Howtobuildanermframework 150604132137 Lva1 App6891

1
HOW TO BUILD AN ENTERPRISE

RISK MANAGEMENT FRAMEWORK
ERM strategies from the Risk Management
Associations ERM Council
Enterprise Risk Credit Risk Market Risk Operational Risk Regulatory Compliance Securities Lending
JOIN. ENGAGE. LEAD.
THE RMA ERM COUNCIL DEFINES ERM
ERM is the management

capability to manage all
business risks in pursuit of
acceptable returns.
JOIN. ENGAGE. LEAD.
STRATEGIC STEPS
Risk appetite
Business strategy and

risk coverage
Governance and policies
Risk data and

infrastructure
Measurement and
evaluation
Control environment.
Response
Stress testing
JOIN. ENGAGE. LEAD.
ERM CULTURE
At the center of the ERM
framework is culture.
If an institution lacks the right
culture and strong leadership at
the top, none of the other elements
will matter.
Organizations that comprehend
and adopt ERM as a way of
thinking typically outperform those
that do not.
JOIN. ENGAGE. LEAD.
ERM CAN ANSWER 3 BASIC BUSINESS

QUESTIONS
Should we
do it?
Aligned with business strategy, risk

appetite, culture, values, and ethics?
Can we
do it?
People, processes, structure, and

technology capabilities?
Did we
do it?
Assessment of expected results,

continuous learning, and a robust
system of checks and balances?
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK

What is ERM? It is the capability to effectively answer these questions.
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK (CONT.)

The
framework
applies
regardless of
the size of the
institution or
how it
categorizes
risks.
The individual
components
are a dynamic
flow in both
directions.
Culture is at
the heart
without the
right culture,
the other
components
are somewhat
irrelevant.
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK HELPS ANSWER

BUSINESS QUESTIONS
Coverage
What are all the risks to our business

strategy and operations?
Risk appetite
How much risk are we willing to take
Culture, governance,
and policies
Risk data and

infrastructure
How do we govern risk taking ?
How do we capture the information we

need to manage these risks?
JOIN. ENGAGE. LEAD.
THE ERM FRAMEWORK HELPS ANSWER

BUSINESS QUESTIONS (CONT.)
Control environment
Measurement and
evaluation
Response
Stress testing
How do we control the risks?
How do we know the size of the various

risks?
What are we doing about these risks?
What possible scenarios could hurt us?

How are various risks interrelated?
JOIN. ENGAGE. LEAD.
10
DETERMINE GOALS AND OBJECTIVES
Before an institution can

articulate its risk appetite,
it must first determine its
goals and objectives, i.e.,
its business strategy.
JOIN. ENGAGE. LEAD.
11
DETERMINE GOALS AND OBJECTIVES (CONT.)
The institution must define

what it wants to achieve in
terms of markets,
geographies, segments,
products, earnings, etc.
JOIN. ENGAGE. LEAD.
12
DETERMINE GOALS AND OBJECTIVES (CONT.)
From there, the institution

assesses the risk implied in
that strategy and
determines the level of risk
it is willing to assume in
executing that strategy.
JOIN. ENGAGE. LEAD.
13
ERM COMPETENCIES
Risk exposures
Control
environment
Risk appetite
Culture,
governance,
and policies
Measurement
and evaluation
Scenario
planning and
stress testing
JOIN. ENGAGE. LEAD.
14
ERM COMPETENCIES:
RISK EXPOSURES
Regardless of a specific business strategy, an institution
is exposed to the following risks:
Credit
Market
Liquidity
Strategic/
Business/
Reputation
Operational
Compliance/
Legal/
Regulatory
Financial
Capital
Adequacy
JOIN. ENGAGE. LEAD.
15
ERM COMPETENCIES:
RISK APPETITE
RMA has defined risk appetite as

the amount of risk (volatility of
expected results) an
organization is willing to accept
in pursuit of a desired financial
performance (returns).
JOIN. ENGAGE. LEAD.
16
ERM COMPETENCIES:
RISK APPETITE (CONT.)
The concepts of risk appetite and risk tolerance are
often used interchangeably, but they have distinct
differences in meaning.
Risk appetite represents

the acceptance of volatility
an institution is willing to
assume in executing its
business strategy.
Risk tolerance refers to

day-to-day operational
limits developed within the
context of an
organizations stated risk
appetite (for example,
concentration limits).
JOIN. ENGAGE. LEAD.
17
ERM COMPETENCIES:
RISK APPETITE (CONT.)
Management and the board of directors

must understand the critical links among
strategy, business plans, and risk.
A risk appetite statement is one tool that facilitates
this linkage.
In this context, the risk management function is an
integral part of the institutions overall strategies and
specific business objectivesan essential part of the
institutions success, returns, and value creation.
JOIN. ENGAGE. LEAD.
18
ERM COMPETENCIES:
CULTURE, GOVERNANCE,
AND POLICIES
Culture can be described as
what people do when they are not
being watched.
Culture is
the most
important
aspect of
any good
ERM
competency.
JOIN. ENGAGE. LEAD.
19
ERM COMPETENCIES:
CULTURE, GOVERNANCE,
AND POLICIES (CONT.)
Policies express the risk
appetite of the company to the
masses.
Policies describe to all

stakeholders what the company
is willing to do and not to do.
Culture,
Governance, and
Policies
The statement of risk appetite is
executed through policies (what
to do?) and procedures (how to
do them?).
Culture, governance, and

policies collectively help an
institution manage its risk-taking
activities.
JOIN. ENGAGE. LEAD.
20
ERM COMPETENCIES:
CONTROL ENVIRONMENT (CONT.)
The internal control environment is

one the most important tools in the
management toolbox for
management of risks.
Internal controls help reduce the

