
Evolving Risk Governance & Internal Audit Implications
This content discusses the evolving risk governance model beyond the traditional three lines of defense, implications for internal audit, emerging requirements, and the alignment with business and risk management processes.
Presentation Transcript
Risk Governance: Evolving beyond the traditional three lines of defense model
Implications for Internal Audit
Leon Bloom, Partner
lebloom@deloitte.ca
May, 2015

Agenda
- Emerging risk governance requirements: context and expectations
- Current practices in risk governance: issues, challenges and shortcomings
- Guiding principles: roles, responsibilities and accountabilities
- Guiding principles: policies, processes and practices
- Three lines of defense: definition vs. effective application, and the case for redesign
- Aligning the risk governance model with the business model and with risk and capital management processes
- Structures for risk taking, risk oversight, risk assurance (Internal Audit) and board oversight
- The business case for transition: challenges and benefits
Among other things, regulators are giving emphasis to four high priority areas
- The inherent riskiness of the business model: Where and how are earnings generated? Is there an extreme or concentrated dependency on a particular source or sources, and how are the associated risks articulated and addressed/mitigated?
- Tail risk: Has a competent process been established to identify tail risks, and have the risks been objectively and realistically assessed rather than underestimated?
- Risk governance: How well defined and embedded is the risk governance model? Is the assurance function (Internal Audit) being used as a management control, or as a substitute for quality assurance and peer review practices by the risk taking areas and the risk management function? Does the governance model in practice align with and support the principles of a sound risk management and control culture?
- Operating culture: the degree of awareness, attitudes and behaviors of an organization's employees toward risk and how risk is managed within the organization. Risk culture is a key indicator of how widely an organization's risk management policies and practices have been adopted.

Risk governance requirements
Emerging risk governance requirements
The significantly changed environment resulting from the continuing global financial crisis has raised the hurdle of regulatory requirements and Board expectations pertaining to the timeliness and quality of risk information and the robustness of risk management processes and practices.
- Governance: increased emphasis on a clear, transparent risk governance model, with clear accountability, role and responsibility structures and segregation of duties, as in the so called three lines of defense model. Many global institutions are visibly benefiting from having an enterprise-wide risk management function; the CRO works closely with other senior executives to strengthen the management of the business by explicitly incorporating consideration of risk into decision-making and performance measurement.
- Closer alignment of risk and business considerations: driven by the need to generate suitable investor returns in the face of greatly increased regulatory capital requirements, some organizations are pursuing risk optimization, which requires a foundation of strengthened financial governance.
- Holistic risk governance approach: closer alignment and harnessing of synergies between the functions involved in risk management and risk measurement, capital management, financial performance measurement and management, and tax.

Risk governance challenges
Governance observations:
- Roles, responsibilities and accountability are often unclear
- Second and third line functions are being used as management assurance and quality control functions
- Communication paths are not defined
- Committee structures, responsibilities and mandates lack clarity
- Objectives and the target end state for ERM are unclear
- Insufficient focus and time are spent discussing risks across the organization
- Monitoring fails to identify risk conditions and to provide a competent understanding of exposure status
- ERM programs are often not dynamic and fail to proactively identify and adapt to unexpected events
Enterprise risk management (ERM), relative to institution-wide business strategies and objectives:
- A common framework to manage all types of risk
- A continuous activity that aggregates and integrates risk management activities in order to better optimize risk-adjusted returns
- Supports decision making and capital management decisions
- Provides accountability and transparency
Guiding principles: roles and responsibilities
- The governance model should promote transparency of accountability, communication, decision making and information flows
- Decisions and accountability should reside with individuals, not committees, wherever possible
- Business areas retain accountability for managing their own risks; that responsibility is not transferred to the risk oversight function
- All classes of risk should have clearly assigned responsible/accountable parties in the governance model (e.g., it should not be purely focused on product risk)
- Decisions should be made with appropriate consideration of the enterprise impact, not just the impact on individual lines
- The risk governance structure should clearly reflect the roles of, and interaction with, pricing, underwriting, reserving and other critical, interdependent functions
- The structure should enable risks to be appropriately considered and factored into broader business decisions
- It should clearly articulate the requirements for independent assurance (e.g., Independent Audit)

