How to Build an Enterprise Risk Management Framework

Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
1
JOIN. ENGAGE. LEAD.
HOW TO BUILD AN ENTERPRISE
RISK MANAGEMENT FRAMEWORK
ERM strategies from the Risk Management
Association’s ERM Council

2
JOIN. ENGAGE. LEAD.
THE RMA ERM COUNCIL DEFINES ERM
ERM is the management
capability to manage all
business risks in pursuit of
acceptable returns.

3
JOIN. ENGAGE. LEAD.
STRATEGIC STEPS
Risk appetite
Business strategy and
risk coverage
Governance and policies
Risk data and
infrastructure
Measurement and
evaluation
Control environment.
Response Stress testing

4
JOIN. ENGAGE. LEAD.
ERM CULTURE
At the center of the ERM
framework is culture.
If an institution lacks the right
culture and strong leadership at
the top, none of the other elements
will matter.
Organizations that comprehend
and adopt ERM as a “way of
thinking” typically outperform those
that do not.

5
JOIN. ENGAGE. LEAD.
ERM CAN ANSWER 3 BASIC BUSINESS
QUESTIONS
• Aligned with business strategy, risk
appetite, culture, values, and ethics?
Should we
do it?
• People, processes, structure, and
technology capabilities?
Can we
do it?
• Assessment of expected results,
continuous learning, and a robust
system of checks and balances?
Did we
do it?

6
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK
What is ERM? It is the capability to effectively answer these questions.

7
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK (CONT.)
The
framework
applies
regardless of
the size of the
institution or
how it
categorizes
risks.
The individual
components
are a dynamic
flow in both
directions.
Culture is at
the heart—
without the
right culture,
the other
components
are somewhat
irrelevant.

8
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK HELPS ANSWER
BUSINESS QUESTIONS
• What are all the risks to our business
strategy and operations?
Coverage
• How much risk are we willing to takeRisk appetite
• How do we govern risk taking ?
Culture, governance,
and policies
• How do we capture the information we
need to manage these risks?
Risk data and
infrastructure

9
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK HELPS ANSWER
BUSINESS QUESTIONS (CONT.)
• How do we control the risks?Control environment
• How do we know the size of the various
risks?
Measurement and
evaluation
• What are we doing about these risks?Response
• What possible scenarios could hurt us?
• How are various risks interrelated?
Stress testing

10
JOIN. ENGAGE. LEAD.
DETERMINE GOALS AND OBJECTIVES
Before an institution can
articulate its risk appetite,
it must first determine its
goals and objectives, i.e.,
its business strategy.

11
JOIN. ENGAGE. LEAD.
DETERMINE GOALS AND OBJECTIVES (CONT.)
The institution must define
what it wants to achieve in
terms of markets,
geographies, segments,
products, earnings, etc.

12
JOIN. ENGAGE. LEAD.
DETERMINE GOALS AND OBJECTIVES (CONT.)
From there, the institution
assesses the risk implied in
that strategy and
determines the level of risk
it is willing to assume in
executing that strategy.

13
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES
Risk exposures Risk appetite
Culture,
governance,
and policies
Control
environment
Measurement
and evaluation
Scenario
planning and
stress testing

14
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
RISK EXPOSURES
Credit Liquidity
Strategic/
Business/
Reputation
Market Operational
Compliance/
Legal/
Regulatory
Financial
Capital
Adequacy
Regardless of a specific business strategy, an institution
is exposed to the following risks:

15
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
RISK APPETITE
RMA has defined risk appetite as
“the amount of risk (volatility of
expected results) an
organization is willing to accept
in pursuit of a desired financial
performance (returns).”

16
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
RISK APPETITE (CONT.)
The concepts of risk appetite and risk tolerance are
often used interchangeably, but they have distinct
differences in meaning.
Risk appetite represents
the acceptance of volatility
an institution is willing to
assume in executing its
business strategy.
Risk tolerance refers to
day-to-day operational
limits developed within the
context of an
organization’s stated risk
appetite (for example,
concentration limits).

