an aggregation hierarchy
– Monitoring process must be clearly articulated in the governance model (including responsibilities, frequency, etc.)
– Governance must be linked to a philosophy, vision or governing objective at the top
– Governance should enable making risk management processes proactive rather than reactive
– The governance model should not be static – it should be re-evaluated every year to ensure appropriate evolution
8
The evolution of the ‘lines of defense’ model
9
The framework provides a design for the governance infrastructure and governance operating model. The top part of the framework depicts areas where the responsibility of the board is typically heightened.
A risk governance framework provides the foundation for oversight and for establishing the necessary ‘checks and balances’ regarding risk taking
A risk governance framework helps clarify oversight responsibilities by establishing a common foundation
10
A focused assessment is needed to fully understand an organization’s current Risk Culture and to track progress of cultural change
Measuring the risk and control culture
11
Maturity Model Levels
‘Unaware’ – It is characteristic of the processes/practices at this level that they are either non-existent, not implemented, or not commonly/clearly defined; they lack a formal process, and the enterprise is not conscious or aware of their importance.
Fragmented – It is characteristic of the processes/practices at this level that they are at the starting point or are inconsistent across various business lines. The processes/practices exist in silos, or are defined differently at different levels, and are not considered important within the enterprise.
Integrated – It is characteristic of the processes/practices at this level that they are defined, documented and communicated to the entire enterprise. The processes/practices mostly exist at the enterprise level but are not implemented, leveraged or embraced across the enterprise.
Comprehensive – It is characteristic of the processes/practices at this level that they are mature, widely adopted and understood, repeatable, clearly defined, well-documented and aligned with the enterprise’s risk management framework. The processes/practices are consistent, effective and widely applied across the enterprise.
Optimized – It is characteristic of the processes/practices at this level that they are well entrenched in business as usual, and the focus is on continually improving them. The processes/practices are at the optimum level and the enterprise is able to sustain or strengthen them.
Risk practices maturity model
12
Three lines of defense – Issues and challenges
Board of Directors & Senior Executive Management
Internal Audit (3rd line) – Validation & assurance reporting
– Validation of controls
– Objective review of risk management process
– Assurance to senior executive management and Board on assertions of risk exposure
Risk Management (2nd line)
– Policies, governance and information flow
– Risk assessment methods
– Measurement, aggregation rules and tools
– Monitor risk exposure status and report to Board
Business Unit Management and Staff (1st line) – Assertions on status of risk exposure
– Risk identification and assessments
– Actions to exploit, reduce, transfer, or avoid risk
– Provide assertions on risk exposure for each business unit or functional area within NFS
Diagram flow labels between the lines: Enable, Assure, Report, Assert
13
Evolution of the three lines of defense
Columns of the slide’s table (the three lines of defense):
– Line of Business (1st line of defense): Day-to-day management & risk control
– Risk & Compliance (2nd line of defense): Risk policies, methodologies & oversight
– Internal Audit (3rd line of defense): Independent assurance
Rows of the slide’s table (risk management framework):
Regulatory change
– Identifies and assesses relevant regulatory changes
– Supports any updates required
– Monitors execution of change
– Reviews the impact of regulatory requirements to processes, policies and controls
– Tests implementation of process, policy and control
Risk capital calculation & allocations
– Supports the business in the design of the capital model
– Completes regular risk model validation
– Monitors capital adequacy
– Provides independent assurance for the Board and senior management on assertions of risk exposure
– Tests implementation of model
– Provides capital adequacy calculation inputs
– Defines the capital model and allocation process and tools
Risk management reporting
– Provides input for risk reporting
– Implements reporting framework
– Develops and maintains reporting framework
– Monitors data accuracy
– Monitors risk reporting trends and issues
– Independent monitoring of the risk reporting framework
– Tests implementation and data accuracy
Risk management methodologies
– Develops business processes, controls and policies aligned with the risk appetite (e.g. underwriting guidelines, trading policies)
– Executes tasks adhering to policies defined
– Provides feedback on the controls and policies in place
– Defines the risk controls and processes
– Monitors effectiveness of controls and residual risk
– Monitors ongoing application & operation of methodologies
– Manages risk IT systems
– Independent review of appropriateness of and compliance with controls and processes
– Tests implementation of any changes to methodologies
Risk appetite & strategy
– Adheres with defined processes and complies with limits
– Monitors compliance with regulatory requirements
– Supports the business in the development of a risk appetite and strategy
– Independent monitoring of articulation of risk appetite and organizational compliance with limits framework
Risk management policies
– Executes tasks adhering to policies
– Provides feedback on the controls and policies in place
