Enterprise Risk
Risk Governance Reform
Disciplined, reliable, and comprehensive systems of risk
management and corporate governance can enhance a
company’s reputation and increase shareholder value.
BY PETER SCHILD
October 2011 The RMA Journal
Copyright 2011 by RMA

Risk management can be described as the means by which reasonable assurance is provided that the risk taken is equivalent to the risk intended. Corporate governance, which has been called the strategic response to risk, is an organizing system designed to preserve economic and human capital sufficient to sustain operations.

Given the (surely unintended) amount of shareholder value lost in the financial services industry, the potential to improve both risk management and corporate governance continues to exist. This is not a regulatory issue. Boards, for the sake of their employees, shareholders, clients, and markets, should compel managements to identify historical process faults and inspire stronger cultures of risk awareness.

Opportunities for reform are present in four key areas of corporate governance:
1. Management’s need for line-of-business control and supervision.
2. The board’s need for perspective to perform oversight, make strategic decisions, and evaluate management.
3. The banking regulators’ need for effective, observable risk management practices.
4. The overall need for efficient processes that enable leverage across finance, risk, compliance, and audit.

Genuine reform consumes resources, and some resistance is natural. It’s fair to ask what return will come from the investment and what a feasible plan of execution looks
like. Asking a few questions designed to broaden the consideration beyond risk management to governance might help build a case for more meaningful change.

1. Does the board truly understand the strategic objectives, the top risks the company faces in executing strategies, and the strength of the processes that keep the board and senior management informed?

Board reporting is itself a key component of any strategy; effective oversight is contingent on a board conversant in the risks to established strategies and how they can be assessed. Because information reaches the full board from various members of management and through different committees, coordinating the diverse sources of data while respecting their distinct voices requires deliberate structure and dedicated resources. Unfortunately, board-level reporting often resembles a swiftly passing freight train—more tedious than informative.

To evaluate the company’s capacity to achieve core objectives, directors need confidence in a system of effective internal controls and the reliability of its maintenance, as well as evidence of widespread attentiveness to risk. They must believe in management’s capacity to stay within the boundaries of established tolerances and to report clearly and concisely when those boundaries are approached.

Augmenting the organizational structure as suggested in Figure 1 promotes senior management awareness, establishes rapid lines of communication, provides for reflection at the appropriate levels for fast-moving events, and enhances board reporting. Properly executed, the configuration shown in Figure 1 adds depth and consistency to the board narrative, while retaining the independent voices of internal audit and the separate risk functions.

Figure 1: Augmenting the Organizational Structure for Risk Awareness
[Organization chart. Top: Board of Directors. Next level: Risk Governance Council, Senior Risk Committee, Internal Audit. Next level: Credit Risk Committee, Market Risk Committee, Asset/Liability Committee, Operational Risk Committee.]

Senior Risk Committee (SRC): Chaired by the CEO, this committee includes the COO, CRO, chief audit executive, CFO, general counsel, and head of human resources. A roundtable discussion group meets monthly and as needed. It has no formal agenda and covers a range of current risks, concerns, and outlooks. The SRC is a forum for senior-most management to keep up with high and emerging
risks to strategies, discuss economic and human capital resource allocations, enhance literacy and accountability, and renew the commitment to intended risk.

Risk Governance Council (RGC): This committee is chaired by the CRO and includes the chief audit executive (ex officio), chief accounting officer, heads of operational, credit, and market risk, and the chief compliance officer. It reviews outstanding risk issues and exposures, control concerns, status of resolution, and boundaries of risk tolerance. The RGC examines identified control weaknesses for potential damage and determines that residual risk is based on actual, as opposed to expected, internal control environments. In the process, this committee has the capacity to recommend changes to accepted risk tolerances, both up and down. It provides senior management and the board with the assurance that residual risk across the enterprise is monitored continuously.

The RGC and Internal Audit are each important sources of information for the SRC. Their separate lines of input sustain their independence, standing, and authority.

2. Are the lines of business that contribute to any given strategic objective evaluated as a complete set of activities? While likely to be managed separately, are they observed together as one strategy?

Strategic risk is managed differently from day-to-day operations. The normal practice of managing in silos produces volumes of data that, when bound together, contribute to that image of a lengthy freight train. Too much detail obscures perspective and precludes a digestible assessment of the franchise’s capacity to take on and manage risk.

Corporations in their entirety are more than collections of individual activities subject to the separate interests of their components. A uniform process must be overlaid onto routine reporting mechanisms to lift information from them and fit it into a format suited for oversight, as illustrated in Figure 2.

Figure 2: Aggregating Line-of-Business Segments for Oversight
[Matrix. "Manage by Segment" columns: Line of Business 1, Line of Business 2, Line of Business 3, Risk Management, Legal/Compliance, Human Resources, Technology, Operations, Finance. "Oversee by Strategy" rows: I, II, III, IV.]

