erm: differences between sectors

A Higher Standard for Risk Professionals Enterprise Risk Management – Similarities & Differences between Corporates and Financial Institutions Montreal - April 9, 2008

Upload: michel-rochette

Post on 28-Nov-2014


Category:

Business



DESCRIPTION

DIFFERENCES IN ERM PRACTICES BETWEEN THE FINANCIAL AND CORPORATE SECTORS

TRANSCRIPT

Page 1: ERM: DIFFERENCES BETWEEN SECTORS

A Higher Standard for Risk Professionals

Enterprise Risk Management – Similarities & Differences between Corporates and Financial Institutions

Montreal - April 9, 2008

Page 2: ERM: DIFFERENCES BETWEEN SECTORS


Legal Disclaimer

The information contained in this document is provided for information purposes only and in no way constitutes an offer of services or a solicitation.

Past performance is not indicative of future performance.

We decline any responsibility with respect to direct or indirect damages or consequences of the inaccuracy of the information reproduced in this document, nor for any actions taken in reliance thereon.

No information or data contained herein may be reproduced by any process whatsoever without written consent.

Certain statements that we make in this presentation are forward-looking statements. These forward-looking statements are based upon current assumptions and beliefs in light of the information currently available, but involve known and unknown risks and uncertainties. Our actual actions or results may differ materially from those discussed in the forward-looking statements and we undertake no obligation to publicly update any forward-looking statement.

Page 3: ERM: DIFFERENCES BETWEEN SECTORS


Your Panel

Penny Cagan, Managing Director, Operational Risk Division

Michel Rochette, MBA, FSA, Assistant Director ERM

Anne Duprat, CA, CFA, MBA, Senior Manager, Advisory Services, Risk Management and Operations Improvement

Page 4: ERM: DIFFERENCES BETWEEN SECTORS


Linkages between Corporate Governance and Operational Risk in the Financial Services Sector

Page 5: ERM: DIFFERENCES BETWEEN SECTORS


Five Operational Risk Classes

People Risk

The risk of a loss intentionally or unintentionally caused by an employee— i.e. employee error, employee misdeeds—or involving employees, such as in the area of employment disputes.

Process Risk

Risks related to the execution and maintenance of transactions, and the various aspects of running a business, including products and services.

Relationship Risk

Losses arising from the relationship or contact that a firm has with its clients, shareholders, third parties, or regulators.

Technology Risk

The risk of loss caused by piracy, theft, failure, breakdown or other disruption in technology, data or information; also includes technology that fails to meet business needs.

External Risk

The risk of loss due to damage to physical property or assets from natural or non-natural causes. This category also includes the risk presented by actions of external parties, such as the perpetration of fraud from an outside source.

Page 6: ERM: DIFFERENCES BETWEEN SECTORS


Corporate Governance

• Board Independence

• Board Interlinks

• Management Structure

• Compensation

• Related Party Transactions

• Self Dealing

• Conflicts of Interest

• …

Page 7: ERM: DIFFERENCES BETWEEN SECTORS


Countrywide: Business Practices

• Countrywide came under criticism (NYT, 8/26/2007) for squeezing every possible dollar from customers in fees (lending, servicing, closing)

• Countrywide’s entire structure was predicated on earning higher than industry average fees

• Sold subprime loans under alleged false pretenses: did not count all income sources which may have allowed qualification for standard loans

• Sales staff were paid higher commissions for loans with lengthier than average prepayment terms and shorter presets

• Higher commissions paid for mortgages that were sold in tandem with home equity loans

• No compensation and no money down loans issued; loans extended to some with credit scores as low as 500

Page 8: ERM: DIFFERENCES BETWEEN SECTORS


Countrywide: Business Practices

Former sales exec: “The entire commission structure in both prime and subprime was designed to reward salespeople for pushing whatever programs Countrywide made the most money on in the secondary markets.”

