
Daniel Mckinney

Date post: 03-Apr-2018
Upload: jtnylson

  • 7/28/2019 Daniel Mckinney

    1/23

    Febraban

    How Convergence can lead to better Enterprise Risk Management

    13 May 2010

  • 2/23

    Agenda

    Current environment

    What does the term convergence mean?

    Business drivers and convergence objectives

    Practical case studies

  • 3/23

    The current crisis has exposed failings of risk management

    Internal factors: Risk management practices; Business and strategy

    Lack of understanding of risk / return dynamics

    Unchallenged and weak assumptions

    Flawed incentive structures

    Siloed risk management and reporting

    Backward-looking; data-driven models

    Duplicative infrastructures; efficiency quests

    Reporting not fit for purpose

    Correlations and dependencies not fully understood

    Financial

    External factors: Regulatory frameworks; Market discipline; Lack of systemic oversight

    Unregulated markets

    Weak capital and liquidity standards

    Lack of transparency

    Over reliance on rating agencies

    Inadequate infrastructure

  • 4/23

    The current environment of risk

    Leading risk practices are emerging in the wake of the current economic crisis:

    Greater alignment / Integration

    Re-assess indicators

    Proactive

    Transparency:

    Common data sources

    Linking front-office and back-office

    Risk as an art, and a science

    Specialty Skills

    , assess, manage and communicate financial performance and risk. With a risk-and-return oriented view, banks will be able to select customers more effectively, make better product and pricing decisions, operate more efficiently and

    Footnote (1) Ernst & Young (2005). Investors on Risk: The need for transparency

  • 5/23

    Current environment in risk management

    Risk management spend has increased significantly in the last decade due to expansion of regulatory compliance requirements

    The number of risk functions has increased to keep up with these compliance requirements

    73% of companies have seven or more separate risk functions

    The coverage and focus of risk functions has become increasingly difficult to manage

    67% of companies reported they have overlapping risk coverage with two or more risk functions

    50% of companies reported gaps in their coverage between risk functions

    96% of companies agree there are opportunities to improve their risk management efforts

    Companies believe efficiencies can be gained in their risk management activities

    Companies want improved risk coverage while balancing cost and value

  • 6/23

    Integrated risk monitoring is still a work in progress

    [Chart: % of respondents who can track and report an enterprise wide view of risk. Categories: Limited tracking; Tracking, not consolidated; Complete holistic view]

    [Chart: % of respondents who have developed enterprise-wide risk reporting. Categories: In the early stages; Midway; Nearly complete]

    67% 77%

    9% 14%

    24%

    9%

    thrown out and started again. One day, I'd like to stop sending a risk report out and see if anyone notices: save some trees.

    Source: Ernst & Young Survey: Navigating the Crisis: A Survey of the World's Largest Banks (December 2008)

  • 7/23

    What does the term convergence mean?

    The industry sometimes uses the terms enterprise risk management (ERM) and risk convergence interchangeably. Ernst & Young believes

    .

    ERM exists to help the board set the objectives for risk management and

    enterprise within defined parameters of risk tolerance.

    Risk convergence considers the functions and framework built for ERM and seeks to address inefficiencies and opportunities to maximize the cost benefit to risk management of performing certain processes. In other words, risk convergence seeks to refine the target operating model and find practical ways to coordinate, align and ultimately implement process improvement.

    The aim is to help the risk organization reach the next level: one that can manage and control costs, mitigate risk and support strategic decision-making.

  • 8/23

    Three lines of defense governance model

    Convergence focuses on the 2nd and 3rd lines of defense.

    [Diagram: Executive Management / Boards (Perform Oversight); Third line of defense: Internal Audit (Test and Verify); Second line of defense: Risk Mgmt, Compliance (Design and Facilitate; Interpret and Develop; Monitor and Report); First line of defense: BU Process and Risk Owners]

  • 9/23

    Current flow of risk and control information

    [Diagram: External regulators, analysts, investors; Board/senior management oversight; Audit Committee, Risk Committee, Other Committees; Risk, Information, Internal, Legal/, Finance/, Other; Business Unit (x4)]

    Key Issues

    Risk management process fatigue

    Poorly defined roles and responsibilities

    Concern over effectiveness of risk and control

    Conflicting and inconsistent risk reporting

  • 10/23

    A possible converged flow

    [Diagram: External regulators, analysts, investors; Board/senior management oversight; Audit Committee, Risk Committee, Other Committees; Risk Management, Information Technology, Internal Audit, Legal/Compliance, Finance/Sox, Other; Common data structure; Common technology architecture; Business Unit (x4)]

    Key Advantages

    Common risk and control processes

    Distributed risk management responsibility

    Coordination and leverage across functions

    Efficiency and effectiveness in dealing with BU

    Clear and comprehensive risk reporting

  • 11/23

    Organizational model to support convergence: Illustrative Example

    Audit Committee / Risk Committee

    Board Level

    Operational Risk Committee

    Risk Working Group

    Senior Mgmnt Level

    Cross-Disciplined Group - Risk Management - Internal Audit - IT Risk -

    Corporate Operational Risk

    . . - Compliance

    Risk Teams Aligned to LOB

    Aligned to LOB

    Operational Risk Managers

    (e.g. Finance, Operations, Technology)

    Lines of Business

    Business Control / Support

    Shared Support Functions

    Finance, Operations, Technology

  • 12/23

    Convergence: A Portfolio Approach

    Convergence does not have a single defined roadmap; the improvement path is component based and depends on start point and priorities.

