corp risk gov reform

Corporate Risk Governance Reform

1 Peter J Schild

The Broad Steps to Risk Governance Reform

•  Build a case •  Develop a framework •  Perform pilots •  Develop learning strategies •  Implement across the organization

2 Peter J Schild

Change Management

Corporate systems are self-preserving and resistant to change. Only when the need is widely recognized and a solution exists that appears to work does the desire to change exceed the natural tendency to resist it.

3 Peter J Schild

Exploring a Case for Change: Six Questions

Peter J Schild 4

Does the board truly understand the strategic objectives, the top risks the company faces in executing

strategies, and the strength of the processes that keep the board and

senior management informed?

Peter J Schild 5

To evaluate the company’s capacity to achieve objectives, directors need confidence in a system of effective internal controls and the reliability of its maintenance, as well as evidence of widespread attentiveness to risk. They must believe in management’s capacity to stay within the boundaries of established tolerances and to report clearly and concisely when those boundaries are approached.

Peter J Schild 6

Are employees connected to the corporate vision?

Peter J Schild 7

Without the right culture the risk taken can easily exceed the risk intended, regardless of the processes employed to measure and monitor it. The goal is an environment where personal visions connect and employees come to understand and agree with intended outcomes and their individual and team roles in achieving them.

Peter J Schild 8

Are all lines of business that contribute to any given strategic

objective, while likely to be managed separately, evaluated as a complete

set of activities?

Peter J Schild 9

Corporations in their entirety are more than collections of individual activities subject to the separate interests of their components. Operating units work together across the enterprise not in relation to their positions within segments, but according to their relative roles in support of defined strategies.

Peter J Schild 10

Does available capital match the risk appetite?

Peter J Schild 11

Neither capital nor risk can be calculated precisely and confidence in predictable outcomes is necessarily limited; therefore, managing to the measurable alone is insufficient. To provide reasonable assurance that the risk taken is equivalent to the risk intended, enhanced processes of risk evaluation coupled with assessments of human capital must be added to traditional tools of measurement.

Peter J Schild 12

Do all lines of business (particularly support activities) coordinate so that their duties do not overlap and their

reports to the board and senior management are compatible?

Peter J Schild 13

Reliable financial reporting and strict regulatory compliance are unconditional yet costly requirements. Efficient processes that boost coordination and enable leverage across risk, finance, compliance, audit and lines of business are both reasonable expectations and consistent with the imperative of operational effectiveness.

Peter J Schild 14

Does the market perceive corporate governance as a strong point in

evaluating the company’s reputation?

Peter J Schild 15

Disciplined, reliable and comprehensive systems of risk management and corporate governance foster investor confidence in management’s capacity to take and manage risk.

Peter J Schild 16

Deliverables

•  Properly executed, effective risk governance satisfies:   Management’s need for line of business control and supervision   The board’s need for perspective to perform oversight, make

strategic decisions, and evaluate management   Regulatory expectations for effective, observable risk

management practices

•  And leads to:   Efficient processes that enable leverage across finance, risk,

compliance and audit   Market confidence in management’s capacity to take and

manage risk

17 Peter J Schild

Aspirations

•  Enhanced reputation •  Higher P/E multiple •  Increased shareholder value/

market capitalization

If the market’s appraisal of management’s competence is reflected in the amount by which total capitalization exceeds net worth, then enhancing one’s reputation leads to increased shareholder value.

18 Peter J Schild

• Assurance • Facilitation • Verification

Process: Enterprise-wide risk

management principles

• Awareness • Literacy • Accountability

Culture: Employees

who feel connected to the company

Reliable reporting Efficient operations

Compliance with laws

Capital preservation

Clear oversight perspective Observable

governance practices Market & regulatory

confidence Better reputation

Increased shareholder

value

Essential Principles + Employee Connection Yields Increased Shareholder Value

19 Peter J Schild

An Overview of the Central Framework

Peter J Schild 20

•  The operating framework includes:   Employee Engagement   Core Objectives   Uniform Procedures   Shared Corporate Hierarchy   Management & Board Reporting

•  The roles necessary for the framework’s execution and maintenance are:   Assurance of its Effectiveness   Facilitation of its Performance & Upkeep   Verification of its Reliability

Peter J Schild 21

The Central Framework

Employee Engagement: “Once you blow the whistle you can’t inhale.”

