Thomson Reuters Video Webinar Lessons Learned: Risk ... · Thomson Reuters Video Webinar Lessons Learned: Risk Management, Ethics ... –Causes –Post Dodd-Frank ... GLOBAL BANK

G R E E N B E R G T R A U R I G , L L P | A T T O R N E Y S A T L A W | W W W . G T L A W . C O M

©2013 Greenberg Traurig, LLP. All rights reserved.

Thomson Reuters Video Webinar

Lessons Learned: Risk Management, Ethics

and Governance

August 1, 2013

Robert Bostrom │Shareholder │[email protected] │212.801.6714

07/30/13

Greenberg Traurig, LLP | gtlaw.com

CONTENTS

I. Introduction:

– Pre-Sarbanes Oxley

– Post Sarbanes-Oxley: Financial Fraud and Legal/Compliance Breakdowns Continued

– Current Environment: Critical Need for Enterprise-Wide Risk Management and Governance

II. Recent History

– 2007-2008 Financial Crisis

– Causes

– Post Dodd-Frank Events

– Why Do these Events Continue

2


CONTENTS

III. Post Dodd-Frank: Financial Fraud and Legal/Compliance Breakdowns Continue

IV. What to do

– Develop a Risk Management Culture and Ethical Culture

– Develop Effective ERM and Crisis-Management Process and Governance at the Board and Management Levels

3


INTRODUCTION

“When the music stops, in terms of liquidity, things will get complicated. But as long as the music is playing, you’ve got to get up and dance. We’re still dancing.

The depth of the pools of liquidity is so much larger than it used to be that a disruptive event now needs to be much more disruptive than it used to be.

At some point, the disruptive event will be so significant that instead of liquidity filling in, the liquidity will go the other way. I don’t think we’re at that point.”

Chuck Prince, Citigroup CEO, “Citigroup chief stays bullish on buy-outs,” Financial Times, July 9, 2007

4


INTRODUCTION

> Different Kinds of Risk Events

– Fraud

– Violations of law and compliance

– Excessive risk-taking

– External market or environmental events

– Previously acceptable market practices that retroactively become the subject of enforcement actions

5


INTRODUCTION: PRE-SARBANES OXLEY

> By 2000, corporate scandals involving Enron, WorldCom, and a host of others leading up to the enactment of Sarbanes-Oxley made it clear that traditional corporate governance structures, internal controls and risk management systems did not address the challenges faced by companies and Boards of Directors.

6


INTRODUCTION: PRE-SARBANES OXLEY

> Events subsequent to Sarbanes-Oxley suggest that Sarbanes-Oxley was not the answer as reports and disclosures of accounting irregularities, earnings restatements, violations of law, enforcement actions, and corporate governance breakdowns continued.

7


INTRODUCTION: POST SARBANES OXLEY

> After Sarbanes Oxley from 2002 through 2005 Freddie Mac, Fannie Mae, the New York Stock Exchange, a number of mutual fund complexes, Halliburton, AOL Time-Warner, Tenet Healthcare, Raytheon, Vivendi, Parmalat and other companies were the subject of headlines.

8



> Investigations and reports issued in connection with these events identified the same fundamental breakdowns of corporate governance.

9



> The Report of the Special Examination of Freddie Mac, the Report on Fannie Mae, the Report on Corporate Governance for the Future of MCI, and the multiple Reports of the Court-Appointed Examiner in the Enron Bankruptcy, identified problems and proposed recommendations with disturbingly similar themes.

10

Title of PresentationGreenberg Traurig, LLP | gtlaw.com


> The problems identified include:

– Inappropriate corporate culture and tone at the top

– Ineffective compliance and risk management systems

– Inadequate internal control structure

– Executive compensation programs

11



– Inadequate disclosure and transparency

– Inadequate Board oversight as a result of a variety of factors including

Cronyism

Lack of relevant knowledge

Inattention to duties and responsibilities

12



> The key themes which merged were the importance of an ethical culture, transparency, trust, accountability, governance, reputation and independence.

13



> As a result of these developments and continuing legislative and regulatory changes, there was increased pressure in the Board room. In addition, there were a number of sources of pressure that pushed companies to go beyond the stated requirements of the law regarding risk management and corporate governance practices.

