Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Risk Gov Reform RMAJournal

223 views

Published on

  • Be the first to comment

  • Be the first to like this

Risk Gov Reform RMAJournal

  1. 1. Enterprise Risk Risk Governance Reform Disciplined, reliable, and comprehensive systems of risk management and corporate governance can enhance a company’s reputation and increase shareholder value. BY PETER SCHILD RISK MANAGEMENT CAN be described as the means by which Opportunities for reform are present in four key areas reasonable assurance is provided that the risk taken is equiv- of corporate governance: alent to the risk intended. Corporate governance, which has 1. Management’s need for line-of-business control and been called the strategic response to risk, is an organizing supervision. system designed to preserve economic and human capital 2. The board’s need for perspective to perform oversight, sufficient to sustain operations. make strategic decisions, and evaluate management. Given the (surely unintended) amount of shareholder value 3. The banking regulators’ need for effective, observable lost in the financial services industry, the potential to improve risk management practices. both risk management and corporate governance continues 4. The overall need for efficient processes that enable lever- to exist. This is not a regulatory issue. Boards, for the sake of age across finance, risk, compliance, and audit. PHOTODISC/THINKSTOCK their employees, shareholders, clients, and markets, should Genuine reform consumes resources, and some resistance compel managements to identify historical process faults and is natural. It’s fair to ask what return will come from the inspire stronger cultures of risk awareness. investment and what a feasible plan of execution looks 12 October 2011 The RMA JournalCopyright 2011 by RMA
  2. 2. To evaluate the company’s capacity to achieve core objectives, directors need confidence in a system of effective internal controls and the reliability of its maintenance, as well as evidence of widespread attentiveness to risk.like. Asking a few questions designed to broaden the Figure 1consideration beyond risk management to governancemight help build a case for more meaningful change. Augmenting the Organizational Structure for Risk Awareness1. Does the board truly understand the strategic objec- tives, the top risks the company faces in executing Board of Directors strategies, and the strength of the processes that keep the board and senior management informed? Risk Governance Senior Risk Internal Audit Board reporting is itself a key component of any strat- Council Committeeegy; effective oversight is contingent on a board conver-sant in the risks to established strategies and how theycan be assessed. Because information reaches the full Credit Risk Market Risk Asset/Liability Operational Riskboard from various members of management and through Committee Committee Committee Committeedifferent committees, coordinating the diverse sources ofdata while respecting their distinct voices requires delib-erate structure and dedicated resources. Unfortunately,board-level reporting often resembles a swiftly passingfreight train—more tedious than informative. hances board reporting. Properly executed, the configura- To evaluate the company’s capacity to achieve core ob- tion shown in Figure 1 adds depth and consistency to thejectives, directors need confidence in a system of effective board narrative, while retaining the independent voices ofinternal controls and the reliability of its maintenance, as internal audit and the separate risk functions.well as evidence of widespread attentiveness to risk. Theymust believe in management’s capacity to stay within the Senior Risk Committee (SRC): Chaired by the CEO,boundaries of established tolerances and to report clearly this committee includes the COO, CRO, chief audit execu-and concisely when those boundaries are approached. tive, CFO, general counsel, and head of human resources. A Augmenting the organizational structure as suggested in roundtable discussion group meets monthly and as needed.Figure 1 promotes senior management awareness, estab- It has no formal agenda and covers a range of current risks,lishes rapid lines of communication, provides for reflection concerns, and outlooks. The SRC is a forum for senior-at the appropriate levels for fast-moving events, and en- most management to keep up with high and emerging The RMA Journal October 2011 13
  3. 3. Figure 2 much detail obscures perspective and precludes a digest- ible assessment of the franchise’s capacity to take on and Aggregating Line-of-Business Segments manage risk. for Oversight Corporations in their entirety are more than collections Manage by Segment of individual activities subject to the separate interests of Oversee by Strategy their components. A uniform process must be overlaid I onto routine reporting mechanisms to lift information from them and fit it into a format suited for oversight, as Legal/Compliance Line of Business 1 Line of Business 2 Line of Business 3 Risk Management Human Resources II illustrated in Figure 2. Technology Operations Finance III Absent a firm-wide, uniform approach that enables aggregation of the discrete line-of-business activities IV that make up each strategic initiative, managements and boards cannot visualize risk sufficiently well to identify, assess, accept, and monitor its full magnitude. risks to strategies, discuss economic and human capital resource allocations, enhance literacy and accountability, 3.Do all lines of business (particularly support activities) and renew the commitment to intended risk. coordinate so that their duties do not overlap and their reports to senior management and the board are Risk Governance Council (RGC): This committee is compatible? chaired by the CRO and includes the chief audit executive (ex officio), chief accounting officer, heads of operational, All voices must be heard—and, for the efficiency of credit, and market risk, and the chief compliance officer. day-to-day operations as well as the need to present the It reviews outstanding risk issues and exposures, control board with a comprehensible message, they should speak concerns, status of reso- the same language. Too often risk, finance, compliance, The RGC and Internal lution, and boundaries of risk tolerance. The audit, and lines of business view the organizational hier- archy differently, leading to duplication and irreconcilable Audit are each important RGC examines identi- reporting. sources of information for fied control weaknesses