The Future of Banking April 26, 2018 How to Utilize ERM to Invoke a - - PDF document


WELCOME

The Future of Banking

April 26, 2018

How to Utilize ERM to Invoke a Positive Change Within Your Institution

Steven Bank and Jessica Miller April 26, 2018


Agenda

  • Current Risk Landscape
  • Key Risk Areas for Financial Institutions
  • Managing and Monitoring Risk through ERM
  • Benefits and Successful Use of ERM


Bio for Steven Bank

  • Risk Advisory Services Manager with Schneider Downs – September 2016
  • Prior: Risk and Control Director – JP Morgan Chase Mortgage Bank
  • 25+ Years in Internal Audit and Risk Advisory Management
  • Prior experience as a controller with a large public manufacturing company.
  • Strong background and experience overseeing and conducting risk mitigation strategies including enterprise risk management program implementations, risk-based internal audits, process improvement reviews and governance risk and control activities to help companies improve their operational, financial and regulatory processes and oversight.
  • Certified Public Accountant (OH) and Certified Internal Auditor


Bio for Jessica Miller

  • Risk Advisory Services Manager with Schneider Downs – June 2013
  • Prior: PNC Bank
  • 10 Years in Internal Audit and Risk Advisory Management
  • Previously worked for a large regional, publicly-traded financial institution with products and services in consumer and commercial banking. Previous to that, worked for a small regional accounting firm specializing in community and regional banking.
  • Strong background and experience in banking including creation and monitoring of the annual risk assessment and annual audit plan, management of audit execution, as well as providing periodic reporting, industry hot topics and training to boards and audit committees.

  • Graduate of the ABA National School of Compliance
  • Certified Financial Services Auditor


Current Risk Landscape for Financial Service Organizations

Current Landscape

  • Political (regulatory), economic and technological environment
  • Race to stay ahead of competitors
  • Technological advances to customers.

Resulting Risk to Organization

  • Challenges to effectively monitor and manage risks.
  • Understanding impact on the organization and customer


Points of Focus for Current Regulatory Agenda

  • Cybersecurity
  • BSA/AML/OFAC, and Fair Lending
  • Easing burden to lend money
  • Regulatory relief


Key Risk Areas for Financial Service Organizations

  • Cyber Security Risk
  • Changes in Regulatory Landscape Risk
  • Strategic Risk
  • Liquidity Risk and Capital Availability
  • Market Risk
  • Credit Risk
  • Operational Risk
  • Technology Risk
  • End User Computing (EUC) Risk
  • Vendor Management Risk
  • Reputation Risk
  • Culture Risk
  • Human Capital Risk


Polling Question Setup

Please text SCHNEIDERDOWNS to 22333. This will allow you to answer the polling questions that we have designed for this presentation.


Cyber Security Risk

Remains the top concern for Financial Services companies and regulators.

  • Innovative technologies to compete in the market and provide advanced end-user capabilities.
  • Organization adapting to keep up with the changing times.
  • Users opting to use online technologies and applications


Changes in Regulatory Landscape Risk

Primary Concerns:

  • Constant changing of rules and regulations
  • Increased scrutiny of regulators


Changes in Regulatory Landscape Risk

Examples – Current Regulatory Requirements:

  • Capital and Liquidity: CCAR, DFAST, Basel III, Basel IV, Recovery and Resolution Plans
  • Credit Risk: IFRS 9/CECL
  • Market Risk: FRTB
  • Cyber: NY Cybersecurity Rule 23 NYCRR 500
  • Privacy/Third-Party Risk – GDPR


Reputation Risk

Primary Concern: Reputational damage can occur from a multitude of symptoms

  • Fraud
  • Cyber crimes
  • Operational breakdowns
  • Third parties


Managing and Monitoring Risk through ERM

Incorporation of an Entity-Wide Enterprise Risk Management (ERM) Program


What is Enterprise Risk Management (ERM)?

  • A continuous process to identify, analyze, mitigate and monitor potential events that create uncertainty in the achievement of an organization’s business objectives.
  • An approach for evaluating risks within each business function to evaluate whether the risks being taken are too little or too much.


Key Drivers of ERM

  • Protection of Life and Limb
  • Protection of Capital
  • Maximization of Earnings
  • Achievement of Strategic Goals and Objectives
  • Stakeholder Expectations
  • Compliance with Laws and Regulations


Where is Your Organization’s Weak Link in Managing Risk?


Incorporation of an Entity-Wide ERM Program

The need to understand the critical risks we face

  • ERM provides a holistic organizational view of risk
  • Risk should be understood and measured
  • Preserves value and reduces downside exposure
  • Connects risk, strategy and decision-making to enhance organizational performance.


What is COSO ERM 2017?

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Provide thought leadership through the development of frameworks
    – Enterprise risk management
    – Internal control and governance
    – Fraud deterrence
  • Provide management with a holistic view of risk throughout the organization
  • Consider risk in strategy setting and driving performance


What is COSO ERM 2017?

