World Bank Risk Management Seminar

Corporate Governance and ERM:

A Framework for Integrating Risk and Performance Management

May 21, 2004

Presented by: Richard C. Reynolds, PwC Partner

PricewaterhouseCoopers LLP

2

Agenda

I. Overview of Enterprise-wide Risk Management

II. Designing and Implementing an ERM Framework

and Organization Structure

III. Impact of International Financial Reporting

Standards on ERM

3

Overview of COSO ERM Framework

FrameworkApplicationGuidance

• COSO ERM project launched in 2001 (PwC Authored)• Builds on COSO Internal Control Framework (PwC Authored)• Consists of conceptual framework and application guidance

4

Why ERM is Important

Underlying principles: Every entity, whether for-profit or not, exists to realize

value for its stakeholders.

Value is created, preserved, or eroded by management decisions in all activities, from strategy setting to operating the enterprise day-to-day.

ERM supports value creation by enabling management to: Deal effectively with potential future events that create

uncertainty.

Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

5

Enhancing Management Capabilities

Enterprise risk management provides enhanced capabilities to:

Align risk appetite and strategy

Link growth, risk and return

Enhance risk response decisions

Minimize operational surprises and losses

Identify and manage cross-enterprise risks

Provide integrated responses to multiple risks

Seize Opportunities

Rationalize capital

6

Framework Components

The Framework Has Eight Interrelated Components

7

The COSO ERM Framework lays the foundation for organizations to advance ERM.

Improving shareholder value

Improving/maintaining credit rating

Economic capital savings

Improved risk management strategy

Closer working relationship between

Finance & Risk functions

Alignment of individual’s compensation

to risk-sensitive behaviour

Improved MI in other related areas

Cost reduction through organisational

realignment and/or process

improvement

Link executive remuneration to value

creation to align management and

shareholder interests

Set performance measures to drive

creation

Set value targets to satisfy investor and

analyst expectations in line with well

articulated risk appetite

Ensure market understands risk

adjusted performance

RewardSchemes

Investor andcredit rating

agencycommunication

Strategyselection

Capitalallocation

Performancereporting

Value and riskmanagement

principles

Opportunities

8

Leading organizations have many building blocks in place. The challenge is in creating seamless connectivity top to bottom.

Portfolio reporting and analysis Aggregation of exposure (notional & risk adjusted) Analysis of Loss & default experience Data management / MIS

Rebalance, hedge the portfolio (capital optimization) Correlation, VaR, marginal contribution

Manage concentrations through limits Establish allowances (capital preservation)

Transactional risk identification

Portfolio Risk Identification

Active PM

Port

folio

Ris

k

Tran

sact

ion

Ris

k

Transactional risk management

Relationship profitability analysis Risk adjusted pricing (value creation - MTM / RAROC) Structuring individual transactions Allocation of limits to clients / products

Risk Assessment Risk Modeling Pricing Analysis Client, Industry and Market information

Link risk adjusted performance measurement to shareholder value and planning processes

Align performance measures with desired behavior

Linking the B

uilding Blocks

Traditional PM

SVA / Risk AdjustedPerformance Measurement

Data Management Data acquisition, maintenance and distribution

9

However, beyond financial risks, executives have a much different view as to what are the most significant risks.

• Source: Economic Intelligence Unit and PricewaterhouseCoopers survey of 160 senior financial executives

How important are the following risks to your institution’s financial services business? (percentage of respondents rating each risk as the biggest their organization faces)

Reputational Risk 53%

Regulatory Risk 28%

Operational Risk 24%

Political/external risk 11%

Credit Risk 34%

Market Risk 23%

Financial Risks Non-Financial Risks

10

Enterprise Risk ManagementEnterprise Risk ManagementIdentifying Risks That May Affect Our Ability to Identifying Risks That May Affect Our Ability to

Achieve ObjectivesAchieve ObjectivesAnd Determining How to RespondAnd Determining How to Respond

ComplianceComplianceExecuting as Expected To Support Achievement of All Objectives Executing as Expected To Support Achievement of All Objectives

GovernanceGovernanceDetermining Determining Objectives Objectives

and Knowing and Knowing We Are Executing We Are Executing

AppropriatelyAppropriately

Leading organizations are moving towards an integrated approach to governance, risk and compliance.

