The Rochdale Group, Inc. 10/11/2013
Jeff Owen
The Rochdale Group
Agenda
• ERM Overview
• Why Do (or Should) I Care?
• ERM – Roles & Responsibilities
• Risk Appetite
• Economic Capital
• Getting Started
My Objective
1. Spur action on your part
2. Provide some tips on getting started
3. Clear up some potential misconceptions on ERM
As a leader of a financial institution, you are expected to be aware of and appropriately manage organizational risk exposures.
Risk Ownership
• Who owns organizational risk?
• Who is the ultimate risk manager?
• Who does much of the ‘stuff’ and deals with risks daily?
Risk-resilience is only really possible when the people who are responsible for driving business results are accountable for the associated risks
Enterprise Risk Management
• An orchestrated and formalized process of identifying, assessing and managing key organizational risks
• ERM drives improved organizational decision making through unobstructed knowledge, yielding better organizational performance
What is RISK?
What is Risk?
• “The possibility that an event (internal or external) will occur and affect the achievement of objectives”
• “The effect of uncertainty on objectives”
What is Risk?
• Known knowns
• Known unknowns
• Unknown unknowns
“One organization’s ‘black swan’ is another’s identified emerging risk.”
What is RISK?
[Diagram: $ Worth Now to $ Worth Later. Intervention: Avoid, Reduce, Share, Accept. Risk: amount of loss/opportunity ($$$) and probability of a specific loss of worth occurring.]
What is Risk Management?
• Unlike risk elimination (military and law enforcement), risk management includes the coordinated activities used to direct and control an organization with regard to risk
• Effective risk management allows for multiple risk responses to scenarios
Risk versus Return
“Risk and return” is an inseparable concept
[Chart: Risk-Adjusted Return vs. Risk Level. Zone 1: Insufficient Risk Taking; Zone 2: Optimal Risk Taking; Zone 3: Excessive Risk Taking.]
ERM is Here to Stay
• Effectiveness
• New Standard
• Corporate Credit Unions
  o §704.21 - Enterprise Risk Management
• 2013 GAC – “Hot Exam Issues”
  o Effective risk management
  o Balance too little and too much
  o Involves both an art and a science
  o Balance risk and capital adequacy
  o Increasing complexity of CUs
• Examination 2013: What to Expect
My soapbox… It’s all about perspective
Enhanced risk management processes…
• Increased communication and transparency and assisted in the breakdown of silos
• Defined organizational risk profile
• Drove strategic alignment
• Provided more proactive focus
• Allowed for a risk-weighted view of capital adequacy
• Resulted in improved organizational prioritization
What ERM is NOT!
• Checklist
• Audit
• Compliance / policy assessment
• Isolated technology solution
• One-time project
A Conceptual View of Risk Management
Evolution of ERM
• Credit Risk Management: Credit
• Financial Risk Management: Credit, Market
• Enterprise Risk Management: Credit, Market, Operations, Business, Organizational
Introduction to COSO
COSO – Committee of Sponsoring Organizations of the Treadway Commission
• American Accounting Association, American Institute of CPAs, Financial Executives International, Association of Accountants and Financial Professionals, and Institute of Internal Auditors
• Standard for defining ERM for all types of companies
• Serves as a model of how to implement an effective ERM process, and how to maintain an ERM process over time
COSO - Definition of ERM
• A process, ongoing and flowing across an entity
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes an entity-level view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to assist in managing risk within an agreed upon risk appetite
• Able to provide reasonable assurance regarding the achievement of objectives
Risk Identification
• Identify the material events that can transpire within each functional area’s responsibility:
• Consider internal and external factors:
• Develop scenarios to demonstrate each risk
Primary Risk Categories
• Credit
• Reputation
• Interest Rate
• Compliance
• Strategic
• Operational/Transaction
• Liquidity
Assessment Factors
• Impact – Potential magnitude, in the absence of responses, measured consistently against assets and capital
• Likelihood – The frequency with which an event may occur in a given time period, again in the absence of responses
• Mitigation – The degree to which the organization’s responses manage down the impact or likelihood
Other ERM Definitions
• Inherent Risk
  o Before responses
• Residual Risk
  o After responses
• The difference is the benefit of the responses
• Allows us to prioritize risks and opportunities
ERM Process Overview
• ERM is a process
• Should be a small part of everyone’s day-to-day duties and thought process:
  o “Culture eats strategy for lunch”
• Involves a variety of key periodic steps:
  o Risk ID and assessment
  o Review of mitigating responses
  o Risk management committee meetings
  o Reporting
  o Integration with strategic planning and other risk processes
Financial Institutions Have Been Hit with Large Lawsuits and Regulatory Intervention
• Total of $10.7+ billion in 2012 penalties for U.S. financial institutions
• BOA has incurred $29 billion in settlements since 2009
• JPMorgan Chase and BOA lost $110 and $410 million cases, respectively, on debit card overdrafts in 2012
• UBS fined $1.2 billion for manipulating LIBOR
• HSBC, ING and Standard Chartered penalized $3.2 billion for money laundering
• WesCorp and U.S. Central Corporate – no longer exist
Yeah, but only the big ones have those problems… right?
As a financial institution…
Understanding and managing risk should be central to all we do!
Unfortunate Findings
• Poor performance in CUSO (CEO vs. Staff perspective)
• Call center and branches operating on separate procedures
• Vendor management – tracking contract but not performance issues
• Perceived pay inequality (lawsuit potential)
• Unreconciled accruals
• Compliance inconsistencies
• Core and loan system inadequacies
• Insurance gaps
• Communication lapses
…AND THESE ARE NOT POORLY RUN CUs
Opportunities
• Merger opportunity
• Ability to re-enter indirect lending
• Strengthen management alignment around strategic objectives
• Engaged management team about operational risk in order to make product / service decisions
• Better prioritization and improved utilization of resources
What We’ve Heard
• “We utilize the ERM process within every strategic decision.”
