B. Gabe Nachand, Partner

Moss Adams LLP

Presenting

ACUIA Region OneACUIA Region One Enterprise Risk Management

Today’s Discussion Objectives

• What is Enterprise Risk Management? – an Overview of ERM

• What is Driving ERM? • ERM  & the Regulators• How ERM Can Benefit My Institution• How My Institution Can Build an ERM Strategy:  Implementation OverviewImplementation Overview– Phase 1 – Planning– Phase 2 – Implementing the Plan– Phase 3 – Refining

• Summary

WHAT IS ENTERPRISE RISK MANAGEMENT (“ERM”)? 

Questions to Ponder…

• In today’s banking environment what risks or “watch out fors” would you suggest directors,watch out fors  would you suggest directors, supervisory committees, audit committees (or even executive management) focus on?

• What would you be looking for in Board Report packages today?packages today?

• Do we understand these issues enough toDo we understand these issues enough to appropriately report on them in each of our institutions today?

What is “Enterprise Risk Management”?

“Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, 

li d i i d h iapplied in a strategy setting and across the enterprise,designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to 

provide reasonable assurance regarding the achievement ofprovide reasonable assurance regarding the achievement of entity objectives.”

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, (Sept. 2004)

What is ERM?

• A structured, consistent, and continuous risk management process that is applied across the entire organization

• Identifies, assesses, prioritizes, and manages the internal and external risks that impact the organization

• Driven by a decision‐support process that is aligned with the management and execution of strategic objectivesexecution of strategic objectives

• Enhanced by the assignment of roles and

responsibilities,

• Reportin and omm ni ationIdentify & 

Measure, Monitor & • Reporting and communication,

– policies and procedures, and

– adoption of a risk‐based culture

AssessReport

Business Objectives

Planning & Management

Enterprise Risk Management“What might get in the way of my duty to deliver value to stakeholders?”

Risk

Ri k M t

The potential that events, expected or unanticipated, may have an adverse impact on capital or earnings.

Risk ManagementThe employment of systems and processes to manage the critical tradeoff between risk and return in financial decision‐

Enterprise‐Wide Risk Management

making.

The formal mechanism or structure for managing risks across the entire institution on an integrated basis.

Enterprise Risk Management (ERM) Components

Keys to a good ERM program – must include:

• Risk Identification – What are our key risks?  – What level of risk are we willing to allow/accept (“risk appetite”)?

• Risk Measurement– Risk measurement models  (ALM, Credit Stress)– Guidelines and quantification tools (Credit Risk Classification Operational and– Guidelines and quantification tools (Credit Risk Classification, Operational and 

Credit Losses)

Enterprise Risk Management (ERM) Components

• Risk Control– Policies (Required and Best Practice)

S f i k li i i– System of risk limitations– Authorities and oversight systems

• Risk Monitoring– System of risk reporting – key measurements

Board driven assessments (internal and external audits, monitoring reports) Management Self assessments (management generated reporting against pre set Management Self assessments (management generated reporting against pre‐set 

standards)

In a Nutshell…

ERM is a process for managing and controlling risks across an entire organization, both within g ,and across business lines and legal entities.

WHAT’S DRIVING ERM?WHAT S DRIVING ERM?

What’s Driving ERM?‐ Environmental ‐

• Growing size and organizational structure

• Increasing diversity of business lines and complexity of products

• Increasing number of regulations

• Increasingly competitive marketplace

ERM can be the key for how to win

What’s Driving ERM‐ Institutional ‐

• Fragmented or “silo” risk management efforts– fail to recognize interrelationships of risk across businessesfail to recognize interrelationships of risk across businesses 

or products

L k f ti f i k d ti• Lack of aggregation of common risks and reporting– fail to keep Board and management informed of 

organization‐wide risks

• Lack of attention to how risks are correlatedfails to identify how loans securities businesses etc– fails to identify how loans, securities, businesses, etc. might be affected by common factors and create large exposures

Post Downturn, ERM is More Important than Ever  

• Bankers, regulators, investors, customers and counterparties will not soon forget the near‐collapse in late 2008

• So far, the new era in financial services is a very strong emphasis on safety and risk management

• Those who can demonstrate superior risk management will have a competitive advantage– Greater opportunities in the market due to goodwill from regulators and investorspp g g– More and better customers

• Key ERM implementation challenges for most institutions– Culture– Right expertise– Data and Measurement– Transparency/Reporting

Drivers of ERM – a Summary

Board of Directors • Demand increased financial disclosure and transparency

Stakeholders • Demand evidence that management understands and manages risk

Regulators/Rating Agencies • Seek assurance around compliance and risk assessment processes

Credit and Rating Analysts • Asking organizations to report risks in a forward‐looking context