11

Shareholder Value Drivers Org

aniz

atio

nal

Lev

el

Leg

al E

nti

ty L

evel

Cu

sto

mer

Lev

el

Bu

sin

ess

Un

it L

evel

Profitability Risk

Risk-adjusted Performance Pro

du

ct L

evelCostRevenue Market Credit Op.

Enabling consistent business management

Tactical, operational and strategic

decision support

Integrated Planning Cycle

Achieving Strategic Excellence

Shareholder Value Creation

Best Practice Methodologies for Managing business functions

Achieving operational excellence

They are also implementing frameworks that deliver integrated profitability and risk information for decision making…

12

…and support forward looking analysis for strategic planning.

Shareholder Value Drivers Org

aniz

atio

nal

Lev

el

Leg

al E

nti

ty L

evel

Cu

sto

mer

Lev

el

Bu

sin

ess

Un

it L

evel

Profitability Risk

Risk-adjusted Performance Pro

du

ct L

evelCostRevenue Market Credit Op.

Sce

nar

io a

nal

ysis

Co

mp

lexi

ty M

od

elin

g

Ear

nin

gs

Sen

siti

vity

Impact on future earnings and Shareholder Value

13

Escalation Triggers – are reported after a predetermined trigger is tripped, they are designed to facilitate management intervention prior to day-to-day risks manifesting beyond an expected or acceptable tolerance.

* PwC defines key risk indicators as measures that can be collected at ANY time during the period as required by management

Types of Measures:

Value Metrics – financial and non-financial measures that demonstrate value creation for investment community

Corporate Dashboard – provide management with insight into actions that need to be taken to achieve strategy

Leading/Risk Indicators – identify systemic issues or causal factors related to strategy; and they are tactical and predictive

Lagging Measures – are after the fact

Focus: Strategy

Value Metrics

Escalation Criteria(Reactive)

Dashboard

Leading Indicators(Proactive)

Transactions and Data

Focus: SteadyState Lagging Indicators

Key Risk Indicators*Key Risk Indicators

Risk measures are aligned with both control objectives and value creation targets to provide management a dynamic view of current financial results and risks to the strategic plan.

14

StructureStructure

ReportReport

MonitorMonitor

MeasureMeasure

Capital PreservationCapital Preservation

RelationshipRelationship

EnterpriseEnterprise

PortfolioPortfolio

Line of BusinessLine of Business

Capital OptimizationCapital Optimization

TransactionTransaction

AnalyzeAnalyze

Too often, the pendulum swings; towards lax controls and overly aggressive risk taking in good times, and overly restrictive controls and risk aversion in bad times.

Strategic risk management focuses on balancing capital optimization with capital preservation.

15

Risk Management Systems Infrastructure

Capital Policy ReportingKey

Controls

Limits Procedures Analysis

Re-allocate capital/limits

BusinessCycle

Validate/refine strategy

Business Strategy and Planning

Business Processand Execution

Evaluation

Business mission and strategy

Value proposition and risk appetite

Organization and governance

Business planning and budgeting processes

Capital allocation and balance sheet management

Business and individual performance objectives

Risk policies and procedures

Risk measurement methodologies

Risk-based pricing and customer profitability

Risk aggregation and reporting

Active portfolio and balance sheet management strategies

Value drivers Internal reporting Performance

measures External disclosure

We have utilized the following framework with several leading financial institutions to gain better role clarity, particularly around the integration of strategic, financial and risk management planning.

16

ERM is a key enabler of value creation and preservation

RiskValue

Transparency

Trust

Performance

Reputation

Brand

Value is created, preserved, or eroded by management decisions, from strategy setting to operating the enterprise day-to-day.

