Building an ERM Framework for Credit Unions


Upload: doxim-inc

Post on 07-May-2015


Category: Economy & Finance



DESCRIPTION

This presentation highlights Doxim's Best Practices for building an ERM framework for Credit Unions. See how Doxim's RiskManager can help facilitate the effective management of an ERM Program. Visit www.doxim.com for more information.

TRANSCRIPT

Page 1: Building an ERM Framework for Credit Unions

Building an ERM Framework

Enterprise Risk Management

Page 2: Building an ERM Framework for Credit Unions

Agenda

• Enterprise Risk Management (ERM) Defined
• ERM Regulatory Landscape
• Building an ERM Framework
• ERM Key Success Factors
• Q & A session

Page 3: Building an ERM Framework for Credit Unions

Doxim Inc.

• Established in 2000
• Headquarters in Toronto, Canada
• Serving hundreds of clients: Financial services & service providers
• Growth: Solid recurring revenue business model
• SaaS delivery model
• Platforms: Automated document processing, ECM, client onboarding and ERM solutions
• Highly available, redundant cloud computing platform

Page 4: Building an ERM Framework for Credit Unions

MNP LLP

• Founded in 1945
• 7th largest accountancy and advisory firm in Canada
• 80 locations and 3,000 team members

Page 5: Building an ERM Framework for Credit Unions

MNP LLP – Enterprise Risk Services

Enterprise Risk service line:
• Enterprise Risk Management
• Regulatory Compliance
• Technology Risk
• Internal Audit
• Business Resilience
• Security & Forensics

Page 6: Building an ERM Framework for Credit Unions

What is ERM?

Enterprise Risk Management (ERM) is a rigorous and coordinated approach to assessing and responding to all the risks (both upside and downside) that affect the achievement of an organization’s objectives

Page 7: Building an ERM Framework for Credit Unions

Siloed Risk Management

Organizations typically undertake some risk management activities but may lack an integrated and disciplined process

• Financial
• Reputation
• Human Resource
• IT
• Political
• Environmental
• Insurance
• Regulatory
• Strategic
• Business Interruption

Page 8: Building an ERM Framework for Credit Unions

Leading ERM Methodology

(ISO 31000) (AS/NZS 4360)

Page 9: Building an ERM Framework for Credit Unions

What is ERM Governance?

Risk Governance is about three things:

1. Understanding limits of acceptable risk

2. Providing confidence and guidance to management

3. Anticipating events to position firm for success

(National Association of Corporate Directors Blue Ribbon Commission on Risk Governance, 2009)

Page 10: Building an ERM Framework for Credit Unions

ERM Value Proposition

No Big Surprises / No Big Mistakes / No Big Missed Opportunities

Early Warning Systems
• Systematically identify, assess and prioritize risks
• Avoid unrewarded risks
• Promote organizational learning among management
• Reduce chance of repeat problems

Operational Resilience
• Provide assurance that key risks are understood and mitigated
• Prevent and rapidly respond to potential catastrophic failures
• Secure and protect staff, processes, and technology
• Align organizational goals with stakeholder requirements

Enhance Organizational Value
• Seek growth, ensuring threats are understood and vulnerabilities are mitigated
• Accelerate ability to respond to change and opportunities
• Identify opportunities to improve performance and reduce costs

Page 11: Building an ERM Framework for Credit Unions

Global Financial Crisis

Conditions triggered economic downward spiral:

Sub-prime meltdown

Liquidity crisis

Extreme market volatility

Repercussions spread to broader economy:

Global credit market constriction

Reduced consumer demand

Volatile commodity prices, currencies and stock prices

Page 12: Building an ERM Framework for Credit Unions

ERM Outcome

Balancing risk/reward more challenging

Risk is more complex, interconnected and potentially devastating than ever before

Companies are re-assessing strategies for responding to challenges and pressures

Board risk oversight function has taken centre stage!

Page 13: Building an ERM Framework for Credit Unions

ERM Regulatory Landscape

Canada: National Policy 58-201 (2005)

Board should adopt mandate explicitly acknowledging responsibility for:
• Adopting strategic plan that takes opportunities and risks of the business into account
• Identification of principal risks, and ensuring implementation of appropriate systems to manage these risks

Page 14: Building an ERM Framework for Credit Unions

ERM Regulatory Landscape

Basel (2011): Principles for Sound Operational Risk Management

Board and senior management should establish a strong risk management culture with standards and incentives for responsible behaviour:
• Requires Framework for operational risk that is fully integrated with overall risk management processes
• Boards must periodically review Framework and approve risk appetite and tolerance statements for operational risk
• Defined risk policies must be in place
• Public disclosure of risk management practices required