Activists • Demand social awareness, safety & , yenvironmental consciousness

Customers • Make decisions based on differentiating factors

Peers • Comparison with others drives industry‐wide practice

Competitors • Push innovation, drive leadership

ENTERPRISE RISK MANAGEMENT AND THE REGULATORS

Regulatory Expectations for ERMERM starts with the fundamental of strong risk management:

Active Board and d lActive Board and Senior 

Management Oversight

Adequate Policies, Procedures, and 

Limitsg

Adequate Risk Measurement, Monitoring, and 

Comprehensive Internal Controls

MIS

NCUA ERM Guidance

NCUA advises an effective system of Enterprise Risk Management includes consideration of:

• Market Condition• Field of Membership• Credit Union Structure

– Size– Complexity– Geographic diversity– Geographic diversity

Increasing Emphasis on ERM Perspective

Basel Committee’s Core Principles for Effective Banking Supervision (2006)

P i i l 7 Ri k “S i b i fi d h b kPrinciple 7 – Risk management process:  “Supervisors must be satisfied that banks and banking groups have in place a comprehensive risk management process (including Board and senior management oversight) to identify, evaluate, monitor, and control or mitigate all material risks and to assess their overall capital adequacy in relation to their risk profile These processes should beadequacy in relation to their risk profile. These processes should be commensurate with the size and complexity of the organization.” http://www.bis.org/publ/bcbs129.pdf

i i l f ff i i l i k ( )Principles for Effective Operational Risk Management (2003) http://www.bis.org/publ/bcbs96.pdf

P i i l f S d Li idi Ri k M d S i i (SPrinciples for Sound Liquidity Risk Management and Supervision (Sept. 2008) http://www.bis.org/publ/bcbs144.pdf

Basel II Capital Accord

Three Pillars of Capital Adequacy

Minimum Capital Standards

Supervisory Review

Market Discipline

• Banks review own capital adequacy

• Supervisors evaluate bank assessment

• Enhanced disclosures given increased reliance on internal assessments

• Credit Risk• Operational Risk• Market Risk

Principles of Effective Operational Risk Management(Basel Committee on Banking Supervision)

1. Board should approve and periodically review the Operating Risk Framework.

2. Board should ensure that Framework is subject to independent, competent audit staff review.

3. Senior management responsible for implementationg p p4. Process to identify and assess operational risk inherent in 

products, activities, processes and systems.5 Process tomonitor operational risk profiles and material exposure5. Process to monitor operational risk profiles and material exposure 

to losses.

Principles of Effective Operational Risk Management(Basel Committee on Banking Supervision)

6. Policies, processes and procedures should exist to control and/or mitigatematerial operational risks.

7. A contingency and business continuity plan should exist.8. The regulators should require that all banks, regardless of size, have an 

effective framework in place to identify, assess, monitor and control/mitigate material operational risk as part of an overall approachcontrol/mitigate material operational risk as part of an overall approach to risk management.

9. Regulators should conduct regular, independent evaluation of bank’s policies, procedures and practices related to operational risks.policies, procedures and practices related to operational risks.

10. Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.

It Takes 3 to Fly this Plane

Time &Time & Activities

Time & Activities

Audit Compliance RiskPast Present Future

Ri k M l k h h k i i d id if d h d

Do we do aswe say?

Are we incompliance?

What can go wrong?

• Risk Manager – looks thru the cockpit window to identify and assess current threats and future risks to the flight path and plane, and glances at the gauges for reassurance

• Compliance Manager – assists the pilot in maintaining the proper flight path and plane i d b i h l d FAA l ioperating procedures by using the manual and FAA regulations

• Auditor – uses the cockpit gauges and controls to inform the pilot of how the plane is operating relative to its predetermined flight path

In Summary

• Boards of directors are responsible for ensuring that their institutions are managed in a safe and sound manner. (This hasn’t changed)

• In today’s environment (and increasingly in the future), safety an soundness means that risks need to be well‐managed given the institution’s risk environment and business model.

d b bl “ ” h l “• You need to be able to answer “Yes” to this regulator question:  “Do you have a program that appropriately identifies emerging risks in a timely manner?” 

• Therefore:

Safety/Soundness = Risk Management

Consequently, the foundation for modern Corporate Governance is Enterprise Risk Management.

BENEFITS OF ERMBENEFITS OF ERM

Organizational Goals of ERM

• Protect/Enhance Stakeholder Value• Link Strategy and Risk ProfileLink Strategy and Risk Profile• Recognize and Manage integrated/cross organizational risks

• Enhance Risk Based Decisions• Capital Management• Seize Opportunities• Seize Opportunities• Disciplined Culture

For a director, do these sound familiar?