> Nonetheless, we were about to enter a new chapter, even after Sarbanes Oxley.

14


CRITICAL NEED FOR EFFECTIVE RISK

MANAGEMENT

> Consequences flowing from a headline event are extremely severe in the current environment because of:

– the politicization of headline events,

– the criminalization of corporate events,

– the extreme and activist reaction of shareholders and the public, and

– the velocity of consequences.

15


CRITICAL NEED FOR EFFECTIVE RISK

MANAGEMENT

> The importance of preventative enterprise-wide risk management programs and post-event crisis management programs is magnified by the exponential multiplier effect of the consequences of a headline event.

16


IMPORTANCE OF ERM

> Historically an event could lead to SEC, criminal and civil actions

> New era now -- Congressional Hearings and investigations, intervention by the Executive Branch, actions by State AGs, public vilification, political and governmental reactions, shareholder reaction, customer reaction, executive officer dismissals, and more.

17


VELOCITY AND POLITICIZATION OF

CONSEQUENCES

> For example, a headline event in 2012 led to 14 consequences in the first 10 days of public reporting:

– SEC investigation

– DOJ investigation

– FBI investigation

– Civil class actions

– Congressional hearings

– Internal investigations

18



CONSEQUENCES

– Congressional legislative reaction

– Political reaction

– Shareholder activism – unsuccessful efforts to split CEO and Chairman

– Public vilification

– Executive officer dismissals

19



CONSEQUENCES

– Significant market cap loss

– Fitch rating downgrade

– CFTC investigation

> One year later renewed controversy to split Chairman and CEO roles and a 1500 page Congressional Investigative Report.

20


NEED FOR AN ERM PROGRAM AND A CRISIS-

MANAGEMENT PLAN

> Unintended Consequences.

> Publicity and headlines are very “sticky” – they seem to last indefinitely.

21


GLOBAL BANK $407 MILLION LOSS IN 2007

Report of Investigation by the Board, April 2008.

Conclusions:

1. Charged senior management with a “failure to demand holistic risk assessment,” a “failure to manage [its] agenda,” and a “lack of succession planning.”

22


GLOBAL BANK $407 MILLION LOSS IN 2007

2. Critical of the firm’s risk management controls and testing methodologies, asserting “complex and incomplete risk reporting,” “lack of substantive assessment,” “inadequate systems,” “lack of strategic coordination,” and “inability to accurately assess valuation risk on a timely basis.”

3. Board processes also lacked accountability for evaluating the firm’s risk exposures, assessments, and management.

23


RECENT HISTORY: 2007-2008 FINANCIAL

CRISIS – WHO, WHAT and WHY?

> Washington Mutual

> Merrill Lynch

> Lehman

> Bear Stearns

> Wachovia

> Fannie Mae

24


RECENT HISTORY: FINANCIAL CRISIS –

WHO, WHAT and WHY?

> Freddie Mac

> Countrywide

25


2007-2008 FINANCIAL CRISIS: WHY?

26


FINANCIAL CRISIS INQUIRY COMMISSION –

INQUIRY REPORTRED FLAGS

– Explosion in subprime lending and securitization

– Unsustainable rise in housing prices

– Widespread reports of predatory lending practices

– Dramatic increases in household debt

27



INQUIRY REPORT

– Exponential growth in financial firms trading activities

– Unregulated derivatives

– Short term lending “repo markets”

All previously acceptable business activities.

28



INQUIRY REPORT

Causes:

> Dramatic failures of corporate governance and risk management

> Reliance on mathematical models replacing judgment – risk management became risk justification

> Compensation systems encouraged short term gain with no long term consequences.

29



INQUIRY REPORTCauses:

> Failure to convey information to executive management about risk –

– Senior executives lack of awareness of $79 billion derivative exposure

– Executive management lack of knowledge of $55 billion of exposure to mortgage securities.

> Breakdown in accountability and ethics

30


2007-2008 FINANCIAL CRISIS: WHY?