Page 15: Building an ERM Framework for Credit Unions

ERM Regulatory Landscape

Canada: DICO By-law 5 (2011)

• Class 2 Credit Unions must have a comprehensive ERM Framework in place (scaled to size, complexity and risk profile)
• Class 1 Credit Unions required to implement and monitor prudent risk management policies for significant risks

Page 16: Building an ERM Framework for Credit Unions

Building an ERM Framework

Risk Framework enables objectives, risks and control to be aligned throughout the organization

It harnesses the power of the enterprise to work towards the achievement of organizational strategy and objectives

It builds risk management and control into every day business activities at all levels of the organization

Page 17: Building an ERM Framework for Credit Unions

MNP’s ERM Methodology

Risk management must be viewed as a process, not an event (ISO 31000)

[Diagram: ERM process cycle. Step labels: ERM Framework; Risk Assessment; Develop ERM Prevention & Response Strategies; Design & Implement Solutions; Monitor ERM Compliance & Performance; Continuous Improvement. Phase labels: ERM Risk Assessment; ERM Risk Management Framework; Risk Treatment Optimization; Response Monitoring.]

Page 18: Building an ERM Framework for Credit Unions

ERM Framework Roadmap

Dimensions of a Risk Management Framework

Risk Culture & Policies
• Organizational Mindset
• Tone at the Top
• Standards/Protocols
• Risk Appetite & Tolerance

Infrastructure & Organization
• Authority, Responsibility & Accountability
• Bottom-up Structure
• Top-down Structure

Resources & Capabilities
• Installing Centres of Competency
• Communication & Awareness
• Learning & Education
• Monitoring Functions

Tools & Techniques
• Tools & techniques to support the efficient & effective identification, measurement, management & reporting of risk

Page 19: Building an ERM Framework for Credit Unions

ERM Framework Roadmap

Key activities:
• Gain Executive and Board level commitment for ERM Framework
• Establish the risk management philosophy and develop a risk management policy
• Communicate the ERM initiative and policy to management and staff
• Review current risk management practices
• Determine risk appetite and risk tolerances


Page 20: Building an ERM Framework for Credit Unions

Risk Appetite & Risk Tolerance

Corporate Strategy is governed by the willingness of an organization to accept risk in the pursuit of value creation

Risk Appetite establishes the boundaries for the broad risk taking activities of the organization

• Guidepost in strategy setting
• Reflects entity’s risk management philosophy
• Can be qualitative or quantitative

Page 21: Building an ERM Framework for Credit Unions

Risk Appetite & Risk Tolerance

Risk Tolerance is the level of variation an organization is willing to accept around the achievement of objectives:

Generally quantitative (measured the same as related objectives)

Considers relative importance of objectives (aligns with risk appetite)

Performance measures used to ensure results adhere to tolerances

Page 22: Building an ERM Framework for Credit Unions

ERM Framework Roadmap


Define mandates, roles & responsibilities and assign and/or hire personnel

Page 23: Building an ERM Framework for Credit Unions

ERM Roles & Responsibilities

Board

Executive

Corporate Risk Department

Risk Champions

Risk Owners

All Employees

Risk Process, Tools, Advice, Monitoring, Develop & Train Risk Champions, Ensure Quality and Ownership, Escalating, Reporting to Board

Identify / Assess / Mitigate / Monitor / Escalate

Ensure mitigation action plans undertaken

Confirm quality of the assessment, monitoring and status reporting of their risks.

Facilitate Risk Management Process at Site or for a Function

Tone at the Top, Policy, Set Risk Appetite, Monitor reporting, Performance Management

Governance, Assure Stakeholders

Page 24: Building an ERM Framework for Credit Unions

ERM Framework Roadmap


Develop training and awareness programs for personnel with key risk management roles

Roll out program to all staff and management

Page 25: Building an ERM Framework for Credit Unions

ERM Framework Roadmap


Establish context

Page 26: Building an ERM Framework for Credit Unions

Establishing the Context

• Mission: How we want to get there?
• Values: What is important to us?
• Strategy: What is our game plan?
• Strategic Initiatives: What are the objectives and priorities?
• Risk Management: What are the risks that will impact our objectives?
• Strategy Execution: How are we going to accomplish what needs to be done?
• Vision: What we want to be?

