Page 1: Governance Insight June 15, 2011  Enterprise Risk Management

Governance Insight

June 15, 2011

www.vitalinsight.com

Enterprise Risk Management

Page 2: Credit Union ERM – Why we are here

Enterprise Risk Management is becoming top of mind for many credit unions:
- Board/supervisory committee members
- Senior management
- Regulatory examiners
- External auditors

Credit unions want to more clearly understand:
- The benefits of ERM
- The goals, objectives, and deliverables of ERM
- The most efficient way to implement ERM

Goal for today: Demystify the ERM Process

Page 3: Introductions – Roberta Rodgers

Vice President, Risk Management, Redstone FCU

• B.S. Degree, Middle Tennessee State University, summa cum laude; Master’s Degree, Strategic Leadership, Middle Tennessee State University, in progress; Juris Doctorate Degree, University of Memphis

Redstone FCU:
• Located in Huntsville, AL
• $3 Billion in Assets
• 340,000 members and over 1200 service groups, including Redstone Arsenal
• Working to expand by moving into new geographical areas, product areas, exploring merger opportunities

Page 4: Introductions – Alan White

Former “Big 4” Executive and Experienced Internal Auditor
Conducted well over 200 risk assessments and control reviews
B.S. (Industrial Engineering), Carnegie Mellon & MBA (Finance), University of Texas
Founder and CEO, Vital Insight, Inc.
• Focused on providing cost effective ERM Solutions to Credit Unions
  - Governance Insight software application
  - ERM consulting services from experienced professionals
• Training and education
• Risk assessment and evaluation
• Content and best practices
  - Strong relationships with academic experts and industry associations
  - CUES Exclusive ERM Partner

Page 5: Selected Credit Union Customers

Page 6: Webinar Agenda

ERM Principles & Concepts
Goals & Objectives for an ERM Program
ERM Components
Getting Started
Questions and Comments

Page 7: Webinar Agenda (repeated as section divider)

Page 8: What is Driving ERM?

Huge changes in the operating environment

Page 10: Risk Management Trends

Competitive Marketplace
Globalization
Legal Requirements
Short Product Cycles
Explosion of Technology
Complex Business Transactions

And, they are interconnected – with a cascading impact

Management and Board Challenge

Page 11: What is Driving ERM?

Huge changes in the operating environment
• Liquidity is becoming volatile
• Margins are eroding
• Delinquencies & charge-offs have increased drastically
• Fee income is steadily becoming more important
• Restructuring of the Corporates (and the NCUA lawsuit)
• Regulations are changing
• GAAP is inadequate and may very likely change
• IT Risk management requirements will increase
• Freddie & Fannie (Risk Retention)
• Proposed tax code changes

Efficiency (output/input) is critical
Less room for errors and surprises – i.e. risk
Regulators are extending risk management requirements

Page 12: Redstone’s ERM Drivers

- Regulators are extending risk management requirements
- Redstone is getting too big to continue working in silos
- The regulatory environment is becoming more burdensome and affecting more areas of the CU
- Strategic goals are becoming bigger and require an enterprise-wide view
- It’s the right thing to do

Page 13: What is Risk?

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. – The Institute of Internal Auditors (IIA)

A prerequisite to any risk discussion in an organization: you must know the organization’s objectives.

Page 14: Traditional Risk Management Approach

“Silo” or “Stove-Pipe” Risk Management
- Strategic Market Risks
- Operations Risks
- Finance Risks
- IT Risks
- Legal Risks
- Reputation Risks
- Human Capital Risks

Page 15: ERM Brings Risks Together

Enterprise Focus on Risks (diagram: Value Creation and Preservation at the center, surrounded by the risk categories)
- Strategic Market Risks
- Operations Risks
- Finance Risks
- IT Risks
- Legal Risks
- Reputation Risks
- Human Capital Risks

Key Message: Senior Management is facilitating the aggregation and interactions of those risk exposures to evolve from Risk Management to Risk Intelligence

Page 16: Rewarded Versus Unrewarded Risks

Rewarded Risks (Opportunities to take risk)
• Risks that are expected to bring some benefit if properly managed
• Interest Rate Risk
• Credit Risk
• Liquidity Risk
• Strategic Risks

Unrewarded Risks
• Those for which there is only a downside
• Transaction Risk
• Compliance Risks
• Reputation Risk
• Financial Reporting (Accounting) Risk

Page 17: Maintaining a Balanced Focus on Risk

(Diagram: three tiers of risk – Strategic Risks, Execution Risks, Operations & Compliance Risks – placed on a scale from Creating Value to Protecting Assets; vertical axis labelled “Increasing ERM Program Focus”)

• Senior Management ERM Agenda
• Board and Supervisory Committee Oversight
• Reputation Risk
• Executive Risk (Ethics, Integrity, Judgment)
• SWOT (risk review) with strategic planning
• Credit, Market Risk Management Processes
• Operational Risk Focus
• Risk Analysis Techniques
• Procedures, Controls, Insurance
• Business Area Risk Reviews
• Key Risk Indicators
• Early-warning Signals

The ERM program should help the organization to maintain a balanced focus on value creation (rewarded risk taking) as well as value protection (unrewarded risk mitigation).

Page 18: Risk Appetite

Risk Appetite is the target risk level you are willing to accept in pursuit of member value
Managing and profiting from calculated risk is what financial services organizations do
Risk management practices, risk appetite, strategy and capital are inextricably linked

Management and the Board should engage in a specific dialogue around the following questions:
• How much risk are you willing to accept?
• Are you taking enough risk to achieve the return/reward you are expecting?
• Do you understand the combined effects of the risks you are taking?
• How much of your capital can be put at risk at any one time?
• How much risk are you willing to take with your existing assets at any one time?
• How much risk are you willing to take to achieve future growth at any one time?

Page 19: Risk Management Principles

- State your objectives
- Identify most critical areas of risk (risk assessment)
  • Keep in mind that you may not have seen the impact yet!
- Gather and analyze the relevant data
- Exercise sound judgment, ethics & integrity
- Identify potential root causes (WCGW – what could go wrong)
- Determine best response
- Document and train
- Monitor, audit, and assure (and measure)

Page 20: Risk Management Principles (repeated, grouped into two phases: Assess Risk and Manage Risk)

Page 21: Webinar Agenda (repeated as section divider)

Page 22: What is ERM supposed to do?

• Quickly identify emerging risks and problem areas before they escalate and cause serious harm
• Reduce the incidence of serious negative surprises that undermine stakeholder confidence
• Enable the organization to more effectively take advantage of opportunities
• Reduce response time for emerging risks
• Demonstrate to stakeholders that reasonable risk management processes are in place
• Provide an efficient way to link business objectives, risks, mitigation strategies, residual risks, and procedural process documentation

Page 23: What is ERM NOT supposed to do?

• Be just one more audit
• Be just one more compliance exercise
• Be done by ONLY audit or risk management
  - Risk management is part of the decision making process
• Prevent healthy risk taking
  - A good risk manager is a good risk taker
  - “Too much rigor creates rigor mortis!”

Page 24: Redstone’s ERM Objectives

- Allows the CU to make well-informed decisions
- Reduces surprises; prepares us for the worst case scenario
- Ensures all areas have been considered – do things right the first time
- Opportunities for healthy risk taking are not overlooked
- Identify gaps and overkill in processes and procedures

Page 25: Webinar Agenda (repeated as section divider)

Page 26: Enterprise Risk Management Components

Strategic Risk
• Relates to “macro” risks, strategic decisions, economic trends and planning
• Includes NCUA categories of Strategic and Reputation Risk (also IT)
• Typically managed through the Strategic Planning process
• Identify relevant risk scenarios and develop plans for addressing them
• All significant strategic risks should be managed due to large impact

Financial Risk
• Relates to risk that is present in the credit union’s investments and loan portfolio
• Includes NCUA categories Interest Rate and Liquidity
• Also includes concentration and accounting risk
• Usually managed through the ALM process and includes executive and board level involvement
• Subjectivity of assumptions underlying financial models

Operations Risk
• Risk that operations are not designed or executed effectively
• Includes NCUA categories Transaction, Compliance, and Credit risk
• Also includes Fraud, Accounting, IT
• Managed through effective business processes and controls
• Requires prioritization of efforts and activities to manage effectively

Page 27: Enterprise Risk Management Components (Redstone’s view)

Strategic Risk
• Relates to “macro” risks, strategic decisions, economic trends and planning
• Includes NCUA categories of Strategic and Reputation Risk (also IT)
• Managed through the Strategic Planning process
• Identified four primary risk scenarios and developed plans for addressing them
• All significant strategic risks should be managed due to large impact

Financial Risk
• Relates to risk that is present in the credit union’s investments and loan portfolio
• Includes NCUA categories Interest Rate and Liquidity
• Also includes concentration and accounting risk
• Usually managed through the ALM process and includes executive and board level involvement
• Subjectivity of assumptions underlying financial models

Operations Risk
• Risk that operations are not designed or executed effectively
• Includes NCUA categories Transaction, Compliance, and Credit risk
• Also includes Fraud, Accounting, IT
• Managed through effective business processes and controls
• Requires prioritization of efforts and activities to manage effectively

Page 28: Financial Risk Management Components

Interest Rate
Liquidity
Accounting

Page 29: Financial Risk Management Components – Interest Rate

• Loan pricing (risk based pricing)
• Investment yields
• Duration
• Typically managed through ALM process at the executive & board level
• Ratio analysis & modeling are key components
  – Should include scenario analysis and shocks
  – Beware geeks bearing formulas (like VAR)

Page 30: Financial Risk Management Components – Liquidity

• Basic cash management
  – Budgeting & forecasting
  – Contract renewals and vendor management
  – Seasonality analysis
  – Should include scenario analysis
• Be cognizant of NCUA requirements
• Heavily linked to strategic risk!

Page 31: Financial Risk Management Components – Accounting

• Important for monitoring and measuring ratios
• Allowance for loan loss is incredibly subjective
• Should include scenario analysis
• Should not be “outsourced”
  – Do not assume that accounting risk is managed just because the audit or regulatory exam is clean

Page 32: Financial Risk Management Components

Interest Rate
Liquidity
Accounting
Concentration Risk

Page 33: Financial Risk Management Components – Concentration Risk

• Hottest NCUA risk category
  – Supervisory Letter issued
  – “A risk concentration is any single exposure or group of exposures with the potential to produce losses large enough (relative to capital, total assets, or overall risk level) to threaten a financial institution’s health or ability to maintain its core operations.”
• Many credit unions are over-concentrated in cash (may increase need for fees)
• No set guidelines for establishing limits have been communicated
• Three key phases for concentration risk:
  – Policy setting
  – Initial analysis and remediation
  – On-going monitoring

Page 34: Redstone’s Financial Risk Plan

- Asset Liability Policy
- Asset-Liability Committee meets monthly
- Monthly review of interest rate risk, liquidity risk, investment strategy
- Monitor key ratios: net worth, delinquency, charge-offs, ROA
- Monitor long-term asset ratio
- Quarterly qualitative review
- CFO establishes annually how much risk the CU can take with BOD based on worst case scenarios using NCUA’s 7 risk categories
- Planning, budgeting, forecasting, follow-up

Page 35: Enterprise Risk Management Components (repeated as section divider)

Page 36: Two Step Process

Enterprise Risk Assessment & Prioritization (“Top Down”)
Detailed Process Level Risk Analysis (“Deep Dives”)

Page 37: Two Step Process

(Diagram: Enterprise Risk Assessment & Prioritization (“Top Down”) versus Detailed Process Level Risk Analysis (“Deep Dives”), contrasted on Scope and Scrutiny)

Page 38: Redstone’s Operational Risk Plan

- Conducted EWRA
- Conducting initial deep dives on all high risk areas
- Forming a Risk Management business unit responsible for implementing operational risk plan
- By end of 2012 will have conducted a deep dive in every business unit
- Establish annual schedule for risk assessments
- Consult with business units on new projects
- Monthly reporting to the BOD

Page 39: EWRA Concepts

- The Enterprise Wide Risk Assessment is used to identify, evaluate, and prioritize operational risk hot spots
- Financial and strategic risks are not typically evaluated in this assessment
- Goal is to identify areas that require further analysis by process owners, internal audit, etc.

Page 40: Identifying Risk Events

A risk event is an item that is uncertain, can happen in the future, and has an impact on objectives.
- Assigned scores for likelihood and impact
- During the initial phase, risk should be analyzed as though there were no controls (inherent risk)
  • Example: “In the payroll process, there is a risk that the right people are paid the wrong rates”
  • “Or that the wrong people are paid the right rates”
- Risks are usually identified by logic and analysis (intuition)
- But data can be used to identify holes as well

Page 41: Risk Response

Accept
• Risks that fall within the organization’s risk appetite and/or that do not significantly threaten the organization’s business objectives can be accepted
  - Laziness or apathy cannot be the default

Transfer (Reassign)
• Typically done through insurance

Mitigate
• Risks that cannot be accepted or realistically transferred should be mitigated through the use of control measures

Remaining risk is “residual risk”
• Most common mistake by organizations is an attempt to immediately determine “residual risk”
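The scoring and response flow described on the two preceding slides (inherent scoring of risk events, prioritization, then accept/transfer/mitigate, and only then residual risk), worked through as an added Python example. This is not code from the slides, from Redstone FCU or from the Governance Insight product. It assumes a 1–5 scale for likelihood and impact, a hypothetical appetite threshold of 6 on the resulting 1–25 scale, and a constructed sample register whose scores and controls are illustrative only; the refusal to compute residual risk before a response is chosen models the “most common mistake” called out above.

```python
"""Constructed EWRA-style risk register: score inherent risk first, prioritize,
choose a response, and only afterwards estimate residual risk."""
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical appetite threshold on the 1-25 likelihood x impact scale:
# at or below it a risk may be accepted; above it must be transferred or mitigated.
RISK_APPETITE = 6


@dataclass
class Control:
    """A mitigating control, or an insurance policy used to transfer risk."""
    name: str
    likelihood_reduction: int = 0   # points taken off the 1-5 likelihood score
    impact_reduction: int = 0       # points taken off the 1-5 impact score


@dataclass
class RiskEvent:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (minor) .. 5 (threatens objectives)
    insurable: bool = False  # can the downside realistically be transferred?
    response: Optional[str] = None
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: scores must be 1-5, got {score}")

    def inherent_score(self) -> int:
        """Risk as if no controls existed (the initial-phase rule on page 40)."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk remaining after the chosen response; refuses to run before one is chosen."""
        if self.response is None:
            raise ValueError(f"{self.name}: choose a response before estimating residual risk")
        if self.response == "accept":
            return self.inherent_score()          # accepted means lived with as-is
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def prioritize(events: List[RiskEvent]) -> List[RiskEvent]:
    """Highest inherent score first: the EWRA 'hot spots' that get a deep dive."""
    return sorted(events, key=lambda e: e.inherent_score(), reverse=True)


def choose_response(event: RiskEvent, appetite: int = RISK_APPETITE) -> str:
    """Accept only inside appetite (never by default); else transfer if possible, else mitigate."""
    if event.inherent_score() <= appetite:
        return "accept"
    if event.insurable:
        return "transfer"
    return "mitigate"


def plan_responses(events: List[RiskEvent], appetite: int = RISK_APPETITE) -> List[dict]:
    """Run the two-phase flow and return one summary row per event, in priority order."""
    rows = []
    for event in prioritize(events):
        event.response = choose_response(event, appetite)
        rows.append({"name": event.name, "inherent": event.inherent_score(),
                     "response": event.response, "residual": event.residual_score()})
    return rows


def sample_register() -> List[RiskEvent]:
    """Constructed sample data; scores and controls are illustrative, not Redstone's."""
    return [
        RiskEvent("Payroll: right people paid the wrong rates", likelihood=3, impact=2),
        RiskEvent("Loss or compromise of member data", likelihood=3, impact=5,
                  controls=[Control("Encrypt member data at rest", impact_reduction=2),
                            Control("Quarterly access review", likelihood_reduction=1)]),
        RiskEvent("Employee embezzlement", likelihood=2, impact=4, insurable=True,
                  controls=[Control("Fidelity bond (insurance)", impact_reduction=2)]),
    ]


if __name__ == "__main__":
    for row in plan_responses(sample_register()):
        print(f"{row['inherent']:>2} -> {row['residual']:>2}  {row['response']:<8} {row['name']}")
```

With the sample register the member-data event ranks first (inherent 15, mitigated to 6), embezzlement second (8, transferred to 4) and the payroll example last (6, accepted as-is); calling `residual_score()` on an event that has no response yet raises rather than guessing.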

Page 42: Enterprise Risk Management Components (repeated as section divider)

Page 43: Risk Drivers on Value

(Bar chart, not reproduced: Fortune 1000 companies that lost > 25% stockholder value in one month, counted by risk driver on a 0–30 axis. Drivers are grouped as Strategic, Operational, Financial and Hazard: Customer Demand Shortfall, Competition, M&A Problems, Products, Pricing, Loss Customer, Supplier, Cost Overruns, Accounting Irregularities, Management Ineffectiveness, Supply Chain Issues, Macroeconomics, Commodity Prices, Interest Rates, Lawsuit, Natural Disasters, Regulatory, R&D Delays. Source: Marsh/Mercer; used with permission)

Page 44: Strategic Risk Challenges

Difficult to identify
• Requires creativity and forward thinking
• Some are outside of our control

Nearly impossible to quantify
• Requires effective estimations and judgment
• Most should be actively managed anyway

Hard to monitor
• Metrics and action items are not obvious

There is rarely one “right answer” to any risk
Solutions can often create new risks
Extended timeline means they can change
• Three huge risks of any project that lasts more than one year (technology, environment, people)

Page 45: Many Overlook Risk of Committing to Wrong Strategy

(Diagram, not reproduced: Time on the horizontal axis with the Range of Uncertainty widening over time; Strategies Built Today contrasted with Performance Observed Over Time. Adapted from The Strategy Paradox, by Michael Raynor)

Page 46: Strategic Risk Identification

Start with external strategic risks
• New Regulations
• Changes to Asset Prices
• Strategic Partner Plans & Viability
  - Corporate Credit Unions
  - Fannie & Freddie
• Interest Rate Changes
• Economy and Employment
• New Competitors
• Lost Competitors when Local/Regional Banks Fail
  - May increase your volume – are you ready?

Page 47: Typical Internal Strategic Risks

- Executive Integrity & Ethics
- Loss or compromise of member data
- Inability to identify and develop new/effective products & services
- Insufficient access to capital
- Inability to manage credit risk
- Reputation is not maintained/perception of insufficient financial soundness
- Lack of adequate resources
- Inability to grow/scale to meet market requirements
- Inability to attract and retain qualified personnel
- And many others….

Page 48: Strategic Risk Options

Accept
Avoid
Transfer (Insure/Hedge/Outsource)
Aggressively Manage
• Operationalize (but this will create operational risk)
• Monitor & Respond
• Develop “Real Options”
• Influence

Page 49: Redstone’s Strategic Risk Plan

- Developed strategic objectives
- Identify risks associated with each objective – scenario planning
- Determine level of acceptable risk and risk mitigation strategies for each objective
- Utilize forecasting model to tie strategic risk plan to financial risk plan
- Monthly reporting to BOD with a detailed annual review to make the program more visible

Page 50: Webinar Agenda (repeated as section divider)

Page 51: Define Roles & Responsibilities

Risk Management
Executives & Managers
Board of Directors
Auditors & Supervisory Committee

Page 52: ERM Champion

- Establish the ERM Terminology
- Provide Guidance, Quality Assurance & Project Management
- Communicate & Demonstrate the Value of ERM
- Measure the Progress of the Program
- Adjust Plans based on Lessons Learned

Page 53: Our First Steps at Redstone

- Research ERM models
- Define what ERM means for RFCU
- Find a partner (Vital Insight) to assist with development and implementation
- Educate the Board; Executive Staff; Management
- Conduct EWRA and determine where deep dives were needed

Page 54: Vital Insight Services for Different Needs

Risk and Objectives           | VI Services
Financial Risk                | Concentration Risk Assessment; ALM Policy Review or Development
Strategic Risk                | Risk Profile; Strategic Risk Assessment & Scenario Analysis
Operations Risk               | Enterprise Wide Risk Assessment; Functional Risk Assessments (“Deep Dives”)
Education & Change Management | VI Academy Training Sessions; ERM Fitness Check; Mentoring & Quality Assurance

Page 55: Questions

Roberta Rodgers, Vice President, Risk Management, [email protected]
Alan White, President & CEO, [email protected]