(Bill Chadwick, former National Hockey League referee)

Unless those who initiate transactions care about and understand their impact on the company’s risk appetite, the outcome may depart from that which was intended.

How people communicate matters as much as how they measure.

22 Peter J Schild

Employee Engagement

Employee engagement is founded on four principles:   Leadership accountability   Education and awareness   Recruitment and hiring   Development and retention

23 Peter J Schild

Accountability plus literacy produces a shared vision.

Core Objectives

To implement processes that provide for:   Achievable strategies – reasonable

assurance of sustainable results   Reliable financial and non-financial reporting   Effective and efficient operations   Compliance with prevailing laws and

regulations   Preservation of economic and human capital

resources

24 Peter J Schild

Begin with articulating strategic objectives and cycle through identifying, accepting and monitoring risks, determining residual risk, and, based on the results, reaffirming or adjusting risk appetite and strategy.

Peter J Schild 25

Uniform Procedures

Articulate strategic

objectives

Identify inherent

risk

Establish control

activities

Assess and accept

intended risk Monitor

controls/report

actual vs. expected

Determine actual

residual risk

Escalate and resolve exceptions

Evaluate outcomes/

renew strategy

acceptance

Recursive evaluation and reaffirmation

Uniform Procedures

Peter J Schild 26

Inherent Risk, Control Activities, Residual Risk

•  Inherent risk is a function of generic and unique determinative factors that give rise to uncertainty – change, volume, complexity and what can go wrong with an entity’s specific activities.

•  The control environment is the set of activities intended to keep things from going wrong or to raise warnings when they start to.

•  Residual risk is determined by combining the relative level of inherent risk with the observed control effectiveness.

27 Peter J Schild

•  How the enterprise is subdivided into levels of assessable parts starting with all segments and ending with the lowest level of separately managed silos (“operating units”).

•  To assure efficient communication and consistency of reporting, a common hierarchy should be shared by the entire enterprise (especially Finance, Risk, Compliance and Audit), at least to the point that they can map their individual procedures to the shared hierarchy.

Peter J Schild 28

Corporate Hierarchy

Segment 1

Line of Business 1

Operating unit 1

Operating unit 2

Operating unit 3

Line of Business 2

Operating unit 4

Operating unit 5

Corporate Hierarchy

Level I Level II Level III Enterprise

Segments: 1 2 3 4 5 6 7 8 9

Peter J Schild 29

•  Information travels many paths to reach senior management and the board

•  Coordinating the diverse sources of data while respecting their distinct voices requires deliberate structure and dedicated resources

•  Oversight is only as effective as the clarity of knowledge necessary to exercise it

Peter J Schild 30

Senior Management & Board Reporting

Two innovative groups help to promote senior management literacy and enhance board reporting:   Senior Risk Committee: chaired by CEO, comprised

of Chief Operating Officer, Chief Risk Officer, Chief Audit Executive, Chief Financial Officer, General Counsel, Head of HR...

  Risk Governance Council: chaired by CRO, comprised of CAE, Chief Accounting Officer, Heads of Operational, Credit & Market Risk, Chief Compliance Officer...

Peter J Schild 31

Senior Risk Committee & Risk Governance Council

•  No formal agenda, meet periodically (e.g., monthly)

•  Review high and emerging risks to strategies, incidents and incident responses; discuss economic and human capital resource allocations; renew commitments to intended risk

Peter J Schild 32

Senior Risk Committee

•  Provide assurance to senior management and the board that residual risk across the enterprise is continuously monitored

•  Determine that residual risk is based on actual, as opposed to expected, internal control environments

•  Examine identified control weaknesses for potential damage; recommend changes to accepted risk tolerances, both up and down

•  Calibrate risk tolerance by clarifying choices among reducing inherent risk, tightening controls, or allowing greater residual risk, and present analysis to Senior Risk Committee

Peter J Schild 33

Risk Governance Council

Board of Directors

Senior Risk Committee

Credit Risk Committee

Market Risk Committee

Operational Risk

Committee

Internal Audit

Risk Governance

Council

Peter J Schild 34

Senior Committee Organizational Structure

Apply the Framework

1  In each entity of the hierarchy… 2  execute the uniform procedures… 3  to determine whether the objectives are being

met.

The resulting database includes, by operating unit, inherent risks, control environment evaluations, control exceptions, and residual risks

35 Peter J Schild

Systems Thinking

•  While complete in their silos, operating units – entities of sales and support – work together, not only according to their individual nature, but also according to their relative roles and positions in the system.

