Operation Risk Consulting Services from Risk Concepts, Ltd.


Risk Concepts, Ltd.

More About Enterprise Risk Management Services

RISK MANAGEMENT CHALLENGES

The most frequently encountered challenges to implementing successful Risk Management processes are:

  • Reporting of risk issues / solutions is fragmented.
  • Organizational "silos" (i.e., areas of managerial control) impede end-to-end analysis of risks and/or the implementation of appropriate, cost-effective solutions.
  • Risk is misunderstood.
  • Risk management policies are not comprehensive and/or are not supported by an adequate organization or effective methods.

To address these challenges, management must:

  1. Embrace the concept that risk (in all its forms) and change are the same.
  2. Understand that operational risk and operational exposure are not the same thing - although the two terms are routinely used interchangeably; exposure results from taking operational risk.

If management is unable to deal with even one form of risk well, the company's survival may be at stake (unless it is somehow subsidized). At best, a company will lose market share because of an inability to react to changing conditions. Managers leverage operational risk every day, just as they leverage market and credit risks.

Most organizational structures, and supporting policies, are designed to promote "silo" reporting by general type of risk (e.g., credit risks are reported to a Credit Committee, market risks are reported to an Investment or Asset/Liability Management Committee). Hence, in order to introduce Enterprise Risk Management, management must first change the way that directors and executives have traditionally viewed the organization!

Depending on the industry, there are numerous or regulatory initiatives that encourage (and sometimes require) organizations to adopt enterprise risk management processes. For example, financial institution regulators have adopted, in one form or another, risk management guidelines from the following:

  • The Turnbull Report.
  • The Basel Committee.
  • The Australian/New Zealand Standards.

These, and numerous others, all recommend risk management programs designed to eliminate "gaps" in risk management reporting. This is because regulators face growing pressure to address operational risk - which, although misunderstood, is a major contributing factor in most high-profile financial disasters. Therefore, in spite of the challenges, regulators are likely to require financial institutions to implement firm-wide risk management regimes - i.e. Enterprise Risk Management.

While, for at least banks and related financial institutions, Credit Risk Management and Market Risk Management processes are largely well entrenched (albeit generally "silo-oriented" processes), Operational Risk Management has recently received increasing emphasis, to wit:

"The … operational risk measurement system … should play a prominent role in risk reporting, management reporting, internal capital allocation, and/or risk analysis. In addition, the … [entity] … must develop techniques for allocating operational risk capital to major business lines and for creating incentives to improve the management of operational risk throughout the firm."

Working Paper on the Regulatory Treatment of Operational Risk
Basel Committee on Banking Supervision, 9/01

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management is defined as—

"A systematic method of identifying, assessing, communicating, managing and monitoring risks across activities, affiliates, functions or products, in a way that will build shareholder value over the long term."

And the following general guidelines support this definition:

  • Risks should be managed using a product or process focus that cuts across divisions and affiliates of the "organizational fabric."
  • Executive and Board oversight and reporting should be done by activity, rather than by risk type, to avoid gaps.
  • Risks should be prioritized to facilitate their reporting and management.
  • Operational, Credit and Market risk management functions should work in integrated fashion.
  • Product risks are "owned" - and these risks are managed using standardized, organization-wide risk management methodology.

By the term "risk management methodology", we mean processes that provide the means to systematically identify and manage credit, financial and operational risks across corporate businesses and activities.

An important part of any risk management methodology is, therefore, a capability to prioritize identified risks. Moreover, these same processes will also help any organization identify the important issues associated with change.

A FRAMEWORK FOR RISK MANAGEMENT GOVERNANCE

Establishing a framework for Risk Management governance is key to the implementation of effective Enterprise Risk Management. The following subsections provide information about how to go about these activities.

Set the Stage: Convey Expectations for Ownership & Accountability

Risk Management is the process of managing market, operational and credit risks for the long-term benefit of shareholders. Hence, all major commercial and operational activities (and their managers) are key to, and a part of, corporate risk management efforts. Risk management accountability cannot be delegated to "policy-oriented" functions like Internal Audit, Finance, Credit, Information Security and Risk Management.

Design and Implement the Risk Management Framework

A standardized, integrated approach to managing risk will eliminate dangerous gaps in coverage and reporting, ensure uniform quality and enhance corporate culture.
The normal steps in establishing an adequate Risk Management Framework are:

1. Establish Risk Management as a functional organizational unit.

This typically entails creating a Chief Risk Officer. To the extent possible, the Chief Risk Officer should be: (1) positioned to oversee an integrated Risk Management Framework encompassing policy and operational oversight of product / process risks, and (2) sufficiently senior to ensure the company's compliance with the Board of Directors' risk management mandate(s). As such, the Chief Risk Officer's organization should also integrate credit, operational and market risk management activities. The company's risk and control managers should work together, focusing their resources on products or processes: Middle Office, Asset & Liability Management, Security, Loan Review and, possibly, Internal Audit.