    [Diagram: Current State and Future State panels. Each panel shows Board/Senior Management Oversight; Audit Committee, Risk Committee, Other Committees; Internal Audit, Operational Risk, Legal/Compliance, Finance, Information Technology, Other; Common Risk & Control Processes; Common Data Structure; Common Technology Architecture; Business Units]

    [Diagram components: Define The Vision; Pre-Convergence Analysis; Governance Model; Firmwide Risk Assessment Framework (RCSA); Entity Level Control Design and Implementation; Common Technology / Integration; Existing Technology; Control Testing Strategies; Risk Based Control; Rationalization; Issue Tracking; Integrated Training; Redesign / Rationalize Risk Reporting; Key Indicators for Risk Monitoring; Refine and Stabilize; Common Taxonomy / Data Structure]

    Foundation Structure; Organizational View

  • 13/23

  • 14/23

    Risk Responsibility Matrix: Who is responsible for risk oversight?

    [Matrix: Risk Responsibility Matrix. Columns (Risk Management Ownership): BCP, HR, Credit Risk, IT, Market, Finance, Operational Risk, Compliance. Rows (RISK TYPE): People, Transaction, Credit, Market, Reputational, Vendor, Financial Reporting, Legal/Regulatory, IT, Strategic. KEY: PRIMARY RESP, SECONDARY RESP]

    Multiple assessments for a risk family may present opportunities for enhanced coordination

    Some risk families may have little coverage

  • 15/23

  • 16/23

  • 17/23

  • 18/23

    Risk assessment - targeted approach

    [Diagram: High Level Risk Categories: Theft and Fraud; Clients, Products and Business Practices; Physical Data Security; Information Technology; Transaction Processing; Financial Reporting; External Provider]

    [Diagram levels: Highest Level: High Level Risk Profile (e.g. Major Fraudulent Event). Detailed: Targeted Risk/Control Assessments (e.g. Compliance Review). Very Detailed: Targeted Deep Dive RC Assessments (e.g. SOX, e.g. Ext. Vendor SAS 70)]

    Top level risk identification and assessment covering the highest level categories for Operational Risk and identifying fat tail events.

    Targeted assessments driven by regulatory requirements (e.g., ; Data Protection) or by high inherent risk levels (e.g., business area is subject to high levels of dependency on third party

    Increasingly narrow scope for the assessment, focused on high risk area, weak control coverage. This could involve reviewing similar processing across different products

  • 19/23

  • 20/23

    Issue convergence reporting: Data security and Vendor Risk

    Event and Issue Timeline (2003 2004 2005 2006 2007)

    External Loss, $20.3 MM, 10/3/03 - 1/26/06

    External Loss, $18 MM, 7/1/06 - 10/24/06

    Vendor Event, 1/3/06

    Vendor Event, 6/8/06

    Internal Near Miss, 12/1/06

    Internal Near Miss, 10/1/06

    Internal Audit Issue: Opened on 3/31/06. Status ..

    Internal Audit Issue: Opened 4/12/06. Downgraded to..

    Internal Audit Issue: Opened 6/1/2006. It remains

    Internal Audit Issue: Opened on 3/31/03. Status xxxxx

    Internal Audit Issue: Opened on 12/13/06. Remains

    External Losses in 2006 were the starting points

    Three issues remain open

    Internal Near Misses in 2006 add to the High/Open issues in 2006

    s oryrequirements

    Legend: Internal Audit Issues; External Losses; Vendor Events; Internal Losses

  • 21/23

    Convergence lessons learned

    A Convergence Vision requires collaboration and co-ordination

    Compromise is critical

    Shift from siloed view of risk management

    Impossible to measure success if there is no standard to which you are measuring

    Well defined goals and objectives

    Measures of success: cost in or out of scope

    Build momentum through quick wins, establishing the basic building blocks

    The number of stakeholders involved in this type of project requires robust project.

    Communication to all stakeholders critical to retain key executive sponsorship and momentum

  • 22/23

    Convergence lessons learned cont.

    Improved business performance results from integrated, coordinated and effective risk practices

    The right approach can help achieve improved business performance through:

    Identification and validation of the gaps in risk coverage and scope across risk function/processes and activities

    Evaluation of the appropriate levels of alignment of risk management practices to organizational, strategic and operational objectives

    Alignment and coordination of risk management capabilities across the enterprise

    Development of risk-based performance metrics that support governance, risk management and compliance objectives

    Establishment of business-level performance measures/drivers

  • 23/23

    Contacts

    Dan McKinney
    Partner, Operational Risk Management
    (212) 773 4072

    Thomas Campanile
    Partner, Enterprise Risk Management
    (212) 773 8461

