Office of Financial Stability - Troubled Asset Relief Program Implementing Enterprise Risk Management in a Start-up Federal Organization
Post on 12-Jan-2016

Page 1: Unprecedented Events in 2008

Office of Financial Stability - Troubled Asset Relief Program

Implementing Enterprise Risk Management in a Start-up Federal Organization

Page 2: Unprecedented Events in 2008

[Chart: U.S. Financial Industry, index level on the y-axis (6,500 to 13,500), dates on the x-axis from 3/23/08 to 11/4/08]

Page 3: OFS’ Challenges at inception

Environment Encountered
• Start-up organization (inception: October 2008, resulting from passage of the Emergency Economic Stabilization Act (EESA))
• Programs to address the liquidity and financial crisis were unclear
• Expectation of rapid response
• Limited experience to leverage from past crises
• Processes not established
• No policies or procedures
• Heavy oversight demands (GAO, SIGTARP, Congressional Oversight Panel (COP))
• Control environment changing rapidly
• Non-existent Governance, Risk and Compliance activities

Risks
• Siloed information
• Disparate processing
• Inability to create integrated reporting
• High degree of manual processing
• Version control issues with documents

Page 4: Identification of Existing ERM Frameworks In Use

Based on COSO Internal Control and Enterprise Risk Management Frameworks and other best practices

[Figure: COSO ERM cube]
• Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
• Objective categories: Strategic, Operations, Reporting, Compliance
• Organizational levels: Entity-Level, Division, Business Unit, Subsidiary

Page 5: Initial establishment of the OFS’ Methodology

Define strategic objectives
  What: Desired outcomes of overall program
  Who: Treasury policy officials

Set risk and other objectives
  What: Level of risk to undertake in: Financial; Market; Operational; People, Process and Systems; Strategic; Reputation
  Who: Executive Committee (EC) in consultation with Treasury Management
  How: EC Risk Management meeting

Set internal operational objectives
  What: Overall objectives for OFS, including: Vision; Priorities; Operational norms
  Who: Executive Committee (EC) in consultation with Treasury Management
  How: EC meeting

Identify major risks and assign responsibility
  What: Listing of major risks in the organization along with priority, timing and responsibility for addressing the risk
  Who: Senior Assessment Team (SAT) in conjunction with OFS operating units (EC sets prioritization)
  How: Discussion and in-depth interviews with staff leading to a Risk Matrix

Design and implement risk mitigation actions
  What: Policies and procedures needed to manage the level of risk; other actions as needed to mitigate risks
  Who: OFS operating units with support from CRCO and CFO
  How: Development of risk mitigation policies, procedures and other actions

Monitor and report on risks
  What: Management information and reporting needed to ensure risks are within tolerances
  Who: OFS operating units with support from CRCO and CFO, reporting to SAT and EC
  How: Regular reporting to SAT on status of risks; spreadsheet tracking of risks and status

Test risk mitigation actions
  What: Periodic and independent testing of policies and procedures to ensure they are robust
  Who: CFO to test transaction processes, CRCO to test qualitative and performance measures
  How: Policy development process

Page 6: Goal was to achieve collaborative Enterprise Risk Management

[Diagram of the collaborative ERM cycle; source: MetricStream]
• Library of Risks: risk factors, inherent risks, residual risk, controls (e.g., Financial; External, e.g., Political; Operational)
• Risk Analytics: force-ranking of risks
• Risk Scoping: Location/Division, Statutory Group, Product Line, Commodity Group
• Risk Assessment: management consensus (gain management consensus for risk assessment)
• Risk Mitigation: develop strategies for lowering risk; 3rd party testing, internal audit, self audit
• Compliance Strategy

Page 7: OFS’ Governance Environment established early

[Diagram of the governance environment]
• Program Functions: Asset Purchases, Asset Sales, Asset Management
• Also shown: Potential new functions, Procurement
• Support functions: Budget/Accounting, Reporting/Compliance, Information Tech., Human Resources
• Senior Assessment Team: conduct risk assessments; perform control activities by function
• Establish control environment
• Governance: Executive Committees - Joint Chiefs Meeting, Investment Committee, IT Governance Council, Contract and Agreement Review Board, Staffing Board
• Internal and external monitoring
• Information and communication
• Development and implementation of policies and procedures

Page 8: Comprehensive view of the risks and controls

[Diagram of the risk and controls organization]
• OFS Risk Management Team: conduct risk assessments
• Business Functions: Asset Purchases, Asset Sales, Asset Management (also shown: Potential new functions, Procurement)
• Support functions: Budget/Accounting, Reporting/Compliance, Information Tech., Human Resources
• Process owners establish the control environment
• Process owners execute control activities
• OFS Internal Controls Team: execute internal controls methodology for all components of the organization
• External monitoring from Oversight Organizations

Page 9: Linkage Between Risk Management and Internal Controls Tasks

• Leveraging stakeholder interviews
• Internal control over operations and financial reporting
• Annual Assurance Statement
• Sharing process flow documentation
• Sharing risk control matrices
• Leveraging test plans and results
• Jointly leading the effort to develop office-wide policies and procedures

Page 10: Initial Focus was on Operational Risk Assessments

The following risk categories provide a common language for evaluating operating risks and support an assessment of key risk areas. We begin our assessment with a list of generic questions for these risk categories and tailor the questions to the specific program or business support function being addressed.

