This report is solely for the use of FDHL-MT. No part of it may be circulated, quoted or reproduced for distribution outside FDHL-MT without prior written approval.

May 2010

Oversight Management of Risk

Agenda

Broad overview of the Topic

The Holistic Approach to Risk Management

Process of risk management

What the Board should question

Chart 1

Broad Overview of The Topic

Definition of Enterprise Risk Management

Traditional approach of many companies

The need for Board surveillance and a specific Board Committee

The role of the Chief Risk Officer (CRO)

Chart 3

Risk/Reward Tradeoff

Risk

Reward

Company needs

to decide where

on this continuum

it wishes to sit.

This is a Board

decision

Chart 4

Definition of Enterprise Risk Management

ERM can be described as a risk-based approach to managing

an enterprise, integrating concepts of strategic planning,

operations and internal controls

ERM is evolving to address the needs of various stakeholders,

who want to understand the broad spectrum of risks facing

complex organizations to ensure they are appropriately

managed

Definition Of Enterprise Risk Management

Chart 5

Definition of Enterprise Risk Management

Regulators and debt rating agencies have increased their

scrutiny on the risk management processes of companies

Some high-profile failures of companies caused by ERM failure

have been:

• Enron & Barings - Failure of control mechanisms

• Lehman & LTCM - Failure to understand business

• Union Carbide - Failure in remote part of company

• General Motors - Failure to detect industry change

Definition Of Enterprise Risk Management../2

Chart 6

Definition of Enterprise Risk ManagementIndustries change and companies must be aware of such

changes. It is the Board responsibility to react and lead the

company through such changes

Kodak is a good example

6 companies in the Dow Jones 30 of 1959 remain in the index

(3 from 1929)

•General Electric General Foods

•Dupont Exxon Mobil

•Proctor & Gamble Chevron

Definition Of Enterprise Risk Management../3

Chart 7

ERM - Traditional Approach of Many Companies Most companies have not traditionally approached ERM

Modern approach is build ERM into the strategy and budget

planning process

Needs a disciplined approach aligning strategy; process;

people; technology and knowledge

ERM means the removal of traditional, functional, departmental

and cultural biases

ERM – Traditionally Approach Of Many Companies

Chart 8

ERM - Traditional Approach of Many Companies What risks are we facing

Are these comparable to the risks of our competition

How do they change with a change in business conditions

What level of risk should we take

How should we manage that risk

ERM – Traditionally Approach Of Many Companies../2

Chart 9

The need for Board surveillance and a specific Board Committee

The main function of any corporation is to make profit for its

shareholders. To do this they must accept some level of risk

Since the Board of Directors is the guiding body of a company it

falls to them to ensure that the company and therefore its RISK

is properly managed

All companies are different and their risks and their complexity

will determine the manner in which a Board focus on Risk

The Need For Board Surveillance & A Specific Board Committee

Chart 10

The role of the Chief Risk Officer (CRO)

The Chief Risk Officer is responsible for -

developing and managing the risk management structure

Should you have one??

The Role Of The Chief Risk Officer

Chart 11

While financial services companies are embracing the CRO position, other industries such as utilities and commodities-based businesses are recognizing the power of knowing all their risks from the top down

James Lam, founder of ERisk, based in New York, and former CRO for Fidelity Investments, has been watching the CRO trend over the last several years and says there are two indicators that CROs are here to stay: salaries are climbing, which demonstrates their value, and CROs are beginning to report right to the CEO, rather than to the CFO or Treasurer, putting them in a more powerful position. Many CRO’s have a dotted line reporting relationship to the Board

The Role Of The Chief Risk Officer../2

Chart 12

In Nigeria the risk management role never got as far removed from the CEO as it did in developed economies

Therefore the CEO is effectively today’s CRO in most companies in Nigeria

Is this healthy and can the CEO perform the executive functions

of a CEO and oversee the myriad of risks inherent in today’s

listed companies??

The Role Of The Chief Risk Officer../3

Chart 13

The Role of the Chief Risk Officer (CRO)

Strategic Hedged/Insurable Financial

Corporate Property Price

Customer needs Business integrity Liquidity

Demographic changes Disaster recovery Credit

Capital position Information technology Inflation

Legal/political Geographic risks Hedging/Position

This is an example of a Risk Department’s functional breakdownEach company will have a different formation to align with its strategy

The Role Of The Chief Risk Officer../4

Chart 14

The Holistic Approach to Risk Management

Managing risk in silos

View risk as a portfolio

Risk is dynamic

Risk is an opportunity

Chart 15

Managing Risk in Silos

Risk needs to be managed both centrally and in silos (decentralized)

ERM is managed centrally

Operational and financial risk should be managed locally as that is where the business managers are and they should understand their specific risks better than a central committee

This is an example of a Risk Department’s functional breakdownEach company will have a different formation to align with its strategy

