Enterprise Risk Management and Culture - Jai Ramaswamy, Managing Vice President - PowerPoint PPT Presentation



SLIDE 1

Enterprise Risk Management and Culture

Jai Ramaswamy

Managing Vice President, Enterprise Risk Management
May 14, 2019

SLIDE 2

Agenda

  1. Who am I?
  2. How did we get here?
  3. What is Enterprise Risk Management?
  4. What is the relationship between Enterprise Risk Management and culture?
  5. How do you manage conduct risk?
SLIDE 3

1. Who am I?

  • Currently Managing Vice President at Capital One for the past 2 ½ years, leading the ERM function
  • Previously Global Head of AML Risk Management at Bank of America
  • Served for over a decade in the Department of Justice catching bad guys
  • Lawyer who came late in life to risk management
  • Current interests involve understanding risks arising from the use and misuse of technology

Confidential 3

This Photo by Unknown Author is licensed under CC BY-NC

SLIDE 4

2. How did we get here?

Misconduct
  • Regulatory Enforcement
  • Focus on Compliance and Operational Risk
  • Internal Controls
  • Criminal Prosecution has proved challenging

Financial Crisis
  • Dodd-Frank
  • Focus on financial risk management
  • “Stress Tests”
  • Volcker rule
  • Consumer Protection

Accounting Fraud
  • Sarbanes-Oxley
  • Criminal prosecution
  • Focus on financial reporting controls and testing

Breach of Public Trust
  • Reputational Harm
  • Focus on what should we do, not what can we do
  • Rules not clearly established

Timeline axis: 2000 to Present (LIBOR/FX)

SLIDE 5

3. What is Enterprise Risk Management?
SLIDE 6

The Evolution of Enterprise Risk Management

Executive Summary from the 2004 COSO Enterprise Risk Management – Integrated Framework: “Among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value.”

Executive Summary from the 2017 COSO Enterprise Risk Management – Integrating with Strategy and Performance: “Organizations need to be more adaptive to change. They need to think strategically about how to manage the increasing volatility, complexity, and ambiguity of the world, particularly at the senior levels in the organization and in the boardroom where the stakes are highest.”

SLIDE 7

The 2017 COSO ERM Framework

Components: Governance & Culture; Strategy & Objective Setting; Performance (Risk Lifecycle); Review & Revision; Information, Communication & Reporting

Governance & Culture
  • Exercises Board Risk Oversight
  • Establishes Operating Structures
  • Defines Desired Culture
  • Demonstrates Commitment to Core Values
  • Attracts, Develops, and Retains Capable Individuals

Strategy & Objective Setting
  • Analyzes Business Context
  • Defines Risk Appetite
  • Evaluates Alternative Strategies
  • Formulates Business Objectives

Performance (Risk Lifecycle)
  • Identifies Risk
  • Assesses Severity of Risk
  • Prioritizes Risks
  • Implements Risk Responses
  • Develops Portfolio View

Review & Revision
  • Assesses Substantial Change
  • Reviews Risk and Performance
  • Pursues Improvement in Enterprise Risk Management

Information, Communication & Reporting
  • Leverages Information and Technology
  • Communicates Risk Information
  • Reports on Risk, Culture, and Performance

Enterprise Risk Management
  • Increasing the range of opportunities
  • Increasing positive outcomes and advantage while reducing negative surprises
  • Reducing performance variability
  • Improving resource deployment
  • Enhancing enterprise resilience

Effective Enterprise Risk Management Should Drive Grounded Risk Taking, Not Risk Avoidance

SLIDE 8

SLIDE 9

Common traps to avoid

  • ERM is seen as a function or department
  • ERM maintains a risk inventory but does not connect the dots
  • ERM is focused principally on internal controls
  • ERM becomes a “check the box” compliance exercise

SLIDE 10

4. What is the relationship between Enterprise Risk Management and culture?

SLIDE 11

For culture, the lessons I take from these examples are about the power of simple ideas, responsibility, commitment as represented by skin in the game, accountability. None of these big ideas is new, in fact quite the opposite. Nor do they require sophisticated tools to apply and monitor. They go with the grain of good incentives, and they act to support the public interest and its objectives. But, they do require effective and consistent implementation. This is where good governance comes in, a strong role for senior management and particularly boards.

~ Andrew Bailey, Financial Conduct Authority (U.K.)