Benefits of Enterprise Risk Management

• Enhances integrated decision‐making better deal with the risk from growth, M&A, new products, etc.

li i k d• Better align risk and strategy.• Framework for identifying enhance return opportunities – improved risk 

mitigation.• Improve deployment of capital resources – allocating capital to business areas to p p y p g p

achieve superior risk returns (RAROC).• Credibility and confidence in governance and risk management – investors, 

regulators, rating agencies, external auditors.• Anti ipate risk sei e opport nities/minimi in ost• Anticipate risk – seize opportunities/minimizing cost.• Improved understanding and management of interactions and interrelationships 

between risks.• Clear accountability and ownership of risk.• Regulatory compliance with safety and soundness guidelines, foundation for a 

strong internal control environment.

Benefits of Enterprise Risk Management (continued…)

All the previous positively impact: • Protection of capital• Protection of capital.• Enhancement of earnings.• Reduction of losses (Fraud, Credit, Operational).• Greater efficiency in process flows.• Better defined/more efficient internal audit programs.• Better understanding of effect of market movements.Better understanding of effect of market movements.

What We are Observing: Industry ERM Themes so Far for 2012+

• ERM– Managing an acquisition (valuation, financial integration, change in risk profile, culture, data 

integration, etc.)g )– Model validation– Incentive programs that incorporate risk and are better aligned with organizational performance

• Compliance and regulatoryp g y– Regulatory reform outcomes– Stress testing– Compliance:  fair lending, BSA, AML

Credit• Credit– Provision and reserve going forward– Growing the loan portfolio– Diversifying away from risk concentrations in the portfolio

• Market Risk– The investments portfolio – understanding the risks going forward– Interest rate risk management

BUILDING AND ERM STRATEGY: IMPLEMENTATION OVERVIEW

ERM Implementation Phases

Proactive planning and i

D i

Preventative Controls and processes

improvement

Detective controls and processes

Compliance and Prevention

Operating Performance

Stakeholder Value Enhancement

GRADUAL EVOLUTION OF THE PROCESS

Developing ERM Capabilities is an Evolution, Not an Event

EARLY INTERMEDIATE ADVANCED• Minimal credit grading • No portfolio analysis • No operational risk

measurement • ROA as return measure

• Some risk quantification combined with seasoned judgment

• Operational and market risk in early stages

• An integrated risk management perspective

• Granular risk quantification ROA as return measure

• Efffective regulatory and investor relations

• Some RAROC calculations

• Portfolio analytics • Active portfolio

management function • Full RAROC across

bank

Add Capabilities as Risk/Complexity are Added

Linking ERM to Strategy

HighRisk appetite 

Strategic Integration

Risk vs. Return Optimization

Level

articulated

Risk Management

Risk Measurementaturity

 L

Loss Minimization

Compliance/Monitoring

M

Low

Time

ERM – Strengthening Focus on Strategic Risk Exposures

Increased Loan Risk 

DriversRisk 

Metrics?

Increased Revenues

Yield (Rate & Volume)

Non‐interest 

Drivers

Risk Drivers

Risk Metrics?

Profitability

Income Products

Drivers

Risk Drivers

Metrics?

Risk Metrics?

Expense Savings

Reduce Head Count

Oth C t

Drivers

Risk Drivers

Risk Metrics?

Other Cost Savings 

Measures –Vendor Mgmt.

Drivers

Risk Drivers

Risk Metrics? Drivers

The Moss Adams Phases to ERM Implementation

• STEP 1 – PLANNING – (a.k.a., “putting your best foot forward, knowing the process isn’t going to be perfect because it’s a new area of focus, and every institution is unique”)

STEP 2 IMPLEMENTING (a k a “executing on your plan making slight• STEP 2 – IMPLEMENTING – (a.k.a.,  executing on your plan, making slight adjustments as needed; saving significant revisions to the process for the “refining” stage”)

• STEP 3 – REFINING – (a.k.a., “fixing what needs to be fixed and/or what wasn’t addressed after implementing your plan”)

A simple 3­step process for getting your ERM program off the ground 

ERM IMPLEMENTATION PHASE 1 ‐PLANNING

Building Your ERM Roadmap/ Implementation Plan:STEP #1 – PLANNING

A. Gain Board/Committee/Executive level of support  ‐ “Tone at the Top” might be the single biggest factor in being successful at implementing; start to build consensus/ buy‐in

B. Revisit/review your strategic plan – the ERM vision s/b aligned with your organization’s size/complexity

C. Start thinking about how you are going to identify (and categorize) risk TIPS:  

• Define plan owners, roles and responsibilities for execution, timelines, resource alignment• Prioritize key tasks look for up‐front early wins• Prioritize key tasks – look for up‐front, early wins• Utilize existing management structures• Think about existing organizational design/structure• Other:  degree of alignment with finance, specific control tools, etc?• Start to build consensus among key internal and external stakeholders (including 

regulators*)• Preliminary risk assessment – work on the “completeness” of the risks inventory• Look for risk concentrations• Understand management’s current risk activities – functions, controls, what is tracked, 

who does it, etc.?who does it, etc.? 

