Building an ERM Framework for Credit Unions
DESCRIPTION
This presentation highlights Doxim's Best Practices for building an ERM framework for Credit Unions. See how Doxim's RiskManager can help facilitate the effective management of an ERM Program. Visit www.doxim.com for more information.
TRANSCRIPT
Building an ERM Framework
Enterprise Risk Management
Agenda
Enterprise Risk Management (ERM) Defined
ERM Regulatory Landscape
Building an ERM Framework
ERM Key Success Factors
Q & A session
Doxim Inc.
• Established in 2000
• Headquarters in Toronto, Canada
• Serving hundreds of clients: financial services & service providers
• Growth: solid recurring revenue business model
• SaaS delivery model
• Platforms: automated document processing, ECM, client onboarding and ERM solutions
• Highly available, redundant cloud computing platform
MNP LLP
Founded in 1945
7th largest accountancy and advisory firm in Canada
80 locations and 3,000 team members
MNP LLP – Enterprise Risk Services
Enterprise Risk service line:
Enterprise Risk Management
Regulatory Compliance
Technology Risk
Internal Audit
Business Resilience
Security & Forensics
What is ERM?
Enterprise Risk Management (ERM) is a rigorous and coordinated approach to assessing and responding to all the risks (both upside and downside) that affect the achievement of an organization’s objectives
Siloed Risk Management
Organizations typically undertake some risk management activities but may lack an integrated and disciplined process
Financial
Reputation Human Resource
IT
Political
Environmental
Insurance
Regulatory
Strategic
Business Interruption
Leading ERM Methodology
(ISO 31000) (AS/NZS 4360)
What is ERM Governance?
Risk Governance is about three things:
1. Understanding limits of acceptable risk
2. Providing confidence and guidance to management
3. Anticipating events to position firm for success
(National Association of Corporate Directors Blue Ribbon Commission on Risk Governance, 2009)
ERM Value Proposition
No Big Surprises
Early Warning Systems: systematically identify, assess and prioritize risks; avoid unrewarded risks; promote organizational learning among management; reduce chance of repeat problems
No Big Mistakes
Operational Resilience: provide assurance that key risks are understood and mitigated; prevent and rapidly respond to potential catastrophic failures; secure and protect staff, processes, and technology; align organizational goals with stakeholder requirements
No Big Missed Opportunities
Enhance Organizational Value: seek growth, ensuring threats are understood and vulnerabilities are mitigated; accelerate ability to respond to change and opportunities; identify opportunities to improve performance and reduce costs
Global Financial Crisis
Conditions triggered economic downward spiral:
Sub-prime meltdown
Liquidity crisis
Extreme market volatility
Repercussions spread to broader economy:
Global credit market constriction
Reduced consumer demand
Volatile commodity prices, currencies and stock prices
ERM Outcome
Balancing risk/reward more challenging
Risk is more complex, interconnected and potentially devastating than ever before
Companies are re-assessing strategies for responding to challenges and pressures
Board risk oversight function has taken centre stage!
ERM Regulatory Landscape
Canada: National Policy 58-201 (2005)
Board should adopt mandate explicitly acknowledging responsibility for:
Adopting strategic plan that takes opportunities and risks of the business into account
Identification of principal risks, and ensuring implementation of appropriate systems to manage these risks
ERM Regulatory Landscape
Basel (2011): Principles for Sound Operational Risk Management
Board and senior management should establish a strong risk management culture with standards and incentives for responsible behaviour:
Requires Framework for operational risk that is fully integrated with overall risk management processes
Boards must periodically review Framework and approve risk appetite and tolerance statements for operational risk
Defined risk policies must be in place
Public disclosure of risk management practices required
ERM Regulatory Landscape
Canada: DICO By-law 5 (2011)
Class 2 Credit Unions must have a comprehensive ERM Framework in place (scaled to size, complexity and risk profile)
Class 1 Credit Unions required to implement and monitor prudent risk management policies for significant risks
Building an ERM Framework
Risk Framework enables objectives, risks and control to be aligned throughout the organization
It harnesses the power of the enterprise to work towards the achievement of organizational strategy and objectives
It builds risk management and control into every day business activities at all levels of the organization
MNP’s ERM Methodology
Risk management must be viewed as a process, not an event (ISO 31000)
[Diagram: ERM process cycle. ISO 31000 phases: Risk Assessment, Risk Treatment, Response Monitoring, Optimization. Framework steps: ERM Risk Management Framework; ERM Risk Assessment; Develop ERM Prevention & Response Strategies; Design & Implement Solutions; Monitor ERM Compliance & Performance; Continuous Improvement]
ERM Framework Roadmap
Dimensions of a Risk Management Framework
Risk Culture & Policies: Organizational Mindset; Tone at the Top; Standards/Protocols; Risk Appetite & Tolerance
Infrastructure & Organization: Authority, Responsibility & Accountability; Bottom-up Structure; Top-down Structure
Resources & Capabilities: Installing Centres of Competency; Communication & Awareness; Learning & Education; Monitoring Functions
Tools & Techniques: tools & techniques to support the efficient & effective identification, measurement, management & reporting of risk
ERM Framework Roadmap
Key activities:
Gain Executive and Board level commitment for ERM Framework
Establish the risk management philosophy and develop a risk management policy
Communicate the ERM initiative and policy to management and staff
Review current risk management practices
Determine risk appetite and risk tolerances
Risk Appetite & Risk Tolerance
Corporate Strategy is governed by the willingness of an organization to accept risk in the pursuit of value creation
Risk Appetite establishes the boundaries for the broad risk taking activities of the organization
Guidepost in strategy setting
Reflects entity’s risk management philosophy
Can be qualitative or quantitative
Risk Appetite & Risk Tolerance
Risk Tolerance is the level of variation an organization is willing to accept around the achievement of objectives:
Generally quantitative (measured the same as related objectives)
Considers relative importance of objectives (aligns with risk appetite)
Performance measures used to ensure results adhere to tolerances
ERM Framework Roadmap
Define mandates, roles & responsibilities and assign and/or hire personnel
ERM Roles & Responsibilities
Board: Governance, Assure Stakeholders
Executive: Tone at the Top, Policy, Set Risk Appetite, Monitor reporting, Performance Management
Corporate Risk Department: Risk Process, Tools, Advice, Monitoring, Develop & Train Risk Champions, Ensure Quality and Ownership, Escalating, Reporting to Board
Risk Champions: Facilitate Risk Management Process at Site or for a Function
Risk Owners: Ensure mitigation action plans undertaken; Confirm quality of the assessment, monitoring and status reporting of their risks
All Employees: Identify / Assess / Mitigate / Monitor / Escalate
ERM Framework Roadmap
Develop training and awareness programs for personnel with key risk management roles
Roll out program to all staff and management
ERM Framework Roadmap
Establish context
Establishing the Context
Vision: What we want to be?
Mission: How we want to get there?
Values: What is important to us?
Strategy: What is our game plan?
Strategic Initiatives: What are the objectives and priorities?
Risk Management: What are the risks that will impact our objectives?
Strategy Execution: How are we going to accomplish what needs to be done?
ERM Framework Roadmap
Develop risk identification, assessment and risk treatment processes
Ongoing – escalation of new risks
Annual self-assessment
Credit Union Risk Universe (Value Chain)
EXTERNAL CONDITIONS
Business Setting: Social/Economic (global and local market stability; demographics); Political (government fiscal and monetary policy; regulatory developments); Competition (financial services industry); Technological Advancement; Provincial expansions; Accounting standards (IFRS)
INTERNAL CONDITIONS
Operational: Fraud (money laundering, identity theft, debit card skimming, etc.); Business Continuity; Insurance; Physical Infrastructure / Facilities; Capital Project Management; Third Party Reliance / Outsourcing; Member satisfaction; New Product Introduction; Financial Reporting & Disclosure; Financial, Scenario & Operational Planning; Financial Policies (accounting standards compliance); Branch Controls
Financial: Market risk; Liquidity and Funding; Foreign Exchange; Capital Management; Structural (asset/liability matching); Interest Rates
Compliance: Regulatory (DICO, Basel II Accord, Bill C-10, credit card interchange fees, Federal Bank Act, OSFI, etc.); Legal (including contract management); Employment; Privacy
IT: Systems Capacity & Availability; IT Disaster Recovery; Security Strategy & Architecture; Reliability & Efficiency; Information Systems; System Conversions; Innovation / Emerging Technology
Human Resources: Staffing Levels & Skills; Development, Performance & Succession; Recruitment & Retention; Compensation & Incentives (Executive); Employee Satisfaction; Employee Conduct
Lending: Lending evaluation (commercial / personal); Credit default; Credit concentration; Environmental (e.g. member purchase of contaminated property)
Strategic: Corporate Governance & Board Effectiveness; Transparency & Financial Integrity; Strategy Development & Implementation; Strategic Partnerships & Relationships; Performance Measurement; Reputation/Brand; Mergers/Acquisitions, Divestitures; Distribution Networks (branch openings, ATM, on-line banking, insurance, etc.)
Cultural: Goal Alignment; Communication; Change Management; Ethics & Values; Social Responsibility; Accountabilities & Empowerment
Sample Likelihood Scores
Likelihood Score | Descriptor | Probability of occurrence
1 | Improbable/Remote | < 5% in one year or once in 20 years
2 | Unlikely/Might Happen | 4% to 20% in one year or once in 15-20 years
3 | Possible | 20% to 40% in one year or once in 10-15 years
4 | Good Chance | 40% to 50% in one year or once in every 5 years
5 | Probable/Likely | 50% to 80% in one year or once in every 5 years
6 | Definitely/Certain | > 80% in one year or once every 1-2 years
Source: DICO ERM Application Guide
Sample Impact Scores
Impact Score | Descriptor | Quantitative Impact | Qualitative Impact
1 | Minimal or Insignificant | $ or % of dollar loss; no members lost | Insignificant impact on capital; no loss to reputation; negligible effect on members; no regulatory consequences; no service disruption
2 | Slight or Minor | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost | Minor impact on capital; adverse reaction by affected members; few members affected; business disruption < 1 day
3 | Moderate | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost | Minor impact on capital; adverse reaction by members; some members affected; regulatory attention; business disruption > 1 but less than 2 days
4 | High | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost | Material impact on capital; adverse reaction in news; many members affected; regulatory warning; business disruption 2-7 days
5 | Very High | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost | Major impact on capital; adverse reaction in news; most members affected; regulatory intervention; business disruption longer than 7 days
6 | Severe or Catastrophic | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost | Catastrophic impact on capital; loss of reputation; all members affected; cease operations; cannot recover service
Source: DICO ERM Application Guide
Risk Assessment – Severity Matrix
RISK RATING MATRIX
Likelihood rating (rows) against impact rating 1 to 5 (columns). Each cell gives the severity (L = low, M = medium, H = high) followed by its rank; rank 1 (likelihood A, impact 5) is the most severe of the 25 cells.
Likelihood rating | Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5
A: Happens all the time with high certainty. Will happen with very high certainty. | L18 | M11 | H6 | H3 | H1
B: Happens frequently with high certainty. Will happen with high certainty. | L20 | M14 | M10 | H4 | H2
C: It could happen. Seen it happen before. | L22 | L19 | M12 | H7 | H5
D: Reasonably certain it won't happen. It may happen at some point. | L24 | L21 | M15 | M13 | H8
E: Doubt it could happen. May occur in exceptional circumstances. | L25 | L23 | M17 | M16 | H9
Impact rating scales (columns 1 to 5):
Dollar Impact: Revenue (variance to budgeted ounces) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Dollar Impact: Cost (variance to budgeted costs) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Project Schedule Delay | < 2 weeks | 2 - 4 weeks | 1 - 3 months | 3 - 6 months | > 6 months
Project Budget (variance to budgeted costs) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Value (reduction to NPV) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Licence to Operate (legislation, laws, regulations that cause) | Increased reporting standards and regulatory burden | Fall out of compliance and increasing scrutiny from regulators | Temporary shut down and operating uncertainty | Temporary closure | Complete shutdown
Stakeholder Relations & Reputation (opposition) | Potential stakeholder opposition | Some stakeholder opposition | Moderate stakeholder opposition and bad publicity | Strong stakeholder opposition and operational interruptions | Vehement stakeholder opposition
Stakeholder Relations & Reputation (confidence) | No impact on stakeholder confidence in management of the company | Limited impact on stakeholder confidence in management of the company | Medium impact on stakeholder confidence in management of company | High impact on stakeholder confidence in management of company | Loss of stakeholder confidence in management of company
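A worked example of applying this matrix, added here and not part of the deck or of Doxim's or MNP's tooling: it encodes the cell ranks above, derives L/M/H from the rank (the matrix prints H for ranks 1-9, M for 10-17 and L for 18-25), maps a percentage variance to budget onto the five impact columns, and ranks a risk register against a risk appetite. The sample register entries and the appetite threshold (any cell ranked 9 or better breaches appetite) are assumptions for illustration.

```python
# Rank of each cell in the RISK RATING MATRIX above: rows are likelihood
# ratings A..E, columns are impact ratings 1..5, rank 1 is the most severe.
MATRIX_RANK = {
    "A": (18, 11, 6, 3, 1),
    "B": (20, 14, 10, 4, 2),
    "C": (22, 19, 12, 7, 5),
    "D": (24, 21, 15, 13, 8),
    "E": (25, 23, 17, 16, 9),
}
# Dollar-impact bands from the matrix: upper bound of % variance -> rating.
VARIANCE_BANDS = ((1.0, 1), (5.0, 2), (20.0, 3), (50.0, 4))

def impact_rating(variance_pct: float) -> int:
    """Map a % variance to budget (revenue, cost, NPV) onto impact ratings 1..5."""
    for upper, rating in VARIANCE_BANDS:
        if variance_pct < upper:
            return rating
    return 5  # > 50 %

def severity(rank: int) -> str:
    """L/M/H as printed in the matrix: H is ranks 1-9, M 10-17, L 18-25."""
    if rank <= 9:
        return "H"
    return "M" if rank <= 17 else "L"

def score(likelihood: str, impact: int) -> tuple:
    """Return (severity, rank) for likelihood A..E and impact 1..5."""
    rank = MATRIX_RANK[likelihood.upper()][impact - 1]
    return severity(rank), rank

def rank_register(register, appetite_rank):
    """register: (name, likelihood A..E, expected % variance to budget) tuples.
    Score each, sort most severe first, and flag ranks at or better than
    appetite_rank as breaching risk appetite (needs an owner and treatment)."""
    rows = []
    for name, likelihood, variance_pct in register:
        sev, rank = score(likelihood, impact_rating(variance_pct))
        rows.append((rank, sev, name, rank <= appetite_rank))
    return sorted(rows)

# Constructed sample register; names and values are hypothetical.
SAMPLE = [
    ("Debit card skimming losses", "B", 3.0),
    ("Core banking system conversion overrun", "C", 25.0),
    ("Liquidity shortfall in a funding squeeze", "D", 60.0),
    ("Branch facilities damage", "E", 2.0),
]

if __name__ == "__main__":
    for rank, sev, name, breach in rank_register(SAMPLE, appetite_rank=9):
        print(f"{sev}{rank:>2} {'BREACH' if breach else '      '} {name}")
```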
Doxim RiskManager
Doxim RiskManager for ERM
Talking with our Credit Union customers over the past 12-plus months, Doxim has identified a need within the CU space:
Regulatory mandates are driving need to implement ERM (DICO, DGCM, CUDIC, etc.)
Subset of risk management imperative
Difficult to manage manually
Need a cost effective, purpose built tool
Doxim RiskManager:
Best of breed, cloud based solution
Easy to use, secure, collaborative
Manage all risks across a Credit Union
Doxim RiskManager Demo
Demo of key capabilities aligned with the ERM Roadmap:
Strategic drivers: work from your strategic drivers out
Understand risk universe: align all risks under the strategic drivers
Manage and resource your risks: identify inherent likelihood and impact; compare risk scores to risk appetite; identify the risk owners; develop risk responses
Risk monitoring/reporting: dashboards and reporting
Optimization: continuous improvement
ERM Framework Roadmap
Develop risk monitoring processes:
Identify risks that need to be monitored
Establish risk indicators
Assign responsible party and establish frequency for monitoring risk indicators
ERM Framework Roadmap
Develop risk reporting processes: regular ongoing reporting; exception reporting
Develop risk management tools (templates or software)
Continuous improvement
Doxim RiskManager
Doxim RiskManager Benefits
SaaS solution = monthly fee vs big upfront investment
Priced for the Credit Union marketplace
Fully scalable for any sized organization
Secure multi-tenant environment ensures data privacy
Pre-built content: DICO, DGCM and other provincial ERM regulations framework preloaded
Facilitates collaboration across departments/locations
Doxim RiskManager Benefits
One version for all users
Not a black box
Universal accessibility and visibility
Supports multi-user access
Flexible, real time reporting: pre-built and ad hoc; custom dashboards
Multiple user levels, i.e. admin, user & view only
User based permissions
What Does Success Look Like?
Tone set at the top
Risk management integrated within decision-making
Risk management linked to performance management
Proactive risk assessment, monitoring and reporting
Risk Management embedded in business processes
Contact Information
For ERM consultation and workshops:
Ingrid Robinson, MFAc, CPA, CIA, CRMA, Senior Manager, Enterprise Risk Services, MNP [email protected]
For ERM Solution, Doxim RiskManager Inquiries:
Sharon Russell, Enterprise Risk Manager, Privacy [email protected]
Connect With Us
facebook.com/doxim
@Doxim_Inc
linkedin.com/company/doxim-inc.
doxim.com/blog
youtube.com/doximTV
www.doxim.com