Post on 02-Aug-2018
1
Enterprise Risk Management: How Does ERM Apply to Your Credit Union?
Presented by Carrie Kennedy, Partner, and Travis Smith, Partner, Moss Adams LLP
2
MOSS ADAMS AT A GLANCE
• Full-service public accounting firm with assurance, tax, and consulting services for middle-market public and private companies
• Largest accounting firm headquartered in the West and one of the 15 largest in the United States
• 21 offices in California, Arizona, New Mexico, Oregon, Washington and Kansas
• More than 230 partners and over 1,800 staff
• Founded in 1913 and headquartered in Seattle, Washington
• A founding member of Praxity, a global alliance of accounting firms
• We are the 4th largest firm servicing credit unions in the nation (based on assets)
3
TODAY’S DISCUSSION OBJECTIVES
• What is Enterprise Risk Management? – an Overview of ERM
• What is Driving ERM?
• How ERM Can Benefit My Institution
• How My Institution Can Build an ERM Strategy: Implementation Overview
  o Phase 1 – Planning
  o Phase 2 – Implementing the Plan
  o Phase 3 – Refining
• Summary
5
ENTERPRISE RISK MANAGEMENT
“The decline and ultimate failure of some great companies has been a historical fact. But such decline is not inevitable. Rather, it results when corporate leaders (CEO’s and directors alike) don’t anticipate and deal with the long term threats facing their companies.”
Harvard Business Review (5/08), “Leading from the Boardroom”
6
WHAT IS “ENTERPRISE RISK MANAGEMENT”?
“Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission (Sept. 2004)
7
WHAT IS ERM?
• A structured, consistent, and continuous risk management process that is applied across the entire organization
• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization
• Driven by a decision-support process that is aligned with the management and execution of strategic objectives
• Enhanced by the assignment of roles and responsibilities, reporting and communication, policies and procedures, and adoption of a risk-based culture
(Diagram: Business Objectives at the centre of a cycle – Identify & Assess; Planning & Management; Measure, Monitor & Report)
8
ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS
Keys to a good ERM program – must include:
• Risk Identification
  – What are our key risks?
  – What level of risk are we willing to allow/accept (“risk appetite”)?
• Risk Measurement
  – Risk measurement models (ALM, Credit Stress)
  – Guidelines and quantification tools (Credit Risk Classification, Operational and Credit Losses)
9
ENTERPRISE RISK MANAGEMENT (ERM) COMPONENTS
• Risk Control
  – Policies (Required and Best Practice)
  – Authorities and oversight systems
• Risk Monitoring
  – System of risk reporting – key measurements
  – Board-driven assessments (internal and external audits, monitoring reports)
  – Management self-assessments (management-generated reporting against pre-set standards)
10
IN A NUTSHELL…
ERM is a process for managing and controlling risks across an entire organization, both within and across business lines and legal entities.
12
DRIVERS OF ERM – A SUMMARY
Board of Directors • Demand increased financial disclosure and transparency
Members as Stakeholders • Demand evidence that management understands and manages risk
Regulators/Rating Agencies • Seek assurance around compliance and risk assessment processes
Activists • Demand social awareness, safety & environmental consciousness
Members as Customers • Make decisions based on differentiating factors
Peers • Comparison with others drives industry-wide practice
Competitors • Push innovation, drive leadership
14
BENEFITS OF ENTERPRISE RISK MANAGEMENT
• Enhances integrated decision-making – better deal with the risk from growth, mergers, new products, etc.
• Better align risk and strategy.
• Framework for identifying enhanced return opportunities – improved risk mitigation.
• Improve deployment of capital resources – allocating capital to business areas to achieve superior risk returns.
• Credibility and confidence in governance and risk management – members, regulators, external auditors.
• Anticipate risk – seize opportunities / minimize cost.
• Improved understanding and management of interactions and interrelationships between risks.
• Clear accountability and ownership of risk.
• Regulatory compliance with safety and soundness guidelines, foundation for a strong internal control environment.
15
BENEFITS OF ENTERPRISE RISK MANAGEMENT (CONTINUED…)
All the previous positively impact:
• Protection of capital.
• Enhancement of earnings.
• Reduction of losses (Fraud, Credit, Operational).
• Greater efficiency in process flows.
• Better defined / more efficient internal audit programs.
• Better understanding of effect of market movements.
17
ERM IMPLEMENTATION PHASES
(Diagram, labelled “Gradual evolution of the process”: three stages – Detective controls and processes; Preventative controls and processes; Proactive planning and improvement – set against Compliance and Prevention, Operating Performance, and Enhanced Member Benefits)
18
LET’S DO A QUICK SELF ASSESSMENT
• Go to the separate handout
• Complete the “Risk Oversight Self Assessment” survey
  – There are no right or wrong answers
  – Try to objectively answer each question for a credit union you have in mind
19
SELF ASSESSMENT – IMPLICATIONS
Q1–12 | Q13–28 | Implications
Yes | No | Lots of focus on strategic planning, lots of risks, but few risk management processes
Yes | Yes | Strategic planning and risk management are reasonably integrated and organization making great ERM progress
No | Yes | Few perceived strategic risks but overspending on ERM processes
No | No | Few perceived risks, but no system to be sure or to identify risks/opportunities
20
LINKING ERM TO STRATEGY
(Chart: ERM maturity level, Low to High, over time – Compliance/Monitoring, Loss Minimization, Risk Measurement, Risk Management, Risk vs. Return Optimization, Strategic Integration; the point at which the risk appetite is articulated is marked along the curve)
21
ERM – STRENGTHENING FOCUS ON STRATEGIC RISK EXPOSURES
(Diagram: Profitability broken down into Increased Revenues – Increased Loan Yield (Rate & Volume), Non-interest Income Products – and Expense Savings – Reduce Head Count, Vendor Mgmt., Other Cost Savings; for each measure (e.g. Vendor Mgmt.) the slide asks: what are the Risk Drivers, and what are the Risk Metrics?)
22
THE MOSS ADAMS PHASES TO ERM IMPLEMENTATION
• STEP 1 – PLANNING – (a.k.a., “putting your best foot forward, knowing the process isn’t going to be perfect because it’s a new area of focus, and every institution is unique”)
• STEP 2 – IMPLEMENTING – (a.k.a., “executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the ‘refining’ stage”)
• STEP 3 – REFINING – (a.k.a., “fixing what needs to be fixed and/or what wasn’t addressed after implementing your plan”)
A simple 3-step process for getting your ERM program off the ground
24
BUILDING YOUR ERM ROADMAP/ IMPLEMENTATION PLAN: STEP #1 – PLANNING
A. Gain Board/Committee/Executive level of support – “Tone at the Top” might be the single biggest factor in being successful at implementing; start to build consensus/buy-in
B. Revisit/review your strategic plan – the ERM vision should be aligned with your organization’s size/complexity
C. Start thinking about how you are going to identify (and categorize) risk
25
GAIN BOARD/MEMBER/EXECUTIVE MANAGEMENT LEVEL SUPPORT
• It’s that CULTURE thing!!
• Mutual Expectations, Respect, Reliance
• Open Communications, Debate
• Welcome the Messenger
• Welcome Dumb Questions
• Draft Policies
26
ERM POLICY
• Policy Statement
• Purpose/objectives
  o Integrated mgmt of risk
  o Governance of risk oversight
  o Independent review and monitoring
• Responsibilities
  o Board of Directors
  o Supervisory Committee
  o Board Risk Committee
  o Management Risk Committee
  o CEO
  o CRO
  o Internal Auditor
  o Department Heads
• Risk Categories
• ERM Process
• Policy Guidelines/Limits
• Risk Metrics and tools
  – Risk Assessments
  – Measures
• Controls & Monitoring
• Risk Response
• Communication & Reporting
• Policy Exceptions
27
ERM CHARTER
• Purpose/Objectives – Board/Committee delegation to: Identify and Manage risks; Adhere to policies
• Committee Members and Chair – Chief Risk Officer direct report
• Meetings – Full Board reporting
• Duties and responsibilities – Supervisory Committee interaction; Oversight of Management Risk Committees
• Performance Evaluation
• Committee Resources
28
ERM IS A SHARED RESPONSIBILITY: TYPICAL ROLES/NEEDS
Board of Directors – Governance; Reputational Risk; Board Training
CEO/COO – Business Risk; Execution Risk; Strategy/Mergers
CFO – Internal Controls; Economic Capital; Performance Measurement
CRO (Larger) – ERM Roadmap; Policies/Limits/Appetite; Risk Quantification; Dashboards
Functional Risk Managers/Delegated Responsibilities: Credit Risk; Market Risk; Interest Rate Risk; Operational Risk; Compliance Risk; Technology Risk; Etc.
29
A VISION FOR ERM IS FUNDAMENTALLY LINKED TO STRATEGIC GOALS FOR YOUR ORGANIZATION
• What are your core competencies? What is your market? What does your credit union want to be? Who are your members?
• What are your return goals?
• (Risk vs. Reward = Credit & IRR; Capital Adequacy; Regulatory; Fraud; Other?)
• Identify Risks to your credit union – What risks do you take on to generate these returns? Focus on “key” risks.
• How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)? Do you have sufficient capital and liquidity to support these risks?
30
ERM RISK COMPONENTS – REGULATORY RISK CATEGORIES
NCUA Risk Categories
Credit Risk
Interest Rate Risk
Liquidity Risk
Transaction Risk
Compliance Risk
Strategic Risk
Reputation Risk
Fed Risk Categories
Credit Risk
Market Risk
Liquidity Risk
Operational Risk
Legal Risk
Reputational Risk
FHLB Risk Categories
Credit Risk
Market Risk
Liquidity Risk
Operational Risk
Business Risk
31
REGULATORY CAPITAL RULES HAVE CREATED A FRAMEWORK FOR CLASSIFICATION OF RISK TYPES
Risk Type | Definition
Credit Risk | Loss due to a borrower’s inability to meet its financial obligations; Loss due to change in borrower’s credit quality
Market Risk | Loss due to change in market value of traded positions; Loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)
Operational Risk | Loss resulting from inadequate or failed internal process, people and systems, or from external events. The definition includes legal risk. The definition does not include strategic or reputational risks.
32
MANY INSTITUTIONS HAVE ADOPTED THESE DEFINITIONS FOR A FUNCTIONAL ERM STRUCTURE
(Diagram: Enterprise Risk Management Functional Structure (Not Organizational Structure))
Credit Risk: Commercial; Retail; Counterparty
Market Risk: Change in Fair Value; Interest Rate Risk; Currency Risk; Liquidity Risk
Operational Risk: Compliance Risk; Int. and Ext. Fraud; Business Process Failure; HR; Litigation; Data Security; Technology/Systems; Natural Disaster; Etc.
Other Risk Category Possibilities: Business, Strategic, Concentrations, Reputation, etc.
34
BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #2 – IMPLEMENTING
A. Identify and prioritize the RISKS – Keep it to the “TOP 5” for in-depth Board reporting – Additional risks can be identified and listed, but don’t take away the focus from the Top 5
B. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting
C. Identify gaps in the process and start to analyze (but don’t let them slow you down!)
35
ERM IMPLEMENTATION – THINK ABOUT “RISK AWARENESS”
Difficult process – 3 levels of risk awareness
• Known – You lend money to various parties and someone isn’t going to pay (credit risk)
• Unknown, but knowable – e.g., flood or other natural disaster that isn’t unusual for the area.
• Unknown, unknowable – would not ever know in advance, but is there a plan I can have if “something” takes me out of what I do?
This helps you to think beyond the everyday risks.
36
ERM IMPLEMENTATION – RISK ASSESSMENT
Ask each Board member:
“With our credit union’s business model in mind, what are the Top 5 emerging risks:”
1. _________________________________________
2. _________________________________________
3. _________________________________________
4. _________________________________________
5. _________________________________________
Ask Management the same question. Will the results be similar?
How often does the Board and Senior Management engage in explicit discussions about risk?
Reminder: Addressing risk in an advanced ERM process becomes strategic instead of defensive
37
RISK ASSESSMENT (CONTINUED)…
• For identified risk events:
  – What is the timeframe to consider?
  – How likely is the event to occur?
  – What would be the impact?
    • On financial goals (cash flow, capital, reported earnings)
    • On operational goals
    • On reputation/brand
  – Inherent vs. residual risks?
38
ONE COMPLICATION: INHERENT VS. RESIDUAL RISK
• What risks are we assessing?
  – Inherent risk: Risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact
  – Residual Risk: Risk that remains after management responds to the risk identified
Back to some risk assessment examples….
39
ABC INSTITUTION – SIMPLE ENTERPRISE RISK ASSESSMENT EXAMPLE
Columns: Risk Universe | Abbrev. | Impact: Operations, Reporting, Compliance, Safeguard of Assets | Risk Impact (AVG.) | Likelihood: Vulnerability, Control Environment, Control Monitoring | Risk Likelihood (AVG.) | Inherent Risk (Impact x Vulnerability) + rating | Residual Risk (risk after controls) (Impact x Likelihood) + rating | Tested? | PRIOR YEAR Residual Risk + rating | Test?
Loans | Lns | 5 5 4 3 | 4.25 | 5 2 2 | 3.00 | 21.25 H | 12.75 M | Yes (I/A) | 20.00 H | Yes
ALLL | ALLL | 4 3 4 5 | 4.00 | 5 3 2 | 3.25 | 20.00 H | 13.00 M | – | 19.00 H | Yes
Investments | Inv | 3 4 3 3 | 3.25 | 4 2 3 | 3.25 | 13.00 M | 10.56 M | – | 16.00 M | –
Deposits | Dep | 5 5 4 3 | 4.25 | 2 1 2 | 1.75 | 8.50 L | 7.44 L | – | 9.00 M | –
Internet Banking | IntBk | 5 4 3 4 | 4.00 | 4 2 3 | 2.75 | 16.00 H | 11.00 M | Yes (I/A) | 12.00 L | –
Debit Cards | Debit | 4 3 3 4 | 3.50 | 4 2 4 | 3.25 | 14.00 H | 11.38 M | – | 13.00 M | –
ACH | ACH | 3 3 3 3 | 3.00 | 2 2 3 | 2.50 | 6.00 L | 7.50 L | – | 5.00 M | Yes
Wire Transfers | Wires | 3 2 4 4 | 3.25 | 3 1 3 | 2.50 | 9.75 M | 8.13 L | Yes (I/A) | 8.00 H | –
Debit Cards | – | 4 3 3 4 | 3.50 | 3 1 2 | 2.00 | 10.50 M | 7.00 L | – | – | –
Item Proc., Br Cap | IP | 3 2 2 3 | 2.50 | 2 1 3 | 2.25 | 5.00 L | 5.63 L | – | 4.00 H | –
General Ledger | GL | 4 4 3 4 | 3.75 | 4 2 3 | 2.75 | 15.00 H | 10.31 M | – | 11.00 H | –
ALM/IRR | ALM | 4 4 4 3 | 3.75 | 4 3 3 | 3.50 | 15.00 H | 13.13 M | Yes (Ext.) | 16.00 H | –
AVP, Punch & Disb | AP | 4 3 3 4 | 3.50 | 3 2 3 | 2.75 | 10.50 M | 9.63 M | – | 10.00 M | –
EDP | EDP | 5 3 4 3 | 3.75 | 3 1 2 | 2.25 | 11.25 M | 8.44 L | – | 12.00 M | –
BSA | BSA | 5 3 5 4 | 4.25 | 4 1 3 | 2.75 | 17.00 H | 11.69 M | – | 16.00 H | –
Compliance | Comp | 4 3 4 4 | 3.75 | 3 1 2 | 2.00 | 11.25 M | 7.50 L | Yes (Ext.) | 12.00 M | –
Collections | Coll | 4 2 3 2 | 2.75 | 3 2 3 | 2.75 | 8.25 L | 7.56 L | – | – | –
Key:
Impact: Negligible 1; Low 2; Moderate 3; High 4; Extreme 5
Risk Likelihood (Vulnerability/Control): Remote / Excellent 1; Unlikely / Good 2; Possible / Fair 3; Probable / Needs Improvement 4; Certain / Does Not Exist 5
Risk rating (From – To): 1 – 8.99 Low; 9 – 13.99 Mod; 14 – 25.00 High
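The key above carried through in Python, as an added worked example that is not the deck’s own tool: the scoring rules are reproduced for six rows transcribed from the table, rounding half up as the slide does, and a closing check lists lines whose residual risk is still Moderate or High but show no test in the Tested? column. That check, the `RiskLine` type and the function names are assumptions of this example, not part of the original.

```python
# Added example (not the deck's own tool): the scoring rules in the slide's key,
# carried through for rows transcribed from the ABC Institution table.
#   Risk Impact (AVG.) = mean of Operations, Reporting, Compliance, Safeguard of Assets
#   Inherent Risk = Impact (AVG.) x Vulnerability; Residual Risk = Impact (AVG.) x Likelihood (AVG.)
#   Rating: 1-8.99 Low (L), 9-13.99 Mod (M), 14-25 High (H)
# The printed likelihood averages do not all equal the mean of the three visible
# likelihood columns, so the slide's own average is taken as input rather than recomputed.
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

SCORE_MIN, SCORE_MAX = 1, 5  # both scoring scales on the slide run 1..5
BANDS = ((Decimal("9"), "L"), (Decimal("14"), "M"))  # below 9 -> L, below 14 -> M, else H

@dataclass(frozen=True)
class RiskLine:
    name: str
    impact: tuple          # (Operations, Reporting, Compliance, Safeguard of Assets)
    vulnerability: int
    likelihood_avg: str    # "Risk Likelihood (AVG.)" column, as printed on the slide
    tested: bool = False   # "Tested?" column

def _check(value, label) -> Decimal:
    """Reject anything off the 1..5 scale before it skews a product."""
    d = Decimal(str(value))
    if not SCORE_MIN <= d <= SCORE_MAX:
        raise ValueError(f"{label} score {value} outside {SCORE_MIN}-{SCORE_MAX}")
    return d

def rate(score) -> str:
    """Map a 1..25 score to the slide's L / M / H bands."""
    score = Decimal(str(score))
    for upper, label in BANDS:
        if score < upper:
            return label
    return "H"

def _two_places(d: Decimal) -> float:
    # The slide rounds half up (8.125 -> 8.13); Python's round() would give 8.12.
    return float(d.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))

def score_line(line: RiskLine) -> dict:
    """Reproduce one table row: impact average, inherent and residual scores with ratings."""
    impact = [_check(v, "impact") for v in line.impact]
    impact_avg = sum(impact) / len(impact)
    inherent = impact_avg * _check(line.vulnerability, "vulnerability")
    residual = impact_avg * _check(line.likelihood_avg, "likelihood")
    return {"name": line.name, "impact_avg": _two_places(impact_avg),
            "inherent": _two_places(inherent), "inherent_rating": rate(inherent),
            "residual": _two_places(residual), "residual_rating": rate(residual)}

def untested_moderate_or_high(lines) -> list:
    """Lines still rated M or H after controls but with no test on record (assumed check)."""
    return [line.name for line in lines
            if score_line(line)["residual_rating"] in ("M", "H") and not line.tested]

# Rows transcribed from the slide (constructed sample input for this example).
SAMPLE = [
    RiskLine("Loans", (5, 5, 4, 3), 5, "3.00", tested=True),
    RiskLine("ALLL", (4, 3, 4, 5), 5, "3.25"),
    RiskLine("Investments", (3, 4, 3, 3), 4, "3.25"),
    RiskLine("Deposits", (5, 5, 4, 3), 2, "1.75"),
    RiskLine("Wire Transfers", (3, 2, 4, 4), 3, "2.50", tested=True),
    RiskLine("ALM/IRR", (4, 4, 4, 3), 4, "3.50", tested=True),
]
```

Running `score_line` over `SAMPLE` reproduces the slide’s figures (Loans 21.25 H / 12.75 M, Wire Transfers 9.75 M / 8.13 L), and the untested check returns ALLL and Investments.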
40
RISK MANAGEMENT CONTINUUM
Reactive
• Lack of Board or senior management emphasis on risk
• No common risk lingo
• Stove-pipe risk management
• Ad hoc approach
• Missing coverage of risk areas
Aware
• Some board and senior management support
• Risk leader identified
• Periodic risk profiling
• Key risks defined in common vocabulary
• Recognized need for ERM
Strategic
• Proactive board and senior management involvement
• Risk managed and assessed across entire organization
• Common language and approach used and understood
• Real‐time analysis of risk portfolio (real‐time KRIs)
• Recognized need for ERM
Most companies straddle Goal
41
RISK ASSESSMENT CYCLE
Identify risk & controls
Assess exposures and
control effectiveness
Determine corrective action(s)
Test Controls
Management Certification
Board of Directors
Risk Assessment
* Report; reassess risks & ratings
* Track Project & Task priority, status, due dates, hours
* Record testing scope, conclusion and recommendation(s)
* Shows a snapshot of the pulse of enterprise risk management at-a-glance
42
ASSESSED RISK REPORTING: RISK MAPPING
• Heat Maps are a valuable tool for communicating/reporting risks
• Chart both likelihood/probability and severity/impact
43
HEAT MAP PORTRAYAL OF INHERENT RISKS
(Heat map: Impact (Severity) plotted against Likelihood (Probability of Occurrence), with numbered risk events 1–10 placed on the grid; legend “Mitigation Risk”: Not Mitigated; Marginal Mitigation; Sufficient/Acceptable)
Risk Event: 1. ----- 2. ----- 3. ----- 4. ----- 5. -----
45
BUILDING YOUR ERM ROADMAP/IMPLEMENTATION PLAN: STEP #3 – REFINING
A. Define the Credit Union’s “Risk Appetite”
  • Quantifying risk
  • Determine Key Risk Indicators (KRI)
B. Monitoring and Reporting
  • What will reporting to executive management and the Board look like going forward?
  • Ongoing monitoring of implementation progress with board-level accountability
  • Benchmark vs. industry leaders in this area as well as peers
46
ELEMENTS OF RISK APPETITE
Existing Risk Profile – The existing level and distribution of risks across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc.)
Risk Capacity – The maximum risk a firm may bear and remain solvent
Risk Tolerance – Acceptable levels of variations an entity is willing to accept around specific objectives
Desired Level of Risk – What is the desired risk/return level
These four feed the Determination of Risk Appetite (the amount of risk an entity is willing to accept in the pursuit of value)
47
WAYS TO DEFINE RISK APPETITE
Quantitative – Clearly defined measure; can be cascaded to business units. For example, loss of capital or degree of volatility in earnings
Qualitative – Not all risks can be accurately/credibly measured. For example, risk of damage to reputation
Zero Tolerance – A subset which can be very clearly defined. For example, loss of life or violation of laws
48
SOME EXAMPLES OF EXTERNAL KEY RISK INDICATORS
Industry and Competitor Trends: Number of Competitors; New product or service announcements; Pricing Trends; Risk events realized by competitors; Shifts in customer tastes/trends
Economic Trends: Unemployment forecasts; Consumer spending trends; Trade and foreign policy
Liquidity/Capital Markets: Interest rate trends/forecasts; Credit spreads in debt and credit markets; Stock market trends and forecasts
Supply Chain Issues: Financial health of suppliers; Risk events at suppliers; Pricing trends
Regulatory Changes: Anticipated changes in tax policy; New regulations/restrictions; Changes in key political offices
49
SOME EXAMPLES OF INTERNAL KEY RISK INDICATORS
Business Operations: Transactions, output; Sales volume, failed deals; Operational performance issues; Supply chain/logistics
Information Technology: Disasters, outages, disruption; Help desk metrics; Security metrics; Project metrics; IT incidents/investigations, complaints; IT audit issues
Compliance: State of controls; Regulatory inquiries/investigations; Litigation cases; Discovery requests
Human Resources: Turnover; Headcount; Corporate training: policies, procedures, ethics; Vacancies; Sick days; Disciplinary actions
Accounting/Finance: Adjustments; Unsubstantiated balances; Missed deadlines; Write-offs
Audit: High-risk issues/material weaknesses; Past-due audit issues
50
KEY RISK INDICATORS GUIDANCE FOR DEVELOPING YOUR ERM DASHBOARD (THE METRIC/DATA IS…)
Based on established practices or benchmarks
Developed consistently across the organization
Provide an unambiguous and intuitive view of the highlighted risk
Allow for measurable comparisons across time and business units
Provide opportunities to assess the performance of risk owners on a timely basis
Consumes resources efficiently (not overly burdensome to get the info)
51
CREATE AN IDEAL ROSTER OF RISK REPORTS
EXAMPLES:
• A high-level summary of the top risks for the enterprise as a whole; broken down by operating unit, geographic locations, product group, etc., along with significant gaps in risk management capabilities
• Report of emerging issues or risks that warrant immediate attention
• Summary of risk events, e.g., significant exceptions versus policies or established limits
• Summary of significant changes in key variables beyond management’s control (e.g. interest rates, exchange rates, etc.) and the effect on earnings, cash flows, capital, and the business plan.
• Summary of the status of improvement initiatives
52
RISK REPORT EXAMPLE (KRI REPORT)
(Dashboard template: each KRI has a Target and is reported for 1st qtr, 2nd qtr, 3rd qtr, 4th qtr and YTD; cells are colour-coded by the key – Better Than Expected, Expected, Worse Than Expected, N/A)
Human Resources: Average Daily Census; Assets per FTE; etc.
Credit Quality: Past due over 30 days; Past due over 60 days; Past due over 90 days; Over 90 days and accruing; ALLL/Loans; Net charge-off %, annualized; TDR’s/Loans; etc.
Financial: Net Interest Margin; ROA; ROE; Efficiency Ratio; Tangible Book Value; etc.
54
INTERNAL AUDITING ROLES IN REGARD TO ERM
• Giving assurance on risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks
• Facilitating identification and evaluation of risks
• Coordinating ERM activities
• Consolidating the reporting on risks
• Maintaining and developing ERM framework
55
ROLES INTERNAL AUDITING SHOULD NOT UNDERTAKE
• Setting the risk appetite
• Imposing risk management processes
• Management assurance of risks
• Taking decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management
57
NO ERM AT YOUR CREDIT UNION?
• It’s happening already… this is the business of banking
• Start simply… joint Board/Committee and Management adventure
• Focus on Business and Regulators… how to use it to improve processes and performance… a continuous improvement perspective
58
GREAT DUMB QUESTIONS
• What happens if…?
• Seems like that market is… could that impact us?
• I heard about… do we have risk exposure here?
• Does our policy explain what to do if…?
• Who is responsible for making sure we don’t…?
• Do we have a limit on…?
• What does our strategic plan say about…?
• Do you think senior management knows how the Board feels about that risk?
• Are there any other Board members who didn’t understand that; I’m not clear about…?
• Has anyone around here read the COSO template for risk management?
59
RECOMMENDATIONS FOR ERM
• Develop ERM Policy – Define Risk categories, roles, measures, monitoring, and reports
• Develop ERM Committee Charter – Define members, roles, scope, reporting relationship to other committees
• Publish ERM Board Packet – Key risk indicators (KRI) dashboard – ALCO, Credit, Compliance, Operational Risk summaries