Maximizing Value Through Enterprise Risk Management

James Lam, President
Phone: 781.772.1961
Email: jameslam@comcast.net
Website: www.jameslam.com

ERM Course, May 3, 2005


Our president, James Lam, has spent 20 years in risk management

Professional
• President, James Lam & Associates
• Founder and President, ERisk
• Partner, Oliver, Wyman & Company
• CRO, Fidelity Investments
• CRO, Capital Markets Services Inc., a GE Capital company

Industry Activities
• PRMIA Blue Ribbon Panel Member
• GARP Inaugural Financial Risk Manager of the Year (1997)
• Published over 50 articles and book chapters
• Quoted in Wall Street Journal, Financial Times, Risk Magazine, and CFO Magazine

Academic
• Senior Research Fellow, Beijing University
• Adjunct Professor, Babson College
• Lectured at Harvard Business School as the subject of a HBS case study
• MBA, UCLA School of Business
• BBA, Baruch College

Client Solutions
• Consulting – ERM, strategic risk, financial risk, and operational risk
• Software – Operational risk (with OpenPages) and ERM Dashboard (CXO Systems)
• Training – board and management workshops


We are singularly focused on risk management

Areas of Expertise
• Enterprise risk management
• Market risk management
• Credit risk management
• Operational risk management
• KRIs and risk reporting

Client Solutions
• Consulting services
• Software products: CXO Systems, OpenPages
• Training programs


As discussed in James’ recent book, we define ERM as a value added function

Definition of ERM:

“An integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer in order to maximize firm value.”


Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future


ERM is useful because the risks faced by companies are highly interdependent

Enterprise-Wide Risks
• Business Risk
• Operational Risk
• Financial Risk
Examples shown: IT and business process outsourcing; derivatives documentation and counterparty risk; FX risk in a new foreign market

Financial Risks
• Market Risk
• Liquidity Risk
• Credit Risk
Examples shown: Credit Risk Associated with Investments; Credit Risk Associated with Borrowers and Counterparties; Funding Liquidity; Asset Liquidity


Traditionally, risks were managed within organizational “silos”

Strategic Risk

Business Risk

Financial Risk

Operational Risk

Who

How

• Board of Directors

• CEO

• CFO

• Treasurer

• Business Managers

• Project Managers

• Internal Audit

• Compliance

• IT

• Strategic planning

• EVA

• Balanced scorecard

• Country and credit limits

• Trading and ALM Limits

• Financial derivatives

• Controls

• Audits

• Contingency planning

• Insurance

• Product plans

• Business reviews

• Project management


ERM is widely recognized as the best practice approach

Financial Institutions
• Barclays
• GE Capital
• JP Morgan Chase
• Fidelity Investments

Non-Financial Corporations
• Microsoft
• Boeing
• Duke Energy
• Ford

Enterprise Risk Management: Chief Executive Officer/Chief Risk Officer
• Strategic Risk: Board, CEO
• Business Risk: Line managers, Project Managers
• Financial Risk: CFO, Treasurer
• Operational Risk: Internal Audit, Compliance, IT

Benefits
• Broadens risk awareness
• Aligns risk profile and strategy
• Minimizes surprises and losses
• Rationalizes capital requirements
• Assures regulatory compliance
• Improves ROE and shareholder value


The growing acceptance of ERM is driven by four key forces

Corporate Disasters
• Enron
• WorldCom
• Adelphia
• Mutual Funds

Industry Initiatives
• Treadway Report, US
• Turnbull Report, UK
• Dey Report, Canada

Best Practices
• Banks
• Asset Managers
• Energy Firms
• Corporations

Regulatory Actions
• S.E.C.
• Sarbanes-Oxley
• Basel II


A proactive approach to ERM is based on best practices, not regulations

[Diagram: Reactive Approach versus Proactive Approach. Labels in both panels: Sarbanes-Oxley, Basel II, New industry standards, Governance Requirements. Other labels: CEO; Current state; Desired state (best practices or best-in-class practices); Benchmarking, Gap analysis, Recommendations; Common themes, Unique standards.]


