Operational Risk---Managing and Measuring The Chief Risk Officer

Presentation transcript:

Operational Risk---Managing and Measuring The Chief Risk Officer July 2002 Mcharron@deloitte.com 860.543.7337

Introduction
- To better understand the evolution of risk management and the development of the Chief Risk Officer function
- To share our Point of View on emerging trends in Risk Management and the Risk Intelligent Organization
- A large number of companies in search of similar ideas and solutions
- Share what we are hearing and incorporate our thoughts to validate or enhance direction that the financial services industry is pursuing

CAS definition of ERM: The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders

Why is integration required?
- Risks are often interrelated but are being managed as single impact events.
- Organizational complexity and ineffective communication processes result in an incomplete or incorrect understanding of risks actually faced.
- Varying levels of risk appetites exist across an organization – Are managers taking on risk levels consistent with the expectations of executives? How much risk does the organization have the capacity to take on?
- Opportunities to offset unrelated risks within the organization are not taken advantage of.
- Lack of learning from common risk management practices and experiences.

What is Enterprise Risk Management?
A systematic and disciplined way to:
- Identify, assess and prioritize the major risks associated with the organization’s key values and corporate goals
- Gather risk intelligence about current operations and future growth opportunities within and across the extended enterprise
- Install a risk infrastructure that is appropriate to the enterprise and the volatility of its business
- Integrate risk intelligence into decision-making across the organization
- Identify inter-dependencies and correlations across risks and specializations
- Establish early warning and rapid response systems
- Provide assurance that key risks and exposures are understood, appropriately mitigated and cost-effectively controlled

Common Needs
Organizations today are challenged with a set of common needs as well as those unique to their organization.
- All organizations must manage risk whether or not they choose to do so systematically
- Chaotic environment / post Sept 11
- Risk and risk management are “top of mind” for everyone
- Board does not know what to expect from senior management re: risk management
- Need “Risk Intelligence” for better decision-making and governance
- Risk exposures increase as interconnectedness and interdependencies increase
- Organizations need to be able to understand interrelatedness, correlations and domino effects of risks
- Increasing scrutiny from key stakeholders
- A new approach is required because of weaknesses in traditional approaches – need to protect profitability from existing operations (Assets in Place) as well as grow future opportunities

- Risk and risk management are “top of mind” for everyone
- A sense of urgency but lack of clarity about how to proceed
- High impact events / High uncertainty / Probabilities difficult to estimate
- Challenge is to achieve a high state of preparedness
- Real and present danger to global organizations
- High concerns about physical threats, crisis preparedness, security and business continuity
- Higher cost (2-3 times) and reduced availability of insurance – increase in retained risk and risk transfer / risk pooling will become even more attractive
- Risk exposures increase as interconnectedness and interdependencies increase and can result in:
  - Big surprises / Big mistakes / Big missed opportunities
- Increasing scrutiny
  - Regulators / Boards of Directors / Shareholders / Stakeholders
- Organizations need to be able to understand interrelatedness, correlations and domino effects of risks
  - Within both the enterprise and the extended enterprise
- A new approach is required because traditional approaches:
  - Typically remain in silos and therefore do not look at the interdependencies
  - Emphasize protection of Assets in Place (AIP) not Future Growth Value (FGV)
  - Fail to recognize the importance of FGV as a driver of share price growth
  - Lack the new tools required to look at risks associated with FGV

Common Questions
- CEO: What unforeseen events might disrupt our strategy?
- CFO: What risks could materially impact our financial results? How much capital do I need?
- Board/Audit: How are we managing business risks? How are we assured they are being managed appropriately? What are the results? What assurance do we have?
- General Counsel: What could we do to further minimize our legal liabilities?
- Chief Actuary: How much risk am I allowed to take? What is our corporate risk appetite?
- Chief Underwriter: How much aggregation risk am I exposed to? Does the current risk management strategy adequately capture the key risks?
- Rating Agencies: How well does senior management understand risk? How great is management’s risk awareness? What is their ability to manage risks as they emerge?