Reliable financial reporting and strict regulatory compli- for potential damage ance are unconditional but costly requirements. A common the SRC. Their separate and determines that method for identifying the company’s parts and assembling lines of input sustain residual risk is based them into a whole fosters mutual reliance among support on actual, as opposed groups and yields efficiencies. A shared understanding of their independence, to expected, internal common objectives (for example, enlightening the board) standing, and authority. control environments. beyond immediate responsibilities is a reasonable expecta- In the process, this tion and is also consistent with the imperative of operational committee has the capacity to recommend changes to effectiveness. accepted risk tolerances, both up and down. It provides senior management and the board with the assurance Figure 3 that residual risk across the enterprise is monitored continuously. Integral Analysis of Process and Culture The RGC and Internal Audit are each important sources of information for the SRC. Their separate lines of input Subjective Beliefs Objective Measures sustain their independence, standing, and authority. My feelings/ One’s empirical Individual 2.Are the lines of business that contribute to any given intentions behaviors strategic objective evaluated as a complete set of activities? While likely to be managed separately, Culture Process are they observed together as one strategy? Our culture: Our company: connection through connection through Group Strategic risk is managed differently from day-to-day meaning and values principles and procedures operations. The normal practice of managing in silos produces volumes of data that, when bound together, contribute to that image of a lengthy freight train. Too14 October 2011 The RMA Journal
  4. 4. Figure 4 nect and employees arrive at a shared understanding of what it looks like to Reform Methodology and Benefits realize corporate objectives. A useful component of effective, effi- cient governance is an integral analysis. Enterprise-wide · Assurance Paying attention to all four quadrants in risk management · Facilitation Figure 3 takes into account the widest principles · Verification Reliable reporting Clear oversight perspective Increased variety of evidence from the greatest Efficient operations Observable governance practices shareholder value Compliance with laws Market & regulatory confidence number of sources. Group cultures Capital preservation Better reputation Employees who · Awareness (in the lower left) are accompanied by feel connected to · Literacy the company · Accountability social practices (in the lower right) that identify experiences generally held to be true, valid, and believable within the organization. Such experiences in turn favorably affect behaviors (upper right)4.Does available capital match the risk appetite? and what is held to be significant by individual Risk is aggregated only Capital resources are difficult to measure precisely. But employees (upper left).managing beyond the measurable is necessary to provide rea- Goal setting involves after committing to itsonable assurance of adequate capital and its preservation. striving to do better and apart from where Different measures of capital—economic, regulatory, both within and across it’s taken; therefore,GAAP—show how scorekeepers can disagree, presenting quadrants. Just as eachhurdles to communication among lines of business, board individual has tasks to individual awareness andmembers, regulators, accountants, and shareholders. Quan- perform that, in coor- how people connect withtification of capital is too uncertain to be the sole means of dination with those ofdetermining its adequacy, although existing tools to measure others, contribute to each other matter in anrisk-based capital remain necessary and useful. But only when group production, so organization strategicallythese tools are combined with an assessment of employee culture is both individ- committed to taking risk.skills, competencies, and risk awareness—human capital— ual feelings and a set ofcan overall capital adequacy be evaluated realistically. group values. In this way, as well, performance evaluations may be elevated from individual to more meaningful team5.Are employees connected to the corporate vision? assessments. In order for sustainability to be achieved, in- dividuals’ and groups’ subjective (cultural) and objective The objective process of managing risk can be sustained (process) feelings, attitudes, behaviors, and day-to-dayonly with development of the more subjective elements procedures must be shaped and monitored together.of culture. Without the right culture, the risk taken can This entire reform methodology and its logical benefitseasily exceed the risk intended, regardless of the processes can be pictured (Figure 4) as a continuous flow built onemployed to measure and monitor it. a sound process and culture in which both the individual Employees should understand and agree with intended and the group play a part.outcomes and their individual and team roles in achieving Implementation of the approach described here enablesthem. Risk is aggregated only after committing to it and the board, external auditors, regulators, rating agencies, andapart from where it’s taken; therefore, individual aware- financial analysts alike to recognize disciplined, reliable, andness and how people connect with each other matter in an comprehensive systems of risk management and corporateorganization strategically committed to taking risk. Process governance, thereby enhancing the company’s reputation.alone, no matter how well designed and implemented, is And if the market’s appraisal of management’s competence isnot enough to achieve effective governance. reflected in the amount by which total capitalization exceeds Widespread risk literacy and identification with corporate net worth, then enhancing the institution’s reputation leadsgoals are essential. Merging a culture of employee engagement to increased shareholder value. vwith the fundamental principles of risk management requiresa full-range program of organizational learning strategies,addressing recruiting, development, retention, and account- Peter Schild was chief audit executive at Wachovia. He retired in December 2007, aability. Literacy and accountability, at individual and group few months before Wells Fargo acquired Wachovia. He can be reached at pschild@levels, cultivate an environment where personal visions con- carolina.rr.com. The RMA Journal October 2011 15

×