Agenda
- Current environment
- What does the term convergence mean?
- Business drivers and convergence objectives
- Practical case studies
Internal factors
Business and strategy
- Lack of understanding of risk / return dynamics
- Unchallenged and weak assumptions
- Flawed incentive structures
- Duplicative infrastructures efficiency quests

Siloed risk management and reporting
- Backward-looking; data-driven models
- Reporting not fit for purpose
- Correlations and dependencies not fully understood
Financial Crisis
Regulatory frameworks
External factors
Market discipline
- Lack of transparency
- Over reliance on rating agencies
- Inadequate infrastructure
- Complex products

- Lack of systemic oversight
- Unregulated markets
- Weak capital and liquidity standards
Greater
alignment/ Integration
Re-assess
indicators
Proactive
Common
data sources
Transparency:
Linking
Risk
Specialty
The current financial crisis calls for fundamental changes in the way banks identify, assess, manage and communicate financial performance and risk. With a risk-and-return oriented view, banks will be able to select customers more effectively, make better product and pricing decisions, operate more efficiently and report to stakeholders with greater confidence.
Footnote (1) Ernst & Young (2005). Investors on Risk: The need for transparency
- Risk management spend has increased significantly in the last decade due to expansion of regulatory compliance requirements
- The number of risk functions has increased to keep up with these compliance requirements
- 73% of companies have seven or more separate risk functions
- The coverage and focus of risk functions has become increasingly difficult to manage
- 67% of companies reported they have overlapping risk coverage with two or more risk functions
- 50% of companies reported gaps in their coverage between risk functions
- 96% of companies agree there are opportunities to improve their risk management efforts
- Companies believe efficiencies can be gained in their risk management activities
- Companies want improved risk coverage while balancing cost and value
[Chart: % of respondents who can track and report an enterprise wide view of risk. Categories: Limited tracking; Tracking, not consolidated; In the early stages; Midway; Nearly complete. Values shown: 77%, 24%, 9%, 14%, 9%]
Every few years I think the reports should be thrown out and started again. One day, I'd like to stop sending a risk report out and see if anyone notices: save some trees.
Source: Ernst & Young Survey: Navigating the Crisis: A Survey of the World's Largest Banks (December 2008)
The industry sometimes uses the terms enterprise risk management (ERM) and risk convergence interchangeably. Ernst & Young believes the two terms are distinct.
ERM exists to help the board set the objectives for risk management and enable decisions to be made strategically and operationally across the enterprise within defined parameters of risk tolerance.
Risk convergence considers the functions and framework built for ERM and seeks to address inefficiencies and opportunities to maximize the cost benefit to risk management of performing certain processes. In other words, risk convergence seeks to refine the target operating model and find practical ways to coordinate, align and ultimately implement process improvement.
The aim is to help the risk organization reach the next level: one that can manage and control costs, mitigate risk and support strategic decision-making.
Management / Boards
Perform Oversight
Risk Mgmt Second line of defense Design and Second line of defense Facilitate Monitor and Report
Risk Management
Internal Audit
Legal/ Compliance
Finance/ Sox
Information Technology
Other
Business Unit
Business Unit
Business Unit
Business Unit
Key Issues
- Risk management process fatigue
- Poorly defined roles and responsibilities
- Concern over effectiveness of risk and control
- Conflicting and inconsistent risk reporting
Risk Management
Internal Audit
Legal/ Compliance
Finance/ Sox
Information Technology
Other
Key Advantages
- Well defined roles and responsibilities
- Distributed risk management responsibility
- Coordination and leverage across functions
- Efficiency and effectiveness in dealing with BU
- Clear and comprehensive risk reporting
- Common data structure
- Common technology architecture
- Common risk and control processes
Business Unit
Business Unit
Business Unit
Business Unit
Cross-Disciplined Group
- Risk Management
- Internal Audit
- IT Risk
- Finance (e.g. SoX)
- Compliance
Lines of Business
Business Control / Support
Future State
Risk Committee Other Committees
Audit Committee
Internal Audit
Legal Compliance
Finance
Information Technology
Other
Operational Risk
Internal Audit
Legal/ Compliance
Finance
Information Technology
Other
Common Data Structure Common Technology Architecture Common Risk & Control Processes
Business Unit
Business Unit
Business Unit
Business Unit
Governance Model
Business Unit
Business Unit
Business Unit
Business Unit
Issue Tracking
Integrated Training
Leading practice
Converged Level 5
Policy set at corporate level and approved by Board; Assessment and decision making around risk appetite ingrained in business as usual activities; Coordinated risk management and compliance efforts; Single view of the organization; Clearly identified risk and control owners, including hand-offs; Scope is comprehensive and not overlapping
Multiple, inconsistent views on the organizational structure; No clearly defined roles and responsibilities; Scope set by each function varies
Organizational charts inventoried and in the process of being rationalized; Roles and responsibilities for BU corporate personnel in the process of being defined and documented
Corporate and BU organizational charts aligned; Roles and responsibilities of and BUs defined and documented
Risk and control processes and rating methodologies inventoried; Risk and control reporting metrics rationalized and business requirements developed
Risk and control processes and rating methodology rationalized and aligned; Risk and reporting metrics aligned across risk functions
Multiple risk and control assessment processes, each with own measurement of risk; Limited analysis of output, periodic reporting of mostly flat risk and control data
Common measurement of risk and control at both BU and entity level; Effective periodic reporting of aggregated risks (inherent and residual), trends, supporting data (losses, KRIs) to drive risk appetite decisions
IT infrastructure integrated; Common reporting tools implemented for of report standardization
Data warehouse concept with shared risk and control attributes and information; Robust and flexible MI system to support assessment process and drive reports.
