erm2012_day2_07-raj_parthasarathy_protiviti_member_firm by saad alshammari

Changing contours of Changing contours of Enterprise Risk Appetite Towards a dynamic framework in uncertain times 27 November 2012 Raj Parthasarathy – Director, Risk Advisory Raj Parthasarathy – Director Risk Advisory

Agenda Agenda

S.No

Key lessons from the financial crisis

Key responses from regulators

Significance of risk appetite framework

Overview of a holistic risk appetite framework

Stylized risk appetite indicators

Appendix: About Protiviti

Key lessons from the financial crisis (1/2) Key lessons from the financial crisis with linkage to the establishment of a robust Risk Management Framework, Framework and in particular a Risk Appetite Framework, has been depicted below ►

Driven by easier availability of liquidity, firms mis‐perceived the risk environment by either not considering additional risks underlining business expansion or lowering tolerance levels on key risks despite no change in risk fundamentals

►

Firms exhibited an inadequate ability to adjust their business plans and revise their h i risk i k strategy in i line li with i h changing h i business b i conditions di i and d indications i di i off impending onset of a downturn due to insufficient understanding of the macroeconomic environment

►

Strategies framed during the upswing of the cycle preceding the financial crisis mis‐estimated the time horizon for which the prevailing conditions and the nature, and severity of the risks facing the organization and the firm’s vulnerability to the prevailing risks

►

Firms took risk above levels that capital, liquidity and risk management capabilities could bear. bear

Mis‐assessment of the risk environment risk environment

Inability to adjust risk y j tolerances to changing fundamentals

Mis‐estimation of time horizon for risks

Risk capacity misalignment

Key lessons from the financial crisis (2/2) Key lessons from the financial crisis with linkage to the establishment of a robust Risk Management Framework, Framework and in particular a Risk Appetite Framework, has been depicted below

Inadequate board level oversight

Insufficiently rigorous y g management and control processes

Misalignment of Boards’ risk perception and operational level risk perception

►

The board of directors, as the key custodian of shareholder interests , was not adequately connected via monitoring of adherence to the entity risk strategy by the management and business units .

►

Control and management processes constraining business activities to the prevailing ili risk i k environment i were either i h inadequate i d or not sufficiently ffi i l enforced; f d Changes to the business model of the company like products, geographies and business lines without understanding the underlying risk

►

Entity’s appetite for risk and extent of risk taking tolerance as articulated by the board was not adequately translated into executable and monitorable implementable steps at the unit level leading to a misalignment in the actions of the firm by the business and the vision and strategy of the firm

Sources: Protiviti internal research, Walker committee report, Basel committee principles on corporate governance, Institute of Risk Management (IRM) papers

The key lessons of the financial crisis reflect the need to develop a well-integrated risk appetite framework which allows ll f articulation for ti l ti off a comprehensive h i risk i k taking t ki capacity it att the th strategic t t i level l l and d effectively ff ti l translates t l t it to t implementable and monitorable control processes at the unit level 4

Key responses from regulators and guiding organizations o ga at o s As a response to the financial crisis, regulators, government authorities, international institutes and inter‐government bodies issued a series of regulations, recommendatory papers and committee reports which detailed guidelines for strengthening crisis prevention and management. Some of the key guidelines/recommendations are given below : B C itt Basell Committee Banking Supervision

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Enterprise Risk Management: Understanding and Communicating risk appetite, 2012

Walker committee report

A review of corporate governance in UK banks and other financial industry entities, 2009

European Authority (EBA)

Guidelines on Internal Governance: GL 44, 2011

Banking

Institute of International Finance

Principles for enhancing Corporate Governance, 2010

Implementing robust Risk Appetite frameworks to strengthen financial institutions (2011)

Core Components of Risk Management p g The Board has the primary responsibility in setting the risk appetite and tolerance limits

The senior management establishes a method to monitor the firm's compliance to policies, particularly in regard to risk management

A dedicated risk management function should be formed with sufficient authority, stature, independence, resources and access to board

The sophistication of the risk management infrastructure should keep pace with the changing risk profile and to the external risk landscape

Robust risk appetite framework

Significance of risk appetite framework One of the fallouts of the financial crisis and the regulatory response to it has been the need for an integrated risk appetite framework to manage the existing and changing vulnerabilities of the firms to their risk environment. The need for an integrated risk appetite framework by the different sectors of the economy are detailed below:

Financial Institutions

Energy

• Financial institutions are vulnerable to a series of risks due to high leverage, binary payoffs of assets and the role of banking activities in the liquidity and financial stability of the system (due to the banks basing spreads on liquidity matching)

• The energy segment, especially oil and gas sector faces significant vulnerability to risk due to the nature of business environment, cost structures and demand cycles. Uncertainties in return s on investment (for upstream), high sensitivity to demand conditions, volatility in prices, uncertainties in input prices and complexity of operations result in ever‐present vulnerability to the sector