17
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
RISK APPETITE (CONT.)
Management and the board of directors
must understand the critical links among
strategy, business plans, and risk.
• A risk appetite statement is one tool that facilitates
this linkage.
• In this context, the risk management function is an
integral part of the institution’s overall strategies and
specific business objectives—an essential part of the
institution’s success, returns, and value creation.

18
JOIN. ENGAGE. LEAD.
Culture can be described as
“what people do when they are not
being watched.”
Culture is
the most
important
aspect of
any good
ERM
competency.
ERM COMPETENCIES:
CULTURE, GOVERNANCE,
AND POLICIES

19
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
CULTURE, GOVERNANCE,
AND POLICIES (CONT.)
Policies express the risk
appetite of the company to the
masses.
Policies describe to all
stakeholders what the company
is willing to do and not to do.
The statement of risk appetite is
executed through policies (what
to do?) and procedures (how to
do them?).
Culture, governance, and
policies collectively help an
institution manage its risk-taking
activities.
Culture,
Governance, and
Policies

20
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
CONTROL ENVIRONMENT (CONT.)
The internal control environment is
one the most important tools in the
management toolbox for
management of risks.
Internal controls help reduce the
level of inherent risk to a level
acceptable to management.

21
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
Culture Governance Policies
Preventive and
detective
controls
Scenario
planning
The system of internal controls includes:

22
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
Management relies on
internal controls to
manage residual risk to
an acceptable level.
Residual risk is defined
as the level of inherent
risks reduced by
internal controls.
Building an effective
internal control
environment allows
management to control
what can be controlled.

23
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
MEASUREMENT AND
EVALUATION
The science and art of measurement
in ERM is about concluding which
risks are significant and which ones
are not, and where to invest time,
energy, and effort.
At any given
time, boards
of directors
and
management
must
manage a
portfolio of
risks

24
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
MEASUREMENT AND EVALUATION (CONT.)
In order to accomplish the goal of
measurement and evaluation, an
institution may adopt:
• A simple model of color rating
(green, yellow, and red).
• A middle-of-the-road failure
mode and effect analysis
(FMEA) model.
• Or a highly sophisticated risk
adjusted return on capital
(RAROC)

25
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES:
MEASUREMENT AND EVALUATION (CONT.)
Measurement
and evaluation
help boards
and
management
answer the
question, “so
what?”
The process of measurement and
evaluation must :
Include the
system of
internal
controls and
Determine how
well the risks
can be
managed.

26
JOIN. ENGAGE. LEAD.
The art of ERM is the ability to answer
the question, “what can go wrong and,
hence, create deviation from expected
outcomes?”
Management
must
address
known,
knowable,
and
unknowable
risks.
ERM COMPETENCIES:
SCENARIO PLANNING AND
STRESS TESTING

27
JOIN. ENGAGE. LEAD.
ERM COMPETENCIES: SCENARIO PLANNING
AND STRESS TESTING (CONT.)
Scenario planning and
stress testing are tools
that focus on the
knowable and, perhaps,
some unknowable risks.
A robust scenario
planning and stress
testing discipline is a
must from a capital
planning perspective.

28
JOIN. ENGAGE. LEAD.
To help you develop your ERM framework, RMA offers a
series of highly practical workbooks:
1. Risk Appetite Workbook, November 2010.
2. Scenario Analysis and Stress Testing for Community
Banks, February 2012.
3. Governance and Policies Workbook (includes
“Response”), November 2013.
4. Risk Measurement and Evaluation (in development).
5. Risk Data and Infrastructure (to be developed).
RMA members may download the workbooks for $0 (free!).
Not a member? Join today.
ENTERPRISE RISK MANAGEMENT
WORKBOOKS

29
JOIN. ENGAGE. LEAD.
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to
advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional
performance and financial stability, and enhance the risk competency of
individuals through information, education, peer sharing, and networking.
Become a member today.

How to Build an Enterprise Risk Management Framework

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie How to Build an Enterprise Risk Management Framework

Ähnlich wie How to Build an Enterprise Risk Management Framework (20)

Mehr von Colleen Beck-Domanico

Mehr von Colleen Beck-Domanico (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

How to Build an Enterprise Risk Management Framework