Early adopters of ERM have reported significant and tangible benefits

| Benefit | Company | Actual Results |
|---|---|---|
| Market value improvement | Top money center bank | Outperformed S&P 500 banks by 58% |
| Early warning of risks | Large investment bank | Global risk limits cut by 1/3 prior to Russian crisis |
| Loss reduction | Top asset management company | Loss-to-revenue ratio declined by 30% |
| Regulatory capital relief | Large commercial bank | $1 billion regulatory capital relief |
| Insurance cost reduction | Large manufacturing company | 20-25% reduction in insurance premium |


Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and business application

Source: PA Consulting Survey of Global Banks


Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future


The role of a chief risk officer
• Establish an ERM framework – policies, processes, and systems
• Manage risk interdependencies and aggregations
• Provide risk transparency to key stakeholders
• Ensure company practices meet or exceed regulatory requirements
• Balance business and risk requirements, and avoid “irrational exuberance”
• Optimize risk/return by integrating ERM into strategic planning and day-to-day business processes
• Attract, retain, and develop talented risk professionals


An ERM framework should encompass seven key building blocks

1. Corporate Governance: Establish top-down risk management
2. Line Management: Business strategy alignment
3. Portfolio Management: Think and act like a “fund manager”
4. Risk Transfer: Transfer out concentrated or inefficient risks
5. Risk Analytics: Develop advanced analytical tools
6. Data and Technology Resources: Integrate data and system capabilities
7. Stakeholders Management: Improve risk transparency for key stakeholders


The enterprise risk management process

ERM Foundations
• Senior management and board participation (“tone from the top”)
• Governance structure
• Resource allocation
• Culture, principles, and values
• ERM framework and policies
• Linkage to strategy, performance measurement and incentives
• Organizational learning

Risk Identification and Assessment
• Top-down assessments
  – Barriers to strategic and financial goals
  – Executive team CSAs
• Bottom-up assessments
  – Barriers to business, customer, and product goals
  – Business unit CSAs
  – Functional unit CSAs
• Independent assessments
  – Internal audit
  – External audit
  – Regulators
  – Customers
  – Other stakeholders

Risk Measurement and Reporting
• ERM dashboard
  – Earnings volatility
  – Key risk metrics
  – Policy compliance
  – Real-time event escalation
  – Drill-down capabilities
• Scenario analysis
  – Historical
  – Managerial
  – Simulation-based
• Disclosure
  – Board reporting
  – External reporting

Risk Mitigation and Management
• Policy enforcement
• Value-based growth and restructuring strategies
• Risk transfer strategies
• Contingency planning and testing
• Event and crisis management


Characteristics and sources of effective key risk indicators

Sources of Key Risk Indicators
• Strategies/Objectives: business plans, management goals, performance metrics
• Regulations & Policies: legal requirements, regulatory standards, policy limits
• Losses & Incidents: actual losses, incidents, industry data
• Stakeholder Requirements: customers, vendors, other

Characteristics
1. Reflect objective measurement
2. Incorporate risk drivers: exposure, probability, severity, correlation
3. Be quantifiable – $, %, #
4. Track in time series against standards or limits
5. Tie to objectives, risk owners, and risk categories
6. Balance of leading and lagging indicators
7. Be useful – support business decisions and actions
8. Can be benchmarked internally or externally
9. Timely and cost effective
10. Simplify risk without being simplistic


An ERM dashboard provides an integrated view of all risks, with drill-down capabilities

[Diagram: ERM Dashboard built on risk “pillars” (Credit Risk, Market Risk, Business Risk, Operational Risk), with Data Mining over Internal and External Data]

Basic ERM applications:
• Executive reporting
• Key risk indicators
• Loss/incident tracking
• Control self assessments
• Early warning indicators
• Risk mitigation projects tracking
• ERM content management

Advanced ERM applications:
• Risk transfer
• Economic capital
• Scenario analysis
• Shareholder value management


An ERM dashboard should address five key questions for senior management

1. Are any of our strategic, business, and financial objectives at risk?

2. Are we in compliance with policies, limits, laws, and regulations?

3. What risk incidents have been escalated by our risk functions and business units?

4. What key risk indicators and trends require immediate attention?

5. What are the risk assessments that we should review?


Case study:

Background
• $1 trillion of assets under management
• Private company
• Decentralized business culture

3-Year ERM Program
• Organized Global Risk Forum
• Implemented annual Global Risk Review
• Automated loss accounting
• Developed ERM framework
• Implemented intranet-based Global Risk MIS
• Experienced significant reduction in loss ratio


