Oversight Management of Risk by Malcolm Gilroy

Document Sample
Oversight Management of Risk by Malcolm Gilroy Powered By Docstoc
					Oversight Management of Risk

 May 2010

              This report is solely for the use of FDHL-MT. No part of it may
              be circulated, quoted or reproduced for distribution outside
              FDHL-MT without prior written approval.

 Broad overview of the Topic
 The Holistic Approach to Risk Management
 Process of risk management
 What the Board should question

                           Chart 1
Broad Overview of The Topic

 Definition of Enterprise Risk Management
 Traditional approach of many companies
 The need for Board surveillance and a specific Board Committee
 The role of the Chief Risk Officer (CRO)

                           Chart 2
Risk/Reward Tradeoff

                                 Company    needs
                                 to decide where
                                 on this continuum
                                 it wishes to sit.
                                 This is a Board
      Reward                     decision

                       Chart 3
Definition Of Enterprise Risk Management

 ERM can be described as a risk-based approach to managing
  an enterprise, integrating concepts of strategic planning,
  operations and internal controls
 ERM is evolving to address the needs of various
  stakeholders, who want to understand the broad spectrum of
                               Definition of Enterprise
  risks facing complex organizations to ensure they are
                               Risk Management
  appropriately managed

                             Chart 4
Definition Of Enterprise Risk Management../2
 Definition of Enterprise Risk
 Regulators and debt rating agencies have increased their
  scrutiny on the risk management processes of companies
 Some high-profile failures of companies caused by ERM failure
  have been:
  •   Enron & Barings - Failure of control mechanisms
  •   Lehman & LTCM - Failure to understand business
  •   Union Carbide - Failure in remote part of company
  •   General Motors - Failure to detect industry change

                            Chart 5
Definition Of Enterprise Risk Management../3
 Definition of Enterprise Risk
 Industries change and companies must be aware of such
  changes. It is the Board responsibility to react and lead the
  company through such changes
 Kodak is a good example
  6 companies in the Dow Jones 30 of 1959 remain in the index
  (3 from 1929)
  •   General Electric           General Foods
  •   Dupont                     Exxon Mobil
  •   Proctor & Gamble           Chevron

                             Chart 6
ERM – Traditionally Approach Of Many Companies
  ERM - Traditional Approach of Many
 Companies have not traditionally approached ERM
  Most companies
 Modern approach is build ERM into the strategy and budget
  planning process
 Needs a disciplined approach aligning strategy; process;
  people; technology and knowledge
ERM means the removal of traditional, functional, departmental
and cultural biases

                            Chart 7
    ERM – Traditionally Approach Of Many Companies../2
    ERM - Traditional Approach of Many
   Companies facing
    What risks are we

 Are these comparable to the risks of our competition

 How do they change with a change in business conditions

 What level of risk should we take

 How should we manage that risk

                             Chart 8
 The need Board Surveillance & A Specific
The Need Forfor Board surveillance and a Board Committee
  specific Board Committee
 The main function of any corporation is to make profit for its
  shareholders. To do this they must accept some level of risk

 Since the Board of Directors is the guiding body of a company it
  falls to them to ensure that the company and therefore its RISK
  is properly managed

 All companies are different and their risks and their complexity
  will determine the manner in which a Board focus on Risk

                             Chart 9
 The Role Of The Chief Risk Officer
 The role of the Chief Risk Officer
The Chief Risk Officer is responsible for -

     developing and managing the risk management structure

                      Should you have one??

                              Chart 10
 The Role Of The Chief Risk Officer../2

 While financial services companies are embracing the CRO
  position, other industries such as utilities and commodities-based
  businesses are recognizing the power of knowing all their risks
  from the top down
 James Lam, founder of ERisk, based in New York, and former
  CRO for Fidelity Investments, has been watching the CRO trend
  over the last several years and says there are two indicators that
  CROs are here to stay: salaries are climbing, which
  demonstrates their value, and CROs are beginning to report right
  to the CEO, rather than to the CFO or Treasurer, putting them in
  a more powerful position. Many CRO’s have a dotted line
  reporting relationship to the Board

                             Chart 11
The Role Of The Chief Risk Officer../3

 In Nigeria the risk management role never got as far removed
  from the CEO as it did in developed economies
 Therefore the CEO is effectively today’s CRO in most
  companies in Nigeria
Is this healthy and can the CEO perform the executive functions
of a CEO and oversee the myriad of risks inherent in today’s
listed companies??