Tone at the Top & Culture

• It’s that CULTURE thing!!• Mutual Expectations, Respect, RelianceMutual Expectations, Respect, Reliance• Model the Standard

Legally: Duty of Loyalty and CareBusiness JudgmentBusiness JudgmentDisclosure / Transparency

• Open Communications, Debate• Brainstorm risks at various management levels ‐ whatBrainstorm risks at various management levels  what 

risk is coming around the corner? • Welcome the Messenger• Welcome Dumb Questions• Welcome Dumb Questions• Draft Policies

ERM Policy

• Policy Statement• Purpose/objectives

Integrated mgmt of risk

• Risk Metrics and tools– Risk Assessments

Measures– Integrated mgmt of risk– Governance of risk oversight– Independent review and monitoring– Best practice risk control

• Responsibilities

– Measures• Controls & Monitoring• Risk Response• Communication & Responsibilities

– Board of Directors– Board Risk Committee– Management Risk Committee– CEO

Reporting• Policy Exceptions

– CRO– Internal Auditor– Department Heads

• Risk Categories• ERM Process• Policy Guidelines/Limits

ERM Charter

• Purpose/Objectives – Board delegation to:Identify and Manage risksy gAdhere to policies

• Committee Members and ChairChief Risk Officer direct reportChief Risk Officer direct report

• MeetingsFull Board reporting

• Duties and responsibilities• Duties and responsibilitiesAudit Committee interactionOversight of Management Risk Committees

P f E l ti• Performance Evaluation• Committee Resources

ERM is a Shared Responsibility:  Typical Roles/Needs

Board of Directors

‐Governance

‐Reputational RiskReputational Risk

‐Board Training

CEO/COOCRO (L ) ‐Business Risk

‐Execution Risk

‐Strategy/Mergers

CFO‐SOX

‐Basel II/Economic Capital

‐Performance Measurement

CRO (Larger)‐ERM Roadmap

‐Policies/Limits/Appetite

‐Risk Quantification

‐Dashboards

Functional Risk Managers/Delegated Responsibilities:

‐Credit Risk‐Market RiskMarket Risk‐ Interest Rate Risk‐ Operational Risk‐Compliance Risk‐ Technology Risk‐Etc.

A Vision for ERM is Fundamentally Linked to Strategic Goals for Your Organization  

• What are your core competencies?  What is your market?  What does your organization want to be? Who are the stakeholders?

• What are your return goals?What are your return goals?  • (Risk vs. Reward = Credit & IRR; Capital Adequacy; Regulatory; Fraud;Other?)

• Identify Risks to your Institution – What risks do you take‐on to generate these t ? F “k ” i kreturns? Focus on “key” risks. – Credit risks in lending? – Credit risks in your investments portfolio?– Market risks through interest rates?– Market risks through your investments portfolio?Market risks through your investments portfolio?– Operational risks through providing processing/cash management services?– Operational risks through asset management services?– Compliance risks in highly regulated markets?– Other?H h f h i k ill k ? I l l f i k• How much of each risk type will you take on? Is your level of risk appropriate given your return goals (risk appetite)?  Do you have sufficient capital and liquidity to support these risks?

ERM Risk Components

• Credit Risk and Market Risk are typically called ‘financial risks’ – return and risk are usually directly correlated here

• Greater risk will lead to higher returns in the long run, but will also result in significantly greater earnings volatility and require much more capital.  A risk appetite is needed to decide how much risk and what types of risk are appropriate

• Operational Risks can also be financial risks, but the risk/return relationship can be very different  – Some operational risks such as regulatory and compliance concerns are not related to returns, only protection against future loss or are a cost of doing business

– Fee‐based businesses such as asset management or payment processing are operational‐risk driven businesses with a direct relation to returns

• Regardless of the risk type, ERM practices can enable management and the board to:– Develop a consolidated view of their risk profile across all risk types and understand hot spots

– Measure risk exposure using quantitative and qualitative methods– Set a risk appetite and manage to it– Better understand where returns are generated

Regulatory Risk Categories (Risks Example 1)

