risk gov reform rmajournal


Upload: peterjschild

Post on 29-Nov-2014


October 2011 The RMA Journal

Enterprise Risk

Risk Governance Reform

BY PETER SCHILD

Disciplined, reliable, and comprehensive systems of risk management and corporate governance can enhance a company’s reputation and increase shareholder value.

Risk management can be described as the means by which reasonable assurance is provided that the risk taken is equivalent to the risk intended. Corporate governance, which has been called the strategic response to risk, is an organizing system designed to preserve economic and human capital sufficient to sustain operations.

Given the (surely unintended) amount of shareholder value lost in the financial services industry, the potential to improve both risk management and corporate governance continues to exist. This is not a regulatory issue. Boards, for the sake of their employees, shareholders, clients, and markets, should compel managements to identify historical process faults and inspire stronger cultures of risk awareness.

Opportunities for reform are present in four key areas of corporate governance:

1. Management’s need for line-of-business control and supervision.

2. The board’s need for perspective to perform oversight, make strategic decisions, and evaluate management.

3. The banking regulators’ need for effective, observable risk management practices.

4. The overall need for efficient processes that enable leverage across finance, risk, compliance, and audit.

Genuine reform consumes resources, and some resistance is natural. It’s fair to ask what return will come from the investment and what a feasible plan of execution looks like. Asking a few questions designed to broaden the consideration beyond risk management to governance might help build a case for more meaningful change.

1. Does the board truly understand the strategic objectives, the top risks the company faces in executing strategies, and the strength of the processes that keep the board and senior management informed?

Board reporting is itself a key component of any strategy; effective oversight is contingent on a board conversant in the risks to established strategies and how they can be assessed. Because information reaches the full board from various members of management and through different committees, coordinating the diverse sources of data while respecting their distinct voices requires deliberate structure and dedicated resources. Unfortunately, board-level reporting often resembles a swiftly passing freight train—more tedious than informative.

To evaluate the company’s capacity to achieve core objectives, directors need confidence in a system of effective internal controls and the reliability of its maintenance, as well as evidence of widespread attentiveness to risk. They must believe in management’s capacity to stay within the boundaries of established tolerances and to report clearly and concisely when those boundaries are approached.

Augmenting the organizational structure as suggested in Figure 1 promotes senior management awareness, establishes rapid lines of communication, provides for reflection at the appropriate levels for fast-moving events, and enhances board reporting. Properly executed, the configuration shown in Figure 1 adds depth and consistency to the board narrative, while retaining the independent voices of internal audit and the separate risk functions.

[Figure 1: Augmenting the Organizational Structure for Risk Awareness. Chart boxes: Board of Directors; Risk Governance Council; Senior Risk Committee; Internal Audit; Credit Risk Committee; Market Risk Committee; Asset/Liability Committee; Operational Risk Committee.]

Senior Risk Committee (SRC): Chaired by the CEO, this committee includes the COO, CRO, chief audit executive, CFO, general counsel, and head of human resources. A roundtable discussion group meets monthly and as needed. It has no formal agenda and covers a range of current risks, concerns, and outlooks. The SRC is a forum for senior-most management to keep up with high and emerging risks to strategies, discuss economic and human capital resource allocations, enhance literacy and accountability, and renew the commitment to intended risk.

Risk Governance Council (RGC): This committee is chaired by the CRO and includes the chief audit executive (ex officio), chief accounting officer, heads of operational, credit, and market risk, and the chief compliance officer. It reviews outstanding risk issues and exposures, control concerns, status of resolution, and boundaries of risk tolerance. The RGC examines identified control weaknesses for potential damage and determines that residual risk is based on actual, as opposed to expected, internal control environments. In the process, this committee has the capacity to recommend changes to accepted risk tolerances, both up and down. It provides senior management and the board with the assurance that residual risk across the enterprise is monitored continuously.

The RGC and Internal Audit are each important sources of information for the SRC. Their separate lines of input sustain their independence, standing, and authority.

2. Are the lines of business that contribute to any given strategic objective evaluated as a complete set of activities? While likely to be managed separately, are they observed together as one strategy?

Strategic risk is managed differently from day-to-day operations. The normal practice of managing in silos produces volumes of data that, when bound together, contribute to that image of a lengthy freight train. Too much detail obscures perspective and precludes a digestible assessment of the franchise’s capacity to take on and manage risk.

Corporations in their entirety are more than collections of individual activities subject to the separate interests of their components. A uniform process must be overlaid onto routine reporting mechanisms to lift information from them and fit it into a format suited for oversight, as illustrated in Figure 2.

[Figure 2: Aggregating Line-of-Business Segments for Oversight. Labels: Risk Management; Human Resources; Legal/Compliance; Operations; Technology; Finance; Line of Business 1; Line of Business 2; Line of Business 3; Oversee by Strategy; Manage by Segment; I, II, III, IV.]

