Enterprise Risk Management and Culture (PowerPoint presentation by Jai Ramaswamy)

  1. Enterprise Risk Management and Culture Jai Ramaswamy Managing Vice President Enterprise Risk Management May 14, 2019

  2. Agenda
  1. Who am I?
  2. How did we get here?
  3. What is Enterprise Risk Management?
  4. What is the relationship between Enterprise Risk Management and culture?
  5. How do you manage conduct risk?

  3. 1. Who am I?
  • Currently Managing Vice President at Capital One for the past 2 ½ years, leading the ERM function
  • Previously Global Head of AML Risk Management at Bank of America
  • Served for over a decade in the Department of Justice catching bad guys
  • Lawyer who came late in life to risk management
  • Current interests involve understanding risks arising from the use and misuse of technology

  4. 2. How did we get here? (timeline: 2000 to Present)
  Public Accounting Fraud
  • Sarbanes-Oxley
  • Criminal prosecution
  • Focus on financial reporting controls and testing
  • Internal Controls
  Financial Crisis
  • Dodd-Frank
  • Focus on financial risk management
  • “Stress Tests”
  • Volcker rule
  • Consumer Protection
  Misconduct (LIBOR/FX)
  • Reputational Harm
  • Regulatory Enforcement
  • Focus on Compliance and Operational Risk
  • Rules not clearly established
  • Criminal Prosecution has proved challenging
  Breach of Public Trust
  • Focus on what should we do, not what can we do

  5. 3. What is Enterprise Risk Management?

  6. The Evolution of Enterprise Risk Management
  Executive Summary from the 2004 COSO Enterprise Risk Management – Integrated Framework:
  “Among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value.”
  Executive Summary from the 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance:
  “Organizations need to be more adaptive to change. They need to think strategically about how to manage the increasing volatility, complexity, and ambiguity of the world, particularly at the senior levels in the organization and in the boardroom where the stakes are highest.”

  7. The 2017 COSO ERM Framework
  Governance & Culture
  • Exercises Board Risk Oversight
  • Establishes Operating Structures
  • Defines Desired Culture
  • Demonstrates Commitment to Core Values
  • Attracts, Develops, and Retains Capable Individuals
  Strategy & Objective Setting
  • Analyzes Business Context
  • Defines Risk Appetite
  • Evaluates Alternative Strategies
  • Formulates Business Objectives
  Performance (Risk Lifecycle)
  • Identifies Risk
  • Assesses Severity of Risk
  • Prioritizes Risks
  • Implements Risk Responses
  • Develops Portfolio View
  Review & Revision
  • Assesses Substantial Change
  • Reviews Risk and Performance
  • Pursues Improvement in Enterprise Risk Management
  Information, Communication & Reporting
  • Leverages Information and Technology
  • Communicates Risk Information
  • Reports on Risk, Culture, and Performance
  Enterprise Risk Management Objective
  • Increasing the range of opportunities
  • Increasing positive outcomes and advantage while reducing negative surprises
  • Reducing performance variability
  • Improving resource deployment
  • Enhancing enterprise resilience
  Effective Enterprise Risk Management Should Drive Grounded Risk Taking, Not Risk Avoidance

  8. Common traps to avoid
  • ERM is seen as a function or department
  • ERM maintains a risk inventory but does not connect the dots
  • ERM is focused principally on internal controls
  • ERM becomes a “check the box” compliance exercise

  9. 4. What is the relationship between Enterprise Risk Management and culture?

  10. “For culture, the lessons I take from these examples are about the power of simple ideas, responsibility, commitment as represented by skin in the game, accountability. None of these big ideas is new, in fact quite the opposite. Nor do they require sophisticated tools to apply and monitor. They go with the grain of good incentives, and they act to support the public interest and its objectives. But, they do require effective and consistent implementation. This is where good governance comes in, a strong role for senior management and particularly boards.”
  ~ Andrew Bailey, Financial Conduct Authority (U.K.)

  11. Maturing Enterprise Risk Management
  Sets Risk Governance Framework & Methodology
  • Focus on standard setting
  • Credible challenge largely ensured by “check the box” compliance
  • Administers enterprise risk management processes
  • Collects and reports information from other risk management functions
  Associated with Operational Risk
  • Focus on minimizing losses
  • Monitors and reports on control environment effectiveness
  • Maintains enterprise risk inventory
  • Monitors and reports on risk performance within risk appetite
  Drives Risk Culture
  • Risk Management is practiced across all lines of defense
  • Focus on driving clear business ownership of risks
  • Performance management is designed to promote balanced risk taking
  • Purpose of risk management is to promote risk culture

  12. Maturing Enterprise Risk Management: Do’s and Don’ts
  Do
  • Work back from the customer
    • Developing stakeholder trust is key to sustaining and maturing ERM
  • Identify quick wins and apply an iterative/agile approach to deliver them
  • Focus on end-to-end processes, metrics, and governance first
  • Develop programs that drive clear business accountability for risks
  • Perform regular validation, testing and assurance across the lines of defense
  Don’t
  • Don’t focus solely on internal or external audit/regulatory findings
    • Creates a reactive, piecemeal, crisis management approach, not a holistic and integrated risk framework
  • Don’t start with technology
    • Culture is driven by processes, governance, and metrics, not technology
  • Don’t rely exclusively on high-level ERM leading practices and related regulatory guidance
    • More granular guidance in policies and procedures drives clarity for the business and drives consistency

  13. Attributes of an Effective Risk Culture
  Common Challenges
  • Hesitation to formally identify risks
  • Reluctance to document control weaknesses
  • ERM seen principally as “overhead”
  • Business views ERM as a low-value “documentation exercise”, resulting in low engagement in day-to-day risk identification and escalation
  • Emphasis on risk skills in 1st line hiring/performance evaluation is still low
  Hallmarks of Success
  • Risk culture is set through “tone-from-the-top”
  • Management leads by example and models preferred behaviors
  • “Find it first” business culture
  • Escalation is not limited to formal risk governance channels but exists through all three lines of defense
  • Risk skills and competencies are evaluated in all three lines of defense

  14. 5. How do you manage conduct risk?

  15. Root cause analyses of many recent cases of misconduct in the financial sector suggest that misconduct is not just the product of a few individuals or bad processes, but rather the result of wider organizational breakdowns, enabled by a firm’s culture. ~ Kevin J. Stiroh, Executive Vice President Federal Reserve Bank of New York

  16. Current Challenges in Establishing a Conduct Risk Program
  Defining Conduct Risk
  • Emerging consensus points to employees’ adverse impact on customers, market integrity/fair competition, and public trust
  • Defining conduct risk too broadly risks creating a “Department of Do The Right Thing”
  Distributed Oversight of Conduct Risk
  • Conduct risk has traditionally been managed through a variety of programs, e.g., anti-corruption, internal fraud, and identity and access management, to name a few
  • Creating a single ministry of culture does not necessarily mitigate risk better
  Varieties of Misconduct
  • Illegal conduct such as fraud and bribery
  • Violations of internal policies, e.g. taking risks outside of risk appetite
  • Conduct that breaches public trust or damages reputation where there is no established or clear rule of conduct

  17. An Effective Conduct Risk Program Draws on Foundational Risk Framework Elements
  A healthy organizational and risk culture is necessary but not sufficient to mitigate conduct risk; it does not replace an effective control environment.
  • Clear rules of conduct
  • Measuring and monitoring of key metrics
  • Clear governance structures that promote escalation of cases of misconduct
  • Aggregation and reporting of conduct risk
  Key challenge: meaningful metrics to proactively measure and monitor conduct risk