OCC Risk Categories

di i k

Fed Risk Categories

FHLB Risk Categories

Credit Risk

Interest Rate Risk

Liquidity Risk

Credit Risk

Market Risk

Liquidity Risk

Credit Risk

Market Risk

Liquidity Risk

Price Risk

Foreign Exchange Risk

Transaction Risk

Operational Risk

Legal risk

Reputational Risk

Operational Risk

Business Risk

Compliance Risk

Strategic Risk

Reputation Risk

Regulatory Capital Rules Have Created a Framework for Classification of Risk Types(Risks Example 2)

Risk Type Definition

Credit Risk Loss due to a borrower’s inability to meet its financial obligations 

Loss due to change in borrower’s credit quality

Market Risk Loss due to change in market value of traded positions

Loss due to impact of changes in cost to close accrual positions (primarily interest rate risk)

Operational Risk Loss resulting from inadequate or failed internal process, people and systems or from external events Thepeople and systems, or from external events.  The definition includes legal risk. The definition does not include strategic or reputational risks.

Many Institutions Have Adopted These Definitions for a Functional ERM Structure (Risks Example 2.1)

Enterprise Risk Management Functional Structure (Not 

Credit Risk

p g (Organizational Structure)

Market Risk Operational Risk

Compliance Risk Int. and Ext. FraudBusiness Process Failure

Change in Fair Value

I t t R t Ri k

Commercial

HRLitigationData SecurityTechnology/SystemsN t l Di t

Interest Rate Risk

Currency Risk

Liquidity Risk

Retail

Counterparty

Natural DisasterEtc.

Liquidity Risk

Other Risk Category Possibilities:   Business, Strategic, Concentrations, Reputation, etc. 

ERM IMPLEMENTATION PHASE 2 –IMPLEMENTING THE PLAN

Building Your ERM Roadmap/Implementation Plan:STEP #2 – IMPLEMENTING

A. Identify and prioritize the RISKS‐ Keep it to the “TOP 5” for in‐depth Board reportingKeep it to the  TOP 5  for in depth Board reporting ‐ Additional risks can be identified and listed, but don’t take away the 

focus from the Top 5

B Si lt l d t li i i k f k d t liB. Simultaneously adopt a preliminary risk framework and conceptualize simple reporting 

C. Identify gaps in the process and start to analyze (but don’t let them slow you y g p p y ( ydown!) 

TIPS:  • Identify strengths and weaknesses in existing risk management function• Identify strengths and weaknesses in existing risk management function• Re‐align existing capabilities with where you need to get to• Scope:  risk controls, information technology, culture, expertise, policies, 

risk quantification, reporting/transparency 

ERM Implementation – Think about “Risk Awareness”

Difficult process – 3 levels of risk awareness 

• Known – You lend money to various parties and someone isn’t going to pay (credit risk)p y ( )

• Unknown, but knowable – e.g., flood or other natural disaster that isn’t unusual for the area.  

• Unknown, unknowable – would not ever know in advance, but is there a plan I can have if “something” takes me out of what I do?  

This helps you to think beyond the everyday risks. 

Focus on Key Enterprise Risks

• Risk issues that are most significant and deserve attention of executive management and the Board.g

• Issues identified through the risk assessment process ithi h f ti l i kwithin each functional risk area.

• Escalated to corporate level with mitigation andEscalated to corporate level with mitigation and action plans presented.

ERM Implementation – Risk Assessment 

Ask each Board/Committee member: 

“With our entity’s business model in mind what are the Top 5 emerging risks:”With our entity s business model in mind, what are the Top 5 emerging risks:   

1. _________________________________________2. _________________________________________3. _________________________________________4. _________________________________________5. _________________________________________

Ask Management the same question. Will the results be similar? 

How often does the Board and Senior Management engage in explicit discussions b t i k?about risk? 

Reminder:  Addressing risk in an advanced ERM process becomes strategic instead of defensive

Risk Assessment (continued)…

• For identified risk events:Wh t i th ti f t id ?– What is the time frame to consider?

– How likely is the event to occur?

– What would be the impact?What would be the impact?• On financial goals (cash flow, capital, reported earnings)

• On operational goals

• On reputation/brand

– Inherent vs. residual risks?

One Complication: Inherent vs. Residual Risk

• What risks are we assessing?– Ignore response to start: tendency to over value controls “100%Ignore response to start: tendency to over value controls  100% 

under control” – red flag; nothing is foolproof.– Inherent risk: Risk to an entity in the absence of any actions 

management might take to alter either the risk’s likelihood ormanagement might take to alter either the risk s likelihood or impact

– Residual Risk: Risk that remains after management responds to the risk identifiedthe risk identified

Back to some risk assessment examples….