• Countrywide advertised that it was dedicated to getting the best loan possible

• Countrywide’s reliance on securitization drove sales behavior

• Subprime mortgages earned more in secondary markets, were more in demand from investors, and hence, sales execs were compensated to sell more of them

• Securitization influenced lender’s risk culture because it seemingly “outsourced” credit risk; loans were made with focus on volume rather than creditworthiness

• However, with the outsourcing of credit risk came increased operational, reputational and liquidity risk

A class action suit has been filed by shareholders claiming that the lender “issued false and misleading statements…”

Page 9: ERM: DIFFERENCES BETWEEN SECTORS


Characteristics of Subprime Events

• 70 in Algo FIRST database (as of 3/24/2008)

• $70 billion in losses

• Largest loss: $18.4 billion

Event Triggers

• Liquidity Risk

• Market Risk

• Credit Risk

• High Pressure Sales Tactics

• Suitability

• Accounting Fraud

• Breach of Fiduciary Duties

• Concealing Losses/Problem Assets

Control and Contributory Factors

• Undertook Excessive Risks

• Strategy Flaw

• Lack of Internal Controls

• Failure to Disclose

• Failure to Supervise

• Inadequate Due Diligence Efforts

Page 10: ERM: DIFFERENCES BETWEEN SECTORS


70 Subprime Cases from Algo FIRST database

Control Failings

Page 11: ERM: DIFFERENCES BETWEEN SECTORS


Examining Linkages between OpRisk & Corp. Gov.

• The largest accounting fraud events in the database (Enron, Adelphia, Parmalat) display instances of related party transactions

• The largest internal fraud events in the database include breakdowns of board level accounting oversight

• The largest oprisk events in the FIRST database involve people risk and some sort of fraud – primarily accounting fraud

• The majority of the largest losses in the database occur in the corporate center of the organization (senior management, board of directors)

• Predictable given the access senior management has to decision making, information and policy

Data Set: 322 OpRisk Events in FIRST database

Page 12: ERM: DIFFERENCES BETWEEN SECTORS


Source: FIRST database

Operational Risk Events with Corporate Governance Breaches (337 events)

Page 13: ERM: DIFFERENCES BETWEEN SECTORS


Source: FIRST database

Operational Risk Events – broken down by people risk category

Page 14: ERM: DIFFERENCES BETWEEN SECTORS


Conclusions

• Conflict-of-interest at the executive and board level can serve as indicators of an environment that is prone to experience operational risk events.

• Conversely, operational risk events may indicate problems at the senior management and board level.

• Decisions made at the top of the organization out of self interest can have a detrimental effect on all stakeholders

• Related party transactions serve as red flags for the existence of conflict-of-interest

• Senior management is responsible for establishing, maintaining and distilling corporate values

Page 15: ERM: DIFFERENCES BETWEEN SECTORS


Similarities & Differences between Corporates and Financial Institutions

Page 16: ERM: DIFFERENCES BETWEEN SECTORS


Overall Similarities

• Most companies believe that ERM can lead to better decision making.

• Few have integrated it into strategic planning/budgeting/risk-adjusted performance, in the day-to-day activities.

• The majority of directors in both industries have a good understanding of their company’s risks.

• In both industries, boards do understand the risk/return trade-offs of strategic decisions when they are presented with the proper analysis.

• Most established ERM programs are less than 2 years old, but the majority want to implement within 2-3 years.

Page 17: ERM: DIFFERENCES BETWEEN SECTORS


Support for ERM Objectives

• Little more than half of the businesses we surveyed said that the objectives of ERM are understood and supported “entirely” or “significantly” by the board of directors and senior management; this decreases to only one in four in middle management and only 4% of employees as a whole.

Page 18: ERM: DIFFERENCES BETWEEN SECTORS


Governance

Financial Institutions

• Risk Committee at the Board level works in close collaboration with Audit Committee. More elaborated.

• Board more educated about risk.

• CRO is usually charged with the ERM function.

• Risk Appetite statements are more often defined.

• More diverse frameworks: Regulatory/value creation like Aus/NZ Standards compared to COSO.

• Risk better integrated with executive compensation.

Corporates

• Audit committee is usually charged with the risk/ERM function in addition to overseeing the audit function.

• More reliance on top management to inform board.

• CFO is responsible for the ERM program (50%) compared to the CRO (10%).

• Risk Tolerance is usually the focus, when done.

• Risk Framework: COSO / ISO / SOX more prevalent as drivers.

• Executive compensation not linked to risk.

Page 19: ERM: DIFFERENCES BETWEEN SECTORS


Risk Identification

Financial Institutions

• Risk Inventory is broader.

• Risk Importance:
− Regulatory/Strategic (1st)
− Financial risk (2nd)
− Operational (3rd)

Corporates

• Risk Inventory is narrower.