Why Do It?
- No big mistakes
  - Avoid unrewarded risks
  - Establish a common understanding and language of risk across business units
- No big surprises
  - Establish safeguards against earnings-related surprises
  - Prevent / rapidly respond to potential catastrophic failures
- No big missed opportunities
  - Ensure strategic and tactical risks are both rewarded and appropriately mitigated
  - Maximize chances of success of business plan goal achievement
- Improve ability to anticipate change
  - Early warning signals
  - Everyone is alert to risk causes and effects
  - Forward looking approach to managing risk
- Accelerate ability to respond to change
  - Improved, faster decision-making
  - Better informed choices, clear rationale and less uncertainty
  - More organizational learning – less chance of repeat problems in other areas
D&T’s Point of View

Evolution of Risk Management
[Diagram; labels as extracted: Strategic Economic Strategic Risk Management Capital Markets/Treasury Risk Market Risk, Liquidity Risk Analytics & Modeling Credit Analytics Enterprise Risk Management Operational Risk Management Property, Casualty, Liability Risk Management Asset Protection Multi-line, Multi-risk Insurance Products Insurance Security Physical & Information Corporate Compliance Internal Audit Operations Compliance Business Profit Recovery Inter-dependencies Integration Offsets Correlations Domino Effects Corporate Ethics Financial Internal Control Process Culture]

Evolving Role and Responsibility of the Chief Risk Officer
“… risk management will begin to act as a kind of central nervous system for the financial institution, with ‘nerves’ relaying information back and forth and warning of potential hazards, as well as ‘brains’ performing high-level risk calculations on enterprise-wide data. These functions will work tightly together - and be constantly aware of what is going on in the rest of the institution.”
Risk Professional, March 2000

Why a Chief Risk Officer?
- Assure continuity and consistency in risk management with a single organizational unit that bears direct responsibility for directing the organization’s entire risk management process.
- Provide a solid foundation for developing and implementing a successful risk management strategy, process and culture.
- Centralize risk management to ensure that a common risk framework, policies, and measurement methodologies are implemented and sustained:
  - Provide senior management and decision-makers a more clear, consistent and complete view of the organization’s risks and its readiness to manage them
  - Enable the company to make better cost/benefit decisions in its risk management and mitigation efforts
  - Increase board and management confidence that its current operations and facilitates proactive thinking about future risks.

The role of the CRO
- Developing a common risk management strategy and instilling a consistent level of risk awareness throughout the company.
- Provide the focal point for risk management strategy development, deployment and communication.
- Should have close reporting ties to the CFO, CEO and the board of directors and have direct reporting from the heads of the major risk management disciplines (e.g. Internal Audit, Ethics, Compliance, Legal, Health & Safety, Loss Prevention, etc.).
- Risk committees developed within the organization typically report to the CRO. This includes the IT function, internal audit, market risk, credit risk, insurance, ethics, and strategy.

The role of the CRO
Responsible for:
- maintaining an awareness of risk issues throughout the organization
- developing a risk management strategy and setting risk policy
- measuring risk, reporting exposures, and proactively thinking about operational and other related risk

Should not be responsible for the day to day performance of risk management activities or for directing or managing business operations or administrative areas.
Responsibility for actively managing and mitigating risk on a day to day basis remains the responsibility of each business unit manager and staff person.

The role of the CRO
- The primary core functions necessary for success depend on the industry
- Skills vary by corporate objectives and strategies.
- Typically, CROs have strong skills and experience in market and credit risk. This is primarily due to the strong influence of CRO positions in the financial and utility industries.
- A growing trend for CROs to possess a strong operational risk perspective.
- The CRO typically is a member of risk governance and approval committees and has authority for specific risk management policies, such as strategic and operational risk.
- The CRO is the one who is trusted to make decisions about how the organization’s various risks tie to its strategy and initiatives.