                             Chart 12
The Role Of The Chief Risk Officer../4

  Strategic             Hedged/Insurable         Financial
  Corporate             Property                 Price

  Customer needs        Business integrity       Liquidity

  Demographic changes   Disaster recovery        Credit

  Capital position      Information technology   Inflation

  Legal/political       Geographic risks         Hedging/Position

This is anThe Roleaof the Chief Risk
           example of Risk Department’s functional breakdown
          Officer (CRO)
Each company will have a different formation to align with its

                             Chart 13
The Holistic Approach to Risk Management

 Managing risk in silos
 View risk as a portfolio
 Risk is dynamic
 Risk is an opportunity

                             Chart 14
 Managing Silos
Managing Risk inRisk      in Silos
 Risk needs to be managed both centrally and in silos
 ERM is managed centrally
 Operational and financial risk should be managed locally as
  that is where the business managers are and they should
  understand their specific risks better than a central committee

This is an example of a Risk Department’s functional breakdown
Each company will have a different formation to align with its

                             Chart 15
 Managing Silos../2
Managing Risk inRisk in   Silos

“Field decisions are best taken by the
most junior officer, in the field, allowed
to take such decisions”

General Andrew Stuart

                      Chart 16
 Managing Silos../3
Managing Risk inRisk in           Silos
Bhophal incident -1984

 Union Carbide Corporation a Dow 30 stock owned 515 OF
    Union Carbide India Limited
   Dec 1984 an act of sabotage caused a gas leak and resulted in
    3,800 deaths
   Caused international incident
   Chairman Anderson went to India with task force, was put under
    house arrest and asked to leave the country

This is an example of a Risk Department’s functional breakdown
Each company will have a different formation to align with its strategy

                                Chart 17
 Managing Silos../4
Managing Risk inRisk in       Silos
 The result was that UCC suffered a massive reputational hit,
  was heavily fined
 The company fell out of the DJI in 1999 and was bought by
  Dow Chemicals in 2001
 UCC is still fighting damage law suits in the USA to this day
Question is how many Directors of UCC even knew they had an
Indian plant?

                             Chart 18
 Managing Silos../5
Managing Risk inRisk in       Silos
Bhophal incident -1984
 Management of company was left solely to the Indian
   management and as a 51% owned entity UCC management
   took a hands off approach BUT it was UCC’s reputation at risk
 The cause of the leak and the fact that it was sabotage did not
   protect UCC. They clearly had no ERM system in place to
   protect the parent from regional catastrophic risk
 Only a comprehensive risk plan would have identified the
   potential risk to the parent

                             Chart 19
 Managing Risk in Silos
Managing Risk in Silos../4

Manage silo risk in conjunction with enterprise risk and ensure that it is global


           Equities                                 Cash

                   GLOBAL RISK MANAGEMENT

                                  Chart 20
  View As A as a Portfolio
View Riskrisk Portfolio

 The idea of having ERM at the top supervising all other risk
  activities is to ensure that all risks are covered
 The concept of managing risks as a portfolio is not to treat all
  risk in isolation
 If a company has a subsidiary gravel pit and a subsidiary
  cement factory, you do not have to hedge the forward sales of
  gravel or the purchase price of gravel since they are offsetting
  risks at consolidation

   This is an example of a Risk Department’s functional
   Each company will have a different formation to align
   with its strategy

                             Chart 21
 View risk as a Portfolio../2

 The art of managing a portfolio is to find uncorrelated asset
  returns and buy both asset classes and leave both unhedged as
  their volatility will partially offset each other
 The danger is that if these are treated in isolation excess cost
  will be incurred by hedging both risks
 The portfolio risk is that both assets may be structured to
  achieve the same thing and thus not be as uncorrelated as at
  first believed