Basic risk management processes can lead to significant improvements

Risk Metrics

Risk Event Log
• Event
• Loss
• Root Causes
• Controls Needed

Education
• New associates
• Management
• Business/Operational processes
• Best practices
• Lessons learned

[Chart: Actual Loss Experience, 1995 to 1998, on a 0% to 100% scale; annotation: 85% Decline. Other slide labels: Goal, MAP]


ERM provides linkage between risk management and key value drivers

[Diagram: Shareholder Value driven by Growth (New Business, M&A) and ROE (Revenue, Expenses, Losses, Equity)]

Risk Management Impact
1. Risk-based pricing
2. Target customer selection
3. Relationship management
4. Risk oversight costs
5. Insurance/hedging expense
6. Credit, market operational write-offs
7. Capital management
8. Risk transparency
9. New business development
10. M&A/Diversification strategy

Scope of each approach
• Risk Management by Silos (5, 6)
• Integrated risk management (4–7)
• Enterprise risk management (1-10)


Economic capital represents a common currency for risk

• Credit Risk: Earnings volatility due to variation in credit losses
• Market Risk: Earnings volatility due to market price movements
• Operational Risk: Earnings volatility due to changes in operating economics (e.g. volume, margins or costs) or one-off events

[Chart: Probability versus Change in Value for Credit Risk, Market Risk, and Operational Risk, combined into Enterprise-wide Risk]


Economic capital underpins risk-based profitability measurement and pricing

| | Calculate ROE | Calculate Pricing |
|---|---|---|
| Exposure | $100 mm | $100 mm |
| Margin | 2.50% | 2.20% |
| Revenue | $2.5 mm | $2.2 mm |
| Risk Losses | <0.5 mm> | <0.5 mm> |
| Expense | <1.0 mm> | <1.0 mm> |
| Pre-Tax Net Income | $1.0 mm | $0.7 mm |
| Tax | <0.4 mm> | <0.3 mm> |
| Net Income | $0.6 mm | $0.4 mm |
| Economic Capital | $2.0 mm | $2.0 mm |
| RAROC | 30% | 20% |


Companies without risk-based pricing suffer adverse selection

[Chart: Price versus Risk Rating (AAA to BBB), comparing Risk-Adjusted Price with Non-Risk-Adjusted Price]

Chart annotations:
• Will lose competitors who use risk-adjusted price
• Will win business from competitors but earn below hurdle rate return


Business/risk reviews of major investments and projects

• Key Business Assumptions: Volume, Margin, Losses
• Monitoring Systems: What? By Whom?
• Trigger Points: +, Expected, -
• Management Decision or Action: Accelerate, Maintain, Exit


ERM requires balancing the hard and soft side of risk management

Hard Side

Measures and reporting

Risk oversight committees

Policies & procedures

Risk assessments

Risk limits

Audit processes

Systems

Soft Side

Risk awareness

People

Skills

Integrity

Incentives

Culture & values

Trust & communication


Case study:

Background
• New capital markets business
• Traders hired from foreign bank
• Aggressive business and growth targets

2-Year ERM Program
• Established risk policies and systems
• Instilled risk culture
• Survived “Kidder” disaster
• Captured 25% market share with zero policy violations
• Recognized as best practice


Hallmarks of success in ERM
• Engaged senior management and board of directors
• Established policies, systems, and processes, supported by a strong risk culture
• Clearly defined risk appetite with respect to risk limits and business boundaries
• Robust risk analytics for intra- and inter-risk measurement, summarized in an “ERM dashboard”
• Risk-return management via integration of ERM into strategic planning, business processes, performance measurement, and incentive compensation


Discussion outline
• Key trends and requirements
• Best practices and practical applications
• ERM in the future


Ten predictions on the future of enterprise risk management

1. ERM will become the industry standard
2. CROs prevalent in risk-intensive companies
3. Audit committees will evolve into risk committees
4. Economic capital in; VaR out
5. Risk transfer executed at enterprise level
6. Advanced technologies key to advancement
7. A measurement standard will emerge for operational risk
8. Risk-based or economic reporting becomes standard
9. Risk becomes part of corporate and college programs
10. Salary gap among risk professionals continues to widen