Framework organized into 5 interrelated phases:

  1. Governance and Culture
  2. Strategy and Objective Setting
  3. Performance of a Risk Assessment
  4. Information, Communication and Reporting
  5. Review and Revision


Governance and Culture

  • Governance – the organization’s tone, oversight for ERM

  • Culture – ethical values, desired behaviors


Governance and Culture

During this Phase:

  • Define responsibility for oversight and governance of the ERM program
  • Establish the operation structure for the organization
  • Define, assess and drive the desired culture
  • Define the organization’s:
    – Mission Statement
    – Vision
    – Core Values
  • Define approach for obtaining resource talent


Strategy and Objective Setting

Enterprise risk management, strategy and objective setting work together in the strategic planning process.

  • A risk appetite is established and aligned with strategy;
  • Business objectives put strategy into practice while serving as a basis for identifying, assessing and responding to risk.


Strategy and Objective Setting

During this phase:

  • Define key strategies for achieving organizational success
  • Align to the mission statement, vision and core values
  • Establish business objectives to achieve strategies
  • Set risk measurement (risk appetite) statements
  • Define performance measures


Performance Measures

Aligning performance with the business objectives:

  • Develop key performance measures
  • Define performance targets
  • Determine risk tolerances
  • Develop key risk indicators
  • Establish monitoring
  • Define actions when thresholds are exceeded


Performance of a Risk Assessment

During this phase - For each key business function:

  • Assess inherent risk for critical risk factors
    – Business Impact
    – Probability of Occurrence
    – Velocity of Onset to the Business
    – Frequency of Occurrence

  • Identify all critical risks
  • Prioritize the critical risks
  • Determine risk responses


Identifying the Risks


Traditional vs. Leading Edge Risk Types

  • Strategy
  • Culture/Conduct
  • Human Capital
  • Operational/Transaction
  • Vendor/Sub-contractor
  • Interdependencies on other units
  • Financial Capture and Reporting
  • Technology
  • Advancing the Cause
  • Environmental
  • Market/Price
  • Legal/Regulatory
  • External - Competitors/Economy/Innovations
  • Liquidity
  • Reputation
  • Fraud
  • Waste and Mismanagement
  • Safety and Security
  • Other

Financial, Operational, Compliance

Traditionally, risk was viewed more from a financial risk perspective. The new standard is to look at risk throughout the enterprise.

Identifying the Risks


Traditional vs. Leading Edge Technology

  • Privacy and Security
  • Social Media and Networking
  • Mobile Devices
  • Malware and Viruses
  • Spam, Scams and Phishing
  • Corporate Espionage
  • Regulatory (ERM)
  • Cloud Computing
  • Hardware and Software Failure

Technology


Information, Communication and Reporting

Enterprise risk management requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down and across the organization.


Information, Communication and Reporting

During the Phase: Communication from the ERM program is continuous – upwards and downwards

  • Results from monitoring
  • Actions to address out of tolerance results
  • Inherent risk and residual risk results
  • Results from control assessments
  • Changes in business strategy, business objectives, policies and procedures, performance measurements, processes and controls


Review and Revision

By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.


Review and Revision

ERM is a continuous process


Review and Revision

For the ERM program to remain relevant:

  • Keep up with evolving organization
  • Design function(s) responsible for upkeep
  • Maintain and assess the ERM program and all components


Pros and Cons of ERM

Pros

  1. Visibility and understanding of the critical risks that impact the organization
  2. Ability to proactively address risk events with defined action steps
  3. Making informed risk-based decisions to grow the business and respond to changing business demands
  4. Improved Regulator Confidence


Pros and Cons of ERM

Cons

  1. It’s not practical or too complex to implement.
  2. It’s too costly to implement. Executive leadership won’t provide resources.
  3. No one wants to own it.


Successful Use of ERM

Risk Area: Liquidity Risk and Capital Availability

Business Objective: Capital Growth

Risk: Capital is not effectively utilized for growth of business

Measurement: Capital Adequacy Ratio

Percentage of Capital to Risk-Weighted Assets

Target Range: 8 – 10%

Action: Communicate with ALCO Committee when ratio is higher. Focus on opportunities for better use of capital to grow the business.


Successful Use of ERM

Risk Area: Human Capital Risk

Business Objective: Talent Acquisition to Implement Growth Strategies

Risk: Ability to retain talent

Measurement: Turnover by business function

Target Range: 10 – 15% year

Action: Human Resources and business unit management alerted; root cause investigation performed; corrective actions implemented


Successful Use of ERM

Risk Area: Vendor Management Risk

Business Objective: Use of Third Party Vendors to Perform Secondary Business Functions To Lower Costs

Risk: Untimely service delivery resulting in dissatisfied customers

Measurement: Service days past due

Target Range: 0 days past due

Action: Past due delivery identified in daily management dashboard; root cause investigation performed; corrective actions implemented


Benefits of ERM

Benefits of Integrating an Effective Enterprise Risk Management program:

  1. Creating a risk focused culture
  2. Identifying and Addressing Risk Events
  3. Increasing the range of opportunities
  4. Identifying and managing risk entity-wide
  5. Increasing positive outcomes and advantage while reducing negative surprises
  6. Reducing performance variability
  7. Improving resource deployment
  8. Strong focus on business goals and adding value


Thank you for your time!

Any questions?


THANK YOU FOR ATTENDING.

Don’t forget to fill out your evaluation form.