 Seminar I: Three Lines of Risk and Control Defense: Challenges and Industry Practices Leon Bloom

2013 Chicago Erm Sem 1 Bloom


4/11/2013

Evolving beyond the traditional three lines of defense model

Leon Bloom, [email protected]
Partner, Deloitte, Chicago IL, April 22, 2013

    Risk Governance

    Risk governance - Evolving beyond the traditional 3 lines of defense model

    Agenda

• Emerging risk governance requirements: context and expectations
• Current practices in risk governance: issues, challenges and shortcomings
• Guiding principles: roles, responsibilities and accountabilities
• Guiding principles: policies, processes and practices
• Three lines of defense: definition vs. effective application, and the case for redesign
• Aligning the risk governance model with the business model and with risk and capital management processes
• Structures for risk taking, risk oversight, risk assurance and board oversight
• The business case for risk governance


Six key issues for global financial institutions

• Capital: not enough, and not measured correctly. Global banks are still short of EUR400bn of capital to meet Basel 3, before national surcharges and further losses. Banks need to improve, standardise and disclose RWA models to make them more acceptable to regulators and investors.
• Liquidity: not enough, and not defined correctly. Global banks are still short of EUR1.8trn of liquid assets and EUR2.5trn of long-term stable funding. To avoid deleveraging, banks need to work with regulators to improve the LCR and NSFR calculations before adoption.
• Economy: a key risk, with asset quality insufficiently transparent. Economic recovery remains weak, leading to weak lending growth, margin compression and rising NPLs. Banks and insurers need improved transparency and loss modelling to convince regulators and investors of solvency.
• Operations: cost cutting is the main lever to raise ROTE over COE. Regulation compounds the weak revenue outlook; cost reduction is the best lever to raise ROTE over COE. Insurers and banks need to shift strategy and optimise headcount and back-office costs to meet the environmental challenges.
• M&A: growth opportunities for the strong; capital relief for the weak. While regulations dis-incentivise large acquisitions, stronger institutions can buy books of business. Weaker institutions need to consider their portfolio of activities; capital-enhancing disposals add value.
• Risk governance: needs significant strengthening; regulators are raising the bar. Accountability for risk taking often lacks clarity and can be undermined. Weak risk and control cultures threaten the effectiveness of the risk governance model.

Among other things, regulatory supervision is giving emphasis to four high-priority areas:

• The inherent riskiness of the business model: where and how are earnings generated, is there an extreme or concentrated dependency on a particular source or sources, and how is the associated risk articulated and addressed or mitigated?
• Tail risk: has a competent process been established to identify tail risks, and have those risks been objectively and realistically assessed rather than underestimated?
• Pricing: does pricing reflect the inherent riskiness of the business model and the assessment of tail risks?
• Risk governance: how well defined and embedded is the risk governance model? Is the assurance function (Internal Audit) being used as a management control, or as a substitute for quality assurance and peer review practices by the risk-taking areas and the risk management function? Does the governance model in practice align with and support the principles of a sound risk management and control culture?


    Risk governance requirements


    Emerging risk governance requirements

The significantly changed environment resulting from the continuing global financial crisis has raised the hurdle of regulatory requirements and Board expectations for the timeliness and quality of risk information and for the robustness of risk management processes and practices.

Governance
• Increased emphasis on a clear, transparent risk governance model
• Clear accountability, role and responsibility structures, and segregation of duties, as in the so-called three lines of defense model

Closer alignment of risk and business considerations
• Many global institutions are visibly benefiting from having an enterprise-wide risk management function
• The CRO works closely with other senior executives to strengthen the management of the business by explicitly incorporating consideration of risk into decision-making and performance measurement

Holistic risk governance approach
• Driven by the need to generate suitable investor returns in the face of greatly increased regulatory capital requirements, some organizations are pursuing risk optimization, which requires a foundation of strengthened financial governance
• Closer alignment and harnessing of synergies between the functions involved in risk management and risk measurement, capital management, financial performance measurement and management, and tax


    Risk governance - challenges

ERM is a continuous activity that aggregates and integrates risk management activities in order to better optimize risk-adjusted returns. It provides:
• A common framework to manage all types of risk
• Accountability and transparency
• Support for decision making and capital management decisions, relative to institution-wide business strategies and objectives

