ERM Adds Strategic Value

As enterprise risk management (“ERM”) becomes a more widely accepted practice, many companies are realizing the value of including a risk viewpoint in their strategic planning exercises. In the past, many executives viewed risk management purely as a loss avoidance exercise. However, now that ERM is providing a broader view of risks and allowing companies to become more resilient, companies are more willing to incorporate calculated risk-taking into their strategy formation. A recent study by the Economist Intelligence Unit provides the following insight into this changing view of ERM.

One important indication that a shift might be occurring, however, is that 75% of executives think that risk considerations are playing an increasingly important role in strategy at their organisations. This suggests that rather than playing a preventative role—avoiding financial losses, for example—risk management could be moving towards an enabling role that contributes more fully to corporate strategy.

To navigate risks for both the shorter and the longer term, many firms are beefing up their risk management systems. ABB, for one, is increasingly moving away from a decentralized risk management model and putting in place a more group-wide strategy. “We’ve put in place a centralized enterprise risk management program over the last 12 months, and viewing holistically all the risks we face in the organisation,” confirms Mr Hall. “What we realized in the financial crisis, particularly from a financial point of view, is that the best way to manage risk is centrally.”

Martin ten Brink, a director at Shell, a British oil giant, says his company intends to refine some aspects of its enterprise risk management system in the coming year, particularly the pricing of risk. Furthermore, he says, Shell is improving the way it gauges risk velocity. The firm is targeting “a better understanding of the speed with which a risk can materialize and impact business performance.”

Wheelhouse Advisors is uniquely qualified to help companies build ERM programs that can be a source of strategic value. To learn more, visit www.WheelhouseAdvisors.com.

New Proposed Guidance on Stress Testing for Banks

Yesterday, the Office of the Comptroller of the Currency (“OCC”), the Federal Reserve and the Federal Deposit Insurance Corporation (“FDIC”) issued proposed guidance for banking institutions to create a robust stress testing framework to adequately assess potential risks. The largest financial institutions have been subject to direct stress testing during the financial crisis in association with the administration of the Troubled Asset Relief Program (“TARP”). This new guidance formally outlines requirements for a broader population of institutions, specifically those with $10 billion or more in assets. According to the guidance, all banks of this size should structure their framework in the following manner.

“… a banking organization’s stress testing framework should include, but are not limited to, augmenting risk identification and measurement; estimating business line revenues and losses and informing business line strategies; identifying vulnerabilities and assessing their potential impact; assessing capital adequacy and enhancing capital planning; assessing liquidity adequacy and informing contingency funding plans; contributing to strategic planning; enabling senior management to better integrate strategy, risk management, and capital and liquidity planning decisions; and assisting with recovery planning.”

While this guidance does not explicitly meet the requirements of section 165(i) of the Dodd-Frank Wall Street Reform and Consumer Protection Act for non-bank companies, the OCC, Federal Reserve and FDIC plan to issue rules consistent with this guidance for those companies. So, this serves as a preview of what is to come. Public commentary on this proposed guidance is requested by June 29, 2011.

Collaboration is Key for GRC Success

An interesting study on the current state of Governance, Risk Management & Compliance (“GRC”) programs has just been released, and the results are quite revealing. Entitled “The Role of Governance, Risk Management & Compliance in Organizations”, the study was conducted independently by the Ponemon Institute for EMC. The study covered four primary domains – IT GRC, Operations GRC, Finance GRC and Legal GRC – and surveyed 190 GRC practitioners across the United States.

One of the primary findings was the fact that organizations are still limited by their ability to collaborate and communicate risk information across the enterprise. Part of the problem lies in the lack of a comprehensive strategy to improve collaboration. Beyond the lack of a strategy, organizations are also limited by their technological support of GRC programs. Here’s what the Ponemon Institute surmised.

We believe this study reveals the importance of an enterprise-wide strategy and increased collaboration among domains to meeting eGRC objectives. Currently, only 20 percent have an enterprise-wide strategy and collaboration among GRC areas is far from perfect. Only 28 percent of respondents say their organizations enjoy frequent collaboration or cooperation among GRC areas. However, the good news is that only 12 percent say GRC areas operate in silos in their organizations.

In order to address the barriers related to collaboration, it has been recommended that organizations make it a priority to encourage people from the various lines of business to talk to one another and to establish “risk ambassadors”. Gaining visibility and control through effective cross-enterprise eGRC collaboration is important to reducing gaps in how risk is assessed and managed.

Finally, according to respondents, managing risk is and will continue to be the biggest eGRC focus for their organizations. This is understandable because organizations are finding that the cost of complying with the plethora of regulations can be daunting. Taking a risk-based approach toward compliance requirements enables them to focus their resources on the most at-risk areas of their business and achieve real value from their eGRC activities.

Building the right processes, involving the right people and utilizing the right technology are all key to achieving the sort of value that GRC programs should provide. Wheelhouse Advisors is uniquely qualified to bring these key elements together for your organization. Email us at NavigateSuccessfully@WheelhouseAdvisors.com to learn more.