level of inherent risk to a level
acceptable to management.
JOIN. ENGAGE. LEAD.
21
ERM COMPETENCIES:
The system of internal controls includes:
Culture
Governance
Preventive and
detective
controls
Policies
Scenario
planning
JOIN. ENGAGE. LEAD.
22
ERM COMPETENCIES:
Management relies on
internal controls to
manage residual risk to
an acceptable level.
Residual risk is defined

as the level of inherent
risks reduced by
internal controls.
Building an effective
internal control
environment allows
management to control
what can be controlled.
JOIN. ENGAGE. LEAD.
23
ERM COMPETENCIES:
MEASUREMENT AND
EVALUATION
The science and art of measurement
in ERM is about concluding which
risks are significant and which ones
are not, and where to invest time,
energy, and effort.
At any given
time, boards
of directors
and
management
must
manage a
portfolio of
risks
JOIN. ENGAGE. LEAD.
24
ERM COMPETENCIES:
MEASUREMENT AND EVALUATION (CONT.)
In order to accomplish the goal of
measurement and evaluation, an
institution may adopt:
A simple model of color rating
(green, yellow, and red).
A middle-of-the-road failure
mode and effect analysis
(FMEA) model.
Or a highly sophisticated risk
adjusted return on capital
(RAROC)
JOIN. ENGAGE. LEAD.
25
ERM COMPETENCIES:
MEASUREMENT AND EVALUATION (CONT.)
Measurement
and evaluation
help boards
and
management
answer the
question, so
what?
The process of measurement and

evaluation must :
Include the
system of
internal
controls and
Determine how
well the risks
can be
managed.
JOIN. ENGAGE. LEAD.
26
ERM COMPETENCIES:
SCENARIO PLANNING AND
STRESS TESTING
The art of ERM is the ability to answer
the question, what can go wrong and,
hence, create deviation from expected
outcomes?
Management
must
address
known,
knowable,
and
unknowable
risks.
JOIN. ENGAGE. LEAD.
27
ERM COMPETENCIES: SCENARIO PLANNING

AND STRESS TESTING (CONT.)
Scenario planning and

stress testing are tools
that focus on the
knowable and, perhaps,
some unknowable risks.
A robust scenario
planning and stress
testing discipline is a
must from a capital
planning perspective.
JOIN. ENGAGE. LEAD.
28
ENTERPRISE RISK MANAGEMENT

WORKBOOKS
To help you develop your ERM framework, RMA offers a
series of highly practical workbooks:
1. Risk Appetite Workbook, November 2010.
2. Scenario Analysis and Stress Testing for Community
Banks, February 2012.
3. Governance and Policies Workbook (includes
Response), November 2013.
4. Risk Measurement and Evaluation (in development).
5. Risk Data and Infrastructure (to be developed).
RMA members may download the workbooks for $0 (free!).
Not a member? Join today.
JOIN. ENGAGE. LEAD.
29
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management
Visit our blog at http://rmablog.rmahq.org/

RMA is a member-driven professional association whose sole purpose is to
advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional
performance and financial stability, and enhance the risk competency of
individuals through information, education, peer sharing, and networking.
Become a member today.
JOIN. ENGAGE. LEAD.

Howtobuildanermframework 150604132137 Lva1 App6891

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Howtobuildanermframework 150604132137 Lva1 App6891

Uploaded by

Copyright:

Available Formats

1

HOW TO BUILD AN ENTERPRISE

JOIN. ENGAGE. LEAD.

THE RMA ERM COUNCIL DEFINES ERM

ERM is the management

JOIN. ENGAGE. LEAD.

Business strategy and

Governance and policies

Risk data and

JOIN. ENGAGE. LEAD.

JOIN. ENGAGE. LEAD.

ERM CAN ANSWER 3 BASIC BUSINESS

Aligned with business strategy, risk

People, processes, structure, and

Assessment of expected results,

JOIN. ENGAGE. LEAD.

THE ERM FRAMEWORK

JOIN. ENGAGE. LEAD.

THE ERM FRAMEWORK (CONT.)

JOIN. ENGAGE. LEAD.

THE ERM FRAMEWORK HELPS ANSWER

What are all the risks to our business

How much risk are we willing to take

Risk data and

How do we govern risk taking ?

How do we capture the information we

JOIN. ENGAGE. LEAD.

THE ERM FRAMEWORK HELPS ANSWER

How do we control the risks?

How do we know the size of the various

What are we doing about these risks?

What possible scenarios could hurt us?

JOIN. ENGAGE. LEAD.

DETERMINE GOALS AND OBJECTIVES

Before an institution can

JOIN. ENGAGE. LEAD.

DETERMINE GOALS AND OBJECTIVES (CONT.)

The institution must define

JOIN. ENGAGE. LEAD.

DETERMINE GOALS AND OBJECTIVES (CONT.)

From there, the institution

JOIN. ENGAGE. LEAD.

JOIN. ENGAGE. LEAD.

JOIN. ENGAGE. LEAD.

RMA has defined risk appetite as

JOIN. ENGAGE. LEAD.

Risk appetite represents

Risk tolerance refers to

JOIN. ENGAGE. LEAD.

Management and the board of directors

JOIN. ENGAGE. LEAD.

JOIN. ENGAGE. LEAD.

Policies describe to all

Culture, governance, and

JOIN. ENGAGE. LEAD.

The internal control environment is

Internal controls help reduce the

JOIN. ENGAGE. LEAD.

JOIN. ENGAGE. LEAD.

Residual risk is defined

JOIN. ENGAGE. LEAD.

JOIN. ENGAGE. LEAD.

JOIN. ENGAGE. LEAD.

The process of measurement and