31


PERMANENT SUB-COMMITTEE REPORT

> Wall Street and Financial Crisis: Anatomy of a

Financial Collapse Report of the Permanent Sub-

Committee on Investigations; United States Senate:

April 13, 2011, 635 Page Final Report

– Conflicts of interest

– Needless risk-taking

32


PERMANENT SUB-COMMITTEE REPORT

– Failures of Federal oversight – overruling and intimidating weak regulators

– Inflated credit ratings

– Investment bank abuses

– Knowingly selling toxic securities for fees

– Governance breakdown

33


LEHMAN BROTHERS EXAMINER’S REPORT

March 11, 2010 (2209 pages)

Observations

> Changed business strategy marked by aggressive growth and risk

> Significantly greater risk

> Substantial increase in leverage

> Relaxation of risk controls to accommodate changed strategy

> Compensation system rewarded excessive risk and leverage

34


LEHMAN EXAMINER’S REPORT

> Desperation

> Lack of transparency with the Board

> Faulty valuation procedures

> No risk culture

35



> Arcane, outdated IT internal control systems

> Lost confidence of lenders and counterparties

> Senior management disregard for risk managers, risk policies, risk limits

36



> Repeatedly going to Board to raise risk limits and continually exceeding risk limits

> Removal of CRO

> Other banks were doing it

> Risk management model not changed to reflect new risky business model

37



> Not responding to internal audit findings

> Inadequate stress testing

> Doubling down

> Terminations for failure to meet revenue targets

38


POST DODD-FRANK: FINANCIAL FRAUD AND

LEGAL/COMPLIANCE BREAKDOWNS

> Dodd-Frank Wall Street Reform and Consumer Protection Act enacted July 21, 2010.

39


POST 2008 CRISIS - NON-FINANCIAL -

HEADLINE EVENTS

> BP

> Toyota

> News Corp

> Massey

> Chesapeake Energy

> Siemens

40


POST DODD-FRANK: LEGAL COMPLIANCE –

HEADLINE EVENTS

– BSA/AML

– FCPA

– OFAC

> Leading to criminal enforcement actions and/or supervisory consent orders involving DPAs, NPAs, and civil action including remediation plans and monitors

41


POST DODD-FRANK: LEGAL COMPLIANCE

> Global Bank: $2.0 billion fines and sanctions

– Anti-money laundering and sanctions violations

> Global Bank: $619 million fines and sanctions

– Illegal transactions with OFAC Sanctioned Countries

> Global Bank: $298 million fines and sanctions

– Illegal transactions with OFAC Sanctioned Countries

42


POST DODD-FRANK: STILL HAPPENING!

> Bribery and corruption are still widespread

> 39% of respondents reported bribery or corrupt practices occur frequently

> Control environment not strong enough

> Tone at the top diluted by failure to penalize misconduct

Source: 2012 E&Y 12th Global Fraud Survey

43


STILL HAPPENING!

> CFO respondents

– 15% willing to make cash payments

– 4% willing to misstate financial performance

– 46% attended anti-corruption training

– 46% of respondents said company would cut corners to meet targets

Source: 2012 E&Y 12th Global Fraud Survey

44


WHY DO THESE EVENTS CONTINUE?

> It Can’t Happen Here – Arrogant Suspension of Belief

45


SUSPENDING DISBELIEF – IT CAN HAPPEN

HERE, LEHMAN

> “At no point in time, until that Sunday, did I think it was a real possibility…..I did not think such a stupid decision could be made by intelligent people.”

Source: Lehman Lawyer, Corporate Counsel Magazine

46


WHY?

> If it is too good to be true, it probably is not

> Relationship between risk and reward

47


WHY?

> No one expected the unexpected

– House prices to fall

– Commercial paper markets to shut down

– Conservatorship

– No government bailout

– Greece, Cyprus, Spain, Italy

– Arab Spring

48


WHY?

> Failure to escalate and report

– “Doubling down” to avoid problems

– It ain’t the crime – it’s the cover-up

49


WHY?

> Everyone else is doing it….

– Safety in numbers

– Can't all be wrong

– Competitive disadvantage

– It is legal

50


WHY?

> Absence of an effective Enterprise-Wide Risk Management System at Board and Management Levels to proactively identify, assess, prioritize and mitigate risk.

51


WHY?

NO RISK CULTURE

> Lack of awareness and priority

> Complacency

> Arrogance

> Reliance on models

> Suspension of belief

> Accountability

> Escalation

> Clear roles and responsibilities

52


WHY?

