corp risk gov reform
DESCRIPTION
A walk-thru of the evaluation and implementation of risk governance reform.TRANSCRIPT
Corporate Risk Governance Reform
1 Peter J Schild
The Broad Steps to Risk Governance Reform
• Build a case • Develop a framework • Perform pilots • Develop learning strategies • Implement across the organization
2 Peter J Schild
Change Management
Corporate systems are self-preserving and resistant to change. Only when the need is widely recognized and a solution exists that appears to work does the desire to change exceed the natural tendency to resist it.
3 Peter J Schild
Exploring a Case for Change: Six Questions
Peter J Schild 4
Does the board truly understand the strategic objectives, the top risks the company faces in executing
strategies, and the strength of the processes that keep the board and
senior management informed?
Peter J Schild 5
To evaluate the company’s capacity to achieve objectives, directors need confidence in a system of effective internal controls and the reliability of its maintenance, as well as evidence of widespread attentiveness to risk. They must believe in management’s capacity to stay within the boundaries of established tolerances and to report clearly and concisely when those boundaries are approached.
Peter J Schild 6
Are employees connected to the corporate vision?
Peter J Schild 7
Without the right culture the risk taken can easily exceed the risk intended, regardless of the processes employed to measure and monitor it. The goal is an environment where personal visions connect and employees come to understand and agree with intended outcomes and their individual and team roles in achieving them.
Peter J Schild 8
Are all lines of business that contribute to any given strategic
objective, while likely to be managed separately, evaluated as a complete
set of activities?
Peter J Schild 9
Corporations in their entirety are more than collections of individual activities subject to the separate interests of their components. Operating units work together across the enterprise not in relation to their positions within segments, but according to their relative roles in support of defined strategies.
Peter J Schild 10
Does available capital match the risk appetite?
Peter J Schild 11
Neither capital nor risk can be calculated precisely and confidence in predictable outcomes is necessarily limited; therefore, managing to the measurable alone is insufficient. To provide reasonable assurance that the risk taken is equivalent to the risk intended, enhanced processes of risk evaluation coupled with assessments of human capital must be added to traditional tools of measurement.
Peter J Schild 12
Do all lines of business (particularly support activities) coordinate so that their duties do not overlap and their
reports to the board and senior management are compatible?
Peter J Schild 13
Reliable financial reporting and strict regulatory compliance are unconditional yet costly requirements. Efficient processes that boost coordination and enable leverage across risk, finance, compliance, audit and lines of business are both reasonable expectations and consistent with the imperative of operational effectiveness.
Peter J Schild 14
Does the market perceive corporate governance as a strong point in
evaluating the company’s reputation?
Peter J Schild 15
Disciplined, reliable and comprehensive systems of risk management and corporate governance foster investor confidence in management’s capacity to take and manage risk.
Peter J Schild 16
Deliverables
• Properly executed, effective risk governance satisfies: Management’s need for line of business control and supervision The board’s need for perspective to perform oversight, make
strategic decisions, and evaluate management Regulatory expectations for effective, observable risk
management practices
• And leads to: Efficient processes that enable leverage across finance, risk,
compliance and audit Market confidence in management’s capacity to take and
manage risk
17 Peter J Schild
Aspirations
• Enhanced reputation • Higher P/E multiple • Increased shareholder value/
market capitalization
If the market’s appraisal of management’s competence is reflected in the amount by which total capitalization exceeds net worth, then enhancing one’s reputation leads to increased shareholder value.
18 Peter J Schild
• Assurance • Facilitation • Verification
Process: Enterprise-wide risk
management principles
• Awareness • Literacy • Accountability
Culture: Employees
who feel connected to the company
Reliable reporting Efficient operations
Compliance with laws
Capital preservation
Clear oversight perspective Observable
governance practices Market & regulatory
confidence Better reputation
Increased shareholder
value
Essential Principles + Employee Connection Yields Increased Shareholder Value
19 Peter J Schild
An Overview of the Central Framework
Peter J Schild 20
• The operating framework includes: Employee Engagement Core Objectives Uniform Procedures Shared Corporate Hierarchy Management & Board Reporting
• The roles necessary for the framework’s execution and maintenance are: Assurance of its Effectiveness Facilitation of its Performance & Upkeep Verification of its Reliability
Peter J Schild 21
The Central Framework
Employee Engagement: “Once you blow the whistle you can’t inhale.”