•  Inherent delays between actions and outcomes naturally give rise to unintended consequences because actions taken in one part do not affect all related parts at the same time, but do so at the pace of their movement through the system.

•  By delivering consistent assessments of each of the parts and enabling an assembled view of the whole, the framework provides perspective that augments preparation, anticipation, response, and recovery.

36 Peter J Schild

Manage by Segment

Oversee by Strategy

A

B

C

D

Line of Business 1

Technology

Legal/Com

pliance

Hum

an Resources

Finance

Operations

Line of Business 2

Line of Business 3

Risk M

anagement

Management

1 2 3 4 5 6 7 8 9

37 Peter J Schild

Presentation Format: Segment Risk

•  The following slide is a compilation of individual assessments of all operating units within a sample segment: Technology.

•  It displays how control concerns in separate parts affect the entire segment.

•  Risk tolerance can be defined as the intended risk – the inherent risk intentionally taken with the assumption of an acceptable control environment.

•  Comparing actual risk to intended risk presents senior management and the board the opportunity to quickly evaluate the segment capacity to take on additional risk, such as new products, strategies or acquisitions.

38 Peter J Schild

Strategy Inherent Risk

+ Tested Control Environment

= Residual (Actual) Risk

Intended Risk*

A B C D Composite Segment

Peter J Schild 39

Actual vs. Intended Risk: Technology Segment

* Inherent Risk + Acceptable Control Environment = Intended Risk

Risk Control Environment Low Acceptable Medium Marginal High Unacceptable

Manage by Segment 1 2 3 4 5 6 7 8 9

Oversee by Strategy

A

B

C

D

Line of Business 1

Technology

Legal/Com

pliance

Hum

an Resources

Finance

Operations

Line of Business 2

Line of Business 3

Risk M

anagement

Oversight

40 Peter J Schild

Presentation Format: Strategy Risk

•  The following slide is a compilation of individual assessments of interdependent entities engaged in the execution of a particular strategy (a “strategic domain”) .

•  It displays how control concerns in separate parts affect the strategy.

•  Comparing actual risk to intended risk presents senior management and the board the opportunity to quickly evaluate strategies and determine exactly where they need to focus their attention to increase assurance that strategies are most likely to achieve intended objectives.

41 Peter J Schild

Strategic Domain: Operating units

Inherent Risk

+ Tested Control Environment

= Residual (Actual) Risk

Intended Risk*

Line of Business Finance Technology Operations Compliance Human Resources Risk Management

Peter J Schild 42

Actual vs. Intended Risk: Strategy “A”

* Inherent Risk + Acceptable Control Environment = Intended Risk

Risk Control Environment Low Acceptable Medium Marginal High Unacceptable

Is This What We Want? •  Both inherent and residual risk are important to monitor –

well-managed/high inherent or poorly managed/low inherent can each lead to unacceptable outcomes.

•  In its silo, the line of business may be well-managed; but if other components of the strategy exhibit high residual risk, the overall risk may exceed that which was intended.

•  Decision: resolve the control issues, reduce the inherent risk, or accept the residual risk.

•  Comparing segment and strategy evaluations:   Are any operating units stressed supporting multiple strategies?   Are economic and human capital resources distributed most

favorably? 43 Peter J Schild

Four Key Roles to Execute and Sustain 1  Monitor employee engagement – a function of human resources. As with

any initiative, employee engagement must be tracked and tested to evaluate the depth of its understanding and fulfillment.

2  Assure effectiveness – to align accountability with ownership, lines of business should be responsible for assurance by attesting to the design and operating effectiveness of their identified controls, and for reporting and resolving exceptions.

3  Facilitate performance and upkeep – a discrete risk management function is desirable to facilitate process execution through focused support units that consult on building, implementing, and maintaining the framework. Risk units serve as a central clearing organization for retaining shared databases, and promote replication of the pattern of evaluation and reporting across the enterprise.

4  Verify continued reliability – internal audit verifies through independent, objective oversight that management’s assurances can be relied upon, internal controls are designed and operating as reported by management, exceptions are appropriately escalated, and practicable resolutions are prescribed and on track.

44 Peter J Schild

Perform Pilots in Selected Business Units

45 Peter J Schild

Develop Learning Strategies

46 Peter J Schild

Implement Across the Organization

47 Peter J Schild