Banking Risk Categories within ERM (Risks Example #3)

Strategic Credit Interest Rate Liquidity

Product OfferingMerger & Acquisition

Payment DefaultLoan Concentration

Interest RatesYield Curve

Funding SourcesOn/off Balance Sheet

CompetitionRevenue Growth

ProfitabilityCapital

Loan ConcentrationLoan Quality

Collateral Valuation

Yield CurveInvestment VolatilityForeign Exchange

On/off Balance SheetContingency

LegalComplianceOperationalReputation

Image & Branding ID Theft & Fraud Consumer Employment LawEmployee RelationsCustomer RelationsRegulatory RelationsPublic Relations

Stakeholder Relations

ID Theft & FraudSecurity & PrivacyBusiness ContinuityPhysical Security

VendorsProcess Errors

ConsumerCommercialFiduciary

Money Laundering

Employment LawContracts

Intellectual PropertyLitigation

Financial Reporting

ABC Institution Simple Enterprise Risk Assessment Example (Risks Example #4).

Operatons

Reporting

Compliance

Safeguard of Assets

Risk Impact (AVG.)

Vulnerability

Control Environment

Control Monitoring

Risk Likelihood (AVG.)

Inherent Risk

(Impact x Vulnerability)

sidual Risk (risk after controls)

(Impact x Likelihood)

Test?

Residual Risk

Risk

Tested?

Risk Universe

(Resid

PRIOR YEARLoans Lns 5 5 4 3 4.25 5 2 2 3.00 21.25 H 12.75 M Yes (I/A) 20.00 H Yes

ALLL ALLL 4 3 4 5 4.00 5 3 2 3.25 20.00 H 13.00 M ‐             19.00 H Yes

Investments Inv 3 4 3 3 3.25 4 2 3 3.25 13.00 M 10.56 M ‐             16.00 M ‐

Deposits Dep 5 5 4 3 4 25 2 1 2 1 75 8 50 L 7 44 L 9 00 M

PRIOR YEAR

Deposits Dep 5 5 4 3 4.25 2 1 2 1.75 8.50 L 7.44 L ‐           9.00 M ‐Internet Banking IntBk 5 4 3 4 4.00 4 2 3 2.75 16.00 H 11.00 M Yes (I/A) 12.00 L ‐

Debit Cards Debit 4 3 3 4 3.50 4 2 4 3.25 14.00 H 11.38 M ‐             13.00 M ‐

ACH ACH 3 3 3 3 3.00 2 2 3 2.50 6.00 L 7.50 L ‐             5.00 M YesWire Transfers Wires 3 2 4 4 3.25 3 1 3 2.50 9.75 M 8.13 L Yes (I/A) 8.00 H ‐Debit Cards 4 3 3 4 3.50 3 1 2 2.00 10.50 M 7.00 LItem Proc., Br Cap IP 3 2 2 3 2.50 2 1 3 2.25 5.00 L 5.63 L ‐             4.00 H ‐

General Ledger GL 4 4 3 4 3.75 4 2 3 2.75 15.00 H 10.31 M ‐             11.00 H ‐

ALM/IRR ALM 4 4 4 3 3.75 4 3 3 3.50 15.00 H 13.13 M Yes (Ext.) 16.00 H ‐

AVP, Punch & Disb AP 4 3 3 74 3.50 3 2 3 2.75 10.50 M 9.63 M ‐             10.00 M ‐

EDP EDP 5 3 4 3 3.75 3 1 2 2.25 11.25 M 8.44 L ‐             12.00 M ‐

BSA BSA 5 3 5 4 4.25 4 1 3 2.75 17.00 H 11.69 M ‐             16.00 H ‐Compliance Comp 4 3 4 4 3.75 3 1 2 2.00 11.25 M 7.50 L Yes (Ext.) 12.00 M ‐

Collections Coll 4 2 3 2 2.75 3 2 3 2.75 8.25 L 7.56 L ‐             ‐ ‐ ‐

Impact Risk Likelihood (vVulnerability/Control) From To RiskNegligible 1 Remote / Excellent 1 8.99 Low

Low 2 Unlikely / Good 9 13.99 ModModerate 3 Possible / Fair 14 25.00 High

High 4 Probable / Needs ImprovementExtreme 5 Certain / Does Not ExistExtreme 5 Certain / Does Not Exist

Risk Management Continuum

Strategic

• Proactive board and senior t i l t

Reactive

Aware

• Some board and senior 

management involvement

• Risk managed and assessed across entire organization

Reactive• Lack of Board or senior

management emphasis on risk

• No common risk lingo

management support

• Risk leader identified

• Periodic risk profiling

• Common language and approach used and understood

• Real time analysis of risk• Stove‐pipe risk management• Ad hoc approach• Missing coverage of risk 

areas

• Key risks defined in common vocabulary

• Recognized need for ERM

• Real‐time analysis of risk portfolio (real‐time KRIs)

