Governance structures and leading practices for risk management in central banks
Helena Tejero, Division Head, Risks & Processes, Bank of Spain
Central Bank Governance Forum 2014, IMF / Hawkamah, Dubai, United Arab Emirates
December 8, 2014
FEDERAL RESERVE BANK OF PHILADELPHIA
Today's agenda
• International Operational Risk Working Group (IORWG) Overview
• Central Banks Risk Governance Structures
• Central Banks Risk Practices
• Conclusions
The views herein are the personal views of the speaker and do not necessarily represent the views of either the IORWG members or the Bank of Spain.
International Operational Risk Working Group
International Operational Risk Working Group (IORWG) Overview
Leadership:
• Chaired by the Federal Reserve Bank of Philadelphia and the Bank of Spain.
Objectives:
• Share best practices.
• Innovate new frameworks and methodologies.
• Generate genuine interest in ORM*.
Membership Representatives:
• Risk representatives from central banks and monetary/supervisory authorities across the world.
Membership Benefits:
• Knowledge sharing, networking opportunities, and research topics with other central banks through "global" expert group participation.
Information channels:
• IORWG website (www.iorwg.org).
• Regular email alerts to members.
Conferences organized:
I. Spain, 2006
II. United States, 2007
III. France, 2008
IV. Denmark, 2009
V. Brazil, 2010
VI. Thailand, 2011
VII. Sweden, 2012
VIII. Morocco, 2013
IX. Israel, 2014
X. South Africa (planned for 2015)
(*) ORM stands for Operational Risk Management
In October 2005, 18 institutions agreed to be part of the IORWG …
[Map of member institutions. Members shown include: Latvia, Lithuania, Estonia, France, UK, Germany, Sweden, Austria, Luxembourg, Ireland, The Netherlands, Denmark, Spain, ECB, Japan, United States of America, Canada, Thailand, Portugal, Switzerland, Mexico, Bulgaria, Philippines, Norway, Greece, Korea, Belgium, Jordan, Poland, Azerbaijan, Hong Kong, Curaçao, Brazil, Morocco, International (Bank for International Settlements, BIS), Australia, New Zealand, Malaysia, Chile, South Africa, Israel, Malta, Italy, Dominican Republic, Bolivia, Ecuador, Costa Rica, Colombia, Indonesia, Argentina, Madagascar, Uganda, India, Malawi, El Salvador, Singapore, Uruguay, Angola.]
… 59 members in 2014.
IORWG Collaboration Efforts
Expert Group Process:
• Expert Group studies: 35 completed to date, e.g. last year's topics:
– ORM Trends and Best Practices (Phase II).
– Risk Culture and Awareness.
– Incident Management and Reporting.
– ORM Interdependencies with Management of Other Enterprise Risks.
– Existing Governance Structures in the Area of Risk Management.
– Risk Repository (Phase IV).
• 2015 topics will focus on continuing work associated with trends and best practices, reporting, advancement of the risk repository, information and cyber security, training practices and building a maturity model.
• Research topics use industry literature, conduct member surveys, profile central bank practices in greater detail and summarize results at the conference (4-5 month effort).
• Use breakout groups on expert group topics to further discuss key items and report back to the group.
Risk Governance Structures
Three lines of defense model
Central banks' governance structures generally rely on three lines of defense, by which governing bodies and senior management, in their responsibility for the risk management framework, are served by the following "lines":
1st line – business line management: "Owners" of risk. Responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which they are accountable.
2nd line – risk management function: Responsible for providing the risk framework and for independently overseeing risk-taking activities bank-wide.
3rd line – internal audit function: Responsible for independently opining on the overall appropriateness and adequacy of the framework and the associated governance processes.
Board / board subcommittee
• Ultimate responsibility for risk management is generally assigned to the governing bodies (e.g. governor, board, executive committee).
• The board or a subcommittee of the board is often responsible for providing oversight and direction with regard to risk management (in some central banks (CBs), oversight is provided by the governor or a RMC* at the executive level).
• Common subcommittees:
– The audit committee and, to a much lesser extent, the risk oversight committee.
• Common duties:
– Ensure the establishment and maintenance of the framework.
– Provide oversight over the program.
– Review reports – activities and status of risk management, risk profile, key risks, response to the most significant risks.
• Improve the focus and dialogue on risk, challenge and dig deeper into emerging risks.
(*) RMC stands for Risk Management Committee
Committees involved in the risk governance
Four different approaches:
1. The Board does not delegate the risk oversight responsibilities to a sub-committee. The Board is supported by existing committees, with a broad mandate, not dedicated to risk issues.
2. The Board delegates to an executive sub-committee which is responsible for all risks and in some cases for operational risks only.
3. The Board delegates to a board sub-committee. In addition a RMC has an executive role – establish and maintain the risk management framework.
4. The Board delegates to a board sub-committee. In addition there are a RMC (executive risk committee) and Specialized Risk Committees.
Note: an Audit Committee generally exists in all approaches.
