hoover.2016 texas bankers cfo conference

Post on 09-Feb-2017


ENTERPRISE RISK MANAGEMENT

A PRACTICAL APPROACH

Terry Hoover CPA, CIA

AGENDA

• Working Definition of Enterprise Risk Management (ERM)

• Components of ERM

• Talk through a “mock” ERM Program Review

• Look at some sample tools you can implement immediately

COMMONLY USED DEFINITIONS

• COSO’s ERM Framework

• ISO 31000

• Consultants

• FFIEC

• OCC

• Federal Reserve

• Wikipedia

MANAGEMENT

Wikipedia – Management

• Management in businesses is the function that coordinates the efforts of people to accomplish goals and objectives by using available resources efficiently and effectively. Management includes planning, organizing, staffing, leading, and controlling an organization to accomplish the goal.

• Management involves identifying the mission, objective, procedures, rules…to contribute to the success of the enterprise.

RISK MANAGEMENT

Wikipedia – Risk Management

• The identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events – or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.

• Risks can come from various sources including uncertainty in financial markets, threats from project failures, legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack, or events of uncertain or unpredictable root cause.

ENTERPRISE RISK MANAGEMENT

Wikipedia – Enterprise Risk Management

• Includes methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

COSO ERM FRAMEWORK

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

ISO 31000 DEFINITION

Risk Management Framework

A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

COMPTROLLER OF THE CURRENCY

Risk management systems should:

• Identify Risk

• Measure Risk

• Monitor Risk

• Control Risk

ERM, SIMPLY STATED

• ERM is the process used to identify, measure, monitor, and control risk

BUT, WHAT DOES ERM “LOOK LIKE”?

• Most of us must be “doing” ERM at some level – the doors are still open

• Can we do better? Are there gaps in our program? How do we know?

FEDERAL RESERVE

KEY ERM “COMPONENTS”

• Board and senior management oversight

• Policies, procedures, and limits

• Risk measurement, monitoring, and reporting

• Internal controls

MOCK ERM PROGRAM REVIEW

• Gather Information

• Understand how your bank “sees” ERM and risk management

• Populate the Program Overview / Gap Analysis Tool

• Identify gaps

• Provide sample tools

STEP 1 – GATHER INFORMATION

• Strategic Plan / Goals and Objectives

• Policies

• Board / Executive Management Reports and Presentations

• Other Metrics

• Risk Assessments

• Internal Audit Scope / Schedule / Reports

STEP 2 - UNDERSTAND

• Read all information provided

• Talk to executive and senior managers, and also to board members if possible

• Understand how you see risk management, the importance, the drivers, your appetite for risk, and what you want out of your ERM program.

STEP 3 – GAP ANALYSIS

• Customize the Program Overview / Gap Analysis tool to your bank

• Document your program elements in the Program Overview / Gap Analysis tool:

  • Definitions

  • Governance (committees, risk owners)

  • Key policies, procedures, and limits

  • Risk assessments

  • Reports and other communication protocols

  • Internal control elements

  • Risk appetite statements

  • Key Risk / Performance Indicators

PROGRAM SUMMARY / GAP ANALYSIS

COMMON “GAPS”

• No ERM Policy or Framework

• No Enterprise Risk Assessment (Top 10 or Letterman List)

• Risk Appetite not documented

• Missing Key Risk Indicators

• No periodic ERM Summary Report to Board and Executive Management

ERM POLICY OR FRAMEWORK

• The Program Overview / Gap Analysis Tool thoroughly documents your program

• ERM Policy should be short, high level. Does not replace other policies…more of an umbrella.

• Overall Policy Statement and Objectives

• Risk Appetite

• Risk Categories

• Program Elements (governance; risk measurement, monitoring, and reporting; internal control system)

• Program Review

ENTERPRISE RISK ASSESSMENT

• Key Risk List – “Board Level” Risks – Letterman List – Top 10 List

• Survey senior and executive management to identify risk inventory

• Normalize the risk inventory

• Department heads identify “top 5” risks to their departments and rate risk and controls

• Risk committee to normalize risk ratings and identify most significant bank-wide risks (Top 10)

• Assign accountability and develop risk management action plans for top risks

EXAMPLE KEY RISKS

KEY RISK LIST

RISK APPETITE

• Risk Appetite is the amount of risk – on a broad level – an entity is willing to accept in pursuit of value and strategy.

HIGH LEVEL GUIDING PRINCIPLES AND RISK APPETITE STATEMENTS

DETAILED RISK APPETITE STATEMENTS

KEY RISK INDICATORS

• Key Risk Indicator (KRI) – a ratio or piece of information that measures or provides insight into a key risk.

• Key Performance Indicator (KPI) – a ratio or piece of information that measures performance.

• The most meaningful KRIs and KPIs will be directly related to your Strategic Plan, Enterprise Risk Assessment, and Risk Appetite Statements.

EXAMPLE KEY RISK AND PERFORMANCE INDICATORS

ERM SUMMARY REPORT

• A periodic (e.g., quarterly), concise summary report that goes to the board and executive management.

• A great way to communicate to the regulators

• Promotes transparency

• Dashboards & graphs – a picture is worth a thousand words

RISK PROFILE TABLE OF CONTENTS

RISK PROFILE SUMMARY

RISK PROFILE NARRATIVE

KEY RISK/PERFORMANCE INDICATORS

CONTACT INFORMATION

Terry Hoover CPA, CIA

terry@payneandsmith.com

214.695.8464

Payne & Smith, LLC

5952 Royal Lane, Ste. 158

Dallas, TX 75230