– Input to the business to develop and maintain policies
– Monitors compliance
– Develops and enforces risk governance model
– Independent monitoring of compliance with policies
Regular risk model monitoring, peer or management compliance reviews of policies and controls, regular status reporting, monitors risk profile, effectiveness of controls & residual risk, monitors & ensures capital adequacy, ensures data accuracy, implements controls and reporting framework, reviews the impact of regulatory requirements to processes, policies and controls
Completes regular risk model validation, annual reviews of policies and controls, addresses escalated risks, reviews and challenges risk appetite considering emerging risks and change risk profile, reviews policies regularly to ensure alignment with business strategy, ensures regulatory changes are developed and implemented in a timely manner
Quality assurance review for internal controls, reviews compliance results, reviews overall approach to regulatory changes, peer review/periodic self assessment on the effectiveness of internal audit
Executive Management: Reviews and updates risk appetite and strategy, processes, risk model and reporting framework
The Board of Directors: Reviews and approves risk appetite, processes, risk model and reporting framework
14
Risk taking structure
Board of Directors
– Overall accountability for the enterprise risk profile
– Delegates responsibility for risk management to Senior Management/Executive Management Committee
– Approves overall risk appetite and the philosophy on risk taking
Executive Management Committee
– Ultimately responsible for accepting the risks taken by the businesses within the context of defined risk appetite and philosophy on risk taking
– Responsible for ensuring the proper management of those risks taken by the businesses
Business/Functional Head
– Responsible for the management and control of risks assumed by business unit or functional areas in accordance with approved risk appetite and limits
Business Leadership Groups
– Forum for discussing and deciding on appropriate risk taking strategy in accordance with constraints established by the risk oversight structure
– Responsible for evidencing the ‘in control’ status of the risks assumed by the businesses
Individual Risk Takers
– Risk taking as governed by approved risk appetite and limits
Key Objectives & Responsibilities
15
Risk oversight structure
Board of Directors
– Overall accountability for the enterprise risk profile
– Delegates responsibility and authority for risk management to Senior Management/Executive Management Committee
– Approves overall risk appetite and the philosophy on risk taking
Executive Management Committee
– Ultimately responsible for accepting the risks taken by the businesses within the context of the approved risk appetite and risk philosophy
– Responsible for ensuring the effective management and control of risk by the business
Enterprise Risk Management Committee
– Establishes risk management policy and recommends to the Executive Management Committee prior to submission to the Board for approval
– Provides oversight of risk identification, assessment, mitigation and exposure status monitoring, supporting analysis, and risk issue escalation/resolution
– Serves as a risk ‘clearing house’ and forum for the evaluation of enterprise risk issues
– Monitors the exposure status of the enterprise risk profile and reports to Senior Management and the Board
Individual Business ‘CRO’ or Risk Leads
– Responsible for ensuring that individual business unit or functional risk governance structures are effective in accordance with Board, Senior Management, and Enterprise Risk Management Committee mandates
– ‘Owns’ development and implementation of risk policy, processes and practices for individual business units or functional areas
– Monitors exposure status of the risk profile of the business, and reports to the Enterprise Risk Management Committee
Matrixed Risk Management Staff/Corp ERM
– Performs information aggregation, reporting, and analysis to support the risk governance structure
Key Objectives & Responsibilities
16
Risk assurance structure i.e. Internal Audit
Board of Directors
– Overall accountability for the enterprise risk profile
– Delegates responsibility for risk management to senior management, i.e. to the Senior Executive Management Committee
– Approves overall risk appetite, authority for risk taking and philosophy on risk taking
– Reviews and challenges assertions by management on the exposure of the risk profile
Audit and/or Risk Committee of the Board
– Reviews and approves governing policies and limits with respect to risk management and risk taking
– Reviews and challenges assertions regarding the risk profile and its exposure status that are provided by management, the risk management function and internal audit
– Engagement and oversight of independent auditors
– Oversight of financial reporting activities
– Oversight of Internal Audit function
Internal Audit and Compliance
– Periodic validation of control and compliance with laws, regulations and governing internal policies (Internal Audit)
– Periodic validation of risk management processes (Internal Audit or external expert review(s))
– Periodic assurance to senior executive management and Board on assertions regarding risk exposure (Internal Audit)
– Identify and communicate regulatory compliance policies and expectations (Compliance)
Key Objectives & Responsibilities
17
How effective is an organization’s governance and how ethical and risk intelligent is its operating culture?
Reporting and Monitoring
Communication and Awareness
Performance Management
Organization Model
Governance and Culture
Training
People
Governance and culture
18
Unaware | Fragmented | Integrated | Comprehensive | Optimized