EPM and Compensation Systems

> Rewarded the wrong behavior

> Did not incentivize the right behavior

53


WHY? - Lack of Sensitivity

> Stay sensitized

> Constant “headline training” and awareness

> Stay ever vigilant and mindful

> Be skeptical

> Constantly adjust risk-reward balance and risk tolerance

> Trust but verify

54


WHY?

Inadvertent vs. Advertent

> Inadvertent

– Lack of sensitivity and awareness leads to “bad” decisions or no decisions

– Business “justification” or “rationalization” clouds judgment – whether risk or violation of law or both

– Formal and informal reminders – training, tone at the top, risk culture

55


WHY?

> Ignoring Red Flags

– Lack of sensitivity

– Not seeing

– Disbelief

– Business justification

– Lack of verification

56


WHY?

> Regulatory arrogance

> Absence of regulatory and enforcement sensitivity

57


WHY?

Long-Standing Market Behavior

> Be aware of, and always self-assess, long-standing market behavior and activity

– Libor rate setting

– Market-timing cases

– Off-shore tax havens

58


WHY?

> Absence of a sound stress test and contingency plan to identify potential problems and risks, crisis management plans, and risk-adjusted analysis of business activities based on geography, lines of business, organization and governance.

59


WHY?

Models Failed

> Always think critically – be skeptical

> Use judgment

60


WHY?

> Absence of thinking forward with hindsight

– How will actions today be viewed with the benefit of hindsight

61


WHY?

Accountability

> Acceptance/tolerance of de minimus violations of law because there is “no harm” and the business or individual is a key producer or part of management.

62


WHY?

Use of Independent Reviews

> Need to conduct periodic third party assessments before problems occur to ensure periodic, objective, unbiased assessments of governance and risk management practices and business practices.

> Learn from mistakes

– Root cause analysis of problems after they occur

63


WHY?

> Management and Board indifference and tolerance of Internal Audit findings not being remediated

64


WHY?

> Lack of independence of internal control functions

– Legal

– Audit

– Compliance

– Risk

– Internal controls

65


WHY?

> Ineffective internal controls and ethical culture

> DOJ prosecution of investment bank employee for FCPA violations but not investment bank because it maintained an effective system of internal controls and culture designed to prevent violations of law.

66


WHY?

> Failure to focus on, identify and manage risk in significant business transformations

67


FAILURE OF MF GLOBAL HOLDINGS OCTOBER,

2011

> Report of Investigation of Louis Freeh, Chapter 11 Trustee of MF Global Holdings – February 16, 2012

Observations:

‒ Risky business strategy

‒ Significant business strategy transformation

‒ Inadequate systems and procedures

68



2011

> Failure to learn from earlier risk management failures

> Adoption of risk framework that was never fully implemented or embraced by management

– Escalation policy

– ERM policy

69



2011

> Failure to develop procedures to implement risk framework

> No stress testing

> Management ignoring internal audit reports of significant deficiencies

– Only 2 of 32 remediated – including implementation gaps in risk control systems

70



2011

> Lack of appropriate systems for liquidity monitoring

> Pattern of continued and sustained requests to the Board to increase exposure limit from $2 billion to over $8.5 billion

> Demotion and departure of Chief Risk Officer

71



2011

> “Doubling down”

> Suspension of belief – it can’t happen

> Governance breakdown

> No risk management culture

72


LIBOR RATE SCANDAL

> Major global bank agrees to pay $360 million to settle with the Commodity Futures Trading Commission and the Department of Justice over LIBOR interest rate manipulation charges on June 26, 2012.

73


LIBOR RATE SCANDAL – WHY?

> Bank Board of Directors commissioned an Independent Review: a 265 page Independent Review of the Bank’s Business Practices, released in April 2013

74


REPORT CONCLUSIONS: COMPENSATION

> “There was an over-emphasis on short-term financial performance, reinforced by remuneration systems that tended to reward revenue generation rather than serving the interests of customers and clients.”

75


REPORT CONCLUSIONS: BUSINESS

TRANSFORMATION

> “However, it is our view that this rapid journey, from a primarily domestic retail bank to a global universal bank twenty or so years later, gave rise to cultural and other growth challenges. The result of this growth was that Bank became complex to manage, tending to develop silos with different values and cultures.”

