Framework for RM and control
Appropriate framework for ERM
How to adopt best practice in ERM in compliance and corporate governance
Cultural aspects of risk assessment and management including the problems of bias
Cover good practice in terms of framework, governance and culture (in detail)
Exam Note
Need to be able to evaluate the quality of these aspects for a hypothetical organization and to recommend an appropriate framework or improvements given specific circumstances
Seven major components of ERM framework
Corporate governance: Establish organizational processes and controls
Line management: Integrate risk management into business processes
Portfolio management: Aggregate risk exposures and identify diversification effects and concentrations of risk
Risk transfer: Mitigate excessive risk exposure cost effectively
Risk analytics: Measure, analyze and report on risk
Data and technology resources: Support the analytics and reporting
Stakeholder management: Communicate and report on risk
The same Board principles below apply to other bodies with governance roles (e.g. the Board of a mutual company or the trustees of a pension scheme)
Corporate governance: The way in which the Board controls the company and the processes that it puts in place to ensure that the company is being run by the management in the best interests of shareholders
Board responsibilities with regard to risk management
Risk governance:
Setting the vision, strategy and risk culture of the organization
Establishing a framework for measuring, managing and monitoring the risks facing the organization
Reviewing the outcomes of, and lessons learnt from, the risk management process on an ongoing basis to achieve its goal of delivering long-term value to its investors
Setting ERM policies:
Defining the company’s risk appetite
Establishing what skills are needed to implement ERM strategies successfully, and implementing training programmes where these skills are deficient
Guiding decisions on the most appropriate approach to, and structure for, ERM within the organization, incl. roles and responsibilities
Approving suitable internal controls and ERM policies to ensure that ERM is being applied to the required standards, whether these standards are set internally or arise from legislation or regulation
Determining risk compensation:
The ERM initiative needs the full backing of the Board
Line managers’ responsibilities with regard to risk management
Implement the ERM policies agreed by the Board
Understand the risks that they are taking
Be aware of the extent of their risk-taking powers
CRO is responsible for the execution of the Board’s risk management vision and strategy
Board responsibility: Overall success of the company
\(\therefore\) Responsible for ensuring the full range of risks faced by the company are managed effectively
Successful ERM can help the Board to discharge its responsibilities by setting the company’s risk appetite, which lays down the amount of risk the company is willing to take, and by establishing a suitable ERM framework to manage risk within those boundaries
Unique value proposition of the Board to the ERM process:
They have the unique opportunity to consider the risks of the company as a whole, since they are at the top
They are best placed to question and challenge corporate activities and practices
The Board has unique influence over the success of the ERM programme through its other activities:
Sets the direction, structure and culture of the company
Guides the allocation of financial and human resources to new initiatives
Otherwise it is easy for RM to be squeezed out because it is viewed as low priority
Roles and responsibilities of other employees
There must be clarity in responsibilities for the identification and management of risks
e.g. who does what, and individuals should be held accountable
The organization’s employees should have codes of honesty and fair dealing
Senior management must lead by example to make sure the principles are honoured in practice
Line managers should be held responsible for the identification and management of risks in their own areas of responsibility
The most serious strategic risks should be supervised by the Board
Every employee has a responsibility for the identification of new and increased risks
These should be communicated to a central point in a timely fashion
The Board should have an annual self-assessment to check its progress towards full ERM
See RBS example
Corporate governance codes of conduct
Development of codes of conduct concerning best practice in the area of corporate governance was driven by investor concerns over company failures
They refer explicitly to RM and to the system of internal controls used to ensure that a company operates in a sound and secure way
Main aims of the internal controls:
Ensuring accurate and adequate record-keeping
Preventing fraud and safeguarding the company’s assets
Guaranteeing the accuracy of financial statements
Responding appropriately to risk
Ensuring compliance with law and supervisory guidance
Cadbury Code of Best Practice main recommendations
(Aimed to improve confidence in financial reports in the UK)
Full board meetings at regular intervals
Board should be aware of significant activities (e.g. M&A, capital projects)
NEDs (non-executive directors) should have key responsibility for certain control and monitoring functions
Shareholders should approve directors’ service contracts in excess of 3 years
Directors’ remuneration should be subject to review by a remuneration committee with a majority of NEDs
Company reports should be balanced and understandable
Key features of the UK corporate governance code
Applies to all UK listed companies
Corporate governance is not forced on companies by prescriptive rules
Compliance is voluntary
Non-compliance must be disclosed and explained
Companies are free to choose a suitable approach given their industry and size
Material differences must be explained
Requirements for directors under the Companies Act
Act in accordance with the company’s articles of association
Act in the best long-term interest of the company while avoiding (or declaring) any conflict of interest