(Bill Chadwick, former National Hockey League referee)
Unless those who initiate transactions care about and understand their impact on the company’s risk appetite, the outcome may depart from that which was intended.
How people communicate matters as much as how they measure.
22 Peter J Schild
Employee Engagement
Employee engagement is founded on four principles: Leadership accountability Education and awareness Recruitment and hiring Development and retention
23 Peter J Schild
Accountability plus literacy produces a shared vision.
Core Objectives
To implement processes that provide for: Achievable strategies – reasonable
assurance of sustainable results Reliable financial and non-financial reporting Effective and efficient operations Compliance with prevailing laws and
regulations Preservation of economic and human capital
resources
24 Peter J Schild
Begin with articulating strategic objectives and cycle through identifying, accepting and monitoring risks, determining residual risk, and, based on the results, reaffirming or adjusting risk appetite and strategy.
Peter J Schild 25
Uniform Procedures
Articulate strategic
objectives
Identify inherent
risk
Establish control
activities
Assess and accept
intended risk Monitor
controls/report
actual vs. expected
Determine actual
residual risk
Escalate and resolve exceptions
Evaluate outcomes/
renew strategy
acceptance
Recursive evaluation and reaffirmation
Uniform Procedures
Peter J Schild 26
Inherent Risk, Control Activities, Residual Risk
• Inherent risk is a function of generic and unique determinative factors that give rise to uncertainty – change, volume, complexity and what can go wrong with an entity’s specific activities.
• The control environment is the set of activities intended to keep things from going wrong or to raise warnings when they start to.
• Residual risk is determined by combining the relative level of inherent risk with the observed control effectiveness.
27 Peter J Schild
• How the enterprise is subdivided into levels of assessable parts starting with all segments and ending with the lowest level of separately managed silos (“operating units”).
• To assure efficient communication and consistency of reporting, a common hierarchy should be shared by the entire enterprise (especially Finance, Risk, Compliance and Audit), at least to the point that they can map their individual procedures to the shared hierarchy.
Peter J Schild 28
Corporate Hierarchy
Segment 1
Line of Business 1
Operating unit 1
Operating unit 2
Operating unit 3
Line of Business 2
Operating unit 4
Operating unit 5
Corporate Hierarchy
Level I Level II Level III Enterprise
Segments: 1 2 3 4 5 6 7 8 9
Peter J Schild 29
• Information travels many paths to reach senior management and the board
• Coordinating the diverse sources of data while respecting their distinct voices requires deliberate structure and dedicated resources
• Oversight is only as effective as the clarity of knowledge necessary to exercise it
Peter J Schild 30
Senior Management & Board Reporting
Two innovative groups help to promote senior management literacy and enhance board reporting: Senior Risk Committee: chaired by CEO, comprised
of Chief Operating Officer, Chief Risk Officer, Chief Audit Executive, Chief Financial Officer, General Counsel, Head of HR...
Risk Governance Council: chaired by CRO, comprised of CAE, Chief Accounting Officer, Heads of Operational, Credit & Market Risk, Chief Compliance Officer...
Peter J Schild 31
Senior Risk Committee & Risk Governance Council
• No formal agenda, meet periodically (e.g., monthly)
• Review high and emerging risks to strategies, incidents and incident responses; discuss economic and human capital resource allocations; renew commitments to intended risk
Peter J Schild 32
Senior Risk Committee
• Provide assurance to senior management and the board that residual risk across the enterprise is continuously monitored
• Determine that residual risk is based on actual, as opposed to expected, internal control environments
• Examine identified control weaknesses for potential damage; recommend changes to accepted risk tolerances, both up and down
• Calibrate risk tolerance by clarifying choices among reducing inherent risk, tightening controls, or allowing greater residual risk, and present analysis to Senior Risk Committee
Peter J Schild 33
Risk Governance Council
Board of Directors
Senior Risk Committee
Credit Risk Committee
Market Risk Committee
Operational Risk
Committee
Internal Audit
Risk Governance
Council
Peter J Schild 34
Senior Committee Organizational Structure
Apply the Framework
1 In each entity of the hierarchy… 2 execute the uniform procedures… 3 to determine whether the objectives are being
met.
The resulting database includes, by operating unit, inherent risks, control environment evaluations, control exceptions, and residual risks
35 Peter J Schild
Systems Thinking
• While complete in their silos, operating units – entities of sales and support – work together, not only according to their individual nature, but also according to their relative roles and positions in the system.