• Recognized need for ERM

Most companies straddleGoal

Risk Assessment Cycle

Identify risk & t l

*Shows a snapshot of the pulse of enterprise risk management at –

a‐glance

controls

Assess exposures and 

control ff ti

Board of Directors

*Report;  reassess risks & 

ratings

effectiveness

Risk Assessment

Determine corrective action(s)

Management Certification

Test Controls *Track Project & Task priority, status, due dates hours

*Record testing scope, conclusion and 

recommendation(s)

dates, hours

Governance and Management StructureRisk View

HCredit Risk

Interest Rate Risk

Liquidity Risk

Operational Risk

Information Technology 

Risk

Human 

Capital

Compliance Risk

Legal Risk

Strategic Risk

Reputation Risk

Board Credit  Finance Committee Audit Committee

Ethics Committee

BSA/ComplianceCommittee

Strategic Planning Committee

ERM

Audit Committee

Risk Categories

Board of Di t Committee

Credit Polity

Funds Management Policy

Operational Risk Policy

IT Policies

Human Capital Risk Policy

Committee

Compliance Program

Legal Policy

Committee

Strategic Risk Policy

Reputation Risk Policy

ERM Policy

Internal Audit Charter

Directors

Risk Management 

Policies

Executive Loan 

Committee

Chief 

ALCO

Chief Financial

Security & Cont. Plan & 

Mgt. Committees

Technology Steering 

Committee

Senior Chief

HR/Compen‐sation 

Committee

SVP, 

Management Committee

Director of  Legal

Management CommitteeEnterprise Risk ManagementCommittee

Senior Management Committees

Senior Credit Officer

Chief Financial Officer

Senior Operations Officer

Chief Information 

Officer

,Human 

ResourcesRegulatory Risk Mgt.

Legal Director Chief Risk Officer Chief Risk OfficerManagement 

Officers

*Audit Committee sole committee composed of strictly outside directors

Assessed Risk Reporting: Risk Mapping

l bl l f• Heat Maps are a valuable tool for communicating/reporting risks• Chart both likelihood/probability and severity/impact• Chart both likelihood/probability and severity/impact

Heat Map Portrayal of Inherent Risks

92 4 Mitigation Risk

Not Mitigated

Impact(Severity)

10

1 7

38

Marginal Mitigation

6

5

8

Sufficient/Acceptable

Likelihood (Probability of Occurrence)

Risk Event:1. ‐‐‐‐‐2. ‐‐‐‐‐3. ‐‐‐‐‐44. ‐‐‐‐‐5. ‐‐‐‐‐

ERM IMPLEMENTATION PHASE 3 –REFINING

Building Your ERM Roadmap/Implementation Plan: STEP #3 – REFINING

A. Plan for Remediation of Gaps/Execution• What are you doing to address the immediate risks?  (What’s the risk response – Tolerate, Terminate Transfer or Treat?)Terminate, Transfer, or Treat?)

• What controls will be in place going forward to monitor the risks? • Develop recommendations to remediate gaps• What Key Risk Identifiers (KRI’s) have you identified (or intend to indentify) going forward?• Cement consensus, buy‐in among key stakeholders• Further define plan owners, roles and responsibilities for execution, timelines, resource alignment

• Memorialize project plan

B E h D fi iti f “Ri k A tit ” f I tit tiB. Enhance Definition of “Risk Appetite” for Institutions• Quantifying risk

C. Enhance Reportingf• What will reporting to executive management and the Board look like going forward?  

• Ongoing monitoring of implementation progress with board‐level accountability• Benchmark vs. industry leaders in this area as well as peers

Self Evaluation Approach for Identifying Gaps to Remediate

• Organize subject‐matter experts in each of the institution’s risk categories and at the ERM level.

Facilitate a discussion of the bank’s risk categories– Facilitate a discussion of the bank s risk categories.• Review factors underlying the seven elements of a risk management 

process* in each risk category relative to best practices.• Comprehensive evaluation of bank’s risk management processes.p g p• Prepare detailed report with findings, observations and recommendations 

in respective risk categories.• Major conclusions and recommendations to create final report.

R d ti /A ti Pl /I l t ti• Recommendations/Action Plan/Implementation– Management Risk Comm.– Board Risk Comm.