76


REPORT CONCLUSIONS: RISK CULTURE

AND CONTROL FRAMEWORK

> “To develop a consistently strong risk culture, Bank should communicate clear statements as to its Group risk appetite for all types of risk; embed adherence to Group risk appetite into all business units; reinforce limits with strong management action for breaches; and embed risk and compliance criteria in performance evaluations, and in remuneration and promotion decisions.”

77


REPORT CONCLUSIONS: ABSENCE OF

CULTURE OF ISSUE ESCALATION

> Bank should maintain robust arrangements for raising concerns (“whistleblowing”) which are perceived to protect those raising them and to lead to actions being taken to address the underlying culture and values issues. There should be regular reports to the Board which are detailed enough for the Board to form insights and to the culture and behaviors within the organization.

78



CULTURE OF ESCALATION

> “There is also evidence from Bank’s internal Employee Opinion Survey of a cultural unwillingness to escalate issues. A significant proportion of employees in the investment bank, for example, said that they were “reluctant to report problems to management”, and that they did not feel able to “report unethical behavior without fear of reprisal”.

79


REPORT CONCLUSIONS: CHECK THE BOX

> “These problems may have been caused, in part, by an inconsistent implementation of operational risk policies. In some business, Risk Control Assessments (RCAs), were viewed by the businesses as a ‘box ticking’ exercise and the responsibility of the Operational Risk function.”

80


REPORT CONCLUSIONS: COMMUNICATION OF

IMPORTANCE OF RISK MANAGEMENT

> “To develop a consistently strong risk culture, Bank should communicate clear statements as to its Group risk appetite into all business units; reinforce limits with strong management action for breaches; and embed risk and compliance criteria in performance evaluations, and in remuneration and promotion decisions.

81



CULTURE OF ESCALATION

> “There was also in some parts of the Group a sense that senior management did not want to hear bad news and that employees should be capable of solving problems. This contributed to a reluctance to escalate issues of concern.”

> “Bank should foster a culture where employees feel that escalating issues is safe and valued.”

82


REPORT CONCLUSIONS: LEARN FROM

MISTAKES

> “Bank should maintain effective processes for learning from its mistakes. It should endeavor to understand and address underlying root causes of issues so as to be able to apply lessons learned more broadly. Investigations should be carried out following a consistent Group-wide methodology.”

83


REPORT CONCLUSIONS: IDENTIFICATION

AND INTEGRATION OF RISK> “Bank should ensure its conduct, reputational and

operational risk framework includes the articulation of a tangible risk appetite statement and mechanisms to ensure that conduct, reputational and operational risk are fully factored into business decisions and governance.

84


REPORT CONCLUSIONS:

LACK OF ACCOUNTABILITY

> “We did not find it easy to discern who is responsible for each aspect of the daily management of risks and the associated controls. This is important if performance management is to reinforce accountability for risk…. In addition, risk and control themes were rarely mentioned in the actual performance assessments and were typically not explicitly weighted in the overall performance grade.”

85


REPORT CONCLUSIONS: LACK OF

INDEPENDENCE OF CONTROL FUNCTIONS

> “Most of the control functions in the business units reported directly to the business unit management as their primary reporting line. While we acknowledge that this enabled the function to collaborate closely with the business, we consider such arrangements could compromise their ability to challenge the business.”

86



OTHER HIGH RISK INDUSTRIES

> The banking industry can and should learn from the

business practices of other high-risk industries, for

example:

– focusing leadership and operational discipline on areas

of highest risk

– creating mechanisms for sharing risk-related data cross-

industry

– fostering a culture of speaking up

– working collaboratively with regulators and with other

stakeholders

87



OTHER HIGH RISK INDUSTRIES

– continually evaluating risks and the appropriateness of

business practices

– maintaining a balanced view of the different risks faced

– being vigilant about industry-wide practices which may

cause reputational and other risks

– focusing on managing not only individual or business-

level risks, but also organization-level and systemic

industry risks.