ERM

Page 27: Building an ERM Framework for Credit Unions

ERM Framework Roadmap


Develop risk identification, assessment and risk treatment processes

Ongoing – escalation of new risks

Annual self-assessment

Page 28: Building an ERM Framework for Credit Unions

Credit Union Risk Universe

VALUE CHAIN

Business Setting
• Social/Economic (global and local market stability; demographics)
• Political (government fiscal and monetary policy; regulatory developments)
• Competition (financial services industry)
• Technological Advancement
• Provincial expansions
• Accounting standards (IFRS)

Operational
• Fraud (money laundering, identity theft, debit card skimming, etc.)
• Business Continuity
• Insurance
• Physical Infrastructure / Facilities
• Capital Project Management
• Third Party Reliance / Outsourcing
• Member satisfaction
• New Product Introduction
• Financial Reporting & Disclosure
• Financial, Scenario & Operational Planning
• Financial Policies (accounting standards compliance)
• Branch Controls

Financial
• Market risk
• Liquidity and Funding
• Foreign Exchange
• Capital Management
• Structural (asset/liability matching)
• Interest Rates

Compliance
• Regulatory (DICO, Basel II Accord, Bill C-10, credit card interchange fees, Federal Bank Act, OSFI, etc.)
• Legal (including contract management)
• Employment
• Privacy

EXTERNAL CONDITIONS

IT Systems
• Capacity & Availability
• IT Disaster Recovery
• Security Strategy & Architecture
• Reliability & Efficiency
• Information Systems
• System Conversions
• Innovation / Emerging Technology

Human Resources
• Staffing Levels & Skills
• Development, Performance & Succession
• Recruitment & Retention
• Compensation & Incentives (Executive)
• Employee Satisfaction
• Employee Conduct

Lending
• Lending evaluation (commercial / personal)
• Credit default
• Credit concentration
• Environmental (e.g. member purchase of contaminated property)

INTERNAL CONDITIONS

Strategic
• Corporate Governance & Board Effectiveness
• Transparency & Financial Integrity
• Strategy Development & Implementation
• Strategic Partnerships & Relationships
• Performance Measurement
• Reputation/Brand
• Mergers/Acquisitions, Divestitures
• Distribution Networks (branch openings, ATM, on-line banking, insurance, etc.)

Cultural
• Goal Alignment
• Communication
• Change Management
• Ethics & Values
• Social Responsibility
• Accountabilities & Empowerment

Page 29: Building an ERM Framework for Credit Unions

Sample Likelihood Scores

Likelihood Score | Descriptor | Probability of occurrence
1 | Improbable/Remote | < 5% in one year or once in 20 years
2 | Unlikely/Might Happen | 4% to 20% in one year or once in 15-20 years
3 | Possible | 20% to 40% in one year or once in 10-15 years
4 | Good Chance | 40% to 50% in one year or once in every 5 years
5 | Probable/Likely | 50% to 80% in one year or once in every 5 years
6 | Definitely/Certain | >80% in one year or once every 1-2 years

Source: DICO ERM Application Guide

Page 30: Building an ERM Framework for Credit Unions

Sample Impact Scores

Impact Score | Descriptor | Quantitative Impact | Qualitative Impact
1 | Minimal or Insignificant | $ or % of dollar loss; No members lost; Insignificant impact on capital | No loss to reputation; Negligible effect on member; No regulatory consequences; No service disruption
2 | Slight or Minor | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost; Minor impact on capital | Adverse reaction by affected members; Few members affected; Business Disruption < 1 day
3 | Moderate | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost; Minor impact on capital | Adverse reaction by members; Some members affected; Regulatory attention; Business Disruption >1 but less than 2 days
4 | High | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost; Material impact on capital | Adverse reaction in news; Many members affected; Regulatory warning; Business disruption 2-7 days
5 | Very High | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost; Major impact on capital | Adverse reaction in news; Most members affected; Regulatory intervention; Business Disruption longer than 7 days
6 | Severe or Catastrophic | $$ or % of dollar loss; $$ or % revenue loss; # or % of members lost; Catastrophic impact on capital | Loss of reputation; All members affected; Cease Operations; Cannot Recover Service

Source: DICO ERM Application Guide

Page 31: Building an ERM Framework for Credit Unions

Risk Assessment – Severity Matrix

RISK RATING MATRIX

LIKELIHOOD RATING | Description | IMPACT RATING 1 | 2 | 3 | 4 | 5
A | Happens all the time with high certainty. Will happen with very high certainty. | L18 | M11 | H6 | H3 | H1
B | Happens frequently with high certainty. Will happen with high certainty. | L20 | M14 | M10 | H4 | H2
C | It could happen. Seen it happen before. | L22 | L19 | M12 | H7 | H5
D | Reasonably certain it won't happen. It may happen at some point. | L24 | L21 | M15 | M13 | H8
E | Doubt it could happen. May occur in exceptional circumstances. | L25 | L23 | M17 | M16 | H9