Guiding principles: processes and policies
- Risk governance must be supported and enabled by explicit policies with transparent accountabilities and authorities
- Governance processes should be as streamlined as possible, avoiding unnecessary levels of decision-making bureaucracy
- Risks should aggregate and integrate at the appropriate level of governance, including cross line, cross business unit and enterprise; the governance model should include owners of the aggregated risk at each level within an aggregation hierarchy
- The monitoring process must be clearly articulated in the governance model (including responsibilities, frequency, etc.)
- Governance must be linked to a philosophy, vision or governing objective at the top
- Governance should enable risk management processes to be proactive rather than reactive
- The governance model should not be static; it should be re-evaluated every year to ensure appropriate evolution

The evolution of the lines of defense model
A risk governance framework helps clarify oversight responsibilities by establishing a common foundation (framework diagram)
- The framework provides a design for the governance infrastructure and the governance operating model.
- The top part of the framework depicts areas where the responsibility of the board is typically heightened.
- A risk governance framework provides the foundation for oversight and for establishing the necessary checks and balances regarding risk taking.

Measuring the risk and control culture
A focused assessment is needed to fully understand an organization's current risk culture and to track the progress of cultural change.
Risk practices maturity model: levels
- Unaware: Processes/practices at this level are either non-existent, not implemented, or not commonly/clearly defined; they lack formal process, and the enterprise is not conscious or aware of their importance.
- Fragmented: Processes/practices at this level are at the starting point or are inconsistent across business lines. They exist in silos, or are defined differently at different levels, and are not considered important within the enterprise.
- Integrated: Processes/practices at this level are defined, documented and communicated to the entire enterprise. They mostly exist at the enterprise level but are not implemented, leveraged or embraced across the enterprise.
- Comprehensive: Processes/practices at this level are mature, widely adopted and understood, repeatable, clearly defined, well-documented and aligned with the enterprise's risk management framework. They are consistent, effective and widely applied across the enterprise.
- Optimized: Processes/practices at this level are well entrenched in business as usual, and the focus is on continually improving them. They are at the optimum level and the enterprise is able to sustain or strengthen them.

