pwc.com.au
Three lines of defence as a strategic imperative
Practical perspectives on what it looks like for Mutuals.
AMI Finance and Risk Forum
November 2012
Agenda
• Why three lines?
• How it works
• Practical for Mutuals
• When it doesn’t work
• Role of Risk and the CRO
What is “3 Lines of defence”?
The three lines of defence risk governance model (3LOD) has been widely adopted internationally and has become generally accepted as the de facto governance standard by boards, management and industry regulators alike.
The 3LOD should apply to all risk types (not just operational risk) and comprises:
1st Line – Executive management: Identification, assessment and management of risks through mitigating actions including internal controls as an integral part of delivering “normal” strategy. The CEO and his executive are responsible for management of risk and are held accountable by the Board.
2nd Line – Risk functions: The Chief Risk Officer (CRO), through a dedicated risk function, advises the Executive on the design and implementation of the most effective enterprise wide risk framework in support of the Executive as they discharge their responsibilities. The CRO and the risk function are not responsible for managing risk; that is management’s job.
3rd Line – Internal audit: Internal Audit provides independent assurance on the adequacy of design and effectiveness of operation of the risk management framework. The Internal Auditor is responsible for independent assurance and is accountable to the Audit and Risk Committee.
Why is it valuable?
Sustainable risk-return thinking throughout the business; business-wide understanding and respect for risk appetite; stakeholder confidence in business decisions.
• Growth is enabled with confidence
• Risk and Return front of mind. Nobody has just Risk, nobody just Return.
• Able to move quickly to pursue strategy
• Timely, useful, risk-related information
• Empowered and accountable decisions that understand risk impact
• Support for strategic choices
• Enhanced/protected reputation
• Improved regulator relationships
• Culture of doing the right thing
Goal:
• Optimised risk/return in line with the defined Risk Appetite
• NOT risk minimisation
When it works: 3LOD best practice outcomes
1st Line – Executive management:
• Promotes a strong risk awareness culture and sustainable risk-return thinking
• Promotes a culture that adheres to existing appetite levels and manages risk exposures
• Optimises the risk portfolio on both the macro and micro level
• Ongoing identification and monitoring of risks.
2nd Line – Risk management function:
• Combination of enabler, trusted advisor and enforcer of risk management practices
• Understands how the business makes money
• Talented risk managers with business experience engage with the business front lines as equals
• Overarching “risk oversight unit” across all risk types provides real value to the business, the Executive and the Board.
3rd Line – Internal audit:
• Possess a good understanding of the business markets, the business types, and risk management practices
• Able to challenge the business units and risk management functions
• Independent oversight function with credibility at the business unit, Executive and Board level
• Ability to link business and risk with processes, technology and people.
Three lines of defence – Roles and Responsibilities
1st Line – Executive management: Identification, assessment and management of risks through mitigating actions including internal controls.
Key attributes:
• Promote a view that it is management’s responsibility to manage risk and “the buck stops with them”.
• Promote a strong culture of adhering to limits and managing risk exposures
• Ongoing monitoring of positions and inherent risks
• Ensuring that when an event or variance occurs, the underlying cause is deeply understood
2nd Line – Risk functions:
• Facilitate and assist in setting risk appetites and designing risk mitigation.
• Analyse and report on risk performance
• Provide valued insight
Key attributes:
• “Centre of excellence” in risk management
• Scope includes all risk types; enterprise wide: credit, market, operational, regulatory, liquidity etc.
• Understand aggregated risk positions and support in developing and advising on risk strategies
• Separate from the business but not independent.
3rd Line – Internal audit: Independent and objective assurance on the adequacy and effectiveness of the risk management framework.
Key attributes:
• Independent assurance on the robustness and application of the Enterprise wide risk framework
• Assess the appropriateness and effectiveness of internal controls
• Ability to link business and risk with organisation, processes and systems.
The first line of defence is responsible for owning and managing the risks that the business originates.
Key activities:
Risk identification and assessment
• Identify the risks being taken by the business to achieve its strategic aims
• Assess the potential impact of each risk, individually and collectively to determine possible outcomes
• Set risk appetite statements for each risk category
• Align risk appetites with financial budgets.
Risk mitigation
• Take actions to mitigate the risk to achieve residual risk levels as set out in the risk appetite statements.