Governance observations
• Roles, responsibilities and accountability are often unclear
• Second and third line functions are being used as management assurance and quality control functions
• Communication paths are not defined
• Committee structures, responsibilities and mandates lack clarity
• Objectives and the target end state for ERM are unclear
• Insufficient focus and time are spent discussing risks across the organization
• Monitoring fails to identify risk conditions and to provide a competent understanding of exposure status
• ERM programs are often not dynamic and fail to proactively identify and adapt to unexpected events

Guiding principles: roles and responsibilities

• The governance model should promote transparency of accountability, communication, decision making and information flows
• Decisions and accountability should reside with individuals, not committees, wherever possible
• Business areas retain accountability for managing their own risks; that responsibility is not transferred to the risk oversight function
• All classes of risk should have clearly assigned responsible and accountable parties in the governance model (i.e. it should not be purely focused on product risk)
• Decisions should be made with appropriate consideration of the enterprise impact, not just the impact on individual lines
• The risk governance structure should clearly reflect the roles of, and the interaction with, pricing, underwriting, reserving and other critical, interdependent functions
• The structure should enable risks to be appropriately considered and factored into broader business decisions
• It should clearly articulate the requirements for independent assurance (e.g. Internal Audit)


Guiding principles: processes and policies

• Risk governance must be supported and enabled by explicit policies with transparent accountabilities and authorities
• The governance processes should be as streamlined as possible, avoiding unnecessary levels of decision-making bureaucracy
• Risks should aggregate and integrate at the appropriate level of governance, including cross-line, cross-business-unit and enterprise levels; the governance model should include owners of the aggregated risk at each level within the aggregation hierarchy
• The monitoring process must be clearly articulated in the governance model (including responsibilities, frequency, etc.)
• Governance must be linked to a philosophy, vision or governing objective at the top
• Governance should enable risk management processes to be proactive rather than reactive
• The governance model should not be static; it should be re-evaluated every year to ensure it evolves appropriately


    The evolution of the lines of defense model


The framework provides a design for the governance infrastructure and the governance operating model. The top part of the framework depicts the areas where the board's responsibility is typically heightened.

A risk governance framework provides the foundation for oversight and for establishing the necessary checks and balances regarding risk taking. It helps clarify oversight responsibilities by establishing a common foundation.

Measuring the risk and control culture

A focused assessment is needed to fully understand an organization's current risk culture and to track the progress of cultural change.


Risk practices maturity model

Maturity model levels:
• Unaware: processes and practices at this level are non-existent, not implemented, or not commonly and clearly defined; they lack a formal process, and the enterprise is not conscious or aware of their importance.
• Fragmented: processes and practices at this level are at a starting point or are inconsistent across business lines. They exist in silos, or are defined differently at different levels, and are not considered important within the enterprise.
• Integrated: processes and practices at this level are defined, documented and communicated to the entire enterprise. They mostly exist at the enterprise level but are not implemented, leveraged or embraced across the enterprise.
• Comprehensive: processes and practices at this level are mature, widely adopted and understood, repeatable, clearly defined, well documented and aligned with the enterprise's risk management framework. They are consistent, effective and widely applied across the enterprise.
• Optimized: processes and practices at this level are well entrenched in business as usual, and the focus is on continually improving them. They are at the optimum level, and the enterprise is able to sustain or strengthen them.

Three lines of defense issues and challenges

Governance interaction and information flow (figure; the three lines sit beneath the Board of Directors and Senior Executive Management, with the flows labelled ASSERT, REPORT, ASSURE, ENABLE and VALIDATION & ASSURANCE REPORTING)

Board of Directors and Senior Executive Management: receive assertions on the status of risk exposure

1st line: Business Unit Management and Staff
• Risk identification and assessments
• Actions to exploit, reduce, transfer or avoid risk
• Provide assertions on risk exposure for each business unit or functional area within NFS

2nd line: Risk Management
• Policies, governance and information flow
• Risk assessment methods
• Measurement, aggregation rules and tools
• Monitor risk exposure status and report to the Board

3rd line: Internal Audit
• Validation of controls
• Objective review of the risk management process
• Assurance to senior executive management and the Board on assertions of risk exposure


    Evolution of the three lines of defense

Responsibilities by line of defense across the areas of regulatory change, risk capital calculation and allocations, risk management reporting, risk management methodologies, risk appetite and strategy, the risk management framework and risk management policies:

Line of Business (1st line of defense): day-to-day management and risk control
• Reviews the impact of regulatory requirements on processes, policies and controls
• Provides capital adequacy calculation inputs
• Defines the capital model and the allocation process and tools
• Provides input for risk reporting; implements the reporting framework
• Develops business processes, controls and policies aligned with the risk appetite (e.g. underwriting guidelines, trading policies)
• Executes tasks adhering to the policies defined; provides feedback on the controls and policies in place
• Adheres to defined processes and complies with limits

Risk & Compliance (2nd line of defense): risk policies, methodologies and oversight
• Identifies and assesses relevant regulatory changes; supports any updates required; monitors execution of change
• Supports the business in the design of the capital model
• Completes regular risk model validation
• Monitors capital adequacy
• Develops and maintains the reporting framework; implements the reporting framework; monitors data accuracy; monitors risk reporting trends and issues
• Defines the risk controls and processes
• Monitors the effectiveness of controls and residual risk
• Monitors the ongoing application and operation of methodologies
• Manages risk IT systems
• Supports the business in the development of a risk appetite and strategy
• Monitors compliance with regulatory requirements
• Provides input to the business to develop and maintain policies; monitors compliance
• Develops and enforces the risk governance model

Internal Audit (3rd line of defense): independent assurance
• Tests the implementation of processes, policies and controls
• Tests the implementation of the capital model
• Independent monitoring of the risk reporting framework; tests implementation and data accuracy
• Provides independent assurance for the Board and senior management on assertions of risk exposure
• Independent review of the appropriateness of, and compliance with, controls and processes
• Tests the implementation of any changes to methodologies
• Independent monitoring of the articulation of risk appetite and of organizational compliance with the limits framework
• Independent monitoring of compliance with policies

Ongoing activities shown alongside the matrix:
• Regular risk model monitoring; peer or management compliance reviews of policies and controls; regular status reporting; monitors the risk profile, the effectiveness of controls and residual risk; monitors and ensures capital adequacy; ensures data accuracy; implements controls and the reporting framework; reviews the impact of regulatory requirements on processes, policies and controls
• Completes regular risk model validation; annual reviews of policies and controls; addresses escalated risks; reviews and challenges the risk appetite considering emerging risks and changes in the risk profile; reviews policies regularly to ensure alignment with business strategy; ensures regulatory changes are developed and implemented in a timely manner
• Quality assurance review of internal controls; reviews compliance results; reviews the overall approach to regulatory changes; peer review / periodic self-assessment of the effectiveness of internal audit

Executive Management: reviews and updates the risk appetite and strategy, processes, risk model and reporting framework

The Board of Directors: reviews and approves the risk appetite, processes, risk model and reporting framework

Risk taking structure: key objectives and responsibilities

Board of Directors
• Overall accountability for the enterprise risk profile
• Delegates responsibility for risk management to Senior Management / the Executive Management Committee
• Approves the overall risk appetite and the philosophy on risk taking

Executive Management Committee
• Ultimately responsible for accepting the risks taken by the businesses within the context of the defined risk appetite and philosophy on risk taking
• Responsible for ensuring the proper management of those risks taken by the businesses

Business / Functional Head
• Responsible for the management and control of risks assumed by the business unit or functional area in accordance with the approved risk appetite and limits

Business Leadership Groups
• Forum for discussing and deciding on an appropriate risk taking strategy in accordance with the constraints established by the risk oversight structure
• Responsible for evidencing the in-control status of the risks assumed by the businesses

Individual Risk Takers
• Risk taking as governed by the approved risk appetite and limits


Risk oversight structure: key objectives and responsibilities

Board of Directors
• Overall accountability for the enterprise risk profile
• Delegates responsibility and authority for risk management to Senior Management / the Executive Management Committee
• Approves the overall risk appetite and the philosophy on risk taking

Executive Management Committee
• Ultimately responsible for accepting the risks taken by the businesses within the context of the approved risk appetite and risk philosophy
• Responsible for ensuring the effective management and control of risk by the business

Enterprise Risk Management Committee
• Establishes risk management policy and recommends it to the Executive Management Committee prior to submission to the Board for approval
• Provides oversight of risk identification, assessment, mitigation and exposure status monitoring, supporting analysis, and risk issue escalation and resolution
• Serves as a risk clearing house and forum for the evaluation of enterprise risk issues; monitors the exposure status of the enterprise risk profile and reports to Senior Management and the Board

Individual Business CRO or Risk Leads
• Responsible for ensuring that individual business unit or functional risk governance structures are effective in accordance with Board, Senior Management and Enterprise Risk Management Committee mandates
• Owns the development and implementation of risk policy, processes and practices for individual business units or functional areas
• Monitors the exposure status of the risk profile of the business and reports to the Enterprise Risk Management Committee