• Inherent delays between actions and outcomes naturally give rise to unintended consequences because actions taken in one part do not affect all related parts at the same time, but do so at the pace of their movement through the system.
• By delivering consistent assessments of each of the parts and enabling an assembled view of the whole, the framework provides perspective that augments preparation, anticipation, response, and recovery.
36 Peter J Schild
Manage by Segment
Oversee by Strategy
A
B
C
D
Line of Business 1
Technology
Legal/Com
pliance
Hum
an Resources
Finance
Operations
Line of Business 2
Line of Business 3
Risk M
anagement
Management
1 2 3 4 5 6 7 8 9
37 Peter J Schild
Presentation Format: Segment Risk
• The following slide is a compilation of individual assessments of all operating units within a sample segment: Technology.
• It displays how control concerns in separate parts affect the entire segment.
• Risk tolerance can be defined as the intended risk – the inherent risk intentionally taken with the assumption of an acceptable control environment.
• Comparing actual risk to intended risk presents senior management and the board the opportunity to quickly evaluate the segment capacity to take on additional risk, such as new products, strategies or acquisitions.
38 Peter J Schild
Strategy Inherent Risk
+ Tested Control Environment
= Residual (Actual) Risk
Intended Risk*
A B C D Composite Segment
Peter J Schild 39
Actual vs. Intended Risk: Technology Segment
* Inherent Risk + Acceptable Control Environment = Intended Risk
Risk Control Environment Low Acceptable Medium Marginal High Unacceptable
Manage by Segment 1 2 3 4 5 6 7 8 9
Oversee by Strategy
A
B
C
D
Line of Business 1
Technology
Legal/Com
pliance
Hum
an Resources
Finance
Operations
Line of Business 2
Line of Business 3
Risk M
anagement
Oversight
40 Peter J Schild
Presentation Format: Strategy Risk
• The following slide is a compilation of individual assessments of interdependent entities engaged in the execution of a particular strategy (a “strategic domain”) .
• It displays how control concerns in separate parts affect the strategy.
• Comparing actual risk to intended risk presents senior management and the board the opportunity to quickly evaluate strategies and determine exactly where they need to focus their attention to increase assurance that strategies are most likely to achieve intended objectives.
41 Peter J Schild
Strategic Domain: Operating units
Inherent Risk
+ Tested Control Environment
= Residual (Actual) Risk
Intended Risk*
Line of Business Finance Technology Operations Compliance Human Resources Risk Management
Peter J Schild 42
Actual vs. Intended Risk: Strategy “A”
* Inherent Risk + Acceptable Control Environment = Intended Risk
Risk Control Environment Low Acceptable Medium Marginal High Unacceptable
Is This What We Want? • Both inherent and residual risk are important to monitor –
well-managed/high inherent or poorly managed/low inherent can each lead to unacceptable outcomes.
• In its silo, the line of business may be well-managed; but if other components of the strategy exhibit high residual risk, the overall risk may exceed that which was intended.
• Decision: resolve the control issues, reduce the inherent risk, or accept the residual risk.
• Comparing segment and strategy evaluations: Are any operating units stressed supporting multiple strategies? Are economic and human capital resources distributed most
favorably? 43 Peter J Schild
Four Key Roles to Execute and Sustain 1 Monitor employee engagement – a function of human resources. As with
any initiative, employee engagement must be tracked and tested to evaluate the depth of its understanding and fulfillment.
2 Assure effectiveness – to align accountability with ownership, lines of business should be responsible for assurance by attesting to the design and operating effectiveness of their identified controls, and for reporting and resolving exceptions.
3 Facilitate performance and upkeep – a discrete risk management function is desirable to facilitate process execution through focused support units that consult on building, implementing, and maintaining the framework. Risk units serve as a central clearing organization for retaining shared databases, and promote replication of the pattern of evaluation and reporting across the enterprise.
4 Verify continued reliability – internal audit verifies through independent, objective oversight that management’s assurances can be relied upon, internal controls are designed and operating as reported by management, exceptions are appropriately escalated, and practicable resolutions are prescribed and on track.
44 Peter J Schild
Perform Pilots in Selected Business Units
45 Peter J Schild
Develop Learning Strategies
46 Peter J Schild
Implement Across the Organization
47 Peter J Schild