17

Agenda

I. Overview of Enterprise-wide Risk Management

II. Designing and Implementing an ERM Framework

and Organization Structure

III. Impact of International Financial Reporting

Standards on ERM

18

A thorough understanding of your business objectives is critical to designing an infrastructure that meets your specific needs and fits within your culture and environment.

EnvironmentInfrastructure

ProcessStrategy

Organization& People

Limits &Controls ReportingPolicies

Culture Training Communi-cations

PerformanceMeasures Rewards

Validation/Reassessment

Risk Awareness

Risk Assessment and Action

Operations Measurement and Control

ValueEvaluation

Environment

SystemsMethodologies Data

EnvironmentInfrastructure

ProcessStrategy

Organization& People

Limits &Controls ReportingPolicies

Culture Training Communi--cations

PerformanceMeasures Rewards

Validation/Reassessment

Risk Awareness

Risk Assessment and Action

Operations Measurement and Control

ValueEvaluation

SystemsMethodologies Data

Value Proposition

Risk Strategy

Business Missionand Strategy

Risk Appetite

Environment

Enterprise-wide Risk Management Framework

19

Protect the franchise

Avoid surprises, no unexpected losses

Acknowledge the sources of earnings volatility

Facilitate risk taking

Support efficiency of capital usage and performance evaluation processes

Mold the risk culture Partner with the business Build a risk management network

Report v. manage

Devolve risk management from the corporate level into the business units

Key themes in a Mission Statement of the Corporate Risk Manager

The starting point is to define a clear mission statement for the Corporate Risk Manager.

20

Ris

k M

anag

emen

t S

tyl e

Risk Profile

Str

ateg

icC

ontr

ol F

ocus

ed

Simple Complex

Your Company????

Strategic:• Assist in molding views of

regulators• Frequent global stress testing to

analyze potential impacts of market events

• Risk Management partners with the business in decision-making

• True understanding of positions and risks

• Development and analysis of risk-adjusted returns

Control Focused:• Respond to requests by

regulators• Quarterly stress testing at the

desk or business unit level (to meet regulatory requirements)

• Risk Management performs a purely limit monitoring role

• Monitoring of positions and risks against limits

Risk Management Styles

M

E

C

D

L

B

A

J

K

F

G

H

I

The mission must balance the risk management objectives and the complexity of the risks assumed by the organization.

21

The next step is to define the overall approach for corporate risk management. Below is an illustration of a risk management framework.

The allocation of capital to the business units: signifies approval of the business plan serves as an overall limit on risk taking activities provides a benchmark for required returns

Risk management policies and procedures: define and set the standards for Client risk taking activities set parameters for permissible risk taking clearly define roles, responsibilities and accountabilities

An effective risk and performance reporting framework: provides timely feedback to evaluate the business strategy effectively communicates risk, elevates awareness and promotes consistency

and transparency ensures monitoring of policy compliance

Capital

Policy

Reporting

Risk ControlFramework

Limits

Procedures

Analysis

Re-

allo

cate

cap

ital

/lim

its

22

Integrating risk into the strategic planning and budgeting process is also key. Annual business plans form a contract with shareholders for the management of capital and required returns.

Annual Business and Risk Management Planning Process

Business Units

Corporate Risk

Management

Financial Control

Shareholders

Total Return

Capital

Annual Business Plan• Strategy• Product and service offerings• Capital budget• Forecasted absolute and risk

adjusted returns• Key risks and limits• Infrastructure weaknesses and

action plans• Other information

Formulate

Assist

Approve

23

RISK REPORTING OBJECTIVES:

Do we acknowledge, understand and articulate our risks clearly, accurately and comprehensively?

Are these risks aligned with our stated risk appetite and strategy?

Are we being adequately compensated for these risks?

Are we overly reliant on any revenue, risk or other concentrations that could adversely impact the quality or sustainability of earnings?

What is the quality and sustainability of our earnings stream?

What is the impact of the current and potential external environment on our business?

ERM reports should clearly articulate the nature of the business, including key risks, profitability, the risk-reward relationship and the impact of external events.