Three lines of defense: issues and challenges (diagram)
- Board of Directors & Senior Executive Management: receives assertions on the status of risk exposure (Assert), validation & assurance reporting (Assure) and reporting (Report)
- 1st line, Business Unit Management and Staff: risk identification and assessments; actions to exploit, reduce, transfer or avoid risk; provides assertions on risk exposure for each business unit or functional area within NFS
- 2nd line, Risk Management: policies, governance and information flow; risk assessment methods; measurement, aggregation rules and tools (Enable); monitors risk exposure status and reports to the Board
- 3rd line, Internal Audit: validation of controls; objective review of the risk management process; assurance to senior executive management and the Board on assertions of risk exposure
Evolution of the three lines of defense
Risk management framework
- Line of Business (1st line of defense): Day to day management & risk control
- Risk & Compliance (2nd line of defense): Risk policies, methodologies & oversight
- Internal Audit (3rd line of defense): Independent assurance
Risk appetite & strategy
- 1st line: Adheres with defined processes and complies with limits
- 2nd line: Monitors compliance with regulatory requirements; supports the business in the development of a risk appetite and strategy
- 3rd line: Independent monitoring of the articulation of risk appetite and of organizational compliance with the limits framework
- Further activities listed across the three lines: regular status reporting; monitors risk profile, effectiveness of controls & residual risk; monitors & addresses escalated risks; reviews and challenges risk appetite considering emerging risks and changes to the risk profile; reviews policies regularly to ensure alignment with business strategy; ensures regulatory changes are developed and implemented in a timely manner; regular risk model monitoring; peer or management compliance reviews of policies and controls; ensures capital adequacy; ensures data accuracy; implements controls and reporting framework; approach to regulatory changes; peer review/periodic self assessment on effectiveness; completes regular risk model validation; annual reviews of policies and controls; quality assurance review for internal controls; reviews compliance results; reviews overall; reviews the impact of regulatory requirements on processes, policies and controls
Risk management policies
- 1st line: Executes tasks adhering to policies; provides feedback on the controls and policies in place
- 2nd line: Input to the business to develop and maintain policies; monitors compliance; develops and enforces the risk governance model
- 3rd line: Independent monitoring of compliance with policies
Risk management methodologies
- 1st line: Develops business processes, controls and policies aligned with the risk appetite (e.g. underwriting guidelines, trading policies); executes tasks adhering to the policies defined; provides feedback on the controls and policies in place
- 2nd line: Defines the risk controls and processes; monitors effectiveness of controls and residual risk; monitors ongoing application & operation of methodologies; manages risk IT systems
- 3rd line: Independent review of the appropriateness of, and compliance with, controls and processes; tests implementation of any changes to methodologies
Risk management reporting
- 1st line: Provides input for risk reporting; implements reporting framework
- 2nd line: Develops and maintains reporting framework; implements reporting framework; monitors data accuracy; monitors risk reporting trends and issues
- 3rd line: Independent monitoring of the risk reporting framework; tests implementation and data accuracy
Risk capital calculation & allocations
- 1st line: Provides capital adequacy calculation inputs
- 2nd line: Defines the capital model and allocation process and tools; supports the business in the design of the capital model; completes regular risk model validation; monitors capital adequacy
- 3rd line: Provides independent assurance for the Board and senior management on assertions of risk exposure; tests implementation of the model
Regulatory change
- 1st line: Reviews the impact of regulatory requirements on processes, policies and controls
- 2nd line: Identifies and assesses relevant regulatory changes; supports any updates required; monitors execution of change
- 3rd line: Tests implementation of process, policy and control
Executive Management: Reviews and updates risk appetite and strategy, processes, risk model and reporting framework
The Board of Directors: Reviews and approves risk appetite, processes, risk model and reporting framework
Risk taking structure: key objectives & responsibilities
- Board of Directors: Overall accountability for the enterprise risk profile; delegates responsibility for risk management to Senior Management/Executive Management Committee; approves overall risk appetite and the philosophy on risk taking
- Executive Management Committee: Ultimately responsible for accepting the risks taken by the businesses within the context of the defined risk appetite and philosophy on risk taking; responsible for ensuring the proper management of those risks taken by the businesses
- Business/Functional Head: Responsible for the management and control of risks assumed by the business unit or functional area in accordance with approved risk appetite and limits
- Business Leadership Groups: Forum for discussing and deciding on appropriate risk taking strategy in accordance with constraints established by the risk oversight structure; responsible for evidencing the in-control status of the risks assumed by the businesses
- Individual Risk Takers: Risk taking as governed by approved risk appetite and limits

Risk oversight structure: key objectives & responsibilities
- Board of Directors: Overall accountability for the enterprise risk profile; delegates responsibility and authority for risk management to Senior Management/Executive Management Committee; approves overall risk appetite and the philosophy on risk taking
- Executive Management Committee: Ultimately responsible for accepting the risks taken by the businesses within the context of the approved risk appetite and risk philosophy; responsible for ensuring the effective management and control of risk by the business
- Enterprise Risk Management Committee: Establishes risk management policy and recommends it to the Executive Management Committee prior to submission to the Board for approval; provides oversight of risk identification, assessment, mitigation and exposure status monitoring, supporting analysis, and risk issue escalation/resolution; serves as a risk clearing house and forum for the evaluation of enterprise risk issues; monitors the exposure status of the enterprise risk profile and reports to Senior Management and the Board
- Individual Business CRO or Risk Leads: Responsible for ensuring that individual business unit or functional risk governance structures are effective in accordance with Board, Senior Management and Enterprise Risk Management Committee mandates; owns development and implementation of risk policy, processes and practices for individual business units or functional areas; monitors the exposure status of the risk profile of the business and reports to the Enterprise Risk Management Committee
- Matrixed Risk Management Staff/Corporate ERM: Performs information aggregation, reporting and analysis to support the risk governance structure