• Establish controls
Monitoring and reporting
• Monitor and report performance of the risk mitigants to ensure the target appetite is achieved
• Deploy own assurance where appropriate
• Investigate the underlying causes and take remedial action.
The Second line of defence is responsible for providing expert advice, oversight and challenge.
Key activities:
Providing expert advice
• Advise management on the most appropriate risk management framework to meet the operational and financial approved outcomes
• Understand the business model and current and future business plans
• Set operational boundaries by drafting and implementing policies and procedures
• Provide guidance and direction for implementing the policies and monitoring their execution.
• Develop the supporting organisational structure, infrastructure, and internal processes required for effective risk management
• Reporting risk management performance against the target appetite
• Providing deep insight as to trends, predictions, underlying causes for performance variances.
Oversight
• Understand, assess and approve the risk management framework in place and operated by the management; the 1st line
• Provide continuing advice to promote the ongoing improvement of the risk management framework
• Review and assess the reporting of risk and business management performance to ensure it is in line with the approved target risk assessment
• Provide support to teams in enhancing risk management capability in the 1st line; e.g. training, technical briefings etc.
Challenge
• Developing a deep understanding of concentrations, correlations, and early warnings
• Develop a more critical understanding of the underlying risk-return drivers of profitability
• Constructively challenge management actions and decisions where they appear to differ with the approved risk management plan or framework
• Enforce the qualitative and quantitative aspects of the approved risk framework and risk appetite e.g. ensuring no new product is launched until all sign offs are in place.
The Third line of defence is Internal Audit, which undertakes independent and regular ex-post reviews of the overall Enterprise wide risk management framework.
Key activities:
Assurance of adequacy of overall framework
• Objectively and independently evaluate the existing enterprise wide risk framework
Assurance on effectiveness
• Analyse the appropriateness of business processes and associated controls
• Monitor and review the effectiveness of internal controls
• Conduct ad-hoc reviews of trouble areas, where the level of risk is high or unacceptable
Continuous improvement
• Leverage Subject Matter Expertise knowledge to make recommendations to improve the design and operation of the enterprise risk management framework
Some practical considerations for Mutuals
In our experience, 3 LoD operates best when the and structure that is proportionate to the Mutual’s complexity.
<Case Study>
When doesn’t it work – the Wild West
1st: “I’m taking all the business in town and I don’t care what anybody else says”
2nd: “I’m on a personal crusade against Risk – there’ll be no growth on my watch”
3rd: “Somebody is going to pay for this!”
When doesn’t it work – Perception
• “The next big thing for consultants”
• “What compliance gets up to while the rest of us are trying to run a business”
• “One more thing APRA wants us to do”
When doesn’t it work – Role confusion
1st
• Misalignment of business decisions and risk consequences
• Not understanding ownership of Risk
• Unwilling to produce and monitor risk data (perceived lack of value)
• Leadership role modeling growth over risk
• Focus on symptoms, not root cause
• Unwilling to self-assess and test their own activities
2nd
• Seen as “owning” Risk and as a result design and execute change
• Ignored by business due to perceived lack of commercial focus
• Focused on administration and reporting, not insight
• Inability to influence executive
• Seen as saying “No”
3rd
• Silent on strategic impacts of their findings
• Not risk focused – process and controls
• Lack of commercial acumen
• Challenging relationship with business
• Findings not linked back to the 3 lines
The role (and challenge!) of the Mutual CRO/Head of Risk
• Design leading risk-based reporting to Board and Exec
• Use your seat at the table to influence 3LoD profile
• Drive and challenge the Risk Appetite process
• Hold business to account for ownership of Risk
• Clearly define and communicate the Risk team’s role
• Construct an RMF that is proportionate to the organisation
• Communicate with clarity and consideration
• Contribute to strategic planning, decisions and analysis
• Provide commercially relevant insight based on risk data
Dependencies and needs
Need: Risk/Return tone from the top. Purpose: Demonstrate and demand risk/return thinking from all levels of the business. Value: A culture of doing the right thing with confidence in business value.
Need: Board-endorsed and cascaded risk appetite. Purpose: Reflect risk appetite throughout organisational goals. Value: Consistent understanding of risk appetite and business activity that aligns.
Need: Risk-orientated data/information collected on a regular basis. Purpose: Identify and monitor risk performance and trends for reporting. Value: Drive business activity at strategic goals within risk appetite, identifying areas of concern.