24

Risk Reporting Objectives:

• Heighten Awareness and Transparency of ALL Risks• Include Quantitative and Qualitative Information

• Promote Shareholder Value Creation

Risk Reporting Objectives:

• Heighten Awareness and Transparency of ALL Risks• Include Quantitative and Qualitative Information

• Promote Shareholder Value Creation

Daily Risk SummariesDaily Risk Summaries Quarterly Risk PackageQuarterly Risk PackageMonthly Risk PackagesMonthly Risk Packages

Key Objectives:• Reaffirm risk appetite, business

propositions and boundaries by assessing:

- risk profile- performance- internal and external

business environment and risk implications

Target Audience:• Senior Management

Contents:• Summary market risk• Detailed credit, liquidity,

valuation and operational risk• Trend analyses• Business and market outlook

Scope:• Business units globally

Key Objectives:• Reaffirm risk appetite, business

propositions and boundaries by assessing:

- risk profile- performance- internal and external

business environment and risk implications

Target Audience:• Senior Management

Contents:• Summary market risk• Detailed credit, liquidity,

valuation and operational risk• Trend analyses• Business and market outlook

Scope:• Business units globally

Key Objectives:• Promote shareholder value

creation by evaluating:- capital/resource allocation

decisions- earnings reliability and

sustainability- short and long term

business opportunities and their risks

Target Audience:• Executive Management

Contents:• Summary of all business and

customer risks• Risk-adjusted performance

measurement• Trend analyses• Business and market outlook• Status of key initiatives

Scope:• Global Markets consolidated

Key Objectives:• Promote shareholder value

creation by evaluating:- capital/resource allocation

decisions- earnings reliability and

sustainability- short and long term

business opportunities and their risks

Target Audience:• Executive Management

Contents:• Summary of all business and

customer risks• Risk-adjusted performance

measurement• Trend analyses• Business and market outlook• Status of key initiatives

Scope:• Global Markets consolidated

Key Objectives:• Identify risk issues that require

immediate attention and potential management action by reviewing:

- limit excesses- risk concentrations- P&L changes- market/credit/operational

risk events

Target Audience:• Business, Line and Risk

Managers

Contents:• Detailed market risk• Selected credit, liquidity,

valuation and operational risk metrics and issues

• P&L attribution analysis

Scope:• Desk level

Key Objectives:• Identify risk issues that require

immediate attention and potential management action by reviewing:

- limit excesses- risk concentrations- P&L changes- market/credit/operational

risk events

Target Audience:• Business, Line and Risk

Managers

Contents:• Detailed market risk• Selected credit, liquidity,

valuation and operational risk metrics and issues

• P&L attribution analysis

Scope:• Desk level

Enterprise-Wide Risk Reporting Framework

An effective ERM reporting framework should address the daily, monthly and quarterly objectives of the target risk management audience.

25

Economic Capital represents capital needs based on monthly revenue volatility of each business. The higher the volatility of a business’ revenues the higher the economic capital required for the business (annualized monthly revenue volatility x 2.33).

Marginal Capital represents the relative contribution of each business to the total capital of the Fixed Income business. It takes into account diversification/correlation effects across businesses (2.33* 12-month Revenue volatility *Correlation).

Revenue Quality is the ratio between average monthly revenue and monthly revenue volatility. It provides an assessment of the quality and sustainability of earnings over time. The higher the ratio, the better the quality of earnings.

Return on Economic Capital measures risk adjusted profitability across businesses. YTD return on capital represents YTD annualized revenue divided by last 12 months economic capital.

Revenue/Expense Ratio measures the degree of operational efficiency. These ratios were estimated based on 1997 financial performance.

