Implementing Enterprise Risk Management. Lam James


ERM's role increasing within organizations and across industries, the roles of the board and upper management have to adapt. Certainly, the CRO bears the brunt of this change, but the CEO, CFO, and board of directors all find that ERM is taking a more prominent position in their priorities. Here's how these parties will increasingly work together as ERM becomes embedded in corporate culture.

      The CRO carries the central responsibility of ensuring that each gear in the ERM process is meshed and moving properly. He or she develops the risk appetite statement (RAS) in collaboration with the CEO and the CFO to ensure that it complies with regulations, current markets, and the organization's business strategy and objectives. The CRO monitors the risk climate, ensures compliance with regulations, sees that the firm operates within its risk appetite, and keeps the CEO and the board of directors well informed through established reporting processes.12

      The CEO in turn sets “the tone from the top” in words and actions. He or she sets the appropriate business and risk management objectives, holds organizational leaders accountable for their decisions and actions, and ensures that a strong risk culture is in place. The CFO is responsible for incorporating the RAS into financial decision making, including investment, funding, and hedging strategies. If risk exposures exceed the RAS, the CFO, along with the CRO, must take mitigating action and bring it to the attention of the CEO and board.

      Finally, the board of directors provides risk governance, independent oversight, and credible challenge. It reviews the RAS for compatibility with the organization's goals, approves it, and holds senior management accountable for its implementation. The board monitors the business plans against the RAS to check if they are aligned. The board also provides oversight of key business, regulatory, and reputational risk issues, as well as monitors the organization's ERM effectiveness and risk culture.

      As we've seen, ERM is providing value for a large number of corporations despite its current challenges. But it is my view that we're really just beginning to see how much value ERM can offer. In less than a decade, risk management has risen to the top of corporate agendas for senior management and the board across all industry sectors. What form are these efforts taking? This question will be the focus of the next chapter, in which we'll take a deeper look at the economic, financial, and cultural drivers that are changing the face of enterprise risk management.

CHAPTER 2

      Key Trends and Developments

      INTRODUCTION

      The world of risk management fundamentally changed in late 2007 with the onset of the global financial crisis. Longstanding financial institutions such as Lehman Brothers and Washington Mutual were left to fail, while many other banks and non-banks received bailouts from nervous national governments around the world. It was clear that excessive debt and fatally compounded risks were the primary drivers of the crisis. What's more, a relatively strong global economy had disguised the fact that many institutions were betting on unsustainable levels of growth in pursuit of greater market share and increased profitability. In this chapter, we'll review the lessons learned from the financial crisis and other corporate disasters, and how the practice of enterprise risk management has fundamentally changed.

      LESSONS LEARNED FROM THE FINANCIAL CRISIS

      The economic landscape that emerged following the Great Recession was vastly different from what existed prior to the 2007–2008 period. Regulators demanded that banking institutions increase capital and liquidity reserves, enhance transparency, curb risk appetite, and tighten controls. This had positive as well as negative effects. On the positive side, the regulations provided a basis for forward-looking analysis such as stress testing and scenario modeling. On the downside, however, many companies failed to take these hard-won lessons to heart, focusing exclusively on meeting regulatory requirements without considering ERM in a broader, more strategic context. In addition, many firms effectively overreacted to the economic hardship that followed the crisis. Rather than becoming risk-smart, they became risk-averse. Without risk, of course, there can be no reward, so these companies stumbled on without much of a strategic outlook beyond mere survival.

      In all, seven fundamental trends emerged after the financial crisis that together have shaped the practice of risk management for the past decade:

      1. Much stricter compliance requirements

      2. Increased board-level risk oversight

      3. Greater risk management independence

      4. Focus on enterprise-wide risk management

      5. Improved board and management reporting

      6. Creation of objective feedback loops

      7. Better incentive compensation systems

      Below, we'll take a look at each of these in greater detail.

      Much Stricter Compliance Requirements

      For better or worse, compliance quickly became a primary driver of risk management. The formalization of heightened regulatory scrutiny in the financial services industry fundamentally increased the scope and responsibility of the risk management function. The same held true in other sectors as well. The insurance industry, for example, implemented the Own Risk and Solvency Assessment (ORSA) in order to determine the ongoing solvency needs of insurance institutions with regard to their specific risk profiles.

      Compliance with laws and regulations is an important objective in any risk management program, but we must remember that it is a necessary but insufficient condition for success. Regulations are blunt instruments designed to establish minimum standards for an entire industry, but they don't always represent best practices. For example, banking regulators established Basel II, and more recently Basel III, to link regulatory capital requirements with a bank's risk profile. However, leading banks have developed more sophisticated economic capital models that better represent the risk-return economics of their businesses. Moreover, new regulations often overreact to past problems. The Sarbanes-Oxley Act (SOX), for example, was enacted in the aftermath of accounting frauds at large corporations such as Enron and WorldCom. While accounting controls are important, they are only a subset of operational risk management techniques, and operational risk is itself a subset of enterprise-wide risks. In fact, one can argue that the emphasis on accounting controls in the post-SOX period has been misguided, given that risk is mainly driven by future events, whereas accounting statements reflect past performance. In order to be effective, a risk management program must be forward-looking and driven by the organization's business objectives and risk profile, not by regulatory requirements.13

      Increased Board-Level Risk Oversight

      These new laws and regulations also shaped risk governance and oversight at the board level. Section 165 of the Dodd-Frank Wall Street Reform and Consumer Protection Act specifies that “FRB (Federal Reserve Bank) must require each publicly traded bank holding company with $10 billion or more in total consolidated assets…to establish a risk committee [of the board]…Risk committee must…include at least 1 risk management expert having experience in identifying, assessing, and managing risk exposures of large, complex firms.”14

      According to PwC's 2014 corporate directors survey, boards are becoming increasingly uncertain that they have a solid grasp on their company's risk appetite, with 51 % saying they understand it “very well” in 2014, down from 62 % in 2012.15 It seems that boards are beginning to recognize that it's not enough to be the “audience” with respect to risk reporting and updates, but they must become active “participants” in providing credible challenges and setting policies and standards.



12. “Principles for an Effective Risk Appetite Framework,” Financial Stability Board, 2013.

13. Lam, James. “What Is Wrong with Risk Management? The Reasons Why Risk Management Should Take a Front Seat in Today's Corporate Decision Making,” Association for Financial Professionals, 2009.

14. Dodd-Frank Wall Street Reform and Consumer Protection Act (H.R. 4173 (111th)), 2010.

15. “Trends Shaping Governance and the Board of the Future: PwC's 2014 Annual Corporate Directors Survey,” PwC, 2014.