Risk assurance structure (i.e. Internal Audit): key objectives & responsibilities
- Board of Directors: Overall accountability for the enterprise risk profile; delegates responsibility for risk management to senior management, i.e. the Senior Executive Management Committee; approves overall risk appetite, authority for risk taking and philosophy on risk taking; reviews and challenges assertions by management on the exposure of the risk profile
- Audit and/or Risk Committee of the Board: Reviews and approves governing policies and limits with respect to risk management and risk taking; reviews and challenges assertions regarding the risk profile and its exposure status that are provided by management, the risk management function and internal audit; engagement and oversight of independent auditors; oversight of financial reporting activities; oversight of the Internal Audit function
- Internal Audit and Compliance: Periodic validation of controls and of compliance with laws, regulations and governing internal policies (Internal Audit); periodic validation of risk management processes (Internal Audit or external expert review(s)); periodic assurance to senior executive management and the Board on assertions regarding risk exposure (Internal Audit); identification and communication of regulatory compliance policies and expectations (Compliance)

Governance and culture
How effective is an organization's governance, and how ethical and risk intelligent is its operating culture? The assessment dimensions are: organization model, communication and awareness, reporting and monitoring, people, training, and performance management.
Governance and culture: organizational model characteristics
Board governance structure
- Unaware: The Board and its committees do not have a defined governance structure to oversee enterprise wide risk management
- Fragmented: Some of the Board's committees have written charters that include risk management roles and responsibilities of those committees
- Integrated: The Board has written and detailed Board approved corporate governance guidelines, and its committees have charters that explicitly include their risk management roles and responsibilities, but these guidelines have not been communicated throughout the enterprise
- Comprehensive: The Board has written and detailed Board approved corporate governance guidelines, and its committees have charters that explicitly include their risk management roles and responsibilities, and these have been communicated throughout the enterprise
- Optimized: The Board has written and detailed Board approved corporate governance guidelines, and its committees have charters that explicitly include their risk management roles and responsibilities, and these guidelines are clearly communicated and understood throughout the enterprise
Executive-level risk committee
- Unaware: Lacks a structured executive-level risk committee in the enterprise
- Fragmented: A few senior executives have limited consideration for the risk of action or inaction as part of their core decision making processes
- Integrated: A few senior executives periodically request information from management when they consider the risk of action or inaction as part of their core decision making processes
- Comprehensive: Appropriate senior executives systematically consider the risk of action or inaction as part of their core decision making processes
- Optimized: The executive-level risk committee holistically analyzes key factors and considers the risk of action or inaction as part of the core decision making processes
Roles, responsibility and delegation of authority
- Unaware: Roles, responsibility and delegation of authority of the governance structure have not been clearly defined
- Fragmented: Discrete roles, responsibility and delegation of authority have been defined for a limited set of risks as a part of the governance structure
- Integrated: Clearly defined roles, responsibilities and delegation of authority for risk management exist at the top but have not been embraced broadly as part of the governance structure
- Comprehensive: Well defined and delineated roles, responsibility and delegation of authority for developing a governance structure exist throughout the enterprise
- Optimized: Well defined and delineated roles, responsibility and delegation of authority promote collaboration and coordination for developing and sustaining a governance structure and executing on the enterprise's risk management strategy
Enterprise-wide policies, procedures and controls
- Unaware: Enterprise-wide policies, procedures and controls to mitigate risks are lacking
- Fragmented: Enterprise-wide policies, procedures and controls to mitigate risks exist in a discrete and unstructured manner in select silos
- Integrated: Enterprise-wide policies, procedures and controls to mitigate risks are developed and communicated across all business units but not embraced or fully implemented