88


WHAT TO DO: REPORT OF SENIOR

SUPERVISORY GROUP: OBSERVATIONS ON

RISK MANAGEMENT PRACTICES DURING THE

RECENT MARKET TURBULENCE, MARCH 6, 2008

89


2008 REPORT

Summary of Key Observations and Conclusions

> Four Firm-Wide Risk Management Practices That Differentiated Performance

– Effective firm-wide risk identification and analysis

– Consistent application of independent and rigorous valuation practices across the firm

– Effective management of funding, liquidity, capital, and the balance sheet

– Informative and responsive risk measurement and management reporting and practices

90


2008 REPORT

Summary of Key Observations and Conclusions

> Senior Management Oversight that Differentiated Performance

– Balance between Risk Appetite and Risk Controls

– Senior Management’s Role in Understanding and Acting on Emerging Risks

– Timing and Quality of Information Flow up to Senior Management

– Breadth and Depth of Internal Communication across the Firm

91


2009 REPORT OF SENIOR SUPERVISORY

GROUP: RISK MANAGEMENT LESSONS

LEARNED FROM THE GLOBAL BANKING

CRISIS OF 2008, OCTOBER 21, 2009

Board Direction and Senior Management

> Increase board and executive engagement and to strengthen the resources, stature, and authority of risk management by:

– Increasing board and senior management engagement in risk management

92


2009 REPORT

Board Direction and Senior Management

> Improving risk reporting to the board and senior management

> Strengthening committee charters and the role of auditors and risk managers, including the chief risk officer’s membership on management committees

> Incorporating finance group into the risk management processes

93


2009 REPORT

Articulating Risk Appetite

> Insufficient evidence of board involvement in setting and monitoring adherence to firms’ risk appetite.

> Risk appetite statements are generally not sufficiently robust; such statements rarely reflect a suitably wide range of measures and lack actionable elements that clearly articulate firms’ intended responses to losses of capital and breaches in limits.

94


2009 REPORT

Compensation Practices

> Most firms recognize that past compensation practices were driven by the need to attract and retain staff and were often not integrated within firms’ control environments.

> Firms note the need to align better compensation with the risk appetite and are considering initial steps in this direction.

> Supervisors are concerned about the durability of proposed changes.

95


2009 REPORT

Information Technology Infrastructure

> The importance of a resilient IT environment with sufficient processing capacity in periods of stress is becoming increasingly evident.

> Firms are constrained in their ability to effectively aggregate and monitor exposures across counterparties, businesses, risk strands, and other dimensions because of ineffective information technology and supporting infrastructure.

96


2009 REPORT

Risk Aggregation and Concentration Identification

> Self-assessment responses suggest that identification of risk concentrations is an area of weakness; firms are now looking to automate identification of concentrations by counterparty, product, geography, and other classes.

97


2009 REPORT

Stress Testing

> Firms report enhancements to and increased use of stress testing to convey risk to senior management and boards, although significant gaps remain in their ability to conduct firm-wide tests; credibility of extreme scenarios, despite recent events, remains an issue for some firms. (emphasis supplied)

98


2009 REPORT

Liquidity Risk Management

> Organizational efforts to improve the coordination and

interaction between the treasury function, the risk

management function, and the business lines. The

extent to which such changes are formalized into

policies and procedures – and more important,

ingrained into the corporate culture – will determine

their sustainability and effectiveness. (emphasis

supplied)

99


WHAT TO DO? Develop a Risk Management

Culture and Ethical Culture

1. Self-assessment and testing

2. Escalation: encourage employees to raise the Red Flag early and often – early and often escalation of potential issues

100




3. Embrace whistleblowers – have systems and processes in place to facilitate

4. Incorporate into EPM and compensation systems

50% business results

50% compliance, risk and ethics

101




5. Develop and communicate to everyone risk tolerance and risk sensitivity

6. Training, Training, Training for everyone

102




7. Sensitivity and Awareness:

It can happen here, it will happen here.

Identify early, minimize consequences and have a plan.

8. Tone at the Top

Constant communication; commitment and involvement

Part of doing business – key part of tactics and strategy

Act like an industrial company – strive and pay for NO ACCIDENTS

103




9. Communication

10. Employees need to know what is expected; risk training and awareness programs should be implemented

on-line training and awareness

meetings

constant reinforcement and reminders

consistent, constant and by headline current example

104




10. Importance of an effective ethical and compliance culture consistent with the US Sentencing Guidelines

11. Investigate and learn from mistakes – root cause analysis

12. Be especially alert through business transformations

13. Risk awareness and culture in the business units and functions should be regularly monitored using techniques such as internal audit reviews, risk and control self-assessment workshops and employee surveys.

