This report is solely for the use of FDHL-MT. No part of it may be circulated, quoted or reproduced for distribution outside FDHL-MT without prior written approval.
May 2010
Oversight Management of Risk
Agenda
Broad overview of the Topic
The Holistic Approach to Risk Management
Process of risk management
What the Board should question
Chart 1
Broad Overview of The Topic
Definition of Enterprise Risk Management
Traditional approach of many companies
The need for Board surveillance and a specific Board Committee
The role of the Chief Risk Officer (CRO)
Chart 3
Risk/Reward Tradeoff
[Diagram: continuum running from Risk to Reward]
Company needs to decide where on this continuum it wishes to sit. This is a Board decision.
Chart 4
Definition of Enterprise Risk Management
ERM can be described as a risk-based approach to managing
an enterprise, integrating concepts of strategic planning,
operations and internal controls
ERM is evolving to address the needs of various stakeholders,
who want to understand the broad spectrum of risks facing
complex organizations to ensure they are appropriately
managed
Chart 5
Definition of Enterprise Risk Management
Regulators and debt rating agencies have increased their
scrutiny on the risk management processes of companies
Some high-profile failures of companies caused by ERM failure
have been:
• Enron & Barings - Failure of control mechanisms
• Lehman & LTCM - Failure to understand business
• Union Carbide - Failure in remote part of company
• General Motors - Failure to detect industry change
Chart 6
Definition of Enterprise Risk Management
Industries change and companies must be aware of such changes. It is the Board's responsibility to react and lead the company through such changes
Kodak is a good example
6 companies in the Dow Jones 30 of 1959 remain in the index (3 from 1929)
• General Electric
• General Foods
• Dupont
• Exxon Mobil
• Procter & Gamble
• Chevron
Chart 7
ERM - Traditional Approach of Many Companies
Most companies have not traditionally approached ERM
The modern approach is to build ERM into the strategy and budget planning process
Needs a disciplined approach aligning strategy, process, people, technology and knowledge
ERM means the removal of traditional, functional, departmental and cultural biases
Chart 8
ERM - Traditional Approach of Many Companies
What risks are we facing?
Are these comparable to the risks of our competition?
How do they change with a change in business conditions?
What level of risk should we take?
How should we manage that risk?
Chart 9
The need for Board surveillance and a specific Board Committee
The main function of any corporation is to make profit for its
shareholders. To do this they must accept some level of risk
Since the Board of Directors is the guiding body of a company it
falls to them to ensure that the company and therefore its RISK
is properly managed
All companies are different and their risks and their complexity
will determine the manner in which a Board focuses on Risk
Chart 10
The role of the Chief Risk Officer (CRO)
The Chief Risk Officer is responsible for developing and managing the risk management structure
Should you have one??
Chart 11
While financial services companies are embracing the CRO position, other industries such as utilities and commodities-based businesses are recognizing the power of knowing all their risks from the top down.
James Lam, founder of ERisk, based in New York, and former CRO for Fidelity Investments, has been watching the CRO trend over the last several years and says there are two indicators that CROs are here to stay: salaries are climbing, which demonstrates their value, and CROs are beginning to report right to the CEO, rather than to the CFO or Treasurer, putting them in a more powerful position. Many CROs have a dotted line reporting relationship to the Board.
The Role Of The Chief Risk Officer../2
Chart 12
In Nigeria the risk management role never got as far removed from the CEO as it did in developed economies
Therefore the CEO is effectively today’s CRO in most companies in Nigeria
Is this healthy and can the CEO perform the executive functions
of a CEO and oversee the myriad of risks inherent in today’s
listed companies??
The Role Of The Chief Risk Officer../3
Chart 13
The Role of the Chief Risk Officer (CRO)
Strategic | Hedged/Insurable | Financial
Corporate | Property | Price
Customer needs | Business integrity | Liquidity
Demographic changes | Disaster recovery | Credit
Capital position | Information technology | Inflation
Legal/political | Geographic risks | Hedging/Position
This is an example of a Risk Department’s functional breakdown. Each company will have a different formation to align with its strategy.
Chart 14
The Holistic Approach to Risk Management
Managing risk in silos
View risk as a portfolio
Risk is dynamic
Risk is an opportunity
Chart 15
Managing Risk in Silos
Risk needs to be managed both centrally and in silos (decentralized)
ERM is managed centrally
Operational and financial risk should be managed locally as that is where the business managers are and they should understand their specific risks better than a central committee
Chart 16
Managing Risk in Silos
“Field decisions are best taken by the most junior officer, in the field, allowed to take such decisions” General Andrew Stuart
Chart 17
Managing Risk in Silos
Bhopal incident - 1984
Union Carbide Corporation, a Dow 30 stock, owned 51% of Union Carbide India Limited
Dec 1984: an act of sabotage caused a gas leak and resulted in 3,800 deaths
Caused an international incident
Chairman Anderson went to India with a task force, was put under house arrest and asked to leave the country
Chart 18
Managing Risk in Silos
The result was that UCC suffered a massive reputational hit and was heavily fined
The company fell out of the DJI in 1999 and was bought by Dow Chemicals in 2001
UCC is still fighting damage lawsuits in the USA to this day
Question is how many Directors of UCC even knew they had an
Indian plant?
Chart 19
Managing Risk in Silos
Bhopal incident - 1984
Problems:
Management of the company was left solely to the Indian management and, as a 51% owned entity, UCC management took a hands-off approach, BUT it was UCC’s reputation at risk
The cause of the leak and the fact that it was sabotage did not protect UCC. They clearly had no ERM system in place to protect the parent from regional catastrophic risk
Only a comprehensive risk plan would have identified the potential risk to the parent
Chart 20
Managing Risk in Silos
[Diagram: Global Risk Management spanning a Portfolio of Equities, Fixed Income and Cash]
Manage silo risk in conjunction with enterprise risk and ensure that it is global
Chart 21
View risk as a Portfolio
The idea of having ERM at the top supervising all other risk activities is to ensure that all risks are covered
The concept of managing risks as a portfolio is not to treat all risk in isolation
If a company has a subsidiary gravel pit and a subsidiary cement factory, you do not have to hedge the forward sales of gravel or the purchase price of gravel since they are offsetting risks at consolidation
Chart 22
View risk as a Portfolio../2
The art of managing a portfolio is to find uncorrelated asset returns and buy both asset classes and leave both unhedged as their volatility will partially offset each other
The danger is that if these are treated in isolation excess cost will be incurred by hedging both risks
The portfolio risk is that both assets may be structured to achieve the same thing and thus not be as uncorrelated as at first believed
Chart 23
View risk as a Portfolio
[Diagram: Portfolio split into Equities, Fixed Income and Cash]
Typical financial portfolio, can be replicated for any business grouping
Chart 24
View risk as a Portfolio
[Figure: Return (0% to 100%) against Observations (1 to 11) for Risk 1 and Risk 2]
Chart 25
A Portfolio Approach
Involves creating a general understanding of:
A company’s resources
The business environments in which it operates
How value is created and stored
The key risk issues underlying its value propositions
How its business models are alike and dissimilar
Every important business dimension
Chart 26
A Portfolio Approach: Realigning the Internal Model
[Diagram labels: Legal and Ownership Structure; Governance and Organizational Structure; Operational; Financial; Mission, Vision & Values; Employment Practices and Compensation Structure; Employees; Debt and Equity Holders]
Chart 27
Risk is Dynamic
As a mortgage banker your risk is clearly rising as house prices rise; the same goes for the security forces as terrorism increases
Chart 28
Risk is Dynamic../2
As risks increase the risk managers must find a way to counteract the impact of risk incidents. This is usually expensive and not thought out before
Conversely when risk is lower the need for insurance is lower and economic logic dictates that then you should take off excessive insurance and maximize profits
Chart 29
Risk as an Opportunity
Too many organisations see risk management as a compliance issue, rather than developing approaches which add value and competitive advantage and which reflect their own business culture and stakeholder base
Most approaches to risk management are therefore not driven or inspired by enhancing opportunities (the upside of risk) but by the fear of the ever greater penalties for doing something wrong (the downside of risk)
Prof Martin Loosemore
Chart 30
Risk as an Opportunity../2
When Jamie Dimon stepped up to the plate and bought 100% of Bear Stearns for $2 per share, he used the fact that he had preserved his cash for a rainy day and was able to use it to buy a huge opportunity. So much so that he had to up the price a week later to $10 per share to avoid an awkward lawsuit
This was a financial example of risk management turning into an opportunity. There are many less notable but equally important examples of good risk management providing superb gains in business
Chart 31
Risk as an Opportunity../3
Potential benefits of successful risk management
• Improved performance and competitive advantage
• Greater resilience to unforeseen risks
• Greater capacity to seize opportunities
• Greater teamwork and collective responsibility for decisions throughout all organizational levels and supply chains
• Higher client satisfaction and retention
• Greater regulatory compliance
• Less rework, disruption and conflict
• Enhanced reputation
• Higher quality information for making business decisions
Chart 32
Process of Risk Management
Identify risk
Quantify risk
Mitigate risk
Monitor risk
Chart 33
Identify Risk
Experience-based approach
Is dependent on corporate experience
Search for bad outcomes and try to identify risk drivers
Solicit staff for potential risk in processes etc.
Environmental approach
Seeks to understand the business in the context of its
environment
What is changing and how will it affect the business?
Chart 34
Quantify Risk
What risk measures are available to business managers
Financial Indicators
Liquidity
P&L performance measures
Key Risk Indicators
Customer complaints
Lawsuits
Plant failures
Accidents
Errors
Chart 35
Quantify Risk../2
Many quantitative measures have been created to measure risk
One of the most important and misunderstood of these is Value at Risk (VaR)
A simplified definition of VaR is that it measures the amount of loss one can expect for a given portfolio over a specified period of time with a 95% or 99% degree of confidence
Chart 36
Quantify Risk../3
The problem with VaR
VaR risk can be hedged away but adds to total book
The data is usually too short term in nature to represent a full
economic cycle, thus there have been far more 100 year
events in the last 30 years than is feasible
The data has no answer for how much one can lose in the
1% or 5% of events not covered by the confidence levels
VaR tends to be used in isolation and it should not be. It does
not pretend to measure Liquidity Risk
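The short-data and uncovered-tail problems above, worked through as an added example (not part of the original presentation): historical-simulation VaR on a constructed P&L series, computed once over a calm recent window and once over the full cycle, together with the losses that fall beyond the 95% level. The series, the window lengths and all function names are assumptions made for the illustration.

```python
# Added illustration: every P&L figure here is constructed, not market data.

def historical_var(pnl, confidence_pct):
    """Historical-simulation VaR: the loss not exceeded in confidence_pct% of periods."""
    losses = sorted(-x for x in pnl)  # positive number = loss
    # Integer form of ceil(confidence * n) - 1, avoiding float rounding at the quantile.
    k = -(-confidence_pct * len(losses) // 100) - 1
    return losses[k]

def tail_beyond_var(pnl, confidence_pct):
    """Losses in the periods the confidence level leaves out (strictly worse than VaR)."""
    var = historical_var(pnl, confidence_pct)
    return sorted(-x for x in pnl if -x > var)

def summarize(pnl, confidence_pct):
    """VaR next to the two numbers it does not report: mean tail loss and worst loss."""
    tail = tail_beyond_var(pnl, confidence_pct)
    return {
        "var": historical_var(pnl, confidence_pct),
        "tail_mean": sum(tail) / len(tail) if tail else 0.0,
        "worst": max(-x for x in pnl),
    }

# Constructed series: ten stressed periods followed by ninety calm ones.
CALM_CYCLE = [1, -1, 2, -2, 0.5, -0.5, 1.5, -1.5, 3, -3]
STRESS = [-4, -5, -6, -8, -10, -12, -15, -25, -40, -60]
FULL_CYCLE = STRESS + CALM_CYCLE * 9
RECENT_WINDOW = FULL_CYCLE[-90:]  # short history that never saw the stress

if __name__ == "__main__":
    for name, series in (("recent window", RECENT_WINDOW), ("full cycle", FULL_CYCLE)):
        print(name, summarize(series, 95))
```

On this series the calm window reports a 95% VaR of 3 while the full cycle reports 10, and the periods beyond that level lose 30.4 on average with a worst case of 60.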
Chart 37
Quantify Risk
[Chart: Short-term Data]
Chart 38
Quantify Risk
[Chart: Long-term Data]
For a good example see page 77 Exhibit 5.4 in “Bank Boards and the Financial Crisis” by Nestor Associates
Chart 39
How serious was the overemphasis on VaR in 2008?
UBS blames an over-dependence on VaR and an absence of other risk measures in its mortgage book, as an overarching cause for the horrendous losses they suffered in their fixed income business
Using VaR without liquidity limits allowed the book to grow to proportions that could not easily be financed when market liquidity dropped
VaR is a useful tool but not in isolation
Chart 40
Balanced scorecards and Key Performance Indicators tie
strategy to operations
Credit losses or problems
Audit problems and exceptions
Frequently too much time is spent trying to refine what risks are
being monitored and not enough time is spent fixing issues that
cause risk (80/20 Rule)
Quantify Risk../7
Chart 41
Risk/Mitigation Heatmap
[Heatmap axes: Level of Risk, Frequency]
Chart 42
Mitigate Risk
The process to mitigate risk will vary from one situation to another. Proper risk mitigation calls for understanding what you currently have and what needs to be done in order to maintain your status quo
Don’t waste time and money mitigating non-critical risks. You will always have risk; identify the main causes of risk and manage those causes
Chart 43
Monitor Risk
In much the same way as decisions should be taken by the most junior person permitted to take the decision; risk should be monitored all the way through the organization, by the most junior person able and permitted to monitor that risk
No one person or department should be managing too many risks as then most risks will not be properly monitored
Chart 44
Monitor Risk../2
Set up a series of dashboards that are easy to read and indicate the key risks to be monitored by the entity or person and ensure that all of these functions are working properly
The Board equally should have one dashboard that indicates whether the systems are effective and that risk management processes are consistently performed
They need a separate dashboard that monitors catastrophic risk and requires the Board’s action
Chart 45
What The Board Should Question
Process
Resources
Is risk mitigation foolproof?
Does the company have sufficient capital to maintain its risk profile?
Chart 46
Process
Must be:
Simple, process-oriented and preferably automated
Regularly performed
Understandable to the operator
If a risk is not handled immediately, the system must trigger the risk potential to the next level
Performed consistently across all parts of the organization
Chart 47
Resources
Insufficient resources will result in sub-optimal results (you get what you pay for)
If the company cannot afford the means to monitor its risk; can it afford to take the risk?
Resources must be consistent across all aspects of the organization and be able to communicate
Must be available at ALL TIMES
Chart 48
Is Risk Mitigation Foolproof?
Risk must be ranked according to severity of the event and its frequency
It is too expensive to insure every event so a policy must be designed that takes into account the risk/reward from mitigating against the event
Certain events cannot be allowed to happen even once and
therefore must be protected against at all costs
Chart 49
Does Company have Sufficient Capital?
If the company has lost capital it must lower its risk profile otherwise the management is violating the risk budget that was agreed with the Board
If the Board leaves the same level of risk available to management they must understand that they have moved the company closer to potential disaster
This is Measurable
Chart 50
CONSULTING TEAM
FDHL-MT
A Financial Services Strategic Transformation Collaboration
[Diagram labels: Operators; Regulators; Enterprise Diagnostics; Financial Markets; Enterprise Risk Management]