Absent a firm-wide, uniform approach that enables aggregation of the discrete line-of-business activities that make up each strategic initiative, managements and boards cannot visualize risk sufficiently well to identify, assess, accept, and monitor its full magnitude.

3. Do all lines of business (particularly support activities) coordinate so that their duties do not overlap and their reports to senior management and the board are compatible?

All voices must be heard—and, for the efficiency of day-to-day operations as well as the need to present the board with a comprehensible message, they should speak the same language. Too often risk, finance, compliance, audit, and lines of business view the organizational hierarchy differently, leading to duplication and irreconcilable reporting.

Reliable financial reporting and strict regulatory compliance are unconditional but costly requirements. A common method for identifying the company’s parts and assembling them into a whole fosters mutual reliance among support groups and yields efficiencies. A shared understanding of common objectives (for example, enlightening the board) beyond immediate responsibilities is a reasonable expectation and is also consistent with the imperative of operational effectiveness.

Figure 3: Integral Analysis of Process and Culture
Columns: Subjective Beliefs (left), Objective Measures (right). Rows: Individual (upper), Group (lower).
Upper left (Individual, Subjective Beliefs): My feelings/intentions
Upper right (Individual, Objective Measures): One’s empirical behaviors
Lower left (Group, Subjective Beliefs): Culture. Our culture: connection through meaning and values
Lower right (Group, Objective Measures): Process. Our company: connection through principles and procedures
4. Does available capital match the risk appetite?

Capital resources are difficult to measure precisely. But managing beyond the measurable is necessary to provide reasonable assurance of adequate capital and its preservation.

Different measures of capital—economic, regulatory, GAAP—show how scorekeepers can disagree, presenting hurdles to communication among lines of business, board members, regulators, accountants, and shareholders. Quantification of capital is too uncertain to be the sole means of determining its adequacy, although existing tools to measure risk-based capital remain necessary and useful. But only when these tools are combined with an assessment of employee skills, competencies, and risk awareness—human capital—can overall capital adequacy be evaluated realistically.

5. Are employees connected to the corporate vision?

The objective process of managing risk can be sustained only with development of the more subjective elements of culture. Without the right culture, the risk taken can easily exceed the risk intended, regardless of the processes employed to measure and monitor it.

Employees should understand and agree with intended outcomes and their individual and team roles in achieving them. Risk is aggregated only after committing to it and apart from where it’s taken; therefore, individual awareness and how people connect with each other matter in an organization strategically committed to taking risk. Process alone, no matter how well designed and implemented, is not enough to achieve effective governance.

Widespread risk literacy and identification with corporate goals are essential. Merging a culture of employee engagement with the fundamental principles of risk management requires a full-range program of organizational learning strategies, addressing recruiting, development, retention, and accountability. Literacy and accountability, at individual and group levels, cultivate an environment where personal visions connect and employees arrive at a shared understanding of what it looks like to realize corporate objectives.

A useful component of effective, efficient governance is an integral analysis. Paying attention to all four quadrants in Figure 3 takes into account the widest variety of evidence from the greatest number of sources. Group cultures (in the lower left) are accompanied by social practices (in the lower right) that identify experiences generally held to be true, valid, and believable within the organization. Such experiences in turn favorably affect behaviors (upper right) and what is held to be significant by individual employees (upper left).

Goal setting involves striving to do better both within and across quadrants. Just as each individual has tasks to perform that, in coordination with those of others, contribute to group production, so culture is both individual feelings and a set of group values. In this way, as well, performance evaluations may be elevated from individual to more meaningful team assessments. In order for sustainability to be achieved, individuals’ and groups’ subjective (cultural) and objective (process) feelings, attitudes, behaviors, and day-to-day procedures must be shaped and monitored together.

This entire reform methodology and its logical benefits can be pictured (Figure 4) as a continuous flow built on a sound process and culture in which both the individual and the group play a part.

Figure 4: Reform Methodology and Benefits
[Flow diagram. Enterprise-wide risk management principles: assurance, facilitation, verification. Employees who feel connected to the company: awareness, literacy, accountability. Reliable reporting, efficient operations, compliance with laws, capital preservation. Clear oversight perspective, observable governance practices, market & regulatory confidence, better reputation. Increased shareholder value.]

Implementation of the approach described here enables the board, external auditors, regulators, rating agencies, and financial analysts alike to recognize disciplined, reliable, and comprehensive systems of risk management and corporate governance, thereby enhancing the company’s reputation. And if the market’s appraisal of management’s competence is reflected in the amount by which total capitalization exceeds net worth, then enhancing the institution’s reputation leads to increased shareholder value.

Peter Schild was chief audit executive at Wachovia. He retired in December 2007, a few months before Wells Fargo acquired Wachovia. He can be reached at pschild@carolina.rr.com.