  This is an example of a Risk Department’s functional breakdown
  Each company will have a different formation to align with its strategy

                                Chart 22
  View As A as a Portfolio
View Riskrisk Portfolio../3
Typical financial portfolio, can be replicated for any business grouping


          Equities                               Cash

                                Chart 23
  View As A as a Portfolio
View Riskrisk Portfolio../4


e   60%

t   50%                                                            Risk 2

u   40%
                                                                   Risk 1

r   30%

n   20%


           1   2    3    4    5       6      7   8   9   10   11

       This is an example of a Risk Department’s functional breakdown
     Each company will have a different formation to align with its strategy

                                  Chart 24
    A Portfolio Approach

Involves creating a general understanding of:
 A company’s resources
    The business environments in which it operates
    How value is created and stored
    The key risk issues underlying its value propositions
    How its business models are alike and dissimilar
    Every important business dimension

                               Chart 25
A Portfolio Approach: Realigning the Internal Model

                  Mission, Vision & Values

           Operational                      Financial
           Employees                 Debt and Equity Holders
   Employment Practices and Compensation Structure
         Governance and Organizational Structure

            Legal and Ownership Structure

                          Chart 26
Risk is Dynamic

As a mortgage banker your risk is clearly rising as house prices
rise same for the security forces as terrorism increases

                             Chart 27
 Risk is Dynamic../2

 As risks increase the risk managers must find a way to
  counteract the impact of risk incidents. This is usually
  expensive and not thought out before
 Conversely when risk is lower the need for insurance is lower
  and economic logic dictates that then you should take off
  excessive insurance and maximize profits

                           Chart 28
 Risk as an Opportunity

 Too many organisations see risk management as a compliance
  issue, rather than developing approaches which add value and
  competitive advantage and which reflect their own business
  culture and stakeholder base
 Most approaches to risk management are therefore not driven
  or inspired by enhancing opportunities (the upside of risk) but
  by the fear of the ever greater penalties for doing something
  wrong (the downside of risk)

Prof Martin Loosemore

                            Chart 29
Risk as an Opportunity../2

 When Jamie Dimon stepped up to the plate and bought 100%
  of Bear Stearns for $2 per share, he used the fact that he had
  preserved his cash for a rainy day and was able to use it to buy
  a huge opportunity. So much so that he had to up the price a
  week later to $10 per share to avoid an awkward law suit
 This was a financial example of risk management turning into
  an opportunity. There are many less notable but equally
  important examples of good risk management providing superb
  gains in business

                             Chart 30
    Risk as an Opportunity../3
Potential benefits of successful risk management
•   Improved performance and competitive advantage
•   Greater resilience to unforeseen risks
•   Greater capacity to seize opportunities
•   Greater teamwork and collective responsibility for decisions
    throughout all organizational levels and supply chains
•   Higher client satisfaction and retention
•   Greater regulatory compliance
•   Less rework, disruption and conflict rework
•   Enhanced reputation
•   Higher quality information for making business decisions
                               Chart 31
Process of Risk Management

 Identify risk

 Quantify risk

 Mitigate risk

 Monitor risk

                        Chart 32
Identify Risk

Experienced-based approach
 Is dependent on corporate experience
 Search for bad outcomes and try to identify risk drivers
 Solicit staff for potential risk in processes etc.
Environmental approach
 Seeks to understand the business in the context of its
 What is changing and how will it affect the business?