Elements of Risk Appetite

Existing RiskThe existing level and distribution of risks 

i k t i ( fi i l i k k tExisting Risk Profile

across risk categories (e.g. financial risk, market risk, operational risk, reputation risk, etc. Determination 

of Risk Appetite (the amount of risk an

Risk Capacity The Maximum risk a firm may bear and remain solvent

(the amount of risk an entity is willing to 

accept in the pursuit of value)

Risk ToleranceAcceptable levels of variations an entity is willing to accept around specific objectives

Desired Level of Risk What is the Desired risk / return level

Ways to Define Risk Appetite

Quantitative Clearly defined measureCan be cascaded to business units

l l f i l d fFor example, loss of capital or degree of volatility in earnings

Qualitative Not all risks can be accurately/crediblymeasuredmeasuredFor example, risk of damage to reputation

Zero Tolerance A subset which can be very clearly defineddefinedFor example, loss of life or violation of laws

Create An Ideal Roster of Risk Reports

EXAMPLES: • A  high‐level summary of the top risks for the enterprise as a whole; 

b k d b h l dbroken down by operating unit, geographic locations, product group, etc., along with significant gaps in risk management capabilities

• Report of emerging issues or risks that warrant immediate attention• Report of emerging issues or risks that warrant immediate attention• Summary of risk events, e.g., significant exceptions versus policies 

or established limits• Summary of significant changes in key variables beyondSummary of significant changes in key variables beyond 

management’s control (e.g. interest rates, exchange rates, etc.) and the effect on earnings, cash flows, capital, and the business plan.

• Summary of the status of improvement initiatives

Some Examples of External Key Risk Indicators

Industry and Competitor TrendsNumber of CompetitorsNew product or service announcementsPricing Trends

Economic TrendsUnemployment forecastsConsumer spending trendsTrade and foreign policy

Liquidity/Capital MarketsInterest rate trends/forecastsCredit spreads in debt and credit marketsStock market trends and forecasts

Risk events realized by competitorsShifts in customer tastes/trends

Supply Chain Issues Regulatory ChangesSupply Chain IssuesFinancial health of suppliersRisk events at suppliersPricing trends

Regulatory ChangesAnticipated changes in tax policyNew regulations/restrictionsChanges in key political offices

Some Examples of Internal Key Risk Indicators

Business OperationsTransactions, outputSales volume, failed dealsOperational performance issues

Information TechnologyDisasters, outages, disruptionHelp desk metricsSecurity metricsP j i

ComplianceState of controlsRegulatory inquiries/investigationsLitigation cases

Supply chain/logistics Project metricsIT incidents/investigations, complaintsIT audit issues

Discovery requests

Human Resources Accounting/Finance AuditHuman ResourcesTurnoverHeadcountCorporate training: policies, 

procedures, ethics

Accounting/FinanceAdjustmentsUnsubstantiated balancesMissed deadlinesWrite‐offs

AuditHigh‐risk issues/material weak.Past‐due audit issues

VacanciesSick daysDisciplinary actions

Risk Report Example (KRI Report)

Target KeyBetter Than expected Expected Worse Than Expected N/A

1st qtr

2nd qtr

3rd qtr

4th qtr YTD

1st qtr

2nd qtr

3rd qtr

4th qtr YTD

Average Daily Census Past due over 30 daysAssets per FTE Past due over 60 daysetc Past due over 90 days

Human Resources Credit Quality

etc. Past due over 90 daysetc. Over 90 days and accruing

ALLL/LoansNet charge‐off %, annualized

1st qtr 2nd qtr 3rd qtr 4th qtr YTD TDR's/LoansNet Interest Margin etc

Financial

Net Interest Margin etc.ROA etc.ROE etc.Efficiency Ratio etc.Tangible Book Value

N/A etc.N/A etc.N/A etc.

etc.etc.etc.etc.

IN SUMMARYIN SUMMARY…

No ERM at your Institution?

• It’s happening alreadythis is the business of banking…this is the business of banking

• Start simplyp y…joint Board and Management adventure

l• Focus on Business and Regulators…how to use it to improve processes and performanceperformance…a continuous improvement perspective

Great DUMB Questions

• What happens if…?• Seems like that market is…could that impact us?p• I heard about…do we have risk exposure here?• Does our policy explain what to do if…?• Who is responsible for making sure we don’t ?Who is responsible for making sure we don t…?• Doe we have a limit on…?• What does our strategic plan say about…?• Do you think senior management knows how the Board• Do you think senior management knows how the Board 

feels about that risk?• Are there any other Board members who didn’t 

understand that; I’m not clear about ?understand that; I m not clear about…?• Has anyone around here read the COSO template for 

risk management?

QUESTIONS?

Gabe Nachand

Moss Adams LLP

(503)471‐1277QUESTIONS? (503)471‐1277

gabe.nachand@mossadams.com

Disclaimer Statement

The material appearing in this presentation is for i f i l l d i l l iinformational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant‐client relationship. Although these materials may have been prepared by professionals they should not be used asbeen prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a 

f i l h ld b htprofessional should be sought.