Canada:
Also adopted the method of voluntary compliance (UK standard) after the 1994 Dey report
US:
Follows a more statutory approach
SEC rules
Require disclosure of Board structure, compensation and role in RM
SOX
Require independent Board audit committees and \(\geq 1\) financial expert
Dodd Frank
Requires bank Boards to have a risk subcommittee that includes an RM expert
Principles for excellence in corporate governance
Communication with stakeholders
The Board has a duty to disclose certain information to stakeholders
Leads to \(\uparrow\) transparency of information for shareholders
Facilitates more informed decision making
Independence of the Board
The Board should be distanced from the day-to-day running of the company
\(\hookrightarrow\) Better able to oversee and monitor its management
Board performance review
The Board should engage in regular formal self-assessments to rate its performance against any best practice codes it is subject to
Using an external consultant can help keep the assessment unbiased
Regular independent reviews and training for new Board appointees
Board compensation arrangements
Compensation should reflect the responsibility and risk of being a director (not over-compensate)
A reasonable proportion of the compensation should be stock options to align directors’ interests with shareholders
Also important to align with RM objectives for the implementation of ERM (e.g. bonus based on risk-adjusted returns)
Fairness
Social responsibility
The BoD can delegate RM to a risk subcommittee (e.g. RMC)
The risk committee charter will establish the following points and considerations:
Purpose: management’s treatment of key risks
Responsibility: Board, RM
Membership:
Frequency of meetings
Criteria for performance assessment
Resources available:
Purpose: gives the auditors direct access to the NEDs, so that the auditors remain independent of the rest of the business
Key roles:
Best practice:
Additional governance considerations for UK financial institutions stem from the Walker Review
Key themes of the recommendations:
The “comply or explain” approach is still the best corporate governance practice
Need more challenge in BoD discussions
Need a material increase in Board-level risk oversight, especially risk monitoring, risk appetite and tolerance
Should establish a risk subcommittee and a CRO with enterprise-wide authority and independence
Need better engagement between fund managers and the Board of the investee
Board remuneration committees should cover other senior employees
Remuneration should align with the medium- and longer-term risk appetite and strategy of the entity
Remuneration should be made publicly available on a banded basis
Culture: Defined by the company’s approach to its activities; describes the company’s shared values, beliefs and behaviours
The attitude of employees to business undertakings and the way in which judgement is exercised
“The way we do things around here”
Risk Culture:
Subset of overall culture related specifically to the approach taken to risk management
Culture in which people know and do the right thing even if there is no specific rule or policy telling them what to do, rather than acting in their own interests
The Board needs to ensure the organization has a good risk culture that encourages:
Consultative leadership
Participation in decision-making on risks
Openness
Accountability (rather than blame)
Organizational learning
Knowledge sharing
Good internal communication
Value of a good risk culture
Having the right culture enables everyone to participate in managing the more important risks
A supportive risk culture is necessary for RM to be successful
Everyone should be involved in the identification of new and enhanced risks
The RM process should be embedded in the mainstream management processes of the business
Line managers: Should have responsibility for managing the risks within their areas of responsibility, subject to reporting on the more important risks to a central point
The Board should supervise the management of a short list of the most important strategic risks and opportunities
RM should be approached as helping to achieve success
A risk-conscious culture (that highlights the risks and opportunities) can sit alongside a “can do” culture given good leadership
Encourage good communication about risk
(Openness that allows risk to be communicated up, down and sideways)
Easy reporting mechanism on:
Perceptions of new or enhanced threats or opportunities
Suggestions for mitigation of threats
Existence of defective procedures
Failure to operate established procedures properly
The culture should encourage such reporting without inhibitions, though this may be difficult to achieve
Focus on developing positive employee behaviours w.r.t. risk
With appropriate training for all employees
Educate on both upside and downside risk
Job descriptions should include a requirement for proactive responses to risk
Performance management should include RM objectives
Tie incentives to RM performance objectives (with clear targets and measures of success)
Ensure that RM responsibilities are clearly defined and individuals are aware of their accountabilities
Introduce a process to escalate risks
Develop an environment of openness where employees will raise issues in the knowledge they will be heard, and be open to new ideas
Avoid a “blame culture”
Focus on how to prevent it next time instead of on what went wrong
Set the appropriate tone at the top
The BoD and senior management need to display appropriate risk behaviours
Praise those with good risk behaviour (report on successes)
Evaluate the risk culture
Measure it through questioning the workforce
Culture can only be changed effectively:
From the top (BoD and senior management)
On an incremental basis
As the profile of new recruits changes the views of the staff
Risk culture can be taken as a measure of how well ERM has become integrated into the company’s established way of doing things: the attitude to risk, awareness of risk, RM and risk behaviours among its employees
Need a supportive risk culture to avoid the problem of bias (risks not being reported in a true and honest way)