Unaware – The Board and its committees do not have a defined governance structure to oversee enterprise-wide risk management
Fragmented – Some of the Board's committees have written charters that include risk management roles and responsibilities of those committees
Integrated – The Board has written and detailed Board-approved corporate governance guidelines and its committees have charters that explicitly include their risk management roles and responsibilities, but these guidelines have not been communicated throughout the enterprise
Comprehensive – The Board has written and detailed Board-approved corporate governance guidelines and its committees have charters that explicitly include their risk management roles and responsibilities, which have been communicated throughout the enterprise
Optimized – The Board has written and detailed Board-approved corporate governance guidelines and its committees have charters that explicitly include their risk management roles and responsibilities, and these guidelines are clearly communicated and understood throughout the enterprise

Unaware – Lacks a structured executive-level risk committee in the enterprise
Fragmented – A few senior executives have limited consideration for the risk of action or inaction as part of their core decision-making processes
Integrated – A few senior executives periodically request information from management when they consider the risk of action or inaction as part of their core decision-making processes
Comprehensive – Appropriate senior executives systematically consider the risk of action or inaction as part of their core decision-making processes
Optimized – The executive-level risk committee holistically analyzes key factors and considers the risk of action or inaction as part of the core decision-making processes

Unaware – Roles, responsibility and delegation of authority of the governance structure have not been clearly defined
Fragmented – Discrete roles, responsibility and delegation of authority have been defined for a limited set of risks as part of the governance structure
Integrated – Clearly defined roles, responsibilities and delegation of authority for risk management exist at the top but have not been embraced broadly as part of the governance structure
Comprehensive – Well-defined and delineated roles, responsibility and delegation of authority for developing a governance structure exist throughout the enterprise
Optimized – Well-defined and delineated roles, responsibility and delegation of authority promote collaboration and coordination for developing and sustaining a governance structure and executing on the enterprise's risk management strategy

Unaware – Enterprise-wide policies, procedures and controls to mitigate risks are lacking
Fragmented – Enterprise-wide policies, procedures and controls to mitigate risks exist in a discrete and unstructured manner in select silos
Integrated – Enterprise-wide policies, procedures and controls to mitigate risks are developed and communicated across all business units but not embraced or fully implemented
Comprehensive – Enterprise-wide policies, procedures and controls to mitigate risks are standardized, communicated and implemented across the organization, and are being used as part of structured risk management
Optimized – Enterprise-wide policies, procedures and controls to mitigate risks are constantly reviewed and enhanced, leading to effective and optimized risk management