IMPACT RATING criteria:

Category | Measure | 1 | 2 | 3 | 4 | 5
Dollar Impact | Revenue (variance to budgeted ounces) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Dollar Impact | Cost (variance to budgeted costs) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Dollar Impact | Project Schedule Delay | < 2 weeks | 2 - 4 weeks | 1 - 3 months | 3 - 6 months | > 6 months
Dollar Impact | Project Budget (variance to budgeted costs) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Dollar Impact | Value (reduction to NPV) | < 1 % | 1 - 5 % | 5 - 20 % | 20 - 50 % | > 50 %
Licence to Operate | Legislation, Laws, Regulations that cause: | Increased reporting standards and regulatory burden | Fall out of compliance and increasing scrutiny from regulators | Temporary shut down and operating uncertainty | Temporary closure | Complete shutdown
Stakeholder Relations & Reputation | | Potential stakeholder opposition | Some stakeholder opposition | Moderate stakeholder opposition and bad publicity | Strong stakeholder opposition and operational interruptions | Vehement stakeholder opposition
Stakeholder Relations & Reputation | | No impact on stakeholder confidence in management of the company | Limited impact on stakeholder confidence in management of the company | Medium impact on stakeholder confidence in management of company | High impact on stakeholder confidence in management of company | Loss of stakeholder confidence in management of company

Page 32: Building an ERM Framework for Credit Unions

Doxim RiskManager

Page 33: Building an ERM Framework for Credit Unions

Doxim RiskManager for ERM

Talking with our Credit Union customers over the past 12 plus months, Doxim has identified a need within the CU space:
• Regulatory mandates are driving need to implement ERM
  - DICO, DGCM, CUDIC, etc…
  - Subset of risk management imperative
• Difficult to manage manually
• Need a cost effective, purpose built tool
• Doxim RiskManager:
  - Best of breed, cloud based solution
  - Easy to use, secure, collaborative
  - Manage all risks across a Credit Union

Page 34: Building an ERM Framework for Credit Unions

Doxim RiskManager Demo

Demo of key capabilities aligned with ERM Roadmap:
• Strategic drivers
  - Work from your strategic drivers out
• Understand risk universe
  - Align all risks under the strategic drivers
• Manage and resource your risks
  - Identifying inherent likelihood and impact
  - Compare risk scores to risk appetite
  - Identify the risk owners
  - Develop risk responses
• Risk monitoring/reporting
• Optimization
• Continuous improvement
• Dashboards and reporting

Page 35: Building an ERM Framework for Credit Unions

ERM Framework Roadmap


Develop risk monitoring processes:
• Identify risks that need to be monitored
• Establish risk indicators
• Assign responsible party and establish frequency for monitoring risk indicators

Page 36: Building an ERM Framework for Credit Unions

ERM Framework Roadmap


Develop risk reporting processes
• Regular ongoing reporting
• Exception reporting

Develop risk management tools (templates or software)

Continuous improvement

Page 37: Building an ERM Framework for Credit Unions

Doxim RiskManager

Page 38: Building an ERM Framework for Credit Unions

Doxim RiskManager Benefits

• SaaS solution = monthly fee vs big upfront investment
• Priced for the Credit Union marketplace
• Fully scalable for any sized organization
• Secure multi-tenant environment ensures data privacy
• Pre-built content:
  - DICO, DGCM and other provincial ERM regulations framework preloaded
• Facilitates collaboration across departments/locations

Page 39: Building an ERM Framework for Credit Unions

Doxim RiskManager Benefits

• One version for all users
• Not a black box
• Universal accessibility and visibility
• Supports multi-user access
• Flexible, real time reporting:
  - Pre-built and ad hoc
  - Custom Dashboards
• Multiple user levels, i.e. admin, user, & view only
• User based permissions

Page 40: Building an ERM Framework for Credit Unions

What Does Success Look Like?

Tone set at the top

Risk management integrated within decision-making

Risk management linked to performance management

Proactive risk assessment, monitoring and reporting

Risk Management embedded in business processes

Page 41: Building an ERM Framework for Credit Unions

Contact Information

For ERM consultation and workshops:

Ingrid Robinson, MFAc, CPA, CIA, CRMA
Senior Manager, Enterprise Risk Services, MNP
[email protected]

For ERM Solution, Doxim RiskManager Inquiries:

Sharon Russell
Enterprise Risk Manager, Privacy [email protected]

Page 42: Building an ERM Framework for Credit Unions

Connect With Us

facebook.com/doxim

@Doxim_Inc

linkedin.com/company/doxim-inc.

doxim.com/blog

youtube.com/doximTV

www.doxim.com