Governance (cont.)
• Governance is often not well documented or understood; responsibilities, particularly advisory roles, are not consistently applied.
• How governance relationships work in practice is not always consistent with charter documentation.
• Formal guidance needs to be provided to ensure committees are consistently established, operated, and reviewed.
• Structure, roles, and decision rights across bodies are interpreted differently.
• Complex or undefined governance can result in confusion regarding accountability and prolonged decision making. This can increase operational risk and can lead to reputational risk.
• Conduct self-assessments of governance practices.
Operational risk function
• Most CBs have a centralized independent ORM unit; several have centralized compliance units.
– In some cases, the functions are combined with other risk and control-related disciplines, e.g. business continuity, IT security.
• Usually deals with legal, reputational and compliance risks. To a lesser extent with financial and strategic risks.
• The sample of central banks has on average 4 full-time equivalents in risk units.
• Main responsibilities:
– Provide risk management methodologies.
– Facilitate and consolidate the results of risk assessments.
– Assist in developing processes and controls.
– Track risk incidents and report on mitigation.
– Coordinate reporting to the board, RMC and senior management.
– Provide guidance and training.
– Few include operational risk measurement.
• Challenge the business lines' outputs from risk management activities.
Internal audit
• Central banks have an internal audit unit that is independent from the 1st and 2nd lines of defense.
– Although some ORM programs were/are still launched and championed by internal audit.
• Main responsibilities:
– Verify that the risk framework has been implemented as intended and is functioning appropriately.
– Assess the effectiveness of the bank's operational risk management controls, processes and systems, as well as governance.
– Review the management and reporting of key risks.
• Ensure independence of risk management and internal audit, although they may collaborate in activities such as awareness programs.
Interdependencies
• Generally the tendency of disciplines is to operate in silos, due mainly to a weak governance structure and immature risk culture.
• The greatest extent of alignment with ORM is associated with business continuity, and IT and information security risks.
• There is also high interaction, meetings, exchange of reports with the internal audit unit.
– Building a common risk taxonomy, using the same process map, exchange of information, …
– In a few cases, permanent access to ORM/IA databases.
• Challenges with aligning ORM with other disciplines:
– Get acceptance for an integrated approach.
– Overcome differences in terminologies and views regarding approaches and methodologies, e.g. IT framework too technical and granular to integrate.
Risk Practices
Central Banks ORM current status
• Generally ORM programs are fully or almost fully implemented in CBs.
• Most ORM frameworks are internally developed.
– Also some refer to COSO, ESCB, ISO or Basel standards.
• Common ORM framework for all areas across the central bank.
– Different frameworks still co-exist in a few central banks.
• "ERM" approach is not generally implemented.
– Although major integration is seen in risk reporting.
• Central banks follow a standardized phased approach for the risk management procedure: risk identification, assessment, responding to, reporting on and monitoring.
• Most banks use different IT solutions (mainly SharePoint, MS Office or internally developed) for different ORM activities; some do not use any tools.
– The use of an integrated IT tool to support the whole risk management procedure is rare (often cost prohibitive).
Central banks ORM practices
[Non exhaustive]
[Figure: ORM development scale, from less mature (-) to more mature (+). Practices shown: Risk identification, Risk and control self assessment, Incident reporting, Risk awareness and culture, Risk appetite/tolerance, Impactful/value-added reports, KRIs, Scenario analysis, Risk quantification.]
Developing and reviewing central banks’ risk appetite/tolerance
Risk Appetite
• Risk Appetite is defined as "the amount of risk, on a broad level, that an organization is willing to accept in the pursuit of its mission, vision, business objectives and overall strategic goals."
– Approved at the senior level, embraced by the board, easy to communicate and embedded and understood at all levels.
– Sets clear boundaries – qualitative statements and quantitative measures.
– Reportable: through monitoring, action defined for any breaches (escalation, review, approval).
Risk Tolerance
• Risk Tolerance is "a series of limits which may either be set as not to be breached, or as an alert mechanism."
– While risk appetite is broad, risk tolerance is tactical and operational.
– Tolerances form part of the risk appetite framework for specific risks, by guiding operational areas for appropriate risk taking and selecting the types of controls which are needed to ensure that limits are not exceeded.
Risk appetite/tolerance experiences
• Experiences
– There is evidence of a gap between the financial system and central banks regarding the understanding and management of the concept.
– The concept of Risk Appetite / Tolerance has not yet been embraced in CBs because of the reputational impact and the conservative profile of the CBs.
– Nevertheless, generally CBs have incorporated some elements of risk appetite into their framework; different levels of maturity are noticed.
– Expressed as a statement, embedded in policies or part of the risk matrix.
– Some CBs publish their risk appetite on their main website to illustrate to the public how their risk framework works.
• Introducing a clear distinction between appetite and tolerance should be the first step.
• Risk appetite (of all risk types) shall be more formally documented.
