Common Objectives of the CRO and the CAE
DESCRIPTION
1. Learn about the evolving role of the chief risk officer (CRO) both before and during the current global economic crisis.
2. Develop an understanding of the complementary aspects of the CRO and chief audit executive (CAE) roles, as well as the potential conflicts to avoid.
3. Discover strategies and critical success factors for an effective CRO and CAE partnership.
TRANSCRIPT
2009 Internal Audit Solutions for Tough Times Conference
San Diego, California
Presented by:
John A. Wheeler, Managing Principal
Wheelhouse Advisors LLC
1
Learn about the evolving role of the Chief Risk Officer (“CRO”) both before and during the current global economic crisis
Develop an understanding of the complementary aspects of the CRO and Chief Audit Executive (“CAE”) roles, as well as the potential conflicts to avoid
Discover strategies and critical success factors for an effective CRO & CAE partnership
2
GE Capital
In 1993, GE entered the capital markets business and needed a broad understanding of a risk profile that it did not understand well
The CRO title was coined by James Lam who first served in the role
Responsible for developing an integrated approach for credit, market and operational risks within the Financial Guaranty Insurance Group
Based on a similar concept of the Chief Information Officer (“CIO”) who is responsible for integrating IT resources and elevating the role of technology in the business
Source: “Enterprise Risk Management: From Incentives to Controls”, James Lam
3
Original version published in 1992 and served as the foundation for auditors and management to evaluate the interrelationships of risks and controls
Focused primarily on operational risk, but promoted a newly adopted risk-based approach to auditing
4
Over the next decade, internal auditors worked to implement COSO
Developed a more complete risk mindset
Educated management as well as the board of directors
Were limited in their ability to fully implement an effective risk management program due to independence concerns
COSO viewed as a good start, but incomplete
5
Operational Risk
People
Process
Systems
External Events
Internal Fraud
External Fraud
Employment Practices and Workplace Safety
Business Disruption and System Failures
Execution, Delivery, & Process Management
Clients, Products, & Business Practice
Damage to Physical Assets
6
In 2004, COSO enhanced the integrated framework to extend beyond operational risk
Emphasized the continuous nature of an effective program
Established the critical link to strategic planning and solidified the need for a true CRO within an organization
7
Operational Risk
People
Process
Systems
External Events
Operational Risk
Management
Credit Risk
Market Risk
Compliance / Legal Risk
Liquidity Risk
Statistical Modeling / Value-at-Risk
Underwriting Standards / Documentation
Counterparty Failures / Fraud
Product Pricing / Valuation Methods
8
Articulating the organization’s risk appetite
Integrating risk management disciplines and streamlining approaches
Wavering support from the board of directors and/or the CEO
Not having the full complement of skills required for the role
Tight budgets / making a compelling business case
Organizational culture
Misaligned incentives and lack of accountability
9
The Chief Audit Executive (“CAE”) typically has both the full appreciation and perspective of the company’s entire risk portfolio
The CAE and the CRO share a common goal of providing reasonable assurance of the successful achievement of company objectives
10
Chief Risk Officer
• Providing the overall leadership, vision and direction for Enterprise Risk Management
• Establishing an integrated risk management framework and developing the supporting infrastructure
• Developing risk management policies, including the articulation of management’s risk appetite
• Implementing a set of risk indicators and reports
• Allocating economic capital to business activities based on risk profile
• Communicating the company’s risk profile to key stakeholders
Chief Audit Executive
• Evaluating the risk portfolio and determining business activities to monitor and/or examine
• Providing independent assurance on the effectiveness of the risk management program as well as compliance with applicable laws and regulations
• Investigating and reporting incidents of fraud or ethical violations
• Serving as an internal consultant on risk related activities such as providing education and facilitating risk evaluation
• Communicating independent view and key findings to management and the board of directors
11
Reporting relationships – CAE must maintain independence
Political influence over decision making
Inappropriate shift of responsibility, particularly during times of expense control and resource / skill constraints
12
Recent crisis demonstrates the need for a holistic, integrated approach to ERM
In most cases, ERM cannot be led on a part-time basis by the CEO or other member of C-suite
Need to combine risk discipline and analysis with sound business judgment
Chart: How has the recession and economic turmoil impacted your ERM approach? (axis: 0% to 50%)
Response categories:
Reinforcing role of the CRO
Involving board and senior executives more in ERM
Expanding ERM to cover more types of risk
Reassessing risk culture
Involving all employees in ERM
Not making any changes
Source: 2009 Treasury & Risk Magazine ERM Survey
13
Board members from major U.S. public companies see room for improvement in their ERM programs in many areas
Addressing these concerns will require a solid partnership between the CRO & CAE
Right skills and technology are critical to successful improvement
Chart: What aspect of risk management is posing the greatest challenge to your company?
Assessing risks: 17%
Mitigation of risks: 21%
Understanding the link between strategy and risks: 25%
Acting on the risk information: 8%
Tracking and reporting on risks: 9%
Identification of risks: 17%
Other: 3%
Source: 2009 KPMG Audit Committee Survey
14
Chief Risk Officer
• Ensure risk management is fully incorporated in the strategic planning process
• Align performance, risk and compensation management systems
• Focus on both quantitative and qualitative aspects of risk profile – do not blindly accept model results
• Maintain consistent communication channels and agreement on risk appetite
Chief Audit Executive
• Provide objective, unbiased viewpoint of risk management practices through peer and competitor benchmarking
• Perform risk-based audits that equally challenge both high performing and poor performing business units
• Exercise authority to investigate fraud
• Proactively communicate any gaps in risk assessment or mitigation plans to management
15
Risk & Control Program Analysis
Program Maturity Evaluation
Benchmarking
Gap Analysis
Enhancement Road Map
Enterprise Risk Assessment
Framework Construction
Risk Catalog Creation
Risk Appetite Definition
Risk Assessment Methodology
Governance, Risk & Compliance Automation
Requirements Definition
System Evaluation / Selection
Implementation Assistance
Compliance Process Improvement
Organizational Review
Process Analysis & Redesign
16
Wheelhouse Advisors LLC
1170 Peachtree Street
Suite 1200
Atlanta, Georgia 30309
John Wheeler, Managing Principal
+1 (404) 805-9203 [email protected]