• Manufacturing firms face vulnerabilities due to a changing economic environment due to leveraged expansion, increased competitive conditions, product demand cycles, technological obsolescence, supply shocks (increase in raw material prices, shortage in key inputs, etc) and periodic stresses on cash balances Manufacturing due to operating requirements

Due to the incidence of inherent risks specific to each industry sector, the establishment of a comprehensive risk appetite framework based on the identified risk universe and monitored through tolerance limits, governance structures and measurable indicators plays a crucial role in planning and execution of an entity’s business activities 6

Overview of the risk appetite framework Key components of the risk appetite framework y p pp

Detailing existing risk profile fil

This involves detailing the risk universe comprising of the level and distribution of risks across the entity and across the level and distribution of risks across the entity and across the various risk categories

Assessing risk Assessing risk capacity

This involves assessing and planning the amount of risk that the organization will be able to support with technical and h i i ill b bl ih h i l d human resources in pursuit of its objectives

Articulating risk tolerance

Inculcating attitudes towards risk

This involves setting the acceptable level of variation an entity is willing to accept in its key indicators of risk in pursuit of its objectives

This involves attitudes towards growth, risk and returns as articulated at the board level and its implementation across the organization and as part of the business operations of the organization

RISK APPETITEE

The following elements act as key components of the risk appetite Framework

Overview of the risk appetite framework Linkage of risk appetite and strategy g pp gy

• Where are good growth options • How to optimize the risk‐return trade‐off ?

Where should Where should we allocate excess capital ?

• Where are good growth options • How to optimize the risk‐return trade‐off ?

How much capital do we need ?

The key components of risk appetite, when integrated present crucial links between risk, integrated, risk corporate and finance strategy. • A well integrated risk appetite helps direct corporate strategy towards risk‐adjusted growth p and optimize p returns for shareholders while options limiting the downside • The risk appetite framework also forms the basis for allocation of capital within the organization crucial to the firm's finance strategy • A well developed risk appetite framework also enables the board and senior management to take important decisions on extent of leverage to be undertaken and the allocative basis for a stable growth process. process This has implications on corporate and finance strategy

Overview of the risk appetite framework Operationalizing risk appetite (1/2) p g pp ( / ) The linkages between the risk , corporate and finance strategy define the strategic level of the risk appetite framework. This is the risk appetite as articulated by the board. The Strategic level of the risk appetite is linked to operationalization at the unit level (operational level) via the tactical level. The tactical level represents the translation of the enterprise strategy into measurable, and monitorable indicators and tolerance limits

Strategic • Agree forward looking appetite for taking risk • Constrained optimization of risk‐returns within ik t ithi tolerance limits through ‐ Strategic planning ‐ Budgeting ‐ Proactive Proactive communication

SSetting tti th boundaries the b d i f for long‐term value realization 9

Tactical • Translation of appetite into monitarable risk indicators and corresponding limits • Risk type, product type, business unit, etc • Senior management early warning reporting • Tactical re‐setting of limits • Breach management

Keeping framework aligned to current business conditions

Operational • Cascading of high level limits into operational limits • Monitor against trigger levels • Implementing Implementing escalation procedures for breaches • Contingency plans • Performance incentives and risk‐return target and risk return target alignment

Unit U it decision d ii making ki within ithi agreed boundaries

Overview of the risk appetite framework Operationalizing risk appetite (2/2) STRATEGIC LEVEL

Group strategy

Risk tolerance limits

Strategic Planning Risk profile

Board level risk appetite statement defines risk return objectives based on corporate philosophy and stakeholder interests

Board level risk appetite statement in turn determines the direction in which the businesses will grow. Key elements will include: • Medium term focus • Strategic dialogue including projected impact on key risk indicators • Prospective group‐wide group wide risk map

Medium-term

Capital Allocation Capital is in turn allocated to Business Units to optimize risk‐adjusted profitability. Key elements include: • Assessment of group risk exposure and risk‐adjusted profitability on a consistent basis • Regular g monitoringg of risk exposure p

TACTICAL LEVEL Integration of process and tasks • Forecasting of risk capacity • Scenario definition/analysis • Product and methodology review

• Limits, authorities, controls • Definition of standards and policies p

• Report: Risk profile performance • Identification of BU specific issues

OPERATIONAL LEVEL Business line processes and decision making Day to day activities 10

Department/unit 1

Department/unit 2

Department/unit 3

Overview of the risk appetite framework Monitoring and reporting framework (1/3) g p g ( ) RISK APPETITE MONITORING AND REPORTING STRUCTURE

GOVERNANCE

MONITORING TOOLS MONITORING TOOLS

A three tiered governance structure at strategic level (by the board), tactical level (by management with h escalation l to the board and operational level (risk department and head of department forms the governance structure. The risk department acts as the chief coordinator and enabler of the monitoring function