Need: Incentive/performance alignment. Purpose: Reinforcement of cost/benefit of activity within defined boundaries. Value: An organisation with congruent goals throughout.
Roles of a risk function
• Primary: Provide leadership on Risk Management for the Board, Executive and Management.
• Advisor: Advise the Board, Executive and Management on Risk Framework development and implementation, Risk Management best practice, setting Risk Appetite, Performance Reporting and Variance Analysis.
• Enforcer: Enforcing compliance with the approved Risk Management Framework.
• Enabler: Provider of business enabling processes to support the organisation eg New Product Approval process, Credit Approval process.
• Ambassador: Communicating risk management best practice across the organisation and positively influencing the appropriate risk culture. Representing the organisation externally and the risk agenda internally.
Who is responsible for what – a summary
The Board: Ultimately accountable for risk management for the organisation. Responsibility delegated to the CEO to discharge on behalf of the Board.
The CEO: The CEO has overall responsibility for risk management within the organisation, with power delegated to him through the Board. In practice the CEO delegates responsibility throughout the executive team.
The Business: The Business (the first line of defence) has responsibility for effectively managing the commercial and operational risks undertaken by the business on a day to day basis.
The CRO: Leads the second line of defence. Advises the CEO on setting target risk appetite, designing and implementing the most effective enterprise wide risk framework, reporting risk performance and ensuring variances are understood and rectified.
Internal Audit: Leads the third line of defence (Internal Audit). Provides independent assurance on the adequacy and the effectiveness of the enterprise wide risk framework in operation, and encourages continuous improvement.
A summary of risk management function model options
Centralised: one function at the centre. Works well for small/medium sized organisations, or large organisations that are not complex and operate in one country, or have a centralised management culture.
Federated: strong group function supported by business-focussed teams in each division. Variations of this adopted by many banks. Success is dependent upon:
• Quality of leadership
• Power of the divisional CEO’s vs Group and organisational culture
• CRO reporting line
Distributed: complete risk functions operate within each division with limited or no formal communication between them. Complemented by a small group at the centre (20 people or less). Works well for distributed conglomerates (different businesses, different countries).
Unified: the next generation of Federated. Comprises a group function and teams in each division. Divisional CRO’s report to Group CRO but divisional risk team staff are employed at division. Whole Risk Community led by a Risk Board chaired by the Group CRO. Whole Risk Community treated as 2nd line of defence.
A generic risk framework
Risk Strategy: The Business Risk Strategy is the high level statement that sets out the broad policy as to how risk will be taken and managed by the enterprise to achieve its strategic objectives – often known as the Board’s risk appetite statement.
Risk Profile: The Risk Profile identifies, assesses and evaluates key risks facing the enterprise against a number of facets including probability and impact and looks at both internal and external threats and opportunities.
Risk Appetite: The Risk Appetite sets out, at both the Board and Executive level, the level of risk tolerance the enterprise is willing to take and hold to achieve its short term (1 year) and medium term (1 – 3 year) aims.
Risk Mitigation: Risk Mitigation is the sum of the actions undertaken by management and the risk function to actually manage the risks identified in the risk profile to the tolerance determined by the enterprise’s Risk Appetite. This includes the design and implementation of policies, processes and procedures.
Monitoring & Reporting: Ongoing Monitoring and Reporting of the extent to which risk mitigation has maintained risk exposure within limits established by the enterprise’s Risk Appetite.
Variance Analysis & Remediation: The process of analysing the reason behind variances between predicted and actual performance. Where the variation is significant, it is important to develop remedial strategies to return performance to the expected range.
Performance Optimisation: Performance Optimisation is the process of balancing the totality of risk across the overall enterprise. This includes optimising the use of capital and effort against each risk category. Portfolio management principles apply particularly for FS enterprises.
pwc.com.au
Sam Garland, Senior Manager
Phone: +61 (2) 8266 3029
Fax: +61 (2) 8286 3029
Mobile: +61 (0) 405745042
Rob Kella, Principal
Phone: +61 (2) 8266 0209
Fax: +61 (2) 8286 0209
Mobile: +61 (0) 417 088 019
© 2012 PricewaterhouseCoopers. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers a partnership formed in Australia, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.