Unaware – Risk has not been commonly defined throughout the enterprise
Fragmented – Risk is defined differently at different levels in the enterprise
Integrated – The enterprise has a common definition of risk and it is communicated to the rest of the enterprise using a top-down approach
Comprehensive – The enterprise has a common definition of risk which addresses value preservation and is used throughout the enterprise
Optimized – The enterprise has a common definition of risk and a clearly articulated risk management strategy, which addresses both value preservation and value creation, and is used consistently throughout the enterprise globally
Governance and culture – Organizational model characteristics
19
Unaware | Fragmented | Integrated | Comprehensive | Optimized

Unaware – The Board does not communicate the expectations about completeness, accuracy and transparency of risk management information to executive management
Fragmented – The Board inconsistently communicates expectations to siloed business units about completeness, accuracy and transparency of risk management information
Integrated – The Board periodically communicates expectations to executive management about completeness, accuracy and transparency of risk management information
Comprehensive – The Board regularly communicates expectations to executive management about completeness, accuracy and transparency of risk management information
Optimized – The Board proactively communicates expectations to executive management about completeness, accuracy and transparency of risk management information

Unaware – The Board has not set the tone for managing risks and the culture of risk awareness does not exist in the enterprise
Fragmented – The Board sets the tone for managing risks but the culture of risk awareness exists in silos
Integrated – The Board sets the tone for managing risks and demonstrates a culture of risk awareness but it has not been embraced broadly
Comprehensive – The Board sets the tone for managing risks and establishes a culture of risk awareness, which is widely adopted and understood throughout the enterprise
Optimized – The Board sustains and strengthens the risk intelligent tone and promotes a risk intelligent culture

Unaware – The Board and other governing bodies lack transparency and visibility into the enterprise's risk management practices
Fragmented – The Board and other governing bodies have limited transparency and visibility into the enterprise's risk management practices
Integrated – The Board and other governing bodies request and receive periodic updates on the enterprise's risk management practices
Comprehensive – The Board and other governing bodies receive regular updates on the enterprise's risk management practices
Optimized – The Board and governing bodies authorize the formation of an executive-level risk committee, with a composition including representatives from all business units or departments, to have transparency and visibility into the enterprise's risk management practices

Unaware – The Board does not assess the ethical culture of the enterprise and attitudes towards risk throughout the enterprise
Fragmented – The Board performs a limited assessment of the ethical culture of the enterprise and attitudes towards risk
Integrated – The Board infrequently assesses the ethical culture of the enterprise and attitudes towards risk through a top-down approach
Comprehensive – The Board regularly assesses the ethical culture of the enterprise and attitudes towards risk throughout the enterprise
Optimized – The Board assesses the ethical culture of the enterprise and attitudes towards risk throughout the enterprise through mechanisms such as employee and vendor surveys on an ongoing basis

Unaware – Minimal awareness of lessons learnt in risk related activities
Fragmented – Lessons learned in risk related activities are identified and communicated in silos
Integrated – Lessons learned are identified and periodically communicated from the top down
Comprehensive – Lessons learned are identified and regularly communicated to appropriate personnel
Optimized – Lessons learned and feedback provided through whistleblower hotlines or other channels are identified and communicated to appropriate personnel on an ongoing basis
Governance and culture – Communication and awareness characteristics
20
Unaware | Fragmented | Integrated | Comprehensive | Optimized

Unaware – Risk management is minimally monitored in the enterprise
Fragmented – Risk management is monitored through separate and disconnected evaluations in the enterprise
Integrated – Risk management is monitored through separate evaluations by top management in the enterprise
Comprehensive – Risk management is monitored through standardized separate evaluations throughout the enterprise
Optimized – Risk management is monitored through extensive ongoing management activities and separate evaluations throughout the enterprise