Operating Risks

People
• Staffing Expertise & Adequacy
• Employee Fraud & Theft
• Staffing Workload
• Skills
• Training
• Morale
• Career Advancement
• Supervision

Process
• New Product/Offerings/Structures
• Transaction Sourcing
• Transaction Processing
• Vendor/Supplier
• Data Quality
• Legal/Compliance
• Model Application
• Model Design
• Process Maturity
• Awareness
• Communication of the Process
• Coordination with Other Areas
• Policies and Procedures
• Controls, Performance Metrics
• Streamlining

Technology
• Architecture, Configuration, Integration Design
• Hardware
• Software
• Infrastructure
• End User Computing
• Security
• Access
• Tools
• Backup
• Continuity of Operations
• Data Integrity
• Enterprise Architecture
• Change Management

External Events
• External Fraud/Theft
• Business Continuity

Reporting & Disclosure
• Financial Reporting & Disclosure
• Regulatory Reporting
• Securities Reporting & Disclosure

Other Risk Categories: Financial, Reputational, Political, Strategic, Compliance

Financial
• Monetary Loss
• Fraud Potential
• Internal Controls

Reputational / Political
• Mission Impact
• Communication with Oversight Organizations

Strategic
• Linkage to enterprise risk: convergence of the bottom-up and top-down views of risk (as discussed, we need to see the individual risks collectively to form a view of the strategic risk)

Compliance
• Contractual provisions with third parties such as financial agents, internal controls, EESA non-compliance (Executive Compensation, etc.), controls to prevent fraud

Page 11: Process of Conducting Risk Assessments

• Choose high priority programs and business support areas
• Identify key processes/lifecycle steps within each high priority area
• Develop risk interview questions based on understanding of the underlying processes supporting programs and business support areas
• Interview key stakeholders for each program/business area (10-12)
• Synthesize risks
• Assign risk ratings (high, medium, low)
• Develop mitigation plans for areas assigned a high or medium risk rating
• Report periodically on results of risk assessments and progress against mitigation plans

Page 12: We are transitioning to evaluating other types of risk

[Diagram: Programs (CPP, PPIP, SBA, etc.) -> Program Data -> Analytical Tool -> Risk Reporting and Monitoring]

Market Risk Criteria
• Duration (Fixed Income)
• Volatility, Delta, Theta, Rho (Options and Warrants)
• Equity Beta (Common Stock)

Credit Risk Criteria
• Credit Grades (Ratings)
• Yields (Credit Spreads)
• Concentration Amounts (By Sector, Asset and Class)

Page 13: OFS’ approach to managing Compliance for TARP programs

Compliance Requirements

Laws Applicable to TARP
• Economic Stability Act of 2008 (EESA)
• American Recovery and Reinvestment Act of 2009 (ARRA)

Regulations Applicable to TARP
• TARP Standards for Compensation and Corporate Governance (31 CFR Part 31)
• Interim Final regulation for Conflicts of Interest (31 CFR Part 31)

Legal Documents
• Governing the programs and their related activities

Applicable Investment Laws and Regulations
• Investment Advisers Act of 1940
• Investment Act of 1940

Compliance Activities at TARP

Financial Agents Compliance

Each TARP program has its own unique compliance requirements:
• Capital Purchase Program (“CPP”)
• Automotive Industry Financing Program (“AIFP”)
• Auto Supplier Support Program (“ASSP”)
• Small Business Administration Loans (“SBA”)
• Systemically Significant Failing Institutions (“SSFI”)
• Targeted Investment Program (“TIP”)
• Asset Guarantee Program (“AGP”)
• Term Asset-Backed Securities Loan Facility (“TALF”)
• Making Home Affordable (“MHA”) Program
• Public-Private Investment Program (“PPIP”)

Anti-Fraud Group
• Report on Non-Compliance
• Reports to Oversight Organizations

Page 14: An integrated ERM system is still a work in progress

[Diagram of an integrated ERM/GRC platform; source: MetricStream]
• Risk Management: Enterprise Risk Assessment; Manage Risk/Control Matrix; Manage Control Hierarchy; Define audit universe
• Issues Management / Remediation: Closed Loop Issues Management; Controls testing; Remediation; 302 Certification
• Dashboards & Reporting: Federated Compliance Reporting; Other Compliance Reporting
• Shared services: Work Program Library; Electronic Workpapers; Scheduling; Remediation Reporting; Resource Management; Email Integration; Document Interoperability

Page 15: Challenges ahead

• OFS is a temporary agency within US Treasury
• Most of the staff are term employees – loss of intellectual capital
• Scalability of the ERM function to other components of US Treasury
• Budget pressures
• Convincing and educating senior management of the sustainability of ERM across the organization