Central banks risk culture / awareness
• This topic remains the most challenging for IORWG central banks, as it is and will be the core driver of the business areas' motivation to manage risks.
– Few central banks rank culture as excellent; almost 70% see culture as good and more than 20% as inadequate.
• Generally staff in key functions have the appropriate level of skills, knowledge and experience to enable sound risk management practices.
– Senior management and key business heads have been trained in most cases.
– Training for all staff is in place only in some central banks.
• Risk awareness activities are regularly performed:
– Monthly/quarterly risk bulletins, newsletters, quizzes to staff.
– Periodic incident reporting.
– Risk articles in the quarterly Bank magazine.
Central banks risk culture / awareness (cont.)
• Risk awareness activities are regularly performed (cont.):
– Risk awareness week and other activities.
– Monthly departmental/business unit awareness.
– Risk management workshops.
– Monthly risk managers' meetings.
– Displaying messages or banners that promote a strong risk culture in strategic areas.
– Playing recorded risk messages in the elevators.
• Key levers for fostering risk culture:
– Strong support from board and senior management.
– ORM training.
– Increased communication/cooperation with board, senior management, business areas and staff.
– Enhanced risk methodology (clear and practical).
• Fostering a risk-aware culture at all levels of the organization.
Risk reporting practice
• Most common components:
– Risk Control Self Assessments.
– Incident Reporting.
– Business Continuity Management.
– Market and credit risks.
– Top organizational risks.
– Risk Tolerance.
– Emerging Risks.
• To a lesser extent:
– KRIs.
– Project risks.
– Scenario Analysis.
– Liquidity risks.
– KPIs.
• The most popular scoring method used is risk matrices.
[Figure: 5x5 risk matrix, Impact (1 to 5) against Likelihood (1 to 5).]
Risk reporting practice (cont.)
Risk Reporting
Receiver: Board or dedicated risk management committee. Senior management/business areas for information, also internal audit.
Frequency: At least annually for approval. Frequent reporting on dedicated risks/incidents.
Media: Usually hard copy, some via e-mail. Include additional presentations. Only a few provide information to all staff.
Content: Most focus only on operational risk – major risks, mitigation, risk heat map, major incidents. Overview to Board/risk management committee about the risk profile of the Bank.
Risk reporting practice (cont.)
Risk reporting remains a key challenge for central banks: how to create impactful and value-added reports along with data limitations?
Characteristics: frequency, accuracy, appropriateness, comprehensiveness, timeliness, truthfulness.
Key tools:
– Leading indicators – forward looking.
– Lagging indicators and incident reports – trend analysis.
– Dashboards and heat maps.
– Identification of thresholds and trigger points.
Incident management & reporting practice
• Only some central banks have a mature practice in place.
– There are still many central banks at an early stage and a few have no formal process implemented yet.
• Incident management and reporting procedure:
– Most CBs utilize standardized templates.
– Reporting includes "near misses".
– For the grading of the incidents most of the CBs use a scale of 1 to 5.
– Only a few CBs work with financial thresholds.
– Generally decentralized – submission from business areas to the ORM function.
– Incidents are analyzed – by the business units and/or ORM function – and appropriate action plans are agreed on.
– In the majority of the CBs, the business unit is in charge of any action plan follow-up and the reporting.
Incident management & reporting practice (cont.)
• Major challenges
– As regards the procedure, clear guidelines and a process description are needed.
– As regards awareness, there are major challenges to overcome:
  – Overall Bank's risk awareness and culture.
  – "Shame culture" or "blame game".
  – Getting strong support from senior management.
  – Timeliness of reporting by business areas.
– Technical difficulties:
  – Evaluation of financial impact is sometimes difficult.
  – Difficulties in determining a near miss.
  – Quality of the reports and the level of detail.
Conclusions
Concluding remarks
• Central banks' governance structures often rely on three lines of defense; a range of practice exists relating to the implementation of those.
• The board or a subcommittee of the board is often responsible for providing oversight and direction to risk management.
– How should we improve the focus and dialogue on risk?
• Risk committees are generally in place to support board and senior management's risk management responsibilities.
– Are the RMCs operating effectively?
• Most central banks have a centralized independent unit dealing with ORM.
– How should we substantiate an independent review of the business lines' outputs?
• The greatest extent of alignment with ORM is associated with business continuity and IT and information security risks. There is also high interaction, meetings, exchange of reports with internal audit.
– How should we evolve into an enterprise-wide/integrated risk management?
Concluding remarks (cont.)
• Generally ORM programmes are fully or almost fully implemented in central banks.
– How should we shorten or expedite the implementation journey for new-comers?
• Few ORM techniques are mature.
• Some techniques still need to improve:
– Risk appetite shall be more formally documented.
– Continue enhancement of risk awareness / culture.
– Improve quality of risk information.
– Enhance incident reporting from a procedural, cultural and technical point of view.
• A few techniques are still in their infancy:
– KRIs, Scenario Analysis and Risk Quantification.
Thank you for your attention
Helena Tejero [email protected]