Common Objectives of the CRO and the CAE

2009 Internal Audit Solutions for Tough Times Conference, San Diego, California. Presented by: John A. Wheeler, Managing Principal, Wheelhouse Advisors LLC

Upload: wheelhouse-advisors-llc

Post on 16-May-2015

DESCRIPTION

1. Learn about the evolving role of the chief risk officer (CRO) both before and during the current global economic crisis.

2. Develop an understanding of the complementary aspects of the CRO and chief audit executive (CAE) roles, as well as the potential conflicts to avoid.

3. Discover strategies and critical success factors for an effective CRO and CAE partnership.

TRANSCRIPT

Page 1: Common Objectives of the CRO and the CAE

2009 Internal Audit Solutions for Tough Times Conference

San Diego, California

Presented by:

John A. Wheeler, Managing Principal

Wheelhouse Advisors LLC

Page 2: Common Objectives of the CRO and the CAE

Learn about the evolving role of the Chief Risk Officer (“CRO”) both before and during the current global economic crisis

Develop an understanding of the complementary aspects of the CRO and Chief Audit Executive (“CAE”) roles, as well as the potential conflicts to avoid

Discover strategies and critical success factors for an effective CRO & CAE partnership

Page 3: Common Objectives of the CRO and the CAE

GE Capital

In 1993, GE entered the capital markets business and needed a broad understanding of a risk profile that it did not understand well

The CRO title was coined by James Lam who first served in the role

Responsible for developing an integrated approach for credit, market and operational risks within the Financial Guaranty Insurance Group

Based on a similar concept of the Chief Information Officer (“CIO”) who is responsible for integrating IT resources and elevating the role of technology in the business

Source: “Enterprise Risk Management: From Incentives to Controls”, James Lam

Page 4: Common Objectives of the CRO and the CAE

Original version published in 1992 and served as the foundation for auditors and management to evaluate the interrelationships of risks and controls

Focused primarily on operational risk, but promoted a newly adopted risk-based approach to auditing

Page 5: Common Objectives of the CRO and the CAE

Over the next decade, internal auditors worked to implement COSO

Developed a more complete risk mindset

Educated management as well as the board of directors

Were limited in their ability to fully implement an effective risk management program due to independence concerns

COSO viewed as a good start, but incomplete

Page 6: Common Objectives of the CRO and the CAE

Operational Risk

People

Process

Systems

External Events

Internal Fraud

External Fraud

Employment Practices and Workplace Safety

Business Disruption and System Failures

Execution, Delivery, & Process Management

Clients, Products, & Business Practice

Damage to Physical Assets

Page 7: Common Objectives of the CRO and the CAE

In 2004, COSO enhanced the integrated framework to extend beyond operational risk

Emphasized the continuous nature of an effective program

Established the critical link to strategic planning and solidified the need for a true CRO within an organization

Page 8: Common Objectives of the CRO and the CAE

Operational Risk

People

Process

Systems

External Events

Operational Risk

Management

Credit Risk

Market Risk

Compliance / Legal Risk

Liquidity Risk

Statistical Modeling / Value-at-Risk

Underwriting Standards / Documentation

Counterparty Failures / Fraud

Product Pricing / Valuation Methods

Page 9: Common Objectives of the CRO and the CAE

Articulating the organization’s risk appetite

Integrating risk management disciplines and streamlining approaches

Wavering support from the board of directors and/or the CEO

Not having the full complement of skills required for the role

Tight budgets / making a compelling business case

Organizational culture

Misaligned incentives and lack of accountability

Page 10: Common Objectives of the CRO and the CAE

The Chief Audit Executive (“CAE”) typically has both the full appreciation and perspective of the company’s entire risk portfolio

The CAE and the CRO share a common goal of providing reasonable assurance of the successful achievement of company objectives

Page 11: Common Objectives of the CRO and the CAE

Chief Risk Officer

• Providing the overall leadership, vision and direction for Enterprise Risk Management

• Establishing an integrated risk management framework and developing the supporting infrastructure

• Developing risk management policies, including the articulation of management’s risk appetite

• Implementing a set of risk indicators and reports

• Allocating economic capital to business activities based on risk profile

• Communicating the company’s risk profile to key stakeholders

Chief Audit Executive

• Evaluating the risk portfolio and determining business activities to monitor and/or examine

• Providing independent assurance on the effectiveness of the risk management program as well as compliance with applicable laws and regulations

• Investigating and reporting incidents of fraud or ethical violations

• Serving as an internal consultant on risk-related activities such as providing education and facilitating risk evaluation

• Communicating independent view and key findings to management and the board of directors

Page 12: Common Objectives of the CRO and the CAE

Reporting relationships – CAE must maintain independence

Political influence over decision making

Inappropriate shift of responsibility, particularly during times of expense control and resource / skill constraints

Page 13: Common Objectives of the CRO and the CAE

Recent crisis demonstrates the need for a holistic, integrated approach to ERM

In most cases, ERM cannot be led on a part-time basis by the CEO or other member of C-suite

Need to combine risk discipline and analysis with sound business judgment

How has the recession and economic turmoil impacted your ERM approach?

[Bar chart, horizontal axis 0% to 50%. Response categories: Reinforcing role of the CRO; Involving board and senior executives more in ERM; Expanding ERM to cover more types of risk; Reassessing risk culture; Involving all employees in ERM; Not making any changes]

Source: 2009 Treasury & Risk Magazine ERM Survey

Page 14: Common Objectives of the CRO and the CAE

Board members from major U.S. public companies see room for improvement in their ERM programs in many areas

Addressing these concerns will require a solid partnership between the CRO & CAE

Right skills and technology are critical to successful improvement

What aspect of risk management is posing the greatest challenge to your company?

Assessing risks: 17%

Mitigation of risks: 21%

Understanding the link between strategy and risks: 25%

Acting on the risk information: 8%

Tracking and reporting on risks: 9%

Identification of risks: 17%

Other: 3%

Source: 2009 KPMG Audit Committee Survey

Page 15: Common Objectives of the CRO and the CAE

Chief Risk Officer

• Ensure risk management is fully incorporated in the strategic planning process

• Align performance, risk and compensation management systems

• Focus on both quantitative and qualitative aspects of risk profile – do not blindly accept model results

• Maintain consistent communication channels and agreement on risk appetite

Chief Audit Executive

• Provide objective, unbiased viewpoint of risk management practices through peer and competitor benchmarking

• Perform risk-based audits that equally challenge both high performing and poor performing business units

• Exercise authority to investigate fraud

• Proactively communicate any gaps in risk assessment or mitigation plans to management

Page 16: Common Objectives of the CRO and the CAE

Risk & Control Program Analysis

Program Maturity Evaluation

Benchmarking

Gap Analysis

Enhancement Road Map

Enterprise Risk Assessment

Framework Construction

Risk Catalog Creation

Risk Appetite Definition

Risk Assessment Methodology

Governance, Risk & Compliance Automation

Requirements Definition

System Evaluation / Selection

Implementation Assistance

Compliance Process Improvement

Organizational Review

Process Analysis & Redesign

Page 17: Common Objectives of the CRO and the CAE

Wheelhouse Advisors LLC

1170 Peachtree Street, Suite 1200

Atlanta, Georgia 30309

John Wheeler, Managing Principal

+1 (404) 805-9203 [email protected]