The Path to ERM Success

The path to success in implementing an Enterprise Risk Management (“ERM”) program can be found in greater integration and better technology – that’s according to a recent survey presented at the 2011 Risk and Insurance Management Society (“RIMS”) Conference in Vancouver, British Columbia. Entitled “Excellence in Risk Management VIII”, this is an annual independent survey of executives conducted for RIMS by Marsh. The most common focus area noted in the survey is a desire to strengthen enterprise or strategic risk management approaches. While more than half of the survey respondents indicated this desire, a majority saw the primary barrier to achieving this goal as a lack of understanding of the risk landscape across numerous silos of information.

As a result, 55% of the respondents expect to integrate risk management deeper into and across operations and 54% of respondents expect to perform day-to-day risk management activities more efficiently. To meet these expectations, organizations will need to improve the way they gather and report risk data through more cost-effective technology. The survey report supports this notion through the following observation. “It’s worth noting to risk managers that their counterparts in the C-suite were the most likely to view technology upgrades as a focus area. This should help pave the way for technology that can ease the time spent on mundane tasks and open the door to developing the deeper integration of risk management with other departments.”

Source: Risk & Insurance Management Society, Excellence in Risk Management VIII

How to Strengthen Your IT Risk Management Program

An essential component of any Enterprise Risk Management (ERM) program today is IT risk management. With ever-increasing threats to privacy and information security, companies are looking to strengthen their risk governance processes in many ways.

A recent survey by Carnegie Mellon University’s CyLab highlights ten key steps to building a stronger ERM program with a focus on IT risk. The CyLab 2010 survey is based on results received from 66 respondents at the board or senior executive level from Fortune 1000 companies. Twenty-seven percent of the respondents were board chairmen; 3 percent were outside directors; 47 percent were inside directors; and 50 percent were senior executives but not board members. Forty-five percent of the participants were from critical infrastructure companies.

The survey revealed that governance of enterprise security is lacking in most corporations, with gaps in critical areas. If boards and senior management take the following ten actions, they can significantly improve their organizations’ security posture and reduce risk:

1. Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with risk and IT governance expertise.

2. Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities.

5. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.

6. Establish privacy and security requirements for vendors based on key aspects of the organization’s security program, including annual audits or security reviews.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.

8. Conduct an annual review of the enterprise security program and the effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks and review annual budgets for IT risk management.

10. Conduct annual privacy compliance audits and review incident response and security breach notification plans.

These steps should be integrated into a holistic enterprise risk management approach to provide an effective and seamless program that is fully embraced at all levels within the organization. Doing so will not only raise a company’s risk mindfulness level, but also secure positive returns for key investors and stakeholders for years to come.

New Breeding Ground for Risk Topics

Board members of public companies are accustomed to passing along any risk-related issues to the Audit Committee and/or Risk Committee. However, many of these directors are discovering that risk-related issues are not necessarily the specific purview of those groups. One committee in particular is becoming a breeding ground for risk topics – the Compensation Committee. With incentive programs entering the spotlight through greater disclosure about their impact on risk taking and heightened investor scrutiny, a new set of board directors needs to be concerned with risk management. Here is what a leading expert had to say recently about the change.

Finally, an important means for compensation committees to address the risks that they now face is to ensure that they and the compensation-setting process are fully integrated into the overall risk-oversight activities of the board and the company. The financial crisis and its legislative and regulatory aftermath have focused considerable attention on the relationship between incentives in compensation programs and the risks that arise for companies, and as a result the compensation committee has become a crucial component of the risk-oversight process. The compensation committee’s attention to risks—through a periodic evaluation of the compensation program and how pay elements could create risks—has now become a regular part of the analytical framework.

How is your Compensation Committee addressing risk? Having the ability to articulate the linkage between incentive programs and a company’s risk appetite is critical to proactively addressing investor concerns. If you or someone else in your company is interested in learning more about bridging this gap, contact us at NavigateSuccessfully@WheelhouseAdvisors.com.

Stepping Back to Move Forward

New survey results on Enterprise Risk Management (“ERM”) practices at global financial institutions were released last week by Deloitte. The survey points to the changing attitudes towards ERM as well as the continued challenges many institutions face as they implement ERM programs. Here is a summary of the survey results.

The seventh edition of the report, titled “Navigating in a Changed World,” surveyed chief risk officers – or their equivalent – from 131 financial institutions from around the world, with aggregate assets of more than $17 trillion and representing a range of financial services sectors including banks, insurers and asset managers.

