The Role of the Chief Risk Officer and the Board’s Role in Risk Oversight
John Fraser, Senior Vice President, Internal Audit & former Chief Risk Officer, Hydro One Network Inc.
August 25, 2014
The Canadian Society of Corporate Secretaries, 16th Annual Corporate Governance Conference, Banff Springs Hotel | Banff, AB | August 24 ‐ 27, 2014
Objectives of this Session
• Provide some background on Enterprise Risk Management, how it evolved and why it is now a hot topic for board rooms
• Introduce the core fundamentals of Enterprise Risk Management: what it is, some of the tools, and how to explain it to executive management and the board
• Explain the Chief Risk Officer’s role and how it interacts with the board or a board sub-committee
• Address the board’s role in risk oversight – increased expectations and what to do
How Well is ‘Risk’ Understood (2006)?
“In 2006, 60% of directors felt they had an understanding of their company’s risks, while executives say that only 18% of directors understand their company’s risks.”
Source: KPMG in “Raising the Bar” (April 2008) quoting the February 2006 McKinsey Quarterly Survey
How Well is Risk Understood (2013)?
In 2013, directors surveyed said their knowledge of the risks that the company faced was as follows:
• 15% of directors said they have a complete understanding
• 54% said they had a good understanding, and
• 29% said they had a limited or no understanding
Source: McKinsey & Company, “Improving board governance”, an online survey in April 2013 of 772 corporate directors, 34% of whom were chairs; 22% were from public companies and 78% from private companies.
What is risk management’s contribution to your organization?
• 47% said “It is essential for adding value to our overall business”
• 34% said “It can occasionally help us improve the way we do business”
• 15% said “Its contribution to our overall organization is only marginal”
• 4% said “It does not contribute to our overall business”
Source: Based on a December 2012 survey by the Economist Intelligence Unit and published by KPMG in 2013 in “Expectations of Risk Management Outpacing Capabilities – It’s Time for Action”
Some of the Challenges of Implementing ERM
• The Business Case: Regulatory or Effectiveness?
• Culture change
• Agreeing Risk Criteria (Appetite / Tolerances etc.)
• Staffing: who should lead, skills, workshops, how much data to analyse
• Level of detail (quantitative and/or qualitative)
• Software needs and selection
Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014) AICPA & NCSU
Benchmarking ERM
(Four numbered benchmarking charts from the source below; the chart content is not reproduced in this text extract.)
Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014) AICPA & NCSU

Benchmarking ERM – con:
Source: Current State of Enterprise Risk Oversight – 5th Edition (June 2014) AICPA & NCSU

Measure                                                         2009    2013
Companies with a designated Chief Risk Officer                    18      31
Financials with a designated Chief Risk Officer                    –      53
Separate Risk Committees                                          22      43
Risk Inventories kept at an enterprise level – all                20      37
Risk Inventories kept at an enterprise level – Large Co’s          –      72
Risk Inventories kept at an enterprise level – Public Co’s         –      66
Risk Inventories kept at an enterprise level – Financials          –      44
Integrating a Risk Framework into the Business
1. ERM Policy and Framework
2. Accountabilities (and the Chief Risk Officer role)
3. Risk Criteria (and appetite / tolerances)
4. Risk Identification (and the use of Risk Workshops)
5. Corporate Risk Profile
6. Business Planning
ERM Policy and Framework
• ERM Policy:
  • “ERM provides uniform processes to identify, measure, treat and report on key risks.”
  • This is the umbrella policy under which all other risk policies fall.
  • Key principles include: portfolios of ALL types of risks, integrated with strategic and business planning, annual risk assessments, everyone’s responsibility.
  • Key accountabilities: Board and/or board committee, the Chief Executive Officer, Chief Financial Officer, Management and Chief Risk Officer.
  • Key definitions, e.g. of “risk”.
• ERM Framework:
  • Establishes the basic process for all risk assessments etc.
Accountabilities in ERM
(Diagram with these elements: Board (or Committee); Executive Management; Line Management; Policy & Framework; Risk Criteria (Tolerances); Corporate Risk Profile; Risk Profiles & Business Plans; Manage Risks, $$.)
The Chief Risk Officer Role
• Alternative models, banks versus others
• Decision maker, facilitator or “opinionator”?
• Centralized/holistic view of the organization
• Some issues:
  • Who does the CRO work for? Management or the Board?
  • Is the CRO a facilitator or a policeman?
Additional reading:
• “Managing the Multiple Dimensions of Risk—Part II: The Office of Risk Management” by Anette Mikes, Assistant Professor, and Robert S. Kaplan, Baker Foundation Professor, Harvard Business School (2011)
• “Becoming the Lamp Bearer: The Emerging Role of the Chief Risk Officer” by Anette Mikes, Assistant Professor, Harvard Business School (2009)
• “Enterprise Risk Management – From Incentives to Controls” by James Lam, John Wiley & Sons (2003)
Accountabilities of Risk versus Internal Audit
(Diagram of internal audit roles in ERM, grouped into: core internal audit roles; roles with safeguards; roles audit should not undertake.)
Source: “The Role of Internal Auditing in Enterprise-wide Risk Management”, Institute of Internal Auditors (2004); “Internal Auditing’s Role in Risk Management”, Institute of Internal Auditors (2011)
The Chief Risk Officer and the Board
• Touch-points between the Board and the CRO:
  • The ERM Policy and Framework approval
  • Strategic Planning & Business Planning (Objectives)
  • Risk Criteria (e.g. impact scale, tolerances etc.)
  • Formal Risk Profiles
  • Frequent Updates
  • Educator (e.g. best practices, benchmarking)
  • Advisor (e.g. hot topics, emerging risks)
  • Whistleblower (not recommended)
  • To be determined (e.g. risk workshops)
Appetite/Tolerances/Criteria
(Table of how the terms Appetite, Tolerance, Criteria and Attitude came into use over time:)
• < 2004: the terms were used interchangeably
• 2004+: Appetite and Tolerance – COSO
• 2009: Criteria – ISO 31000
• 2011: Appetite, Tolerance, Criteria and Attitude – Canada*
* = Implementation guide to CAN/CSA-ISO 31000, Risk management — Principles and guidelines (2011)
Use of Risk Criteria (Appetite & Tolerances etc.)
• In order to run effective risk workshops
• In order to create a common understanding of risks by the leadership team, the board and managers
• Criteria for Business Planning / Resource Allocation prioritization
“Risk is the effect of uncertainty on objectives” – ISO 31000
Risk Criteria* Include:
• the nature and types of causes and consequences that can occur and how they will be measured;
• how likelihood will be defined;
• the timeframe(s) of the likelihood and / or consequence(s);
• how the level of risk is to be determined;
• the views of stakeholders;
• the level at which risk becomes acceptable or tolerable; and
• whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
* = Per ISO 31000. Note: Underlines for emphasis by John Fraser (not preserved in this text extract)
Turning Strategy into Risk Criteria (inc. Tolerances)
(Flow diagram from Strategic Planning through Business Objectives and Key Performance Indicators to Risk Criteria, with the question asked at each step:)
• Strategic Planning – How are we going to achieve our overall Corporate aims?
• Business Objectives – What 6-10 objectives do we want to factor in to decision-making?
• Key Performance Indicators – How will we measure success for each Business Objective?
• Risk Criteria (inc. Tolerances) – What is our attitude toward failure for each Key Performance Indicator?
(Labels on the diagram: Risk Tolerances; Business Objectives)
Example of “Risk Tolerances” (Criteria)
Impact levels: 5 = Worst Case, 4 = Severe, 3 = Major, 2 = Moderate, 1 = Minor (the slide divides the scale into Intolerable and Tolerable ranges).

Financial – Net Income shortfall (after tax, in one year):
• 5 Worst Case: >$150M shortfall
• 4 Severe: $75-150M shortfall
• 3 Major: $25-75M shortfall
• 2 Moderate: $5-25M shortfall
• 1 Minor: <$5M shortfall

Reputation – Negative Media Attention; Opinion leader and Public Criticism:
• 5 Worst Case: National media attention; opinion leaders/customers nearly unanimous in public criticism
• 4 Severe: Provincial media attention; most opinion leaders/customers publicly critical
• 3 Major: Significant local attention; several opinion leaders/customers publicly critical
• 2 Moderate: Credible letter(s) to Ministry of Energy, to Premier, to Chair of OEB, or to Minister of Environment, that require action
• 1 Minor: Letter(s) to Senior Management

Customer / Reliability – Outages on the Hydro One system:
• 5 Worst Case: One of: >100,000 Customers Distribution or >1000MW Tx for more than 7 days
• 4 Severe: One of: 40k-100k Customers Dx or 400-1000MW Tx for 4-7 days
• 3 Major: One of: 10k-40k Customers Dx or 100-400MW Tx for 2-4 days
• 2 Moderate: One of: 1k-10k Customers Dx or 10-100MW Tx for 4-24 Hrs
• 1 Minor: One of: <1000 Customers Dx or <10MW Tx for <4 Hrs
Risk Identification and Evaluation
• The use of Risk Workshops
• The use of Interviews
• The use of Surveys

Risk Workshops
Risk Workshops are Facilitated for:
• Major Projects, e.g. construction, Information Technology, Mergers & Acquisitions
• Major Types of Risks, e.g. environmental
• Lines of Business, e.g. for business planning
• Executive Team
• Board of Directors
“Risk Management is a contact sport.” – Diana Del Bel Belluz
Note: Risk workshops will not work well in a dysfunctional organization
Risk Interviews
• Based on the Strategic Objectives
• List of major external events since the last Risk Profile
• Prior list of top risks: to capture trends and ratings
• Listings of all possible existing and evolving risks
• Identification and input of organizational context and learnings
• Recognizes different styles of communicating (e.g. blue sky versus detailed)
Corporate Risk Profiles
• Purpose and Benefits
• Frequency, e.g. semi-annual (?)
• Based on:
  • Interviews & Databases (e.g. risk workshop results)
  • Trends & Emerging risks (e.g. media scans)
• Reviewed by:
  • Executive (Risk) Committee
  • Board or delegated board committee
• Input to Strategic & Business Planning (and internal audit plan)
Roll Up of Risk Interviews/Workshops
(Example roll-up diagram for the Human Resources risk category (R=2.6 / C=2.1), with its contributing risks:)
• Retaining Expertise (R=2.6 / C=2.0)
• Training (R=2.5 / C=2.8)
• Labour Agreements (R=2.4 / C=2.0)
• Commercial Culture (R=3.4 / C=2.1)
• Volatile Work Schedule (R=2.5 / C=2.1)
• Budget (R=2.8 / C=2.6)
• Skills (R=2.5 / C=2.6)
• Demographics (R=3.5 / C=2.3)
• Competition (R=2.7 / C=2.5)
Risk Profile Top Ten Format
Risk Source               March 2001   Dec. 2001   Risk Trend
Cost Reduction            Very High    Very High
Regulatory Uncertainty    High         Very High
Initial Public Offering   High         High
Customer Relationships    High         Medium
Human Resources           Medium       Medium
Safety                    High         Medium
(The Risk Trend arrows are not reproduced in this text extract.)
Note: Each risk category is explained with a half-page analysis outlining the sources of the risk and the mitigants in place or planned.
Heat Map
Topic   Risk           Description                                                       Likelihood       Impact
A       Compensation   Dissatisfaction leads to higher turnover                          Possible         Moderate
B       Recognition    If unrecognized, leads to errors and less focus                   Unlikely         Minor
C       Downsizing     More overtime, so staff leave for better work/life balance        Likely           Moderate
D       Demographics   Changing demographics leads to more turnover                      Almost Certain   Moderate
Source: COSO 2004 Application Techniques – Page 47
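As an added example (not from the presentation or from Hydro One), the following Python script shows how the impact scale from the “Example of Risk Tolerances” slide and the likelihood/impact words from the Heat Map slide can be turned into a scored, ranked risk register with intolerable risks flagged for the board. The financial shortfall thresholds and impact labels are the slide’s; the numeric likelihood values, the intolerable cut-off (impact 4 or higher) and register entry E are assumptions made for the example.

```python
"""Score a risk register against an impact scale and rank it as a heat map.

Added example, not part of the original presentation. Financial thresholds and
impact labels follow the "Example of Risk Tolerances" slide; likelihood numbers,
the intolerable cut-off and entry E are assumptions made here.
"""
from dataclasses import dataclass

# Net Income shortfall (after tax, in one year) in $M, from the slide, as
# (exclusive lower bound, impact level). Anything at or below $5M is level 1.
FINANCIAL_SCALE = [(150, 5), (75, 4), (25, 3), (5, 2)]

# Impact labels from the slide: 5 = Worst Case ... 1 = Minor.
IMPACT_LEVELS = {"Worst Case": 5, "Severe": 4, "Major": 3, "Moderate": 2, "Minor": 1}

# Likelihood words from the heat-map slide; the numeric values are an assumption
# (the slide gives only the ordering Unlikely < Possible < Likely < Almost Certain).
LIKELIHOOD_LEVELS = {"Unlikely": 1, "Possible": 2, "Likely": 3, "Almost Certain": 4}

# Assumed tolerance cut-off: impact 4 or higher is intolerable whatever the likelihood.
INTOLERABLE_FROM = 4


def financial_impact(shortfall_musd):
    """Map a net-income shortfall in $M to the 1-5 impact level on the slide."""
    for lower_bound, level in FINANCIAL_SCALE:
        if shortfall_musd > lower_bound:
            return level
    return 1


@dataclass
class RiskEntry:
    topic: str
    description: str
    likelihood: str   # one of LIKELIHOOD_LEVELS
    impact: int       # 1-5 on the impact scale

    @property
    def score(self):
        # Simple likelihood x impact product used to order the heat map.
        return LIKELIHOOD_LEVELS[self.likelihood] * self.impact

    @property
    def intolerable(self):
        return self.impact >= INTOLERABLE_FROM


def rank(register):
    """Highest score first; ties broken by impact so severe risks surface first."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.topic))


def heat_map_rows(register):
    """Return (topic, likelihood, impact, score, intolerable) tuples in ranked order."""
    return [(r.topic, r.likelihood, r.impact, r.score, r.intolerable) for r in rank(register)]


# Constructed register: A-D are the heat-map slide's rows; E is a constructed
# financial risk scored through the shortfall thresholds.
SAMPLE_REGISTER = [
    RiskEntry("A", "Compensation: dissatisfaction leads to higher turnover", "Possible", IMPACT_LEVELS["Moderate"]),
    RiskEntry("B", "Recognition: if unrecognized, leads to errors and less focus", "Unlikely", IMPACT_LEVELS["Minor"]),
    RiskEntry("C", "Downsizing: more overtime, staff leave for better work/life balance", "Likely", IMPACT_LEVELS["Moderate"]),
    RiskEntry("D", "Demographics: changing demographics leads to more turnover", "Almost Certain", IMPACT_LEVELS["Moderate"]),
    RiskEntry("E", "Constructed: rate decision causes a $120M net-income shortfall", "Possible", financial_impact(120)),
]

if __name__ == "__main__":
    for topic, likelihood, impact, score, intolerable in heat_map_rows(SAMPLE_REGISTER):
        flag = "INTOLERABLE" if intolerable else ""
        print(f"{topic}  {likelihood:<15} impact={impact}  score={score:<2} {flag}")
```

Running the script lists E first (impact 4, intolerable) ahead of D, which has the same score but a Moderate impact; that tie-break is the point of carrying the impact level separately rather than reporting only the product.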
Business Planning: Making Choices Based on Value
(Diagram of competing spending choices – Vehicles?? House?? Medical?? Travel?? – with the allocation rule: Intolerable Risks + Highest “Risk Mitigation” Value for money.)
Summary - The Basic Approach to ERM
• Establish a policy and procedure (framework based on ISO 31000)
• Identify a champion and resources
• Agree on Risk Criteria, e.g. an impact scale
• Create conversations via workshops and interviews
• Prepare semi-annual risk profiles (based on interviews and/or risk workshops)
• Incorporate risk prioritization into business planning
• Include risk assessments in capital projects
• Monitor and improve
Target Risk Attitude
(Radar chart on a 0-5 scale over the axes safety, customer, environment, revenue growth, shareholder return, corporate image, employee relationship and technical innovation, showing the "Target" Attitude.)

Risk Attitude Comparison
(Radar chart on the same 0-5 scale and axes, comparing the "Target" Attitude with the Business development dept, Operations dept and Accounting dept.)
Velocity Voting Scale
Interval between the initiating event or condition (which is the point at which the risk becomes inevitable) and its “peak” impact on our business objectives

Resilience Voting Scale
• Ability to detect occurrence of initiating event/condition, and secure/deploy resources (plans, organizations, testing)
• Availability of or access to resources required to cope with or mitigate the business impact (people, knowledge, liquidity, equipment, etc.)