Saturday, August 23, 2008

The Federal Reserve Bank of Philadelphia implements its own process for enterprise risk management


Spyro Karetsos


In 2003, the Federal Reserve System emphasized the importance of risk management by creating an ERM guidance document providing direction and defining a common risk language. In 2004, Spyro Karetsos, the Philadelphia Fed's enterprise risk management officer, developed an ERM implementation guide to plan Philadelphia's approach to integrating existing risk-based practices and tools. This ERM plan is being developed for the bank to strengthen its own risk management practices and is in no way a prescription for the financial institutions the Fed supervises. The effort does show banks throughout the U.S. that what's sauce for the goose is sauce for the gander. Similar efforts are being undertaken at banks throughout the Federal Reserve System. In fact, one of Karetsos's roles has been to pull together the ERM initiatives of all entities in the Federal Reserve System to provide a high-level enterprise view of risks and associated mitigation activities.


I think of enterprise risk management as a continuous journey. That's because it is not exact science but rather an evolving improvement initiative. Similar to quality programs such as Six Sigma, ERM is something that you're always working toward and may always be trying to refine. As a Federal Reserve Bank, we view our reputation as our greatest asset; therefore, our bank has always had a strong emphasis on controls. What ERM offers is an opportunity to leverage existing risk assessments and tools to form a holistic view of aggregate risk and interdependencies. The world of financial services is constantly evolving, and enterprise risk management must continue to evolve with it.


So if we're implementing something that may never be finished, how do we know if we're doing a good job? It's all about adding value. We want to feel confident that every step we take--integrating risk management activities, reducing redundancies, and enabling better-informed decisions--adds value. Also, all risk management decisions are made on a cost/benefit basis. A zero-risk-tolerance environment is not only impossible but also undesirable and cost-prohibitive. The key is to balance risk and reward, and the Fed employs various risk specialists to vet the impact of actions taken by business lines and assess the effect on the institution within a given risk category.


The bank's approach to implementation is influenced by components it has deemed essential, including:


* Clear guiding principles, strong and visible corporate governance, and a common risk language that provides ERM definitions and a set of risk categories and subcategories.


* A bottom-up approach using a risk assessment process, risk response options, communication mechanisms, and monitoring techniques.


* A top-down approach of high-level, informal discussions of overarching strategic issues.


Many of our approaches to risk management are qualitative, as opposed to quantitative, and we are wary of developing a false sense of precision. We are mostly interested in identifying areas of concern, fostering an environment that promotes early communication of issues, and analyzing the potential impact to stakeholders. For that reason, we think in terms of "high," "medium," and "low" inherent and residual risk levels.


Corporate Governance


The corporate governance chart shown in Figure 1 is not an organizational chart, but rather a visual representation of responsibilities, interactions, and information flows. To carry out its oversight responsibilities, the Board of Directors must have a sufficient number of independent outside directors who possess an appropriate degree of management, technical, and other expertise. We expect two existing subcommittees--the Budget and Operations Committee and the Audit Committee--to be responsible for the ongoing monitoring of the ERM program and the bank's risk profile. The Risk Management Council (RMC) provides top-down sponsorship, approval, and oversight of the bank's ERM program. This group reviews and approves the bank's risk policies, sponsors the bank's risk-aware culture, and communicates the bank's risk appetite.


[FIGURE 1 OMITTED]


The ERM officer establishes a risk management process to identify, prioritize, mitigate, measure, and report on risks at an enterprise level. This officer promotes ERM through training, education, and facilitated sessions and provides tools to business area management that are used to generate the enterprise-wide perspective. The officer periodically reports the bank's risk profile to the RMC and the Board of Directors.


The risk specialists conduct five main activities related to their area of expertise:


1. Validate best-practice controls.


2. Assess centrally owned controls on behalf of the bank.

3. Review the bank's risk profile, focusing on their areas of expertise.


4. Provide consulting/guidance to business areas to mitigate exposure.


5. Report on the bank's risk profile to the RMC as it relates to their areas of expertise.


ERM Self-Assessment


Management is accountable for managing risks in its business area and is credited for self-identifying and correcting control gaps. Each business manager prepares an assessment of only those risks and controls for which he or she has direct responsibility and accountability. Wherever possible, assessments incorporate results from other existing risk management activities to reduce redundancies and relieve management of unnecessary burden. For example, instead of having business areas reproduce business continuity plans in the assessment, each area identifies the essence of the plan and notes if it has been updated to reflect changing business processes, technology, and contact information. If the contingency plan has been tested, the assessment provides a means to attach test results, highlight issues, and identify action plans, if necessary. Figure 2 provides a process flow of the bank's assessment process.


[FIGURE 2 OMITTED]


An aggregation of all of the assessments performed by business areas and risk specialists results in an enterprise perspective of risk for the bank. Because the common risk language is being used as a lowest common denominator to aggregate the assessments, business areas have the flexibility to determine the level of granularity of the scope of the assessment. For example, assessments could be performed at the project, process, department, business area, or bank level.


Figure 3 lists triggers that may lead a manager to review his or her ERM self-assessment. To be effective, the trigger questions must be addressed at least quarterly. Used properly, the questions provide a systematic approach for updating assessments and ensure that the assessment becomes a "living" document.


The Role of Key Risk Indicators


Key risk indicators (KRIs) are a critical component in a comprehensive ERM program. When designed effectively, KRIs should identify business vulnerabilities or serve as warning signals for potential dangers in the business environment. KRIs are generally viewed as a key complement to the ERM self-assessment process because they provide objective indicators of the bank's risk profile and can be linked to exception-based reporting to focus attention on emerging issues.


Existing indicators are leveraged to develop a few critical, leading, multi-dimensional KRIs. KRIs differ from the more commonly known key performance indicators (KPIs) in that KRIs focus on the bank's exposure to emerging risks as opposed to comparing current performance to internal/external benchmarks. Also, for each KRI, three exposure levels, or thresholds, are established: safe, cautionary, and warning. There is a predetermined data range in place for each threshold, and triggers are set up for immediate notification should a KRI breach the safe zone and enter into either the cautionary or warning zone. The bank is currently in the process of finalizing KRIs to gauge risk exposure levels. To that end, Figure 4 uses generic examples to depict a dashboard approach to monitoring KRIs.
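The threshold-and-trigger mechanism described above can be made concrete with a small monitor. The following is an added illustration, not the bank's own tooling or anything from the article: each KRI carries a predetermined value range for its safe, cautionary, and warning zones, readings are classified into a zone, and a notification is raised only when a KRI leaves the safe zone or escalates further (exception-based reporting), while a return toward safe is reflected on the dashboard without a notification. The KRI names, risk categories, ranges, and readings are all constructed for the example.

```python
"""KRI zone monitor with exception-based notification (added example).

Assumptions, not taken from the article: the three zones are contiguous
numeric ranges per KRI; a notification fires when a KRI first enters a
non-safe zone or escalates (cautionary -> warning); de-escalation is shown
on the dashboard only. All indicator names, ranges and readings are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAFE, CAUTIONARY, WARNING = "safe", "cautionary", "warning"
SEVERITY = {SAFE: 0, CAUTIONARY: 1, WARNING: 2}


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with a predetermined value range per exposure zone."""
    name: str
    risk_category: str  # term from the common risk language (constructed here)
    ranges: Tuple[Tuple[str, float, float], ...]  # (zone, inclusive low, exclusive high)

    def zone(self, value: float) -> str:
        for zone, lo, hi in self.ranges:
            if lo <= value < hi:
                return zone
        raise ValueError(f"{self.name}: reading {value} is outside the defined ranges")


@dataclass
class Notification:
    kri: str
    risk_category: str
    previous_zone: Optional[str]  # None when this is the first reading
    new_zone: str
    value: float


class KRIMonitor:
    """Tracks the current zone of each KRI and emits exception-based notifications."""

    def __init__(self, kris: List[KRI]):
        self.kris = {k.name: k for k in kris}
        self.current: Dict[str, Optional[str]] = {k.name: None for k in kris}
        self.notifications: List[Notification] = []

    def record(self, name: str, value: float) -> Optional[Notification]:
        kri = self.kris[name]
        new_zone = kri.zone(value)
        prev = self.current[name]
        self.current[name] = new_zone
        # Trigger only on breaching the safe zone or escalating further.
        escalated = prev is None or SEVERITY[new_zone] > SEVERITY[prev]
        if new_zone != SAFE and escalated:
            note = Notification(name, kri.risk_category, prev, new_zone, value)
            self.notifications.append(note)
            return note
        return None

    def dashboard(self) -> Dict[str, str]:
        """Current zone per KRI, the view a dashboard would render."""
        return {name: zone or "no data" for name, zone in self.current.items()}

    def summary(self) -> Dict[str, int]:
        """Count of KRIs per zone for a one-line enterprise view."""
        counts = {SAFE: 0, CAUTIONARY: 0, WARNING: 0}
        for zone in self.current.values():
            if zone is not None:
                counts[zone] += 1
        return counts


# Constructed sample KRIs: zone ranges are illustrative, not the bank's values.
SAMPLE_KRIS = [
    KRI("unpatched_critical_systems_pct", "information technology",
        ((SAFE, 0, 5), (CAUTIONARY, 5, 15), (WARNING, 15, 101))),
    KRI("key_staff_vacancy_rate_pct", "human resources",
        ((SAFE, 0, 3), (CAUTIONARY, 3, 8), (WARNING, 8, 101))),
    KRI("contingency_test_failures", "business continuity",
        ((SAFE, 0, 1), (CAUTIONARY, 1, 3), (WARNING, 3, 1_000_000))),
]

# Constructed sequence of readings, in the order they arrive.
SAMPLE_READINGS = [
    ("unpatched_critical_systems_pct", 2.0),   # safe
    ("key_staff_vacancy_rate_pct", 2.5),       # safe
    ("contingency_test_failures", 0),          # safe
    ("unpatched_critical_systems_pct", 7.5),   # breaches into cautionary: notify
    ("key_staff_vacancy_rate_pct", 9.0),       # straight into warning: notify
    ("unpatched_critical_systems_pct", 16.0),  # escalates to warning: notify
    ("unpatched_critical_systems_pct", 4.0),   # back to safe: dashboard only
]


def run_sample() -> KRIMonitor:
    monitor = KRIMonitor(SAMPLE_KRIS)
    for name, value in SAMPLE_READINGS:
        monitor.record(name, value)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    for n in m.notifications:
        print(f"NOTIFY {n.kri} [{n.risk_category}]: {n.previous_zone} -> {n.new_zone} at {n.value}")
    print("dashboard:", m.dashboard())
    print("summary:", m.summary())
```

With the constructed readings the monitor raises three notifications (two breaches of the safe zone and one escalation) and the final dashboard shows one KRI in the warning zone and two in the safe zone; the return of the patching indicator to safe changes the dashboard but does not page anyone, which is the point of exception-based reporting.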


Initiative Generation


The bank also employs an informal top-down approach to risk management. Senior managers are asked about what keeps them up at night. Interview results are categorized using the common risk language, fleshed out further, and prioritized by the RMC based on residual risk levels. Where current initiatives inadequately address the risk, an action plan is generated to further reduce the bank's exposure. These risks and initiatives are typically strategic in nature and cross multiple business lines, such as the risk of losing key personnel. A watch list is created to monitor exposure to these key risks and to determine the effectiveness of the response.


Conclusion


As the nation's central bank, the Federal Reserve System operates in the public interest. The Federal Reserve, like every complex organization, faces uncertainties that affect its various functions and operations. ERM provides an opportunity to improve the quality and flow of information for decision-makers and stakeholders, focus attention on the achievement of organizational goals, and enhance overall governance.


ERM programs throughout the Federal Reserve System will continue to evolve and improve as we learn from each other and the industry. As industry participants implement their own programs, they can take solace in the fact that they are not alone in this endeavor. My goal for the Federal Reserve Bank of Philadelphia is to continue to evaluate our ERM program and modify it, as necessary, to ensure that the value-to-burden relationship remains high.


Figure 3
Trigger Question Checklist for Business Line Managers

Has your business area ...

--Assumed new responsibilities or offered new products and/or services?
--Introduced any new software or hardware?
--Been granted access to new confidential information?
--Experienced centralization of business processes or technology?
--Hired new vendors?
--Experienced any significant staffing or management changes?
--Identified issues during contingency tests?
--Initiated new major projects?
--Become subject to or been affected by new regulations, legislative events, or changes to FRB policies/procedures?
--Experienced significant changes in performance metrics?
--Experienced an increase in the occurrence of unexpected events?
--Been cited for having control issues/findings by an oversight/regulatory entity or Internal Audit?
--Completed action plans to address control issues/improve performance?


[C] 2005 by RMA. Spyro Karetsos is enterprise risk management officer for the Federal Reserve Bank of Philadelphia. The views expressed in this article are those of the author and do not necessarily represent the views of the Federal Reserve Bank of Philadelphia or the Federal Reserve System.


COPYRIGHT 2005 The Risk Management Association