Unaware – Risk events that have high impact and high vulnerability are not reported or minimally reported
Fragmented – A limited number of risk events that have high impact and high vulnerability are inconsistently reported
Integrated – Risk events that have high impact and high vulnerability are reported
Comprehensive – Attention is drawn to risk events other than those that have high impact and high vulnerability
Optimized – Attention is drawn and resources are advocated to address risk events other than those that have high impact and high vulnerability

Unaware – Lack of data integrity in the reports
Fragmented – Limited data integrity in the reports
Integrated – Moderate data integrity in the reports
Comprehensive – Adequate data integrity in the reports
Optimized – High data integrity in the reports due to adoption of technology and a focus on meeting data quality requirements

Unaware – Minimal consideration of the limitations of risk metrics and models used in the enterprise
Fragmented – A few senior executives have limited consideration of the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
Integrated – A few senior executives consider the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
Comprehensive – Appropriate senior executives incorporate in risk management procedures the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
Optimized – The executive-level risk committee explicitly incorporates in its procedures the limitations of risk metrics and models used in the enterprise; limitations are addressed by qualitative means, including expert judgment

Unaware – Minimal participation of business units in risk oversight
Fragmented – Limited participation and accountability of business units in overseeing the risk management program
Integrated – A few business units are primarily held responsible by management for overseeing the risk management program and provide updates to management
Comprehensive – Appropriate business units oversee the risk management program and provide regular updates to management
Optimized – Appropriate business units gather, analyze, aggregate, communicate and report to management on the enterprise's risk management process on an ongoing basis
Governance and culture – Reporting and monitoring characteristics
21
Unaware | Fragmented | Integrated | Comprehensive | Optimized

Unaware – There is a reluctance to learn from past mistakes when it comes to risks
Fragmented – Opinions of others are sought only for a segment of risks
Integrated – Opinions of only the top management are sought for risks
Comprehensive – There exists a culture of consulting others when in doubt
Optimized – There is a proactive sharing of best practices

Unaware – There is a culture of unnecessary risk taking
Fragmented – Risk taking is done separately for each of the business units and there is no risk appetite defined
Integrated – Only the top management takes risks as per the defined risk appetite of the organization
Comprehensive – Calculated risks are taken and managed, and there is a culture of admitting to having made mistakes
Optimized – Risks are taken as per the risk appetite of the organization and people are personally accountable for managing risks

Unaware – Risks from/to actions are not considered during decision making
Fragmented – Only some risks are considered during decision making
Integrated – Top management considers a set of risks during decision making
Comprehensive – All employees follow risk management practices in effectively weighing their actions during decision making
Optimized – There is a culture of involving risk experts in decision making

Unaware – Culture of integrity and ethical behavior is based on individual perceptions
Fragmented – Culture of integrity and ethical behavior is not pervasive
Integrated – Culture of integrity and ethical behavior is prescribed by management
Comprehensive – Business units create an internal environment that is committed to promoting ethical behavior, trust, integrity and accountability
Optimized – Business units hold individuals accountable for supporting and sustaining a culture of integrity
Governance and culture – People characteristics
22
Unaware | Fragmented | Integrated | Comprehensive | Optimized

Unaware – The Board receives no training to understand and execute its fiduciary responsibilities for risk oversight
Fragmented – The Board receives limited training to understand and execute its fiduciary responsibilities for risk oversight
Integrated – The Board receives occasional training to understand and execute its fiduciary responsibilities for risk oversight
Comprehensive – The Board receives regular training to understand and execute its risk management responsibilities
Optimized – The Board receives regular and focused training to understand and execute its risk management responsibilities, such as ethics and fraud awareness training