Managing Risk in Silos

Chart 16

Managing Risk in Silos

“Field decisions are best taken by the most junior officer, in the field, allowed to take such decisions” General Andrew Stuart

Managing Risk in Silos../2

Chart 17

Managing Risk in Silos

Bhophal incident -1984

Union Carbide Corporation a Dow 30 stock owned 515 OF Union Carbide India Limited

Dec 1984 an act of sabotage caused a gas leak and resulted in 3,800 deaths

Caused international incident Chairman Anderson went to India with task force, was put under

house arrest and asked to leave the country

This is an example of a Risk Department’s functional breakdownEach company will have a different formation to align with its strategy

Managing Risk in Silos../3

Chart 18

Managing Risk in Silos

The result was that UCC suffered a massive reputational hit, was heavily fined

The company fell out of the DJI in 1999 and was bought by Dow Chemicals in 2001

UCC is still fighting damage law suits in the USA to this day

Question is how many Directors of UCC even knew they had an

Indian plant?

Managing Risk in Silos../4

Chart 19

Managing Risk in SilosBhophal incident -1984

Problems:Management of company was left solely to the Indian

management and as a 51% owned entity UCC management

took a hands off approach BUT it was UCC’s reputation at riskThe cause of the leak and the fact that it was sabotage did not

protect UCC. They clearly had no ERM system in place to

protect the parent from regional catastrophic riskOnly a comprehensive risk plan would have identified the

potential risk to the parent

Managing Risk in Silos../5

Chart 20

Managing Risk in SilosManaging Risk in Silos../4

Portfolio

Equities

Fixed Income Cash

GLOBAL RISK MANAGEMENT

Manage silo risk in conjunction with enterprise risk and ensure that it is global

Chart 21

View risk as a Portfolio The idea of having ERM at the top supervising all other risk

activities is to ensure that all risks are covered The concept of managing risks as a portfolio is not to treat all

risk in isolation If a company has a subsidiary gravel pit and a subsidiary

cement factory, you do not have to hedge the forward sales of gravel or the purchase price of gravel since they are offsetting risks at consolidation

This is an example of a Risk Department’s functional breakdownEach company will have a different formation to align with its strategy

View Risk As A Portfolio

Chart 22

View risk as a Portfolio../2

The art of managing a portfolio is to find uncorrelated asset returns and buy both asset classes and leave both unhedged as their volatility will partially offset each other

The danger is that if these are treated in isolation excess cost will be incurred by hedging both risks

The portfolio risk is that both assets may be structured to achieve the same thing and thus not be as uncorrelated as at first believed

This is an example of a Risk Department’s functional breakdownEach company will have a different formation to align with its strategy

Chart 23

View risk as a Portfolio

Portfolio

Equities

Fixed Income Cash

View Risk As A Portfolio../3

Typical financial portfolio, can be replicated for any business grouping

Chart 24

View risk as a Portfolio

1 2 3 4 5 6 7 8 9 10 110%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Risk 2

Risk 1

This is an example of a Risk Department’s functional breakdownEach company will have a different formation to align with its strategy

Return

Observations

View Risk As A Portfolio../4

Chart 25

A Portfolio Approach

Involves creating a general understanding of:

A company’s resources

The business environments in which it operates

How value is created and stored

The key risk issues underlying its value propositions

How its business models are alike and dissimilar

Every important business dimension

Chart 26

Legal and Ownership Structure

Governance and Organizational Structure

Operational Financial

Mission, Vision & Values

Employment Practices and Compensation Structure

Employees Debt and Equity Holders

A Portfolio Approach: Realigning the Internal Model

Chart 27

As a mortgage banker your risk is clearly rising as house prices rise same for the security forces as terrorism increases

Risk is Dynamic

Chart 28

Risk is Dynamic../2

As risks increase the risk managers must find a way to counteract the impact of risk incidents. This is usually expensive and not thought out before

Conversely when risk is lower the need for insurance is lower and economic logic dictates that then you should take off excessive insurance and maximize profits

Chart 29

Risk as an Opportunity

Too many organisations see risk management as a compliance issue, rather than developing approaches which add value and competitive advantage and which reflect their own business culture and stakeholder base

Most approaches to risk management are therefore not driven or inspired by enhancing opportunities (the upside of risk) but by the fear of the ever greater penalties for doing something wrong (the downside of risk)

Prof Martin Loosemore

Chart 30

Risk as an Opportunity../2

When Jamie Dimon stepped up to the plate and bought 100% of Bear Stearns for $2 per share, he used the fact that he had preserved his cash for a rainy day and was able to use it to buy a huge opportunity. So much so that he had to up the price a week later to $10 per share to avoid an awkward law suit

This was a financial example of risk management turning into an opportunity. There are many less notable but equally important examples of good risk management providing superb gains in business

Chart 31

Risk as an Opportunity../3

Potential benefits of successful risk management

• Improved performance and competitive advantage

• Greater resilience to unforeseen risks

• Greater capacity to seize opportunities

• Greater teamwork and collective responsibility for decisions throughout all organizational levels and supply chains

• Higher client satisfaction and retention

• Greater regulatory compliance

• Less rework, disruption and conflict rework

• Enhanced reputation

• Higher quality information for making business decisions

Chart 32

Process of Risk Management

Identify risk

Quantify risk

Mitigate risk

Monitor risk

Chart 33

Identify Risk

Experienced-based approach

Is dependent on corporate experience

Search for bad outcomes and try to identify risk drivers

Solicit staff for potential risk in processes etc.