0

1

2

3

4

5

6

7

-75 -50 -25 0 25 50 75 100 125 150 175 200

$MM Monthly Revenue

Frequency Over the Last 18 Months

$MM Economic Capital Marginal Capital Revenue Quality Return on Economic Capital Revenue/Expense2002 Last 12 m 2002 Last 12 m 2002 Last 12 m 2002 YTD

Commercial 90.6 66.0 22.4 25.4 3.0 4.6 263% 459% 2.5Personal 147.0 156.7 130.5 134.6 1.3 1.3 115% 149% 2.5Life and Annuities 49.1 46.2 33.7 34.8 4.9 5.1 506% 549% 3.3Investments 60.8 63.4 35.1 20.6 1.9 1.6 111% 93% 1.7Banking 63.1 94.5 (20.5) 8.3 0.5 0.9 40% 110% 2.0Treasury 30.7 17.3 7.7 (0.5) 0.3 0.4 21% 40% 2.0International 298.4 306.1 249.3 268.8 (0.0) 0.1 0% 24% 2.0

TOTAL 458.3 491.9 458.3 491.9 1.9 1.9 138% 181% 2.0

Commercial

An Illustration….

26

Set standards• Policies• Corporate data requirements• Reporting to business managers, senior

management and the Board• Risk measurement

Aggregation of common risk factors across

business lines• Scenario analysis / Stress testing• Limit Setting

Macro assessments of the risk profile and the

drivers of change (Windows on Risk)Capital allocation methodology, calculations

and decisionsSupport management of stakeholder relations

Corporate Risk Manager

Risk identification

Communicate key risk factors

Risk aggregation by risk factor within the business

line

Adhere to reporting and other standards

Proactive implementation of appropriate policies and

procedures

Support decisions regarding new products, new

businesses and new geographies

Degree of Decentralization in Risk Management Approach

Business Unit Risk Managers

Credit Cards

ConsumerLoans

International

To implement ERM, a clear line between the responsibilities and accountabilities of the corporate risk manager and the business unit risk managers must be drawn.

Treasury

27

Some of our clients employ a decentralized approach that includes company-level standards, endorsed by the board, with business-specific delegations and accountabilities.

Business Risk Management

Corporate Risk Management

InvestmentRisk

UnderwritingRisk

Operat-ionalRisk

Asset/ Liability

Risk

RiskCapital

Board of Directors• Audit Committee• Risk Committee

Office of the

Chairman

Board of Directors Provides broad, independent oversight of Company activities Endorses Company Risk Management Standards and acknowledges

aggregate Group risk profileBoD Audit Committee Reviews unintended exposures/risks that result from control

weaknesses, process fails or other shortcomingsBoD Risk Management Committee Reviews risks consciously taken through business decisions and

plans Reviews the overall Company exposure/risk profile, risk appetite,

and risk capacity Reviews Company Risk Management StandardsCorporate Risk Management Establishes Company Risk Management Standards Approves broad Company risk parameters and limits; allocates risk

limits to businesses Approves business-specific risk management standards and

practices and endorses the risk management culture embedded in those standards and practices

Maintains overall accountability and authority for the adequacy and appropriateness of all aspects of the Company risk management process

Business Risk Management Establish business-specific risk management standards, policies and

practices for the approval, measurement, reporting, monitoring, limiting and analysis of exposure/risk

Establish business-specific risk limits within allocated capital levels

P&C Life TreasuryInternational

28

Business Units

Business Operations

Business Unit Risk Managers

Financial Control

Other Support Groups

Corporate Risk Management

•Market Risk•Credit Risk

•Operational Risk•Insurance Risk

•Country Risk

Global Risk Managers

Risk Architecture

Other Support Groups

Operations & Technology

Legal and Compliance

Human Resources

Tax

Other

Corporate Audit

To be defined

Financial Control

To be defined

The business units are responsible for establishing a comprehensive risk organization within their businesses that interacts with other risk management and support groups.

29

The business units, financial control, corporate risk and audit should have clearly defined, collaborative roles supported by appropriate infrastructure elements.

