Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Corp Risk Gov Reform


Published on

A walk-thru of the evaluation and implementation of risk governance reform.

  • Be the first to comment

  • Be the first to like this

Corp Risk Gov Reform

  1. 1. Corporate Risk Governance ReformPeter J Schild 1
  2. 2. The Broad Steps to Risk Governance Reform•  Build a case•  Develop a framework•  Perform pilots•  Develop learning strategies•  Implement across the organizationPeter J Schild 2
  3. 3. Change ManagementCorporate systems are self-preserving and resistant to change. Only when the need is widely recognized and a solution exists that appears to work does the desire to change exceed the natural tendency to resist it.Peter J Schild 3
  4. 4. Exploring a Case for Change: Six QuestionsPeter J Schild 4
  5. 5. Does the board truly understand the strategic objectives, the top risks the company faces in executing strategies, and the strength of theprocesses that keep the board and senior management informed?Peter J Schild 5
  6. 6. To evaluate the company’s capacity to achieve objectives, directors need confidence in a system of effective internal controls and the reliability of its maintenance, as well as evidence of widespread attentiveness to risk. They must believe in management’s capacity to stay within the boundaries of established tolerances and to report clearly and concisely when those boundaries are approached.Peter J Schild 6
  7. 7. Are employees connected to the corporate vision?Peter J Schild 7
  8. 8. Without the right culture the risk taken can easily exceed the risk intended, regardless of the processes employed to measure and monitor it. The goal is an environment where personal visions connect and employees come to understand and agree with intended outcomes and their individual and team roles in achieving them.Peter J Schild 8
  9. 9. Are all lines of business that contribute to any given strategicobjective, while likely to be managedseparately, evaluated as a complete set of activities?Peter J Schild 9
  10. 10. Corporations in their entirety are more than collections of individual activities subject to the separate interests of their components. Operating units work together across the enterprise not in relation to their positions within segments, but according to their relative roles in support of defined strategies.Peter J Schild 10
  11. 11. Does available capital match the risk appetite?Peter J Schild 11
  12. 12. Neither capital nor risk can be calculated precisely and confidence in predictable outcomes is necessarily limited; therefore, managing to the measurable alone is insufficient. To provide reasonable assurance that the risk taken is equivalent to the risk intended, enhanced processes of risk evaluation coupled with assessments of human capital must be added to traditional tools of measurement.Peter J Schild 12
  13. 13. Do all lines of business (particularlysupport activities) coordinate so thattheir duties do not overlap and their reports to the board and senior management are compatible?Peter J Schild 13
  14. 14. Reliable financial reporting and strict regulatory compliance are unconditional yet costly requirements. Efficient processes that boost coordination and enable leverage across risk, finance, compliance, audit and lines of business are both reasonable expectations and consistent with the imperative of operational effectiveness.Peter J Schild 14
  15. 15. Does the market perceive corporate governance as a strong point in evaluating the company’s reputation?Peter J Schild 15
  16. 16. Disciplined, reliable and comprehensive systems of risk management and corporate governance foster investor confidence in management’s capacity to take and manage risk.Peter J Schild 16
  17. 17. Deliverables•  Properly executed, effective risk governance satisfies:   Management’s need for line of business control and supervision   The board’s need for perspective to perform oversight, make strategic decisions, and evaluate management   Regulatory expectations for effective, observable risk management practices•  And leads to:   Efficient processes that enable leverage across finance, risk, compliance and audit   Market confidence in management’s capacity to take and manage riskPeter J Schild 17
  18. 18. Aspirations •  Enhanced reputation •  Higher P/E multiple •  Increased shareholder value/ market capitalization If the market’s appraisal of management’s competence is reflected in the amount by which total capitalization exceeds net worth, then enhancing one’s reputation leads to increased shareholder value.Peter J Schild 18
  19. 19. Essential Principles + Employee ConnectionYields Increased Shareholder Value Process: Enterprise- •  Assurance wide risk •  Facilitation Clear oversight management Reliable reporting perspective •  Verification Efficient operations principles Observable Increased Compliance with governance practices shareholder laws Culture: Market & regulatory value •  Awareness Capital confidence Employees preservation who feel Better reputation •  Literacy connected to •  Accountability the company Peter J Schild 19
  20. 20. An Overview of the Central FrameworkPeter J Schild 20