Environmental approach

Seeks to understand the business in the context of its

environment

What is changing and how will it affect the business?

Chart 34

Quantify Risk

What risk measures are available to business managers

Financial Indicators

Liquidity

P&L performance measures

Key Risk Indicators

Customer complaints

Lawsuits

Plant failures

Accidents

Errors

Chart 35

Quantify Risk../2

Many quantitative measures have been created to measure risk

One of the most important and mis-understood of these is Value @ Risk or VAR

A simplified definition of VaR is that it measures the amount of loss one can expect for a given portfolio over a specified period of time with a 95% or 99% degree of confidence

Chart 36

Quantify Risk../3

The problem with VaR

VaR risk can be hedged away but adds to total book

The data is usually too short term in nature to represent a full

economic cycle, thus there have been far more 100 year

events in the last 30 years than is feasible

The data has no answer for how much one can lose in the

1% or 5% of events not covered by the confidence levels

VaR tends to be used in isolation and it should not be. It does

not pretend to measure Liquidity Risk

Chart 37

Quantify Risk

Short-term Data

Quantify Risk../4

Chart 38

Quantify Risk

For a good example see page 77 Exhibit 5.4 in “Bank Boards and the Financial Crisis” by Nestor Associates

Quantify Risk../5

Long-term Data

Chart 39

How serious was the overemphasis on VaR in 2008?

UBS blames an over-dependance on VaR and an absence of other risk measures in its mortgage book, as an overarching cause for the horrendous losses they suffered in their fixed income business

Using VaR without liquidity limits allowed the book to grow to proportions that could not easily be financed when market liquidity dropped

VaR is a useful tool but not in isolation

Quantify Risk../6

Chart 40

Balanced scorecards and Key Performance Indicators tie

strategy to operations

Credit losses or problems

Audit problems and exceptions

Frequently too much time is spent trying to refine what risks are

being monitored and not enough time is spent fixing issues that

cause risk (80/20 Rule)

Quantify Risk../7

Chart 41

Risk/Mitigation Heatmap

Level of Risk

Frequency

Chart 42

Mitigate Risk

The process to mitigate risk will vary from one situation to another, proper risk mitigation calls for understanding what you currently have and what needs to be done in order to maintain your status quo

Don’t waste time and money mitigating non critical risks, you will always have risk; identify the main causes of risk and manage those causes

Chart 43

Monitor Risk

In much the same way as decisions should be taken by the most junior person permitted to take the decision; risk should be monitored all the way through the organization, by the most junior person able and permitted to monitor that risk

No one person or department should be managing too many risks as then most risks will not be properly monitored

Chart 44

Monitor Risk../2

Set up a series of dashboards that are easy to read and indicate the key risks to be monitored by the entity or person and ensure that all of these functions are working properly

The Board equally should have one dashboard the indicates whether the systems are effective and that risk management processes are consistently performed

They need a separate dashboard that monitors catastrophic risk and requires the Board’s action

Chart 45

What The Board Should Question

Process

Resources

Is risk mitigation foolproof

Does the company have sufficient capital maintain its risk

profile

Chart 46

Process

Must be:

Simple process oriented and preferably automated

Regularly performed

Understandable to the operator

If a risk is not handled immediately system must trigger risk

potential to the next level

Performed consistently across all parts of the organization

Chart 47

Resources

Insufficient resources will result in sub-optimal results (you get what you pay for)

If the company cannot afford the means to monitor its risk; can it afford to take the risk?

Resources must be consistent across all aspects of the organization and be able to communicate

Must be available at ALL TIMES

Chart 48

Is Risk Mitigation Foolproof?

Risk must be ranked according to severity of the event and its frequency

It is too expensive to insure every event so a policy must be designed that takes into account the risk/reward from mitigating against the event

Certain events cannot be allowed to happen even once and

therefore must be protected against at all costs

Chart 49

Does Company have Sufficient Capital?

If the company has lost capital it must lower its risk profile otherwise the management is violating the risk budget that was agreed with the Board

If the Board leaves the same level of risk available to management they must understand that they have moved the company closer to potential disaster

This is Measurable

Chart 50

OperatorsRegulators

Enterprise Diagnostics

Financial Markets

Enterprise Risk

Management

CONSULTING TEAM

FDHL-MTA Financial Services Strategic Transformation Collaboration