2. Establish or revise applicable Board policies governing Market, Credit and Operational risk activities.

For example:

  • Enterprise Risk Management (encompassing operational risk management functions):

    - Role Of The Board Of Directors
    - Role Of Management
    - Roles Of Internal Audit & Compliance
    - Ethics And Leadership
    - Continual Assessment Of Products And Processes
    - Control Activities
    - Segregation Of Duties
    - Provision Of Accurate Data And Information
    - Effective Communication
    - Ongoing Monitoring Of Key Risks
    - Timely Reporting Of Deficiencies
    - Risk Transfer & Retention

  • Credit Risk Management:

    - General Credit Policies
    - Legal Lending Limit
    - Credit Authority
    - Credit Organization And Approval Processes
    - Risk Assessment And Management
    - Borrower Grades
    - Reserves And Provisioning
    - Country Risk
    - Financial Institutions Risk
    - Lending To Special Category Clients
    - Oversight And Audit

  • Market Risk Management:

    - Interest Rate Risk - Definition, Roles & Accountability
    - Price Risk - Definition, Roles & Accountability
    - Liquidity - Definition, Roles & Accountability
    - Foreign Exchange Risk - Definition, Roles & Accountability
    - Trading Mandates & Limits
    - Investment Mandates & Limits
    - Asset Management Mandates & Limits
    - Hedging Mandates & Limits
    - Value At Risk - Application & Limits

3. Revise mandates for key governing committees.

Establish committees at Board and Company levels to govern Market, Credit and Operational risk activities, but roles should be refined to support an integrated risk management framework:

The role of the (Board's) Risk Committee is to oversee activities tied to managing credit, market and operational risk. It should establish a general mandate for risk management governance and thereafter be kept fully apprised of management's response. This committee should regularly re-evaluate the Company's risk exposure, risk tolerance and the mandate used to govern and control risks by activity or product rather than by risk category. Finally, the committee should approve policies used to control or mitigate risk exposures.

The Board should understand that all categories of risk - operational, credit and market - must be leveraged to build shareholder value. Likewise, management's risk "perspective" should be product oriented, rather than aligned by risk category, and reporting should be by product or process.

Ultimately, the Board of Directors and Chief Executive Officer should be comfortable that management have: (i) identified and quantified significant risks associated with all major products and corporate initiatives, (ii) established who is accountable for addressing those risks, and (iii) determined the status and timelines of mitigation efforts. Finally, management should ensure that various risk management committees work as part of a formal, product-based risk management framework, monitoring ongoing risk assessment, inventories, quantification, prioritization, ownership, and reporting.

4. Establish a "Life Cycle" approach to developing systems and products.

By adopting a "development life cycle" an organization introduces a standardized approach to managing change. Among other things, methodologies of this type incorporate the following key processes:

  • Establishing ownership.
  • Developing business cases & securing approvals.
  • Performing risk assessments at agreed times.
  • Project planning, execution & securing sign-off.
  • Pre- and post-implementation & training.

5. Develop a Risk Management Methodology.

Corporate risk management methodology mandates "ongoing product assessment" and should work in step with the development life cycle. By following the methodology, product owners are obliged to continuously identify, assess and manage risks associated with business change. Risk management methodology incorporates the following steps:

  1. Agreeing when significant change occurs (product or process).
  2. Establishing ownership.
  3. Developing product risk inventories.
  4. Estimating loss exposure.
  5. Developing appropriate risk strategies.
  6. Securing approvals and accountabilities for rolling-out risk solutions.

6. Develop associated risk management standards.

Management standards convey expectations of senior and middle management for adherence to risk limits, development and risk methodologies, organization and reporting and a wide range of other issues. Put another way, management standards are executive management's interpretation of the measures required in order to ensure compliance with the Board's policies on risk management.

* * * * *

RCL expert consultants have hands-on experience in developing and implementing Enterprise Risk Management functions and can assist your management in any and all facets of your Enterprise Risk Management program. Please contact us about any assistance you may need in this area!

Contact us at:
Risk Concepts, Ltd.
3 Jekyll Court
Bluffton, SC 29910

Phone: 1 (843) 706-3878
Cell: 1 (540) 840-7450
Represented in the United States, Central and South America and the Caribbean.

Click here to email RCL for client references or to request our complete brochure.

(Last updated: February 21, 2008)