  21. 21. The Central Framework •  The operating framework includes:   Employee Engagement   Core Objectives   Uniform Procedures   Shared Corporate Hierarchy   Management & Board Reporting •  The roles necessary for the framework’s execution and maintenance are:   Assurance of its Effectiveness   Facilitation of its Performance & Upkeep   Verification of its ReliabilityPeter J Schild 21
  22. 22. Employee Engagement: “Once you blow the whistle you can’t inhale.” (Bill Chadwick, former National Hockey League referee)Unless those who initiate transactions care about and understand their impact on the company’s risk appetite, the outcome may depart from that which was intended.How people communicate matters as much as how they measure.Peter J Schild 22
  23. 23. Employee Engagement Employee engagement is founded on four principles:   Leadership accountability   Education and awareness   Recruitment and hiring   Development and retention Accountability plus literacy produces a shared vision.Peter J Schild 23
  24. 24. Core Objectives To implement processes that provide for:   Achievable strategies – reasonable assurance of sustainable results   Reliable financial and non-financial reporting   Effective and efficient operations   Compliance with prevailing laws and regulations   Preservation of economic and human capital resourcesPeter J Schild 24
  25. 25. Uniform Procedures Begin with articulating strategic objectives and cycle through identifying, accepting and monitoring risks, determining residual risk, and, based on the results, reaffirming or adjusting risk appetite and strategy.Peter J Schild 25
  26. 26. Uniform Procedures Articulate strategic objectives Evaluate outcomes/ Identify renew inherent strategy risk acceptance Recursive Escalate Establish and resolve evaluation and control exceptions reaffirmation activities Determine Assess and actual accept residual intended risk Monitor risk controls/ report actual vs. expected Peter J Schild 26
  27. 27. Inherent Risk, Control Activities, Residual Risk•  Inherent risk is a function of generic and unique determinative factors that give rise to uncertainty – change, volume, complexity and what can go wrong with an entity’s specific activities.•  The control environment is the set of activities intended to keep things from going wrong or to raise warnings when they start to.•  Residual risk is determined by combining the relative level of inherent risk with the observed control effectiveness.Peter J Schild 27
  28. 28. Corporate Hierarchy •  How the enterprise is subdivided into levels of assessable parts starting with all segments and ending with the lowest level of separately managed silos (“operating units”). •  To assure efficient communication and consistency of reporting, a common hierarchy should be shared by the entire enterprise (especially Finance, Risk, Compliance and Audit), at least to the point that they can map their individual procedures to the shared hierarchy.Peter J Schild 28
  29. 29. Corporate Hierarchy Enterprise Level I Level II Level III Segments: Operating 1 unit 1 2 3 Line of Operating Business 1 unit 2 4 5 Operating 6 unit 3 7 Segment 1 8 Operating 9 unit 4 Line of Business 2 Operating unit 5Peter J Schild 29
  30. 30. Senior Management & Board Reporting •  Information travels many paths to reach senior management and the board •  Coordinating the diverse sources of data while respecting their distinct voices requires deliberate structure and dedicated resources •  Oversight is only as effective as the clarity of knowledge necessary to exercise itPeter J Schild 30
  31. 31. Senior Risk Committee & Risk Governance CouncilTwo innovative groups help to promote senior management literacy and enhance board reporting:   Senior Risk Committee: chaired by CEO, comprised of Chief Operating Officer, Chief Risk Officer, Chief Audit Executive, Chief Financial Officer, General Counsel, Head of HR...   Risk Governance Council: chaired by CRO, comprised of CAE, Chief Accounting Officer, Heads of Operational, Credit & Market Risk, Chief Compliance Officer...Peter J Schild 31
  32. 32. Senior Risk Committee•  No formal agenda, meet periodically (e.g., monthly)•  Review high and emerging risks to strategies, incidents and incident responses; discuss economic and human capital resource allocations; renew commitments to intended riskPeter J Schild 32
  33. 33. Risk Governance Council•  Provide assurance to senior management and the board that residual risk across the enterprise is continuously monitored•  Determine that residual risk is based on actual, as opposed to expected, internal control environments•  Examine identified control weaknesses for potential damage; recommend changes to accepted risk tolerances, both up and down•  Calibrate risk tolerance by clarifying choices among reducing inherent risk, tightening controls, or allowing greater residual risk, and present analysis to Senior Risk CommitteePeter J Schild 33
  34. 34. Senior CommitteeOrganizational Structure Board of Directors Risk Senior Risk Internal Governance Council Committee Audit Operational Credit Risk Market Risk Risk Committee Committee CommitteePeter J Schild 34
  35. 35. Apply the Framework 1  In each entity of the hierarchy… 2  execute the uniform procedures… 3  to determine whether the objectives are being met. The resulting database includes, by operating unit, inherent risks, control environment evaluations, control exceptions, and residual risksPeter J Schild 35
