Overview

Date post: 25-Feb-2016
Upload: licia
Description:
CAACM 5th Annual Meeting & Conference in Collaboration with ICATT. The Changing Face of Enterprise Risk Management. July 13-15, 2011, Hyatt Regency - Trinidad and Tobago. Overview: Risk has always been managed, somehow or other.
1.347.891.9252 Rawle Mitchell July 2011 [email protected] CAACM 5th Annual Meeting & Conference in Collaboration with ICATT The Changing Face of Enterprise Risk Management July 13-15, 2011 Hyatt Regency - Trinidad and Tobago
Transcript
Page 1: Overview

CAACM 5th Annual Meeting & Conference in Collaboration with ICATT

The Changing Face of Enterprise Risk Management

July 13-15, 2011
Hyatt Regency - Trinidad and Tobago

Page 2: Overview

Overview

• Risk has always been managed, somehow or other.
• As a concept, RM evolved from the insurance industry, where risk financing was the main RM activity.
• The financial services crisis in 2008 demonstrated the extent to which uncontrolled risk taking has damaged economies.
• For years, RM was done by buying insurance.
• More recently, companies managed risk through the capital markets with “derivative” instruments.
• Risks that defy easy measurement, like reputation, legal and human resources, have led to the emergence of ERM.

Page 3: Overview

Risk Definition Through The Years

• "Combination of the probability of occurrence of harm and the severity of that harm." Source: ISO/IEC Guide 51:1999

• "Combination of the probability of an event and its consequence." Source: ISO/IEC Guide 73:2002

• "Chance of something happening that will have an impact on objectives." Source: AS/NZS 4360:2004

• "Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities." Source: COSO (2004) ERM - Integrated Framework

• "The concept of risk refers in general to the magnitude and likelihood of unanticipated changes that have an impact on a firm's cash flows, value or profitability…Risk has a negative connotation, but uncertainty can be a source of opportunities as well as costs." Source: Lars Oxelheim & Clas Wihlborg (2008) Corporate Decision-Making with Macroeconomic Uncertainty

• "Effect of uncertainty on objectives." Source: ISO 31000:2009

Page 4: Overview

Risk Management Standards

Some of the popular standards:

• Australia/New Zealand (AS/NZS) Standard 4360 2004.
• COSO 2004 ERM - Integrated Framework. Defines and prescribes a process for implementing ERM.
• The ISO 31000 (2009) - 1st global risk management standard. ISO 31000 definition has shifted the emphasis from the “event” (something happening) to the “effect” – really the effect on OBJECTIVES!

Page 5: Overview

What is ISO?

• International Organization for Standardization (ISO) is the world's largest developer and publisher of International Standards.

• ISO is a specialized international organization founded in Geneva in 1947 and concerned with standardization in all technical and non-technical fields except electrical and electronic engineering.

Page 6: Overview

Why an ISO Standard in RM?

• Organizations around the world [be they public, private, for profit, not-for-profit, multinational, etc.] were facing increasing and greater risks and risk management was not being consistently defined and applied across sectors and countries.

• The challenges of inconsistent practices and definitions thus give rise to the need for a universal standard.

Page 7: Overview

Why did ERM evolve?

• Risk managers today need to manage known risks AND they must also be prepared to cope with unknown risks that may manifest themselves at any time.
• Risk managers can only meet these demands if they operate at a strategic level.
• Calls for strengthening risk oversight have been occurring on an increasing basis over the last several years.
• NYSE (2004) adopted governance rules that require audit committees of listed firms to oversee management’s risk oversight processes.
• More recently rating agencies, such as S & P, have begun to explicitly evaluate an entity’s ERM processes as an input into their credit ratings analysis.

Page 8: Overview

Barriers to ERM Oversight

Page 9: Overview

Marsh & RIMS 3 Levels of RM

1. Strategic RM incorporates all of the characteristics of traditional and progressive approaches, but adds in measures with more of a “C-suite view” of risk.

2. Companies that practice strategic RM tend to view risk as something to optimize, not just to mitigate or avoid.

3. There is a concerted effort to index risk against competitors and against the organization itself.

4. There is a stronger effort to weave risk issues into the overall conversation about the firm’s business decisions.

Page 10: Overview

Antecedents of ERM Implementation

• The idea that ERM is a key component of effective governance has gained widespread acceptance.

• Literature review suggests five broad groups of factors that determine extent of ERM implementation:
  • Regulatory influences
  • Internal influences
  • Ownership
  • Auditor influence
  • Firm and industry-related characteristics

Page 11: Overview

Why the Continuing RM evolution?

In light of so many financial failures, Robert P. Hartwig lashed out at then current ERM frameworks.

Hartwig: Financial crisis was the result of a failure of RM [in the banking and securities markets] on a colossal scale. We may literally have to tear up the manual of ERM and start over. How did so many major financial players miss or overlook such huge, systemic exposures?

But there is no “manual of enterprise risk management” to tear up. Risk management is a general term referring to the overall process of addressing risk, not any one particular method for mitigating risk.