Business Units

Financial Control

Corporate Risk Management

BusinessCycle

Capital Policy ReportingKey

Controls

Risk Management Infrastructure (O&T, HR, Legal, Compliance, Tax, other)

Set Strategy

Budget/ Plan

Execute Control Evaluate

Validate/refine strategy

Limits Procedures Analysis

Re-allocate capital/limits

Corporate Audit

Formulate

Request

Formulate

Request

Manage

Formulate

Manage

Formulate

Validate

Reconcile

Review

Request

Approve

Review

Facilitate

Review

Manage

Review

Review

Produce

Review

Review

Review

Review Test

Test

Test

Review

Test

Review

Approve

Review

Approve

Facilitate

Approve

Formulate

Approve

Analyze

Analyze

Test

30

Agenda

I. Overview of Enterprise-wide Risk Management

II. Designing and Implementing an ERM Framework

and Organization Structure

III. Impact of International Financial Reporting

Standards on ERM

31

Why talk about IFRS?

• Many non-US banks move to IFRS

• Similar to US GAAP – often subtle yet important differences

• No more avoiding of “difficult” accounting Interest Method

Hedge Accounting

Impairment

• Implementation: new accounting, systems, data requirements

32

IFRS and Risk Management

Spotlight on transparency – more detailed analysis and disclosures on: Concentrations of risk

Sensitivity of cash flows to risk scenarios and market variables

Failure to manage earnings and investment risks associated with IFRS could seriously undermine financial stability and credibility

IFRS will have an impact on credit, funding and liquidity risks

IFRS will have extra demands on data capture, modelling and other information systems

Complying with IFRS will be fraught with potentially costly pitfalls

A broader and more integrated approach to risk management could help companies to turn IFRS compliance into shareholder value

33

IFRS - Key Aspects for Banks

Expected IFRS impact – Relevant accounting issues

Financial statement presentation – Flows and disclosures

Fair value of financial instruments

Investment securities – Classification and transfers

Impairment (investments, loans, other assets)

Hedge Accounting

Provisions – Recognition criteria

Income and expense recognition – interest and commissions

Deferred taxes

Other complex issues?

34

Impact of IAS/IFRS on consolidated financial statements

Complexity of implementation

Segment Information (IAS 14)

Commissions (IAS 18)

Property, plant and equipment (IAS 16)

Business Combination (IAS 22)

Employee Benefits (IAS 19)

Investments/ consolidation(IAS 27/28, SIC 12)

Provisions (IAS 37)

Financial Instruments(IAS 39/ IAS 32)

Financial statements and cash flow(IAS 1, 30 et 7)

Deferred taxes (IAS 12)

Fin

anci

al I

mp

act

++

++--

--

Impairment and intangibles (IAS 38/IAS 36)

35

Expected IFRS Impact – Business impacts

Complexity of implementation ++--

Overall Business Impacts

• Volatility of earnings

• Difficulty in forecasting and budgeting

• Product profitability/design

• Regulatory compliance

• Performance measurement and reporting

• Tax planning strategies

• Debt covenants

• Share-based compensation plans

• Transparency

Fin

an

cia

l Im

pa

ct

++

--

36

Top 15 implementation issues

1. Shareholder and analyst understanding

2. Understanding and analysing impact on financial performance

3. Commitment and involvement at all levels of the organisation

4. Significant resources required

5. Underestimation of the amount of work involved

6. Costly and time consuming to embed into the organisation

7. Data availability and system requirements

8. Re-alignment of management information reporting / systems

9. Co-ordination with regulator reporting requirements

37

Top 15 implementation issues

10. Training (“Knowledge transfer”) of management as well as

finance functions in all locations

11. Regulatory environment continues to change

12. Risk management

13. Earnings management

14. IAS continues to evolve

15. Minimal expertise

Your worlds Our people

This document is protected under the copyright laws of the United States and other countries as an unpublished work. The document contains information that is proprietary and confidential to PricewaterhouseCoopers LLP, which shall not be disclosed outside of the recipient's company or duplicated, used or disclosed, in whole or in part, by the recipient for any purpose other than to review the document. Any other use or disclosure, in whole or in part, of this information without the express written permission of PricewaterhouseCoopers LLP is prohibited.