                            Chart 33
Quantify Risk
What risk measures are available to business managers
    Financial Indicators
    Liquidity
    P&L performance measures
Key Risk Indicators
      Customer complaints
      Lawsuits
      Plant failures
      Accidents
      Errors
                             Chart 34
 Quantify Risk../2

 Many quantitative measures have been created to measure
 One of the most important and mis-understood of these is
  Value @ Risk or VAR
 A simplified definition of VaR is that it measures the amount of
  loss one can expect for a given portfolio over a specified period
  of time with a 95% or 99% degree of confidence

                             Chart 35
 Quantify Risk../3

The problem with VaR
 VaR risk can be hedged away but adds to total book
 The data is usually too short term in nature to represent a full
  economic cycle, thus there have been far more 100 year
  events in the last 30 years than is feasible
 The data has no answer for how much one can lose in the
  1% or 5% of events not covered by the confidence levels
 VaR tends to be used in isolation and it should not be. It does
  not pretend to measure Liquidity Risk

                             Chart 36
Quantify Risk

   Short-term Data

                     Chart 37
Quantify Risk

    Long-term Data

For a good example see page 77 Exhibit 5.4 in “Bank Boards and the Financial Crisis”
by Nestor Associates

                                      Chart 38
 Quantify Risk../6

How serious was the overemphasis on VaR in 2008?
 UBS blames an over-dependance on VaR and an absence of
  other risk measures in its mortgage book, as an overarching
  cause for the horrendous losses they suffered in their fixed
  income business
 Using VaR without liquidity limits allowed the book to grow to
  proportions that could not easily be financed when market
  liquidity dropped
 VaR is a useful tool but not in isolation

                              Chart 39
Quantify Risk../7

 Balanced scorecards and Key Performance Indicators tie
  strategy to operations
 Credit losses or problems
 Audit problems and exceptions

Frequently too much time is spent trying to refine what risks are
being monitored and not enough time is spent fixing issues that
cause risk (80/20 Rule)

                            Chart 40
Risk/Mitigation Heatmap


                          Level of Risk

                          Chart 41
 Mitigate Risk

 The process to mitigate risk will vary from one situation to
  another, proper risk mitigation calls for understanding what you
  currently have and what needs to be done in order to maintain
  your status quo
 Don’t waste time and money mitigating non critical risks, you will
  always have risk; identify the main causes of risk and manage
  those causes

                             Chart 42
Monitor Risk

 In much the same way as decisions should be taken by the
  most junior person permitted to take the decision; risk should
  be monitored all the way through the organization, by the most
  junior person able and permitted to monitor that risk
 No one person or department should be managing too many
  risks as then most risks will not be properly monitored

                            Chart 43
 Monitor Risk../2

 Set up a series of dashboards that are easy to read and
  indicate the key risks to be monitored by the entity or person
  and ensure that all of these functions are working properly
 The Board equally should have one dashboard the indicates
  whether the systems are effective and that risk management
  processes are consistently performed
 They need a separate dashboard that monitors catastrophic
  risk and requires the Board’s action

                             Chart 44
What The Board Should Question

 Process
 Resources
 Is risk mitigation foolproof
 Does the company have sufficient capital maintain its risk

                            Chart 45

Must be:
 Simple process oriented and preferably automated
 Regularly performed
 Understandable to the operator
 If a risk is not handled immediately system must trigger risk
  potential to the next level
 Performed consistently across all parts of the organization

                                Chart 46

 Insufficient resources will result in sub-optimal results (you get
  what you pay for)
 If the company cannot afford the means to monitor its risk;
  can it afford to take the risk?
 Resources must be consistent across all aspects of the
  organization and be able to communicate
 Must be available at ALL TIMES

                             Chart 47
Is Risk Mitigation Foolproof?

 Risk must be ranked according to severity of the event and its
 It is too expensive to insure every event so a policy must be
  designed that takes into account the risk/reward from mitigating
  against the event

Certain events cannot be allowed to happen even once and
therefore must be protected against at all costs

                             Chart 48
Does Company have Sufficient Capital?

 If the company has lost capital it must lower its risk profile
  otherwise the management is violating the risk budget that
  was agreed with the Board
 If the Board leaves the same level of risk available to
  management they must understand that they have moved the
  company closer to potential disaster
This is Measurable

                            Chart 49
  Financial Markets

                                      CONSULTING TEAM
                                       FDHL-MT
                                       A Financial Services
                                       Strategic Transformation
Enterprise Diagnostics

    Risk                 Regulators    Operators