Among other major findings in the survey:

  • While the majority considered their institution to be either extremely or very effective in risk management overall, one-third of survey participants graded themselves below that level.
  • Not only is the chief risk officer (CRO) role more prevalent at financial institutions, but he or she is reporting to higher levels in the organization. According to the survey, 86 percent of institutions had a CRO in place, up from 73 percent in 2008, and the CRO reports to the board level or to the CEO (or both) at 85 percent of institutions. In addition, they are playing a more strategic role.
  • More institutions have adopted enterprise risk management (ERM) programs — 79 percent of institutions reported having a program or equivalent in place or in progress, an increase from 59 percent in 2008.
  • While the value of ERM has increased, so have the challenges of implementing the information and technology infrastructures to support a comprehensive program; the importance of information and technology management in effective risk management has only been emphasized by the events of the global financial crisis.
  • The top-rated risk management technology challenge among those surveyed was integrating risk data across the organization, which was rated as an extremely or very significant issue by 74 percent of executives.
  • More than 80 percent of institutions experienced significant impacts from regulatory changes in the countries where they operate; at 40 percent of responding institutions, these impacts included the need to maintain higher capital levels and the need to maintain higher liquidity ratios.

It seems that while ERM is gaining in prominence within these organizations, the primary challenges to a successful ERM implementation remain. Many companies will find themselves needing to take a step back to streamline ERM processes before trying to tackle the gaps in information and technology.

Incentive Pay & Risk Back in the Spotlight

Yesterday, the Federal Deposit Insurance Corporation (FDIC) approved a proposal to limit excessive risk taking that is tied to incentive programs at large financial institutions. The proposed rules are a result of the Dodd-Frank Act of 2010. Here is a summary of the new rules from the FDIC’s website.

The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) today approved a joint proposed rulemaking to implement Section 956 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Section 956 prohibits incentive-based compensation arrangements that encourage inappropriate risk taking by covered financial institutions and are deemed to be excessive, or that may lead to material losses.

Consistent with Dodd-Frank, the proposed rule does not apply to banks with total consolidated assets of less than $1 billion, and contains heightened standards for institutions with $50 billion or more in total consolidated assets. For these larger institutions, the rule requires that at least 50 percent of incentive-based payments be deferred for a minimum of three years for designated executives. Moreover, boards of directors of these larger institutions must identify employees who individually have the ability to expose the institution to substantial risk, and must determine that the incentive compensation for these employees appropriately balances risk and rewards according to enumerated standards.

Chairman Bair said “This proposed rule will help address a key safety and soundness issue which contributed to the recent financial crisis – that poorly designed compensation structures can misalign incentives and induce excessive risk-taking within financial organizations. Importantly, we believe the rule will accomplish its objectives in a way that appropriately reflects the size and complexity of individual institutions. Importantly, this inter-agency proposal will apply across all types of US financial institutions, limiting the opportunity for regulatory arbitrage. Similarly, it will better align US compensation standards with those which have been adopted internationally under the framework approved by the Financial Stability Board in 2009.”

Public comment will be accepted for 45 days prior to final approval. In addition, the rules are a joint effort with the Federal Financial Institutions Examination Council (FFIEC), the Securities & Exchange Commission (SEC) and the Federal Housing Finance Agency (FHFA), each of which must also approve the rules. These rules are a step in the right direction for those more interested in long-term results, but they will certainly be the subject of intense debate.

Risk Won’t Wait

After several years of delaying funding for risk management and IT security due to economic pressures, more and more companies are realizing that they cannot wait any longer. The stakes are simply too high to rely on outdated technology and a bare-bones approach to addressing ever-increasing risks. Here is what was reported in InformationWeek magazine earlier this week:

A unique convergence of circumstances makes this the perfect time to bring IT and business units together under the flag of a risk-oriented approach to security. Economic stress and cutthroat competition on a global scale mean every dollar you spend on security had better matter. Executives are increasingly being held personally accountable, and unified risk management as a discipline is finally reaching maturity.

Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies’ IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.

Don’t be left behind. With leaps in technology occurring in a matter of months rather than years, no company can afford to delay its improvements in risk management.

Missed Opportunity on Stress Tests?

When the Federal Reserve Bank (“FRB” or “Fed”) conducted stress tests of the 19 largest financial institutions back in 2009, many viewed it primarily as an exercise to restore the public’s faith in the financial system. Now that the FRB has asked the financial institutions to perform the same tests again, some are wondering if the tests should be redesigned to be more realistic. One of those raising questions is Sim Segal, an ERM expert who wrote an article on the subject this week in Forbes magazine. Here’s his view:

“… to be meaningful, the Fed stress tests must be changed to include (1) multiple simultaneous risk events, to capture the biggest potential threats, (2) all sources of risk, particularly strategic and operational ones, which represent the bulk of risks, (3) a full quantification of risk exposures, measuring the impact on value rather than on capital, (4) examination of the largest companies in all sectors that can threaten the economy, not just banks, and (5) worst-case scenarios provided by company insiders, to test each firm’s most vulnerable spots.”

Mr. Segal raises some very good points that should be considered not only by the FRB and the Financial Stability Oversight Council, but also by the individual financial institutions. For those financial institutions and other companies that are not performing stress tests in the manner suggested by Mr. Segal, it could represent a missed opportunity that could prove fatal.