105


WHAT TO DO? Develop A Risk Management

Process

1. Self assessment to identify, prioritize, manage and mitigate risk

2. Organizational culture encouraging risk management

3. Establish Management Enterprise-Wide Risk Management Committee

4. Appoint a chief risk officer

5. Establish an Enterprise-Wide Risk Committee at the Board level

106


WHAT TO DO: Have Effective Enterprise-

Wide Risk Management (ERM) And Crisis-

Management Process And Governance At

The Board and Management Levels

> Enterprise-wide Risk Management is the process of identifying, assessing, prioritizing, managing and mitigating ALL risk that an enterprise faces.

> Crisis-Management is the process of addressing a risk that has materialized but ERM is the first step for crisis-management, litigation prevention, and loss mitigation.

107


SCOPE OF ERM

> Enterprise-wide Risk Management encompasses all of the risks that a company faces including, in no particular order

– Financial markets disruption

– Credit

– Interest rate

– Capital

– Liquidity

– Human Capital

– Transactional

– Data privacy

– Legal

108


SCOPE OF ERM

– Regulatory and compliance

– Enforcement actions by Federal or state criminal authorities

– FCPA

– Governmental investigations

– Cyber attacks

– IT

– Cloud Computing

– Business Continuity

– Operational

– Supply chain

– Financial disclosure

109


SCOPE OF ERM

– Document retention and disclosure (obstruction of justice or civil contempt)

– Executive misconduct

– Brand

– Reputational

– Vendors

– Business partners

– Third party service providers

– Customers

– Environmental

– Political – geographic

– Ethics and integrity

110


REQUIREMENTS FOR ERM

> There are a number of reasons to have an effective compliance process and enterprise-wide risk management system.

– Provisions of Sarbanes-Oxley and disclosure requirements regarding risk factors

– Federal sentencing guidelines

– NYSE corporate governance guidelines

111


REQUIREMENTS FOR ERM

– Credit rating agencies incorporation of ERM

– D&O Liability and litigation (Caremark, Stone Ritter, Disney, etc., etc., etc.)

> Accounting and audit review standards for Internal Controls Certification.

> Provisions of Dodd Frank

112


IMPORTANCE OF ERM AS A BUSINESS

MANAGEMENT TOOL

> But most importantly, critical ERM is essential to:

– Assess and analyze business and activities on a risk adjusted basis

sound strategic planning and financial management requires that all risks of every line of business and activity be assessed and balanced against profitability, and

113


IMPORTANCE OF ERM AS A BUSINESS

MANAGEMENT TOOL

higher risk businesses should have higher rate of return to justify and pay for risk mitigation efforts and potential liability.

– Recognize and prepare for interdependency of events.

114


IMPORTANCE OF ERM

> Sound Implementation of a proactive, preventative approach to risk management and compliance at both the board and management level is critical. It sends a clear message to the officers and employees of the company, and to the public, that these issues are not only legal requirements, but also ethical and cultural imperatives, and represent sound business practices which are part of the company’s culture.

115


IMPORTANCE OF ERM

> The nature and intensity of regulatory and enforcement responses to problems has increased significantly, and all indications are that this will continue.

> A proactive, preventative approach to risk management will help to minimize problems and, where problems do occur, to minimize the litigation, regulatory, enforcement, reputational and financial consequences.

116


CONCLUSION

> Pre-Sarbanes, Post-Sarbanes, Post Dodd-Frank: Same Issues and Problems Identified

> Categories of Events

– Legal/Compliance Violations

– Financial Fraud

– External Events:

Financial Crisis

Environmental Events

– Retroactive unacceptability of previous market practices

117


LESSONS LEARNED

> Culture

> Governance

> Behavioral

> Analytical

118


TAKE-AWAYS

> Have an Enterprise-Wide Risk Management and Crisis Management Process in place at the Management and Board levels that is effectively communicated and embraced at all levels of the enterprise and becomes a corporate cultural imperative.

119

Greenberg Traurig, LLP | gtlaw.com 120

Thomson Reuters Video Webinar Lessons Learned: Risk ... · Thomson Reuters Video Webinar Lessons Learned: Risk Management, Ethics ... –Causes –Post Dodd-Frank ... GLOBAL BANK

Documents