Unaware – Provide pertinent individuals minimal or no training to understand and execute their risk management responsibilities
Fragmented – Provide pertinent individuals with limited training to understand and execute their risk management responsibilities
Integrated – Provide pertinent individuals with occasional training to understand and execute their risk management responsibilities
Comprehensive – Provide pertinent individuals regular and appropriate training to understand and execute their risk management responsibilities
Optimized – Have sustainable communication mechanisms internally, such as fraud awareness training and tax risk awareness, to help people understand risks and develop their skills to perform their duties, and externally to seek input from external sources
Governance and culture – Training characteristics
23
Unaware | Fragmented | Integrated | Comprehensive | Optimized

Unaware – Risk management is not included in performance management systems
Fragmented – Risk management has limited inclusion in performance management systems
Integrated – Risk management is included in performance management systems for management and not at lower levels
Comprehensive – Risk management is regularly included in performance management systems
Optimized – Risk management is integrated with performance management systems such as balanced scorecards, Key Performance Indicators, rewards and compensation, and executive performance assessments

Unaware – Minimal improvement initiatives resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
Fragmented – There are individual and inconsistent improvement initiatives resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
Integrated – There is a high-level program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
Comprehensive – There is a consistent and systematic program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
Optimized – There is an integrated and detailed program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
Governance and culture – Performance management characteristics
24
Board level governance considerations

Consideration: Audit Committee – Assign risk management review to the Audit Committee
What you have to believe:
– Centralization of risk management review and challenge in a Risk Committee (or Audit and Risk Committee) can promote effective risk oversight, and this can be achieved despite other significant committee responsibilities, e.g. financial reporting
– The Audit Committee’s existing responsibilities can provide a solid foundation for comprehensive risk coverage
– All risk management oversight can be included among the other duties legally required of the Audit Committee

Consideration: Entire Board – Make risk management review the purview of the entire Board rather than a separate committee
What you have to believe:
– Enterprise risk is an accountability for all Board members, requiring them to be explicitly and directly focused on it rather than leaving it to a Board sub-committee
– Regular reports to the entire Board will be sufficient to provide overall ERM oversight
– The full Board has the capacity to comprehend and adequately deal with enterprise-wide risk issues
– Regular briefings at full Board meetings on the exposure status of the risk profile, with periodic updates (deeper dives) on specific significant risk related issues, will be sufficient

Consideration: Multiple Committees – Segment risk oversight by risk category across distinct Board sub-committees, with an aggregated and integrated view at the full Board level
What you have to believe:
– Separately focused committees are required to achieve adequate coverage of distinct types of risk, e.g. a Credit Committee for credit risk
– The Audit Committee may already be overloaded with other responsibilities; potential overlap with the Audit Committee will be minimal
– Effective Board oversight of the risk profile and its exposure status can be achieved despite a ‘siloed’ Board structure
– Multiple Board committees will review different aspects of the overall risk profile

Consideration: Risk Committee – Establish a Risk Committee of the Board
What you have to believe:
– A single Board committee dedicated to comprehensive risk oversight is the most effective design
– A Board Risk Committee will have sufficient capacity and technical depth to effectively oversee all categories and types of risk
– An integrated view of all risk categories and the overall risk profile can be ensured at the Board committee level
– A dedicated risk committee will evidence an explicit and strong commitment to risk management to external and internal stakeholders and interested parties
– Risk related responsibilities currently resident in other Board committees could be merged into the Risk Committee of the Board

It is critical to consider the most effective design of Board level oversight of risk, including the establishment of Board committees
25
The business case for risk governance

– Risk governance should enable:
– optimized use of capital and resources through their allocation to business areas which will achieve superior risk/reward results
– improved understanding of interactions and interrelationships between risks
– improved risk adjusted returns
– clear accountability for, and ownership of, risk
– reduced likelihood of unpleasant earnings surprises
– anticipation of risk, thus minimizing the cost and effort of dealing with it
– demonstration and evidencing of the “in control” status of significant risks
– strengthened perceptions regarding governance and risk management among investors, supervisors, rating agencies and others

Risk governance is intended to help improve the odds when taking risk: reducing surprises and optimizing risk and return, thus improving shareholder value
26