• Risk Importance:
− Strategic risk (1st)
− Operational risk (2nd): Supply chain risk/pandemic/food safety/P&C.
− Financial (3rd)
− Compliance (4th). SOX has done the job!

Page 20: ERM: DIFFERENCES BETWEEN SECTORS


Risk Quantification/Assessment

Financial Institutions

• Based on internal models for some risks:
- Traded portfolios: VaR.
- Credit Risk: Intensity Based & Credit migration models
- Operational risk: LDA
- Based on market value impacts for others:
  - Strategic/reputation.

• Correlation: often performed (EC)

• Prioritization of risks is a by-product of the quantitative analysis.

• Analysis informs company of the potential of all risks: expected vs. unexpected.

• Metric chosen: Value Metric

Corporates

• More qualitative assessment focusing on ranking only.

• Risk scales are qualitative: high/low.

• Prioritization of risks is thus more qualitative, more based on gap-type analysis.

• More emphasis on heat maps/scorecards.

• Less analysis of unexpected events: Company killers!

• Metric chosen: EBIT.

Page 21: ERM: DIFFERENCES BETWEEN SECTORS


Risk Management

Financial Institutions

• Still siloed but less than corporations. Attempt to manage direct/indirect impacts of risk:
− Reputation impact
− Corporate social responsibility.
− Socially responsible investments guidelines.
− Environmental guidelines.

• More portfolio views of ERM.

Corporates

• Risk is still siloed and viewed to be the domain of traditional risk managers.

• Board members still believe that their companies don’t manage risks very well. More reactive than proactive.

• Still try to control risk.

• Less emphasis on cost/benefit analysis of implementing controls.

• More emphasis on business continuity/crisis management.

Page 22: ERM: DIFFERENCES BETWEEN SECTORS


Risk Disclosure

Financial Institutions

• Elaborate for financial risks:
− Trading portfolios VaRs.
− Credit limits/Credit VaR.
− ALM risks.

• Still limited for:
− Operational risk.
− Reputation risk.

• Basel II, Pillar III will improve on that.

Corporates

• Still focus solely on SEC requirements for publicly held companies.

• Communicate after the fact during a crisis

Page 23: ERM: DIFFERENCES BETWEEN SECTORS


Rating Agency Drivers: Standard & Poor’s

• Proposal to include ERM as part of the Credit Analysis decision.

• Issued in the Fall of 07.

• Comments were submitted until March 08.

• Proposal to include ERM or not will be issued soon.

• Describes an analysis approach to ERM from S & P’s perspective: components.

• Describes a high-level scoring approach to ERM: Scoring approach.

• Describes high level principles on how the ERM would be integrated with the credit rating approach: Ratings impact.

Page 24: ERM: DIFFERENCES BETWEEN SECTORS


S & P’s ERM for the Corporate Sector

• Modeled after what is being done for the Financial Sector.

• S & P is of the view that ERM can help companies anticipate/better manage risk on a forward looking approach:
− Help reduce volatility of earnings → overall probability of default by the firm → overall credit rating.

• Credit rating approach has 3 main components:
− Business profile
− Financial profile
− Management profile: ERM would influence this component.

Page 25: ERM: DIFFERENCES BETWEEN SECTORS


S & P’s ERM: Components

• Risk Governance and Culture:
− Roles/structure/accountability
− Communications: Internal/External
− Looks for transparency of the ERM process.
− Firm must look beyond just compliance.
− Business units daily adherence to risk tolerance: Use Test of other regulatory criteria!

• Risk Controls:
− Identification/measuring/managing risks.
− Proper implementation of risk controls.
− Risk tolerance and risk limits consistency.

Page 26: ERM: DIFFERENCES BETWEEN SECTORS


S & P’s ERM: Components (continued)

• Emerging risks preparation:
− New and extremely rare events: Unexpected/Cat.
− Wants to see firms have in place processes to deal:
  − Environmental scanning
  − Trend analysis
  − Stress testing
  − Contingency planning

• Strategic risk management:
− Incorporate risk into strategic decision making.
− Must use a comprehensive measure of risk: enterprise value.
− Will seek evidence of implementation in:
  − Strategic asset allocation, new products, M & A, compensation.