This Photo by Unknown Author is licensed under CC BY-SA

SLIDE 12

Maturing Enterprise Risk Management

Drives Risk Culture
  • Risk Management is practiced across all lines of defense
  • Focus on driving clear business ownership of risks
  • Performance management is designed to promote balanced risk taking
  • Purpose of risk management is to promote risk culture

Associated with Operational Risk
  • Focus on minimizing losses
  • Monitors and reports on control environment effectiveness
  • Maintains enterprise risk inventory
  • Monitors and reports on performance within risk appetite

Sets Risk Governance Framework & Methodology
  • Focus on standard setting
  • Credible challenge largely ensured by “check the box” compliance
  • Administers enterprise risk management processes
  • Collects and reports information from other risk management functions

SLIDE 13

Maturing Enterprise Risk Management: Do’s and Don’ts

Don’t
  • Don’t focus solely on internal or external audit/regulatory findings
    • Creates a reactive, piecemeal, crisis management approach, not a holistic and integrated risk framework
  • Don’t start with technology
    • Culture is driven by processes, governance, and metrics, not technology
  • Don’t rely exclusively on high-level ERM leading practices and related regulatory guidance
    • More granular guidance in policies and procedures drives clarity for the business and drives consistency

Do
  • Work back from the customer
    • Developing stakeholder trust is key to sustaining and maturing ERM
  • Identify quick wins and apply an iterative/agile approach to deliver them
  • Focus on end-to-end processes, metrics, and governance first
  • Develop programs that drive clear business accountability for risks
  • Perform regular validation, testing and assurance across the lines of defense

SLIDE 14

Attributes of an Effective Risk Culture

Hallmarks of Success
  • Risk culture is set through “tone-from-the-top”
  • Management leads by example and models preferred behaviors
  • “Find it first” business culture
  • Escalation is not limited to formal risk governance channels but exists through all three lines of defense
  • Risk skills and competencies are evaluated in all three lines of defense

Common Challenges
  • Hesitation to formally identify risks
  • Reluctance to document control weaknesses
  • ERM seen principally as “overhead”
  • Business views ERM as a low-value “documentation exercise” resulting in low engagement in day-to-day risk identification and escalation
  • Emphasis on risk skills in 1st line hiring/performance evaluation is still low
SLIDE 15

5. How do you manage conduct risk?
SLIDE 16

Root cause analyses of many recent cases of misconduct in the financial sector suggest that misconduct is not just the product of a few individuals or bad processes, but rather the result of wider organizational breakdowns, enabled by a firm’s culture.

~ Kevin J. Stiroh, Executive Vice President, Federal Reserve Bank of New York

SLIDE 17

Current Challenges in Establishing a Conduct Risk Program

Defining Conduct Risk
  • Emerging consensus points to employees’ adverse impact on customers, market integrity/fair competition, and public trust
  • Defining conduct risk too broadly risks creating a “Department of Do The Right Thing”

Distributed Oversight of Conduct Risk
  • Conduct risk has traditionally been managed through a variety of programs, e.g., anti-corruption, internal fraud, and identity and access management, to name a few
  • Creating a single ministry of culture does not necessarily mitigate risk better

Varieties of Misconduct
  • Illegal conduct such as fraud and bribery
  • Violations of internal policies, e.g. taking risks outside of risk appetite
  • Conduct that breaches public trust or harms reputation where there is no established or clear rule of conduct

SLIDE 18

An Effective Conduct Risk Program Draws on Foundational Risk Framework Elements

A healthy organizational and risk culture is necessary but not sufficient to mitigate conduct risk – it does not replace an effective control environment

  • Clear rules of conduct
  • Measuring and monitoring of key metrics
  • Clear governance structures that promote escalation of cases of misconduct
  • Aggregation and reporting of conduct risk

Key challenge: meaningful metrics to proactively measure and monitor conduct risk

SLIDE 19

The “Big Data” Revolution

  • Employers have a wealth of data, from employee communications to length of time spent at the desk and patterns of entering and leaving the building
  • Although the approach is still in its infancy, machine-learning algorithms can be used for behavioral analysis to proactively detect misconduct
  • Behavioral science is being increasingly leveraged to understand and mitigate conduct risk

I would say to my team I want data, I want numbers and I want stories, and this is what I want to combine. I then get a feel, a picture of patterns around behaviors and I can pin down the most important patterns, and also pin down the impact of these patterns. And then I try to understand something about the risk.

~ Mirea Raaijmakers, Global Head of Behavioral Risk, ING, and Former Supervisor with the Dutch National Bank

SLIDE 20

Right-Sizing Conduct Risk

  • Perception of excessive surveillance undermines organizational trust and cohesiveness
  • Can drive a risk-averse culture if every mistake is perceived to be a catastrophic risk
  • May create a disincentive to report misconduct, resulting in less effective identification and management of conduct risk
  • But behavioral science can potentially be used to incentivize good behavior, not merely penalize misconduct