- Comprehensive: Enterprise-wide policies, procedures and controls to mitigate risks are standardized, communicated and implemented across the organization, and are being used as a part of structured risk management
- Optimized: Enterprise-wide policies, procedures and controls to mitigate risks are constantly reviewed and enhanced, leading to effective and optimized risk management
Definition of risk
- Unaware: Risk has not been commonly defined throughout the enterprise
- Fragmented: Risk is defined differently at different levels in the enterprise
- Integrated: The enterprise has a common definition of risk and it is communicated to the rest of the enterprise using a top down approach
- Comprehensive: The enterprise has a common definition of risk which addresses value preservation and is used throughout the enterprise
- Optimized: The enterprise has a common definition of risk and a clearly articulated risk management strategy, which addresses both value preservation and value creation and is used consistently throughout the enterprise globally
Governance and culture: communication and awareness characteristics
Board communication of expectations
- Unaware: The Board does not communicate expectations about completeness, accuracy and transparency of risk management information to executive management
- Fragmented: The Board inconsistently communicates expectations to siloed business units about completeness, accuracy and transparency of risk management information
- Integrated: The Board periodically communicates expectations to executive management about completeness, accuracy and transparency of risk management information
- Comprehensive: The Board regularly communicates expectations to executive management about completeness, accuracy and transparency of risk management information
- Optimized: The Board proactively communicates expectations to executive management about completeness, accuracy and transparency of risk management information
Tone at the top
- Unaware: The Board has not set the tone for managing risks and a culture of risk awareness does not exist in the enterprise
- Fragmented: The Board sets the tone for managing risks but the culture of risk awareness exists in silos
- Integrated: The Board sets the tone for managing risks and demonstrates a culture of risk awareness, but it has not been embraced broadly
- Comprehensive: The Board sets the tone for managing risks and establishes a culture of risk awareness which is widely adopted and understood throughout the enterprise
- Optimized: The Board sustains and strengthens the risk intelligent tone and promotes a risk intelligent culture
Transparency and visibility
- Unaware: The Board and other governing bodies lack transparency and visibility into the enterprise's risk management practices
- Fragmented: The Board and other governing bodies have limited transparency and visibility into the enterprise's risk management practices
- Integrated: The Board and other governing bodies request and receive periodic updates on the enterprise's risk management practices
- Comprehensive: The Board and other governing bodies receive regular updates on the enterprise's risk management practices
- Optimized: The Board and governing bodies authorize the formation of an executive-level risk committee, with a composition including representatives from all business units or departments, to have transparency and visibility into the enterprise's risk management practices
Assessment of ethical culture and attitudes towards risk
- Unaware: The Board does not assess the ethical culture of the enterprise and attitudes towards risk throughout the enterprise
- Fragmented: The Board performs a limited assessment of the ethical culture of the enterprise and attitudes towards risk
- Integrated: The Board infrequently assesses the ethical culture of the enterprise and attitudes towards risk through a top down approach
- Comprehensive: The Board regularly assesses the ethical culture of the enterprise and attitudes towards risk throughout the enterprise
- Optimized: The Board assesses the ethical culture of the enterprise and attitudes towards risk throughout the enterprise through mechanisms such as employee and vendor surveys on an ongoing basis
Lessons learned
- Unaware: Minimal awareness of lessons learned in risk related activities
- Fragmented: Lessons learned in risk related activities are identified and communicated in silos
- Integrated: Lessons learned are identified and periodically communicated from the top down
- Comprehensive: Lessons learned are identified and regularly communicated to appropriate personnel
- Optimized: Lessons learned and feedback provided through whistleblower hotlines or other channels are identified and communicated to appropriate personnel on an ongoing basis
Governance and culture: reporting and monitoring characteristics
Monitoring of risk management