Building Blocks for Effective Risk Management & Control
[Diagram; labels: Future Growth Value; Strategy; Tactics; Assets-in-Place; Operations]

Intangibles Matter More Than Tangibles
- Share value has two major components
  - Assets in Place
    - Profitability from current operations = tangible
  - Future Growth Opportunities
    - Intangibles – people, relationships, brands, reputation
    - Drive the multiples of valuation
    - Anything associated with the word “NEW”
- The market disproportionately rewards Future Growth Opportunities
- It under-rewards the growth of Assets in Place and severely punishes any deterioration

The Risk Intelligent Organization
- Organizations are increasingly seeking risk as a source of competitive advantage to exploit the upside and protect the downside
- Success demands excellent risk management as a core competency
- More and more organizations are demonstrating a desire to become Risk Intelligent
- Risk intelligence is the ability to think and learn about outcomes - it is how an organization gathers information, analyses, applies and then learns from the results
- Risk intelligence requires effective systems, information and timely reporting to enable organizational learning and successful adaptation – a “risk nervous system”

The Risk Intelligent Organization
Characteristics of the Risk Intelligent Organization:
- Risk analysis is built-in to the decision-making process
- There is a systematic process for identifying, assessing and prioritizing business risks
- There is an appropriate risk infrastructure to support sustainable risk management capability

Assessing Risk Intelligence
- Our definition of risk includes strategic, tactical, and operational risks (not just financial and accounting or insurance)
- Our risk identification process adequately addresses current operations as well as future growth opportunities
- We make appropriate use of qualitative and quantitative assessment methods
- We have established our risk tolerance policy applicable to all areas of the company
- We apply a consistent company-wide risk–reward trade-off rule to all of our decisions
- Risk assessment and prioritization are integral parts of the organization’s business planning, budgeting, capital allocation, and audit planning processes.
- The Board, Audit Committee or Executive are asking broader questions about risk and exposure e.g., strategic and tactical not just operational
- Senior management and board members are promptly informed of issues that may have a significant impact on risk management and control.
- We have appropriate oversight of the key risks faced by the company.
- Risks, controls, and exposures are systematically reviewed at intervals that are appropriate to the volatility of our organization’s business conditions.
- Timely and reliable information is available to personnel to manage the risk inherent in current and future growth objectives.
- Our disaster recovery plan enables us to be up and running within 24 hours or less.
- We have clearly defined metrics and early-warning indicators to identify when risk thresholds are about to be exceeded.
- We use appropriate risk-based valuation methodologies to assess current operations and future growth opportunities.
- Credit risk is coordinated and integrated across the entire organization
- Risk / reward calculations are an explicit part of our decision model.
- Risk / reward trade-offs are systematically evaluated from a portfolio perspective
- When a risk occurs, the organization systematically conducts reviews to identify and correct root causes.
- The organization follows up to ensure that mitigation strategies and corrective actions are effective.
- Risk-management and internal-control best practices are shared to accelerate organizational learning.
- Risk management is accepted as an integral part of everyone’s job
- There are effective processes in place for communicating and managing change
- Authority, responsibility and accountability are clear.
- We trust each other and communicate openly about our objectives and risks.
- We understand what is expected of us and the scope of our freedom to act.

The Risk Intelligent Organization
Step 1. Building the Risk-based Decision Model
- Risk Decision Analysis
- Gap analysis between existing & required
- Common process with local application
- Migration Model
Step 2. Assessing Business Risks
- Risk Prioritization Methodology
- Risk Identification / Risk Assessment / Risk Prioritization
- Risk Alignment to Corporate Strategy
Step 3. Assessing Risk Infrastructure
- Governance / Control / Information Technology / Valuation and Risk Measurement / Credit / Accounting and Disclosure
- Gap Analysis between existing and industry leading practices

Generic Risk Framework Proprietary Information: This presentation contains concepts, ideas and materials which are proprietary and may not be used, copied, provided to others or referred to without the express written permission of Deloitte and Touche. This presentation is incomplete without the accompanying discussion.

Example Risk Categories General Business Conditions Business Strategy & Organization Operations Safety & Security Customer Value Financial Asset Management Business Continuity Stakeholder Relations Information Technology Regulatory & Legal E-business Human Resources Public Safety & Environmental Political Competitors Supplier Relations Distribution & Dealer Relations Joint Ventures / Alliances Ethics Accounting & Disclosure Credit Insurance Compliance D&T’s Generic Risk Framework