Managing Risks in Today's Turbulent Economy
DELVACCA Inaugural In-House Counsel Conference
Patrick T. Finegan
April 1, 2009
© 2009 Towers Perrin
Risk management as a discipline is under siege
There is widespread concern that something is wrong with risk management practices in corporate America.
From journalists, policymakers and investors
From management
— Towers Perrin and CFO Research interviewed 125 finance executives immediately following the collapse of Lehman Brothers in September 2008.
— 72% expressed concern about vulnerabilities in their own risk management practices.
— 62% stated that their companies would change risk management practices as a consequence of the financial crisis.
Corroborated by a surge in requests for proposal
Yet the precise dimensions of what went wrong and what companies should do remain elusive.
This raises the question of whether any amount of energy and investment could protect a company against the wrenching dislocations of another financial crisis.
And it creates a healthy sense of humility about attempting to describe risk management “best practices.”
Reliance on dated risk management standards (or “best practices”) is part of the problem
There is growing uneasiness that COSO and its brethren:
Defined risk poorly
Categorized risk factors in a manner unsuited to effective economic analysis, assignment of responsibility, and identification of important interdependencies
Contributed to a highly tactical, compliance-oriented approach to risk identification, measurement and management
Created a false sense of security
Enterprise risk management (ERM) is a young discipline that has only partially evolved
[Chart: stages of ERM maturity plotted against the link with strategy (Low, Medium, High). The stages run from Compliance and Loss minimization, through Risk management and Risk measurement, to Strategic integration and Return optimization; the chart groups them under Risk control, Balance sheet protection, Risk/return optimization and Value creation. The earlier stages are marked as the industry standard in the last 5 – 10 years, the later stages as the industry standard in the next 5 – 10 years, with "Today" marked between them. Source: Standard & Poor's.]
What we have learned so far: why risk management programs fail, and why they succeed
Risk Management Foundation
Why programs fail:
— Poorly defined objectives
— Ineffective reporting systems, tools, staffing
— Compliance-focused
— Not all risks identified or well understood
Why programs succeed:
— Consistent economic framework for defining, measuring, prioritizing and controlling risks
— Regular and systematic examination of risks on a consolidated enterprise basis
Risk Management Governance
Why programs fail:
— Disjointed, overlapping or conflicting task forces, responsibilities and controls
— Perfunctory involvement by senior management and the board
Why programs succeed:
— Clear line-of-sight assignment of responsibility and accountability for key risks
— Senior risk officer charged with supervising all risks, independent of operations, with a dotted line to the board
Risk Management Culture
Why programs fail:
— Weak, inconsistent tone from the top
— Limited consideration of risk in strategic decision-making
— Limited employee risk awareness or concern
— Open communication discouraged
Why programs succeed:
— Leadership and active involvement by the CEO and board of directors
— Integration of risk management practices into strategic decision-making processes
— Well-developed risk culture
Risk Management Metrics
Why programs fail:
— Inconsistent risk metrics and controls
— Metrics not well understood or monitored
Why programs succeed:
— Simple, well-designed risk dashboards
— Risk management metrics embedded into forward-looking investment decisions and performance management assessments
Risk-Reflective Pay
Why programs fail:
— Poor alignment of employee incentives with risk management objectives and parameters of acceptable risk
— Payout of short-term incentive awards based on unsustainable profits
Why programs succeed:
— Rewards that encourage risk-taking within established parameters
— Incentives based on defined risk-reflective metrics, calibrated properly given business risks
— Timing of incentive payouts that allows for realization of the impact of risk
Effective risk management focuses on tail events, not expected losses
An entire generation of risk managers has been trained under COSO and other “standard-setting” frameworks to use “likelihood x impact” heat maps in setting risk priorities.
The result has been strong micromanagement of admittedly important periodic loss exposures, but weak and/or haphazard preparation for seismic, once-in-a-lifetime events.
[Figure: two 3×3 grids side by side. COSO: Likelihood (Low 1, Med 2, High 3) against Impact (Low 1, Med 2, High 3), each cell scored likelihood × impact (1, 2, 3, 4, 6 and 9). Modern ERM: Frequency (Low 1, Med 2, High 3) against Severity (Low 1, Med 2, High 3), with three of the nine cells marked n/a.]
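To make the contrast concrete, here is an added example that is not part of the Towers Perrin deck. It scores a small risk register three ways: a COSO-style likelihood × impact heat-map score, the expected annual loss, and a tail measure (the 99th-percentile annual loss). The register, the bucket thresholds and the Poisson frequency model with a fixed loss per event are all assumptions made for illustration; the point is that the ordinal product of two buckets cannot tell a frequent nuisance apart from a rare catastrophe, and that ranking on expected loss does not fix that.

```python
"""Heat-map score vs. expected loss vs. tail loss for a constructed risk register.

Added example, not from the original presentation. The register, thresholds and
the Poisson(rate) x fixed-severity loss model are illustrative assumptions.
"""
import math

# Constructed risk register: (name, events per year, loss per event in dollars).
RISKS = [
    ("Lost laptops", 10.0, 50_000),                 # frequent, cheap
    ("Payment-card breach", 0.2, 2_000_000),        # occasional, costly
    ("Loss of primary data centre", 0.02, 15_000_000),  # rare, catastrophic
]


def bucket(value, thresholds):
    """Map a value onto the 1/2/3 (Low/Med/High) scale a heat map uses.

    thresholds = (upper bound of Low, upper bound of Med); above that is High.
    The bounds are assumptions chosen for this example.
    """
    low, med = thresholds
    if value <= low:
        return 1
    if value <= med:
        return 2
    return 3


def heat_map_score(rate, severity,
                   rate_thresholds=(0.1, 1.0),
                   sev_thresholds=(100_000, 10_000_000)):
    """COSO-style likelihood x impact score, an integer from 1 to 9."""
    return bucket(rate, rate_thresholds) * bucket(severity, sev_thresholds)


def expected_annual_loss(rate, severity):
    """Mean annual loss when the event count is Poisson(rate)."""
    return rate * severity


def poisson_quantile(rate, p):
    """Smallest n with P(N <= n) >= p for N ~ Poisson(rate), computed exactly
    from the recurrence pmf(n) = pmf(n-1) * rate / n (no SciPy needed)."""
    n = 0
    pmf = cdf = math.exp(-rate)
    while cdf < p:
        n += 1
        pmf *= rate / n
        cdf += pmf
    return n


def tail_annual_loss(rate, severity, p=0.99):
    """Annual loss at the p-th percentile: for p=0.99 a '1-in-100-year' loss."""
    return poisson_quantile(rate, p) * severity


def rank(risks, key):
    """Risk names ordered from highest to lowest under the given measure."""
    return [name for name, _, _ in
            sorted(risks, key=lambda r: key(r[1], r[2]), reverse=True)]


def compare(risks=RISKS):
    """Ranking of the register under each of the three measures."""
    return {
        "heat_map": rank(risks, heat_map_score),
        "expected_loss": rank(risks, expected_annual_loss),
        "tail_loss": rank(risks, tail_annual_loss),
    }


if __name__ == "__main__":
    for name, rate, sev in RISKS:
        print(f"{name:30s} score={heat_map_score(rate, sev)} "
              f"EL=${expected_annual_loss(rate, sev):>12,.0f} "
              f"P99=${tail_annual_loss(rate, sev):>12,.0f}")
    for measure, order in compare().items():
        print(f"{measure:14s} {' > '.join(order)}")
```

With these inputs the heat map ranks the breach first and ties the laptops with the data centre at a score of 3, expected loss also puts the data centre last, and only the tail measure puts it first. One caveat a practitioner should keep in mind: the percentile must lie beyond the return period of the event you care about. For a true 1-in-100-year event (rate 0.01) the chance of at least one occurrence in a year is 1 − e^−0.01 ≈ 0.00995, so the 99th percentile of annual loss is zero and the event is invisible; use a higher percentile or a conditional tail expectation for such risks.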
The typical risk map is a jumble of contributory factors, loss events, and direct and collateral consequences
There is no clear way to assign responsibility or evaluate interconnections.
Effective ERM requires a structured way of thinking about risk — a sound risk “taxonomy”
[Figure: the taxonomy arranged left to right as Causes (contributory factors), Events, and Effects (consequences).]
Contributory factors:
— Insufficient training
— Lack of management supervision
— Inadequate auditing procedures
— Poor HR policies
— Poor systems design
— Inadequate segregation of duties
— Insufficient risk monitoring
Events:
— Internal Fraud
— External Fraud
— Employment Practices and Workplace Safety
— Clients, Products and Business Practices
— Damage to Physical Assets
— Business Disruption and System Failures
— Execution, Delivery and Process Management
Consequences, monetary losses:
— Legal Liability
— Regulatory, Compliance and Taxation Penalties
— Loss or Damage to Assets
— Restitution
— Loss of Recourse
— Write-down
Consequences, non-monetary losses:
— Reputation
— Business Interruption (forgone income)
A sound risk taxonomy clarifies interdependencies and facilitates line-of-sight responsibility
Mutually exclusive, collectively exhaustive set of events
Better ability to anticipate (and prepare for) perfect storm and/or Black Swan conditions
[Figure: schematic of the taxonomy applied to a register. Factors 1 – 4 link to Risk Events 1 – 3, which link to Consequences 1 – 6; the diagram labels two regions Systemic Risk and Concentration of Risk.]
What companies get from their ERM investment:
Value proposition: more durable and higher quality of earnings; more efficient operations
Evidence:
— Increasing body of research demonstrating significant improvements in share price, quality of earnings, and dollar savings from concentrating risk management resources around risks that matter, improving the "risk-awareness" of incentives, and reducing the incidence and impact of loss events
Value proposition: improved standing among stakeholders, regulators and trade partners
Evidence:
— Heightened interest by upper management, directors, capital providers and important third parties, including trade partners
— Heightened interest by regulators and other governmental bodies
Value proposition: lower cost of capital; better access to the capital markets
Evidence:
— Strong empirical evidence that good risk management practices strengthen credit ratings
— Stated ERM requirements of Standard & Poor's and Moody's
Value proposition: sustainable long-term ability to grow the business
Evidence:
— Strong inverse correlation between long-term corporate survival and the incidence of risk events
— Empirical evidence that strong risk governance, incentives and culture improve revenue productivity
Value proposition: fewer catastrophes, and better management of those that occur
Evidence:
— Strong anecdotal evidence that ERM can improve preparedness against massive loss events, e.g., the ability of ERM leaders in the insurance industry to reserve losses from Hurricanes Katrina and Rita more accurately than ERM laggards
Diagnostic questions for your organization
Towers Perrin co-sponsored the most recent global risk briefing by the Economist Intelligence Unit, a unit of The Economist.[1] In that briefing, the author compiled a list of questions that should be fully and candidly assessed in determining whether a company has effective risk governance.
The questions are divided into multiple callouts (or “shout boxes”), but have been extracted, paraphrased and/or copied here into a single table (next 4 slides).
Together, the questions present a diagnostic of the health of your enterprise risk management system.
[1] Robert Mitchell, “Risk and recovery: Practical lessons for the morning after,” Economist Intelligence Unit Global Risk Briefing, March 23, 2009.
Diagnostic questions for your organization (continued)
Risk focus
— Have you properly identified your main risks? Are you confident that senior management and the Board of Directors are aware of these risks, their severity, and the potential impact on the business?
— Does the filtering of information as it rises through the organization handicap the ability of senior management and the Board of Directors to manage risk effectively?
Risk authority
— Do risk professionals have appropriate authority within the organization? If a problem with potentially damaging reputational and/or financial consequences arises, are there adequate processes in place to escalate the issue to senior management?
— Are there appropriate independent committees in place to review risk management practices?
— Is there an individual, independent of operations, who is responsible for risk management across the Company? Does he or she have direct access to the Board?
Source: Robert Mitchell, “Risk and recovery: Practical lessons for the morning after,” Economist Intelligence Unit Global Risk Briefing, March 23, 2009
Diagnostic questions for your organization (continued)
Risk information
— What information does the Company use to assess its risk position?
— Are the sources of information generally accepted, and are they tested against other sources to ensure validity?
— Does the Company rely overly on historical data?
— How dependent is the Company on human instinct and judgment in identifying and assessing risk? Does the weighting of qualitative and quantitative risk inputs seem appropriate?
Risk culture
— What is the standing of risk management in the Company? How close is it to the business?
— To what extent is risk management seen as a support function? Would closer integration with the business lead to it having a more strategic role? In what ways might this benefit the Company?
— How do employees and lower-level managers perceive the Company’s commitment to effective risk management?
Diagnostic questions for your organization (continued)
Risk framework
— Are risks identified and aggregated centrally and subject to an enterprise-wide view?
— Do you understand the interaction between different risk categories and the way in which events in one part of the business can increase the frequency or severity of events elsewhere?
— Is there a common language of risk to ensure clarity of understanding across the Company? Does it relate to measures that investors and rating agencies care about, such as financial stability and the return on capital? Is there a logical and usable risk taxonomy?
— Do you have the IT infrastructure and analytics to support risk aggregation and the effective communication of risk information?
Risk strategy
— Does senior management devote time to studying market, political and economic scenarios, and the impact of these scenarios on their business? Should this exercise be formalized?
— To what extent are different scenarios considered when setting long-term strategy? Is there a tendency to rely on an “official future” rather than test the business model against other plausible assumptions?
— Does senior management seek a range of views and perspectives in order to test its assumptions?
Diagnostic questions for your organization (continued)
Risk agility
— How frequently does the Company review and update assumptions about the risk environment? Is this process frequent enough, given current external conditions?
— How is information about the changing risk environment communicated to senior management?
— To what extent do changes in the external risk environment lead to changes in risk management priorities and processes?
Risk-reflective pay
— How is the link between corporate performance and compensation made? Are the right indicators being used throughout the Company, and are incentive programs designed in such a way that they motivate and reward, but do not encourage behavior that is detrimental to long-term shareholder interests?