  36. 36. Systems Thinking•  While complete in their silos, operating units – entities of sales and support – work together, not only according to their individual nature, but also according to their relative roles and positions in the system.•  Inherent delays between actions and outcomes naturally give rise to unintended consequences because actions taken in one part do not affect all related parts at the same time, but do so at the pace of their movement through the system.•  By delivering consistent assessments of each of the parts and enabling an assembled view of the whole, the framework provides perspective that augments preparation, anticipation, response, and recovery.Peter J Schild 36
  37. 37. 37 Risk Management 9 Human Resources 8 Legal/Compliance 7 Operations 6 Technology 5 Manage by Segment Finance 4 Line of Business 3 3Management Line of Business 2 2 1 Line of Business 1 Oversee by Strategy Peter J Schild C D B A
  38. 38. Presentation Format: Segment Risk•  The following slide is a compilation of individual assessments of all operating units within a sample segment: Technology.•  It displays how control concerns in separate parts affect the entire segment.•  Risk tolerance can be defined as the intended risk – the inherent risk intentionally taken with the assumption of an acceptable control environment.•  Comparing actual risk to intended risk presents senior management and the board the opportunity to quickly evaluate the segment capacity to take on additional risk, such as new products, strategies or acquisitions.Peter J Schild 38
  39. 39. Actual vs. Intended Risk:Technology Segment Risk Control Environment Low Acceptable Medium Marginal High Unacceptable Inherent + Tested Control = Residual Intended Strategy Risk Environment (Actual) Risk Risk* A B C D Composite Segment * Inherent Risk + Acceptable Control Environment = Intended Risk Peter J Schild 39
  40. 40. 40 Risk Management 9 Human Resources 8 Legal/Compliance 7 Operations 6 Technology 5 Manage by Segment Finance 4 Line of Business 3 3 Line of Business 2 2Oversight 1 Oversee by Line of Business 1 Strategy Peter J Schild C D B A
  41. 41. Presentation Format: Strategy Risk•  The following slide is a compilation of individual assessments of interdependent entities engaged in the execution of a particular strategy (a “strategic domain”) .•  It displays how control concerns in separate parts affect the strategy.•  Comparing actual risk to intended risk presents senior management and the board the opportunity to quickly evaluate strategies and determine exactly where they need to focus their attention to increase assurance that strategies are most likely to achieve intended objectives.Peter J Schild 41
  42. 42. Actual vs. Intended Risk:Strategy “A” Risk Control Environment Low Acceptable Medium Marginal High Unacceptable Strategic Domain: Inherent + Tested Control = Residual Intended Operating units Risk Environment (Actual) Risk Risk* Line of Business Finance Technology Operations Compliance Human Resources Risk Management * Inherent Risk + Acceptable Control Environment = Intended Risk Peter J Schild 42
  43. 43. Is This What We Want?•  Both inherent and residual risk are important to monitor – well-managed/high inherent or poorly managed/low inherent can each lead to unacceptable outcomes.•  In its silo, the line of business may be well-managed; but if other components of the strategy exhibit high residual risk, the overall risk may exceed that which was intended.•  Decision: resolve the control issues, reduce the inherent risk, or accept the residual risk.•  Comparing segment and strategy evaluations:   Are any operating units stressed supporting multiple strategies?   Are economic and human capital resources distributed most favorably?Peter J Schild 43
  44. 44. Four Key Roles to Execute and Sustain1  Monitor employee engagement – a function of human resources. As with any initiative, employee engagement must be tracked and tested to evaluate the depth of its understanding and fulfillment.2  Assure effectiveness – to align accountability with ownership, lines of business should be responsible for assurance by attesting to the design and operating effectiveness of their identified controls, and for reporting and resolving exceptions.3  Facilitate performance and upkeep – a discrete risk management function is desirable to facilitate process execution through focused support units that consult on building, implementing, and maintaining the framework. Risk units serve as a central clearing organization for retaining shared databases, and promote replication of the pattern of evaluation and reporting across the enterprise.4  Verify continued reliability – internal audit verifies through independent, objective oversight that management’s assurances can be relied upon, internal controls are designed and operating as reported by management, exceptions are appropriately escalated, and practicable resolutions are prescribed and on track.Peter J Schild 44
  45. 45. Perform Pilots in Selected Business UnitsPeter J Schild 45
  46. 46. Develop Learning StrategiesPeter J Schild 46
  47. 47. Implement Across the OrganizationPeter J Schild 47