Technology
Fragmented IT infrastructure with limited interfacing and significant manual vetting and reconciliation of data; Various reporting engines delivering disparate risk and control assessment output
Infrastructure in the process of being integrated; Reporting tools in the process of being integrated
Data Model
Each function has own data structure; High level of autonomy to define risks and controls within the business units or segments; no efficient translation method
Alignment of data structure and source systems in process; Common risk taxonomy initiative underway
Integrate data structure and source systems; Consolidation of risk and control language; risk library owned at corporate level.
Data structure allows for BU customization but supports organizational roll-up. Risks and controls owned by BU. Map existing BU risks to list of high-level risks defined by corporate
Multiple functions perform assurance and validation activities; Various structures and methodologies around process and controls documentation and testing
Common methodology and structure for assurance and validation activities identified
Validation policy finalized and procedures deployed; Methodology and structure implemented
Assurance and validation activities performed on a coordinated/leveraged basis, perhaps by one single function/utility; One structure and methodology for assurance and validation activities
Risk Management Ownership BCP RISK TYPE Market Credit People Transaction IT Reputational Legal/ Regulatory Financial Reporting Vendor Strategic PRIMARY RESP SECONDARY RESP
Compliance Operational Risk
Finance
Market
IT
Credit Risk
HR
KEY
Multiple assessments for a risk family may present opportunities for enhanced coordination
[Chart: numbered initiatives plotted by benefit to risk management; labelled points include "Develop common risk taxonomy" and "Rationalize risk reporting"]
Savings
Risk Identification & Assessment
$000
Risk FTEs
$000
Qualitative
- Targets risk activity at the riskiest parts of the business
- Focuses risk assessment on areas where the business has direct control
- Consequential improvement in the control environment
- Focuses risk activity on output
- Provides greater information transparency
- Pushes responsibility back on the business for risk and controls
- Streamlined process is less bureaucratic
- Consistent and complete information allows better analysis and leverage
- More integrated action plans
- Consistent and complete information allows better analysis and leverage
- Reduced planning activity
- More flexible deployment of resources
- Lower overall testing activity driven by focus and consistency
- More efficient use of resources within first line without increasing net risk position
1,200
4.8
4.8
630
1.7
3.1
1,700
5.9
560
2,700
9.8
24
600
1.8
Issue Tracking
960
10.3
270
2.6
Management Assurance
1,300
9.3
3.5
300
(0.7)
3.5
2,030
41.1
1,290
29.4
Total
9,890
30.1
90.7
3,650
7.8
46.6
- Step change in capability
- Increased certainty over the final result
- Reduce unnecessary costs
Risk Management
3.1
Potential Savings & Benefits
The potential savings for risk identification and assessment are 1,248 man days p.a. / 4.8 FTEs / $630,000 p.a. In addition, the following benefits can be realized:
- Better value for money and stronger assurance for senior management by focusing on the risks that matter
- Reduced need for risk coordinator time
- Clarity on assessments should improve the quality of the information
- Greater consistency of the risk coordinator role as well as the role being based on a better understanding of the skills required to do the job (e.g., people doing the job are equipped to do it)
- Improving risk identification and assessment should have a consequential reduction in incidents
Scenario Analysis
e.g. Compliance Review
Detailed Targeted Risk/Control Assessment e.g. SOX e.g. Ext. Vendor SAS 70
Scope
Detail
Targeted Assessments
[Table: losses and issues by Business Division and Type (External, Internal, Issues) across risk categories, each reported in $MMs and #, with a Risk Total column and a Total row. Business divisions: Corporate/Firmwide; Investment Banking; Investment Management; Merchant Banking; Securities Division - Macro; Securities Division - Micro; Securities Division Principal Investing; Securities Division Special Situations / Other]
External Loss, $20.3 MM 10/3/03 1/26/06 Vendor Event 1/3/06 Vendor Event 6/8/06
2003
2004
2005
2006
2007
Three issues remain open Internal Audit Issue Opened 6/1/2006. It remains Internal Audit Issue Opened on 12/13/06. Remains
External Losses
Internal Losses
- A Convergence Vision requires collaboration and co-ordination
- Compromise is critical
- Shift from siloed view of risk management
- Impossible to measure success if there is no standard to which you are measuring
- Well defined goals and objectives
- Measures of success cost in or out of scope
- Clear well articulated business case grounded in fact
- Build momentum through quick wins establishing the basic building blocks
- Must be demonstrable
The number of stakeholders involved in this type of project requires robust project governance and management methodologies to be adopted. Communication to all stakeholders critical to retain key executive sponsorship and momentum
- Identification and validation of the gaps in risk coverage and scope across risk function/processes and activities
- Evaluation of the appropriate levels of alignment of risk management practices to organizational, strategic and operational objectives
- Alignment and coordination of risk management capabilities across the enterprise
- Development of risk-based performance metrics that support governance, risk management and compliance objectives
- Establishment of business-level performance measures/drivers
Contacts
Dan McKinney, Partner, Operational Risk Management, (212) 773 4072
Thomas Campanile, Partner, Enterprise Risk Management, (212) 773 8461