Page 27: ERM: DIFFERENCES BETWEEN SECTORS

ADVISORY

The evolution of risk and controls

From score-keeping to strategic partnering

April 2008

Page 28: ERM: DIFFERENCES BETWEEN SECTORS

Questions to consider

How can we transform an expensive compliance obligation into a real business advantage?

How can we deliver significant and quantifiable operational and financial value from the risk spend?

How do we reconcile increased efficiency with increased risk and controls management?

© 2007 KPMG International. KPMG International provides no client services and is a Swiss cooperative with which the independent member firms of the KPMG network are affiliated. All rights reserved.

Page 29: ERM: DIFFERENCES BETWEEN SECTORS

Agenda

Survey demographics

The Risk and Controls Evolution– executive summary

Main findings


Page 30: ERM: DIFFERENCES BETWEEN SECTORS


Survey demographics

Interviewees

Raj Singh, Chief Risk Officer, Allianz

Mark Carawan, Internal Audit Director, Barclays

Ian Rushby, Group VP and General Auditor, British Petroleum

Thomas C. Wilson, Chief Insurance Risk Officer, ING Group

Robert Brewer, SVP and Chief Compliance Officer, Office Depot

Rob Kella, Chief Risk Officer, Qantas

Andreas Grunbichler, Group Chief Risk Officer, Zurich Financial Services

Geographical location

Global revenues

Page 31: ERM: DIFFERENCES BETWEEN SECTORS


Survey demographics

Primary industry

Page 32: ERM: DIFFERENCES BETWEEN SECTORS

Executive Summary

A variety of factors are changing the scope of risk and controls

Getting the structure right:

− Coordination is the key to success

− Co-sourcing of internal audit is becoming more widespread as companies require specialized skills

A limited awareness of risk remains a significant barrier

Innovation points the way to greater effectiveness and efficiency

Risk and controls management is no longer confined to “Keeping Score”


Page 33: ERM: DIFFERENCES BETWEEN SECTORS


A changing risk environment

Internal factors driving change

Page 34: ERM: DIFFERENCES BETWEEN SECTORS


A changing risk environment

External factors driving change

Page 35: ERM: DIFFERENCES BETWEEN SECTORS


Outsourcing – potential benefits and drawbacks

Page 36: ERM: DIFFERENCES BETWEEN SECTORS


What are the major barriers to effective risk and controls management?

Page 37: ERM: DIFFERENCES BETWEEN SECTORS


Innovation is one of the keys to efficiency

Page 38: ERM: DIFFERENCES BETWEEN SECTORS


Changes needed for risk and controls to function more effectively

Page 39: ERM: DIFFERENCES BETWEEN SECTORS


How confident are respondents that these goals can be achieved over the next 3 years?


Page 40: ERM: DIFFERENCES BETWEEN SECTORS

A vision of the future

“Controlling risk is where it starts, but going forward, risk management will also have a strong link into the decision-making process and create new business opportunities”

Andreas Grunbichler, Group Chief Risk Officer, Zurich Financial Services


Page 41: ERM: DIFFERENCES BETWEEN SECTORS

How can this vision be achieved?

More broad-ranging risk profiling

Adopting a combined risk and assurance model

Co-sourcing

Using progressive tools

Cultural change

Developing a strategic, enterprise focus


Page 42: ERM: DIFFERENCES BETWEEN SECTORS


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The views and opinions expressed herein are those of the interviewees and do not necessarily represent the views and opinions of KPMG International or KPMG member firms.

© 2007 KPMG International. KPMG International is a Swiss cooperative. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.


Page 44: ERM: DIFFERENCES BETWEEN SECTORS


PRMIA would like to thank our sponsors

Page 45: ERM: DIFFERENCES BETWEEN SECTORS


PRMIA would like to thank our panelists

Penny Cagan, Managing Director, Operational Risk Division

Anne Duprat, CA, CFA, MBA, Senior Manager, Advisory Services, Risk Management and Operations Improvement

Michel Rochette, MBA, FSA, Assistant Director ERM, Global Risk Consulting

Page 46: ERM: DIFFERENCES BETWEEN SECTORS


Upcoming PRMIA and Partner Events

• An Overview of Credit Modelling and Management (IFM2) (More information can be found at http://www.ifm2.uqam.ca).
  April 10-11, 2008

• Buy Side Risk Managers' Roundtable
  May 27, 2008