- Unaware: Risk management is minimally monitored in the enterprise
- Fragmented: Risk management is monitored through separate and disconnected evaluations in the enterprise
- Integrated: Risk management is monitored through separate evaluations by top management in the enterprise
- Comprehensive: Risk management is monitored through standardized separate evaluations throughout the enterprise
- Optimized: Risk management is monitored through extensive ongoing management activities and separate evaluations throughout the enterprise
Reporting of risk events
- Unaware: Risk events that have high impact and high vulnerability are not reported or minimally reported
- Fragmented: A limited number of risk events that have high impact and high vulnerability are inconsistently reported
- Integrated: Risk events that have high impact and high vulnerability are reported
- Comprehensive: Attention is drawn to risk events other than those that have high impact and high vulnerability
- Optimized: Attention is drawn and resources are advocated to address risk events other than those that have high impact and high vulnerability
Data integrity in reports
- Unaware: Lack of data integrity in the reports
- Fragmented: Limited data integrity in the reports
- Integrated: Moderate data integrity in the reports
- Comprehensive: Adequate data integrity in the reports
- Optimized: High data integrity in the reports due to adoption of technology and a focus on meeting data quality requirements
Limitations of risk metrics and models
- Unaware: Minimal consideration of the limitations of risk metrics and models used in the enterprise
- Fragmented: A few senior executives have limited consideration of the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
- Integrated: A few senior executives consider the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
- Comprehensive: Appropriate senior executives incorporate into risk management procedures the limitations of risk metrics and models used in the enterprise, but these limitations are not addressed
- Optimized: The executive-level risk committee explicitly incorporates into its procedures the limitations of risk metrics and models used in the enterprise; limitations are addressed by qualitative means, including expert judgment
Business unit participation in risk oversight
- Unaware: Minimal participation of business units in risk oversight
- Fragmented: Limited participation and accountability of business units in overseeing the risk management program
- Integrated: A few business units are primarily held responsible by management for overseeing the risk management program and provide updates to management
- Comprehensive: Appropriate business units oversee the risk management program and provide regular updates to management
- Optimized: Appropriate business units gather, analyze, aggregate, communicate and report to management on the enterprise's risk management process on an ongoing basis
Governance and culture: people characteristics
Learning and consultation
- Unaware: There is a reluctance to learn from past mistakes when it comes to risks
- Fragmented: Opinions of others are sought only for a segment of risks
- Integrated: Opinions of only the top management are sought for risks
- Comprehensive: There exists a culture of consulting others when in doubt
- Optimized: There is a pro-active sharing of best practices
Risk taking
- Unaware: There is a culture of unnecessary risk taking
- Fragmented: Risk taking is done separately for each of the business units and there is no risk appetite defined
- Integrated: Only the top management takes risks as per the defined risk appetite of the organization
- Comprehensive: Calculated risks are taken and managed, and there is a culture of admitting to having made mistakes
- Optimized: Risks are taken as per the risk appetite of the organization, and people are personally accountable for managing risks
Risk in decision making
- Unaware: Risks from/to actions are not considered when making decisions
- Fragmented: Only some risks are considered when making decisions
- Integrated: Top management considers a set of risks when making decisions
- Comprehensive: All employees follow risk management practices in effectively weighing their actions during decision making
- Optimized: There is a culture of involving risk experts in decision making
Integrity and ethical behavior
- Unaware: The culture of integrity and ethical behavior is based on individual perceptions
- Fragmented: The culture of integrity and ethical behavior is not pervasive
- Integrated: The culture of integrity and ethical behavior is prescribed by management
- Comprehensive: Business units create an internal environment that is committed to promoting ethical behavior, trust, integrity and accountability
- Optimized: Business units hold individuals accountable for supporting and sustaining a culture of integrity