Monitoring tools include dedicated data systems, monitoring IT applications, standardized dashboards t d di d d hb d presenting a consolidated view of risk appetite adherence, self assessment questionnaires, assessment scoring carried out by risk management, etc

REPORTING

A variegated reporting framework with very frequent reporting cycles at the operational level and decreasing periodicity at tactical and strategic levels. Standardized reporting templates developed and administered d i i d b by risk ik management function in coordination with units. The relevant units will provide inputs

Overview of the risk appetite framework Monitoring and reporting framework (3/3) g p g ( ) An illustrative dash board for the banking sector containing the key risk appetite indicators to be monitored on a periodic and proactive basis with necessary trigger prompts and related action plans is given below Capital Status

Name

Regulatory Capital movement Actual

Target

Variance

Time Period

Regulatory Capital

Nov 12

Market Value

Nov 12

RAROC

Nov 12

30 25 20 15 10 Jan

Credit Risk Status

Name

Actual

Target

Variance

Time Period

Fe b

Mar

A pr

May

J un

J ul

A ug

Sep

Oc t

N ov

De c

J un

J ul

Aug

Sep

Oc t

N ov

Dec

Credit Risk Metric History 3 2.5

Indicator 1

Nov 12

2 1. 5

Indicator 2

Nov 09

1 0.5

Credit Exposure

Nov 09

Market Risk Status

Name

Target

Variance

Time Period

Indicator 1

Nov 09

Indicator 2

Nov 09

VaR

Nov 09

Name

Fe b

Mar

Apr

May

Metric Narrative Actual

The regulatory capital has increased by 53% from January 2009 to December 2009. The highest percentage movement was observed in the period of August to September 2009.

Alerts New: Retail Credit Metrics have fallen beyond targets New: Credit Risk Data Quality metrics are poor (red) status

Operational Risk Status

Jan

Actual

Target

Variance

Time Period

Indicator 1

Nov 09

Indicator 2

Nov 09

Actual Losses

Nov 09

Generate Reports Consolidated Balance Sheet Total Counterparty Exposures Income Statement (Periodic)

Overview of the risk appetite framework Key outcomes from developing risk appetite framework (1/2) Key outcomes from developing risk appetite framework (1/2) Risk as an integral part in key business decisions and performance management

Better process for strategic debate

Understanding drivers of value

Enable senior management discussion on key risks discussion on key risks

• Risk integrated in portfolio management and annual planning/budgeting • Performance management system incorporates risk elements resulting in better comparison across units • Risk accountability across business and risk functions • Consistent capital allocation of resources

• Integration of bottom‐up plans and top‐down targets • Full incorporation of capital and risk strategy • Better linkage between strategy and planning • Consideration of stress testing and valuation

• Identification of key value drivers • Enabling the assessment of the value impact of strategies • Comparison of relative value contribution of businesses

• Enabling monitoring through "Risk Dashboard" highlighting risk positions vis‐à‐vis tolerances g g g • Mechanism for escalating discussion of emerging risks • Tangible metrics enabling real risk related discussions

Overview of the risk appetite framework Key outcomes from developing risk appetite framework (2/2) Key outcomes from developing risk appetite framework (2/2) Better understanding of market

• Enabling estimation of market size • Enabling benchmarking of current market position • Analysis of trade‐offs Analysis of trade‐offs between strategic variables (eg: margins vs growth) between strategic variables (eg: margins vs growth)

Alignment of external and g internal views of risk

• Ensuring prudent alignment and thereby facilitating confident external Ensuring prudent alignment and thereby facilitating confident external communication (analysts, regulators, rating agencies, etc)

Proactive risk oversight over business initiatives

• Firm confident that overall risk profile is appropriate and monitored

Enforcing risk discipline at senior management levels

• Clearly establishing boundaries of strategy • Clear articulation of acceptable levels of risk (through their impact)

Stylized risk appetite indicators (1/3) Risk appetite indicators are the key tactical level element of the risk appetite framework which translate the articulate the risk perceptions and strategy of stakeholders via the board to monitorable and measurable metrics at the unit level. Risk appetite indicators are determined from the risks identified in the risk universe of the entity. Risk appetite indicators are made functional by clearly defined tolerance limits which define the range of deviation accepted by the board. Risks impacting business Risks impacting the business form part of the risk universe facing the firm. The risk universe will differ depending on the industrial sector, nature of macroeconomic environment and the diversity of business lines operated by the firm. The wieghtage ascribed to each risk or the risk prioritization within the risk universe may vary from firm to firm. Risks impacting business are applied taxonomically, either at the entity wide level where a list of sources of risks are mentioned or at the department/unit level where only the risks relevant to the particular unit are detailed.