Page 12: Overview

Why the Continuing RM evolution?

But, RIMS contends that the financial crisis resulted from:

1. System-wide failure to embrace appropriate ERM behaviors - or attributes - within these distressed organizations.
2. Failure to develop and reward internal RM competencies.
3. Failure to use ERM to inform management’s decision making for both risk-taking and risk-avoiding decisions.
4. Over-reliance on the use of financial models, with the mistaken assumption that the “risk quantifications” (used as predictions) based solely on financial modeling were both reliable and sufficient tools to justify decisions to take risk in the pursuit of profit.
5. Failure to embed ERM best practices from the top all the way down.

Page 13: Overview

Regulatory Impact on ERM

ERM must be part of the culture - accepted, expected and practiced at the highest levels and down through the organization - if it is to help the organization make better risk-adjusted decisions.

There’s an increased focus on the effectiveness of BOD risk oversight practices:

1. NYSE’s corporate governance rules already require audit committees of listed corporations to discuss risk assessment and RM policies.
2. Credit rating agencies, such as S&P, are assessing ERM processes as part of their corporate credit ratings analysis.
3. More importantly, while business leaders know organizations must regularly take risks to enhance stakeholder value, effective organizations recognize strategic advantages in managing risks.

Page 14: Overview

Regulatory Impact on ERM

4. Signals from some regulatory bodies now suggest that there may be new regulatory requirements or new interpretations of existing requirements placed on boards regarding their risk oversight responsibilities.

5. Legislation has also been introduced in US Congress that would mandate the creation of board risk committees.

6. The U.S. Treasury Department is considering regulatory reforms that would require compensation committees of public financial institutions to review and disclose strategies for aligning compensation with sound risk-management.

7. July 2009, the SEC issued its first set of proposed rules that would expand proxy disclosures about the impact of compensation policies on risk taking and the role of the BOD in the company’s risk management practices.

Page 15: Overview

Barriers to Adopting more Strategic Approaches to RM

1. Ability to feasibly/definitively demonstrate value and ERM ROI metrics

2. Senior management concerns that ERM processes are too difficult and/or costly

3. Personnel and financial resources dedicated to RM

4. Personnel skills, expertise and capabilities

5. Products that would enhance RM strategy and capabilities

6. RM technology issues

Page 16: Overview

Barriers, What Barriers?

Changes that must be made to help firms adopt more strategic approaches to RM:

1. Reorganize and reengineer the RM function
2. Increase internal education
3. Increase investment and resources in RM capabilities
4. Implement RM supporting software/technology

Page 17: Overview

Can ERM Evolve Further?

Some ERM truisms:

1. Firms are using RM more in developing their strategic goals and objectives.
2. Senior management at many firms are now more aware than ever of the need to incorporate risk into the decision making process.
3. Firms are increasing their investment in RM.
4. Today RM must deal with the known risks as well as the unknown and the unknowable.

Page 18: Overview

Steps to ERM Improvement

1. Integrate strategic planning processes and risk assessment activities to take advantage of risk opportunities and consider risk variations across strategic goals.

2. Reward risk ownership and effective RMAPs, so in this way ERM is being aligned with the firm’s balanced scorecard and merit payouts.

Going forward – companies must focus not only on the downside of risk but the upside as well.

Page 19: Overview

What Role Should RMIS Play?

1. RMIS and other technologies today have a large role in managing risk.

2. Demand for online, real-time, risk-related calculations with quick response times means that a new generation of risk systems architecture is required to cope with such demands.

3. These RMIS have to be event-driven systems with service-oriented frameworks.

Page 20: Overview

BOD ERM Role & What Prevents That?

BOD must:

1. Take responsibility for ensuring that the institution has a framework in place to embed ERM and its constituent parts including risk appetite, risk roles and responsibilities, etc.
2. Verify that risk and other key personnel are appropriately trained to fulfill their ERM roles and responsibilities.
3. Insist on receiving regular risk reports and RMAPs.
4. Ensure that corporate objectives are developed in conjunction with ERM insights.
5. Ensure that executive management conduct table top risk exercises and submit reports on same to BOD.
6. Ensure that business continuity and disaster recovery plans are developed, tested and improved regularly.

Page 21: Overview

Changing Skills Set for the CRO

1. Most progressive institutions have a dedicated senior executive charged with the responsibility of being the “Risk Champion” at their organisation.
2. CRO is largely charged with the Risk Champion role.
3. However, the CEO or MD is really the “chief-risk-officer” just as he/she is the “chief-revenue-officer”.
4. CRO by designation must possess a 360 degree view of the firm.
5. CRO must be multi-faceted in terms of skills set, but in particular, must be a great communicator and facilitator, very good with finance, and must thoroughly understand the core nature of the business.

Page 22: Overview

There is no time like the present to rethink your company’s approach to enterprise risk management.

ERM is a process that must be ongoing and flowing throughout your institution!

Thank You

Email: [email protected] Skype: rawle.mitchell64 Cell: 347-891-9252