• “It is critical to have the right person oversee the ERM process. You can’t delegate ERM to a low-level staff member and expect to receive the strategic benefit.”
• “The ERM process has made a significant difference in how we discuss and make decisions. Our organization operates and views things differently after having gone through the ERM implementation process.”
• “We benefitted greatly from the up-front ERM risk identification discussions. I learned a tremendous amount about the organization that I otherwise would not have known.”
• “Performing periodic updates forces me to consider the major risks in my area, including what my thoughts were in prior periods and what has changed to re-direct my priorities in the current period. This often gets overlooked in the busyness of day to day ‘survival’.”
Fundamental Shift in Thinking
Org Level and Time Horizon:
• Board: 10 to 20 Years
• Senior Management: 5 to 10 Years
• Business Units: 1 to 5 Years
• Functional Units: 0 to 1 Year
Balance of Focus: Uncertainty / Commitments
Key Focus
• Board: What could threaten our survival? Strategic Flexibility. Risk Centric Scenario Planning.
• Management: What could undermine our strategy? Strategy Commitment. Strategy Assessment.
• Operations: What could derail our operations? Target Achievement. Tactical and Operational Execution Plans.
ERM Organization Structure
[Organization chart: Board/Board Committee; Senior Management; Risk Management Committee; ERM Function – coordinates meetings, reporting, assignments and training; ERM Liaisons in Functional Area 1, Functional Area 2, … Functional Area X]
Board’s Role
• Set risk culture and tone
• Understand and balance strategy and risk
• Validate risk appetite
Management’s Role
• Understand and communicate risk culture
• Ensure process diligence
• Define risk appetite
• Identify and manage risks proactively
• Ensure process transparency
Risk Management Committee (RMCO)
• Oversee ERM process
• Identify emerging risks
• Provide cross-functional perspective
• Take actions on key risks
• Ensure major risk management processes are appropriate
• Advise executive management
ERM Function
• Execute program
• Help identify and analyze risks
• Analyze and communicate risk issues
• Provide guidance and coaching
• Develop and present reports
Staff’s Role
• Communicate risks through an open and honest framework
• Be vigilant for emerging risks
• Implement responses to mitigate risk, where appropriate
• Identify opportunity to leverage risk for enhanced returns
Auditors and Regulators
• Review mitigating responses
• Feed key risks back into ERM process
• Focus audits and exams based on key risks
Risk Function Alignment / Integration
[Diagram: ERM shown together with the other risk functions]
• BCP
• Vendor Mgt
• ALCO
• Insurance
• Compliance
• Fraud
• Data Security
• Credit Committee
• Other Risk Functions
Internal Lines of Defense
1. Line of Business
   - Owns and manages risks
   - Establishes appropriate risk processes and programs
   - Identifies and escalates risk issues
2. Risk Management
   - Sets risk limits
   - Quantifies and monitors risks
   - Challenges risks and mitigating actions
   - Aggregates risks across organizational boundaries
3. Internal Audit
   - Validates risk programs
   - Reports on risk management effectiveness
Risk Appetite
[Chart: Performance vs. Time/Risk, showing Expected Performance, the Risk Universe (best outcome if “good things” happen, worst outcome if “bad things” transpire), Risk Capacity and Risk Appetite]
Risk Appetite
• Quantitative vs. qualitative
• We will and/or will not do
• Expectations of members
• Dialogue – establish over time
• Establish appetite pertaining to:
  o Members, processes, financials, regulatory compliance, people
Introduction to Economic Capital
• Estimate of the equity needed to survive a near-worst-case loss scenario
• Most credit unions expect to have fairly large losses every year and consider the expected losses in pricing loans and other products
• It is the deviation of actual losses from expected losses that subjects the credit union’s capital to risk
[Chart: Potential Annual Losses (in millions, $0 to $60) by Percentile (0% to 100%). Labels: expected losses, 50th percentile, unexpected losses, 99+th percentile losses, economic capital.]
Where do we start?
• Start somewhere
• Engage management / board
• Discuss top risks (across all risk categories)
  o Impact, likelihood and responses (quantitatively)
  o Agree on completeness of mitigation, and create an action plan to further address risk
• Identify greatest opportunities within credit union
• Continue to roll the ERM process out across the organization over time
• Use ERM in strategic planning
Strategic Risks
• Loss of tax exemption
• Loss of fee income
• Basel capital requirements
• Lack of membership growth
• Qualified mortgages risk
• Data breaches
• Non-traditional competition
• Natural disasters
• Regulatory compliance
• Lack of board/management succession plan
• Rising interest rates
• Loss of interchange income
• Technology advancements
• IT terrorism risk
• Restrictions on geographic and charter expansions
• Inadequate volunteer training and financial literacy
• Infrastructure weaknesses
• Talent management
• Operating inefficiencies
Lessons Learned
• It’s about establishing a culture
• CEO and Board engagement is critical
• ERM leader must have the political capital to make things happen
• Boards and CEOs do NOT like surprises
• Must be forward-looking
• Don’t shoot the messenger
• Open and honest communication is crucial
In Summary…
• ERM is not intended to replace current risk management practices; rather, it should be a means through which you can integrate each of the existing functions
• It is important that ERM encompass all facets of the organization (vertically and horizontally)
• Risk information must be incorporated into strategic discussions