Risk appetite indicators It is necessary that risk appetite statements be conceptualized in clear‐cut measurable terms which can be monitored on a periodic basis. basis The risk appetite indicator gives the parameter on which the tolerance limits can be applied and the operational indicators like Key Risk Indicators (KRIs) or Key Control Indicators (KCIs) can be derived.

Risk tolerance limits Risk tolerance signifies the boundaries of risk taking outside of which the organization is not prepared to venture in pursuit of its long term objectives. Risk tolerance is encapsulated in terms of very specific limits corresponding to each risk appetite indicator. The risk tolerance limits can be graded as per an escalation matrix, banded within a range or specified as a one‐point numeric or condition

Stylized risk appetite indicators (2/3) Stylized risk appetite indicators and corresponding tolerance limits will differ by industry sector. Here we look at key risk appetite indicators and corresponding limits for the banking and Oil and Gas sector as an illustration Illustrative stylized risk appetite indicators for Banking sector Key Risks Pillar I risks (Credit + Market + Operational) Counterparty credit risk Asset quality risk l k Market risk Operational risk Concentration risk Liquidity risk Interest rate risk Currency risk Compliance risk Earnings risk 16

Key Risk Appetite Indicators

Risk tolerance limits

Capital adequacy ratio

>=14%

Target credit rating

> = Moody's Baa (stable)

Gross NPL ratio

<=4.5% %

Maximum permissible market risk VaR

<=10 million USD

Occurrence of operational risk events recorded in the past month

<= 4

PL ratio

<=39.5%

Maximum cumulative gaps/Total liabilities in all buckets up to one year

<=14.25%

Earnings at risk g

<=16%

Foreign exchange open position

40%

Number of instances of fines being paid to regulator for non‐ p compliance

Risk adjusted return on capital

> = 12%

Stylized risk appetite indicators (3/3) Stylized risk appetite indicators and corresponding y pp p g tolerance limits will differ byy industryy sector. Here we look at keyy risk appetite indicators and corresponding limits for the banking and Oil and Gas sector as an illustration Illustrative stylized risk appetite indicators for Oil and Gas sector (upstream) Key Risks

Key Risk Appetite Indicators

Risk tolerance limits

Revenues from largest field

<=35%

Number of on‐field accidents/equipment damage/operational disruptions per quarter

<=1

Currency risks k

Maximum permissible Fx VaR bl

<= 1 million USD ll

Liquidity risk

Average debt maturity

>=8 years

Leverage risk

Leverage ratio

<=40%

Maximum financial loss due to environmental lawsuits filed against company

0 million USD

Political risk

Minimum Country Sovereign rating

>=Baa on Moody's scale

D Demand risk d ik

M i Maximum % f % of revenue derived from a single geographic destination d i df i l hi d ti ti

<=30% 30%

Number of oil and gas blocks covered by independent third party reserve assessment in the pre‐exploration phase

100%

Annual turnover rate

<=10%

% of spot transactions to total transactions

<=25%

Earnings variability risk Operational risks

Reputational risk

Exploration risk Human resource risk Price risk 17

Appendix: About Protiviti

About Protiviti

Protiviti is a leading global independent Risk Consulting and Internal Audit firm composed of experts specializing in risk, advisory and transaction services. The firm helps solve problems in finance, transactions, operations, technology, corporate governance, risk and compliance.

Protiviti’s headquarter is in the USA and our clients include more than 25% of all “Fortune 500” companies and more than 35% of all “Fortune 100” companies.

Established in Mayy 2002 byy Robert Half International ((“RHI”), ), byy hiringg over 700 experienced p and highly g y qualified partners and professionals from the risk advisory practice of Arthur Andersen. RHI is a $4.65 billion Fortune 500® company listed on New York Stock Exchange and named as America’s most admired companies by Fortune® magazine (March 17, 2008).

Our clients in the banking sector include almost all of the world’s top 20 banks and the two largest Islamic banks (Kuwait Finance House and Al Rajhi Bank)

Recently, in December 2011, Protiviti has been positioned as a “Leader” by Gartner Inc. in the Magic Quadrant for Financial Management Consulting Services. Protiviti is one of 10 global consulting firms that Gartner evaluated ranking ahead of ranking ahead of Mc Kinsey & Co, IBM, Cap Gemini and a number of other consulting firms

55% % off top 20 investment i companies i and d 25% 2 % off top 25 2 banks b k in i Middle iddl East are our clients. li

Protiviti locations

* Member Firms

Thank you

Contact Details Raj Parthasarathy Director Protiviti Member Firm (Middle East) Director ‐ Protiviti Member Firm (Middle East) Bahrain Financial Harbor, PO Box 12031, Manama, Bahrain Tel: +973 1715 2640, Mob: +973 3902 7611 Email: raj parthasarathy@protivitiglobal com kw Email: raj.parthasarathy@protivitiglobal.com.kw