Governance and culture: training characteristics
Board training
- Unaware: The Board receives no training to understand and execute its fiduciary responsibilities for risk oversight
- Fragmented: The Board receives limited training to understand and execute its fiduciary responsibilities for risk oversight
- Integrated: The Board receives occasional training to understand and execute its fiduciary responsibilities for risk oversight
- Comprehensive: The Board receives regular training to understand and execute its risk management responsibilities
- Optimized: The Board receives regular and focused training to understand and execute its risk management responsibilities, such as ethics and fraud awareness training
Training for pertinent individuals
- Unaware: Provide pertinent individuals minimal or no training to understand and execute their risk management responsibilities
- Fragmented: Provide pertinent individuals with limited training to understand and execute their risk management responsibilities
- Integrated: Provide pertinent individuals with occasional training to understand and execute their risk management responsibilities
- Comprehensive: Provide pertinent individuals regular and appropriate training to understand and execute their risk management responsibilities
- Optimized: Have sustainable communication mechanisms internally, such as fraud awareness training and tax risk awareness, to help people understand risks and develop their skills to perform their duties, and externally to seek input from external sources

Governance and culture: performance management characteristics
Inclusion of risk management in performance management
- Unaware: Risk management is not included in performance management systems
- Fragmented: Risk management has limited inclusion in performance management systems
- Integrated: Risk management is included in performance management systems for management and not at lower levels
- Comprehensive: Risk management is regularly included in performance management systems
- Optimized: Risk management is integrated with performance management systems such as balanced scorecards, Key Performance Indicators, rewards and compensation, and executive performance assessments
Improvement programs
- Unaware: Minimal improvement initiatives resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
- Fragmented: There are individual and inconsistent improvement initiatives resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
- Integrated: There is a high level program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
- Comprehensive: There is a consistent and systematic program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
- Optimized: There is an integrated and detailed program of improvement resulting from activities such as internal reviews, internal or external assessments, user feedback, complaints and other issues
Board level governance considerations

It is critical to consider the most effective design of Board level oversight of risk, including the establishment of Board committees. For each option, the table sets out what you have to believe for it to work, and the resulting consideration.

Option: Audit Committee
- Description: All risk management oversight is included among the other duties legally required of the Audit Committee
- What you have to believe: Centralization of risk management review and challenge in a Risk Committee (or Audit and Risk Committee) can promote effective risk oversight, which can be achieved despite other significant committee responsibilities, e.g., financial reporting; the Audit Committee's existing responsibilities can provide a solid foundation for comprehensive risk coverage
- Consideration: Assign risk management review to the Audit Committee

Option: Entire Board
- Description: Regular briefings at full Board meetings on the exposure status of the risk profile, with periodic updates on specific significant risk related issues, i.e., deeper dives
- What you have to believe: Enterprise risk is an accountability for all Board members, requiring them to be explicitly and directly focused on it vs. it being the focus of a Board sub-committee; regular reports to the entire Board will be sufficient to provide overall ERM oversight; the full Board has the capacity to comprehend and adequately deal with enterprise-wide risk issues
- Consideration: Make risk management review the purview of the entire Board rather than a separate committee

Option: Multiple Committees
- Description: Multiple Board committees will review different aspects of the overall risk profile
- What you have to believe: Separately focused committees are required to achieve adequate coverage of distinct types of risk, e.g., a Credit Committee for credit risk; the Audit Committee may already be overloaded with other responsibilities, and potential overlap with the Audit Committee will be minimal; effective Board oversight of the risk profile and its exposure status can be achieved despite a siloed Board structure
- Consideration: Segment risk oversight by risk category across distinct Board sub-committees, with an aggregated and integrated view at the full Board level

Option: Risk Committee
- Description: A single Board committee dedicated to comprehensive risk oversight
- What you have to believe: A Board Risk Committee will have sufficient capacity and technical depth to effectively oversee all categories and types of risk; it is important to ensure an integrated view of all risk categories and the overall risk profile at the Board committee level; a dedicated risk committee will evidence an explicit and strong commitment to risk management to external and internal stakeholders and interested parties; risk related responsibilities currently resident in other Board committees could be merged into the Risk Committee of the Board
- Consideration: Establish a Risk Committee of the Board

25
The business case for risk governance

Risk governance is intended to help improve the odds in taking risk: reducing surprises and optimizing risk and return, thus improving shareholder value.

Risk governance should enable:
- Optimized use of capital and resources through their allocation to business areas which will achieve superior risk/reward results
- Improved understanding of interactions and interrelationships between risks
- Improved risk adjusted returns
- Clear accountability for, or ownership of, risk
- Reduced likelihood of unpleasant earnings surprises
- Anticipation of risk, thus minimizing the cost and effort of dealing with it
- Demonstration and evidencing of the "in control" status of significant risks
- Strengthened perceptions regarding governance and risk management by investors, supervisors, rating agencies and others

26