Absent a firm-wide, uniform approach that enables aggregation of the discrete line-of-business activities that make up each strategic initiative, managements and boards cannot visualize risk sufficiently well to identify, assess, accept, and monitor its full magnitude.

3. Do all lines of business (particularly support activities) coordinate so that their duties do not overlap and their reports to senior management and the board are compatible?

All voices must be heard—and, for the efficiency of day-to-day operations as well as the need to present the board with a comprehensible message, they should speak the same language. Too often risk, finance, compliance, audit, and lines of business view the organizational hierarchy differently, leading to duplication and irreconcilable reporting.

Reliable financial reporting and strict regulatory compliance are unconditional but costly requirements. A common method for identifying the company’s parts and assembling them into a whole fosters mutual reliance among support groups and yields efficiencies. A shared understanding of common objectives (for example, enlightening the board) beyond immediate responsibilities is a reasonable expectation and is also consistent with the imperative of operational effectiveness.

4. Does available capital match the risk appetite?

Capital resources are difficult to measure precisely. But managing beyond the measurable is necessary to provide reasonable assurance of adequate capital and its preservation.

Different measures of capital—economic, regulatory, GAAP—show how scorekeepers can disagree, presenting hurdles to communication among lines of business, board members, regulators, accountants, and shareholders. Quantification of capital is too uncertain to be the sole means of determining its adequacy, although existing tools to measure risk-based capital remain necessary and useful. But only when these tools are combined with an assessment of employee skills, competencies, and risk awareness—human capital—can overall capital adequacy be evaluated realistically.

5. Are employees connected to the corporate vision?

The objective process of managing risk can be sustained only with development of the more subjective elements of culture. Without the right culture, the risk taken can easily exceed the risk intended, regardless of the processes employed to measure and monitor it.

Employees should understand and agree with intended outcomes and their individual and team roles in achieving them. Risk is aggregated only after committing to it and apart from where it’s taken; therefore, individual awareness and how people connect with each other matter in an organization strategically committed to taking risk. Process alone, no matter how well designed and implemented, is not enough to achieve effective governance.

Widespread risk literacy and identification with corporate goals are essential. Merging a culture of employee engagement with the fundamental principles of risk management requires a full-range program of organizational learning strategies, addressing recruiting, development, retention, and accountability. Literacy and accountability, at individual and group levels, cultivate an environment where personal visions connect and employees arrive at a shared understanding of what it looks like to realize corporate objectives.

A useful component of effective, efficient governance is an integral analysis. Paying attention to all four quadrants in Figure 3 takes into account the widest variety of evidence from the greatest number of sources. Group cultures (in the lower left) are accompanied by social practices (in the lower right) that identify experiences generally held to be true, valid, and believable within the organization. Such experiences in turn favorably affect behaviors (upper right) and what is held to be significant by individual employees (upper left).

[Figure 3: Integral Analysis of Process and Culture. Quadrant labels: My feelings/intentions; One’s empirical behaviors; Our culture: connection through meaning and values; Our company: connection through principles and procedures. Axis labels: Individual; Group; Culture; Process; Subjective Beliefs; Objective Measures.]

Goal setting involves striving to do better both within and across quadrants. Just as each individual has tasks to perform that, in coordination with those of others, contribute to group production, so culture is both individual feelings and a set of group values. In this way, as well, performance evaluations may be elevated from individual to more meaningful team assessments. In order for sustainability to be achieved, individuals’ and groups’ subjective (cultural) and objective (process) feelings, attitudes, behaviors, and day-to-day procedures must be shaped and monitored together.

This entire reform methodology and its logical benefits can be pictured (Figure 4) as a continuous flow built on a sound process and culture in which both the individual and the group play a part.

[Figure 4: Reform Methodology and Benefits. Labels: Enterprise-wide risk management principles; Employees who feel connected to the company; Assurance, Facilitation, Verification; Awareness, Literacy, Accountability; Reliable reporting; Efficient operations; Compliance with laws; Capital preservation; Clear oversight perspective; Observable governance practices; Market & regulatory confidence; Better reputation; Increased shareholder value.]

Implementation of the approach described here enables the board, external auditors, regulators, rating agencies, and financial analysts alike to recognize disciplined, reliable, and comprehensive systems of risk management and corporate governance, thereby enhancing the company’s reputation. And if the market’s appraisal of management’s competence is reflected in the amount by which total capitalization exceeds net worth, then enhancing the institution’s reputation leads to increased shareholder value.

Peter Schild was chief audit executive at Wachovia. He retired in December 2007, a few months before Wells Fargo acquired Wachovia. He can be reached at [email protected].

Copyright 2011 by RMA