Matrixed Risk Management Staff / Corporate ERM
• Performs information aggregation, reporting and analysis to support the risk governance structure

Risk assurance structure: key objectives and responsibilities

Board of Directors
• Overall accountability for the enterprise risk profile
• Delegates responsibility for risk management to senior management, i.e. to the Senior Executive Management Committee
• Approves the overall risk appetite, the authority for risk taking and the philosophy on risk taking
• Reviews and challenges assertions by management on the exposure of the risk profile

Audit and/or Risk Committee of the Board
• Reviews and approves governing policies and limits with respect to risk management and risk taking
• Reviews and challenges assertions regarding the risk profile and its exposure status that are provided by management, the risk management function and internal audit
• Engagement and oversight of independent auditors; oversight of financial reporting activities; oversight of the Internal Audit function

Internal Audit and Compliance
• Periodic validation of controls and of compliance with laws, regulations and governing internal policies (Internal Audit)
• Periodic validation of risk management processes (Internal Audit or external expert reviews)
• Periodic assurance to senior executive management and the Board on assertions regarding risk exposure (Internal Audit)
• Identification and communication of regulatory compliance policies and expectations (Compliance)


Governance and culture

How effective is an organization's governance, and how ethical and risk-intelligent is its operating culture?

(Figure: dimensions of the risk and control culture assessment: Governance and Culture; Organization Model; People; Training; Communication and Awareness; Performance Management; Reporting and Monitoring)

Board level governance considerations

It is critical to consider the most effective design of Board level oversight of risk, including the establishment of Board committees. Four options, each with its consideration and what you have to believe for it to work:

Audit Committee: assign risk management review to the Audit Committee
• Consideration: all risk management oversight is included among the other duties legally required of the Audit Committee
• What you have to believe: centralization of risk management review and challenge in a Risk Committee (or Audit and Risk Committee) can promote effective risk oversight, which can be achieved despite other significant committee responsibilities, e.g. financial reporting; the Audit Committee's existing responsibilities can provide a solid foundation for comprehensive risk coverage

Entire Board: make risk management review the purview of the entire Board rather than a separate committee
• Consideration: regular briefings at full Board meetings on the exposure status of the risk profile, with periodic updates on specific significant risk-related issues, i.e. deeper dives; enterprise risk is an accountability for all Board members, requiring them to be explicitly and directly focused on it rather than leaving it to a Board sub-committee
• What you have to believe: regular reports to the entire Board will be sufficient to provide overall ERM oversight; the full Board has the capacity to comprehend and adequately deal with enterprise-wide risk issues

Multiple Committees: segment risk oversight by risk category across distinct Board sub-committees, with an aggregated and integrated view at the full Board level
• Consideration: multiple Board committees will review different aspects of the overall risk profile
• What you have to believe: separately focused committees are required to achieve adequate coverage of distinct types of risk, e.g. a Credit Committee for credit risk; the Audit Committee may already be overloaded with other responsibilities, and potential overlap with the Audit Committee will be minimal; effective Board oversight of the risk profile and its exposure status can be achieved despite a siloed Board structure

Risk Committee: establish a Risk Committee of the Board
• Consideration: a single Board committee dedicated to comprehensive risk oversight
• What you have to believe: a Board Risk Committee will have sufficient capacity and technical depth to effectively oversee all categories and types of risk; it is important to ensure an integrated view of all risk categories and the overall risk profile at the Board committee level; a dedicated risk committee will evidence an explicit and strong commitment to risk management to external and internal stakeholders and interested parties; risk-related responsibilities currently resident in other Board committees could be merged into the Risk Committee of the Board


The business case for effective risk governance

Risk governance should enable:
• Optimized use of capital and resources through their allocation to the business areas that will achieve superior risk/reward results
• Improved understanding of the interactions and interrelationships between risks
• Improved risk-adjusted returns
• Clear accountability for, or ownership of, risk and its management and control
• Costly assurance activities to be rationalized and justified within the context of governing risk management principles
• Reduced likelihood of unpleasant earnings surprises
• Anticipation of risk, thus minimizing the cost and effort of dealing with it
• Demonstration and evidencing of the in-control status of significant risks
• Strengthened perceptions of governance and risk management among investors, supervisors, rating agencies and others

Risk governance is intended to help improve the odds in taking risk: reducing surprises and optimizing risk and return, thus improving shareholder value.