Enterprise Risk Management Framework

CONSUMER CREDIT DIVISION (CCD)
ENTERPRISE RISK MANAGEMENT FRAMEWORK
Document Owner: Sheryl Lawrence (CRO)
Version Number: V2.0
Document to be Approved By: CCD Board
Effective Date: 22-Jun-2015
Next Review Date: 30-Sep-2016
CCD Enterprise Risk Management Framework
v1.2
Version Control
Version   Date         Status     Comment
V0.1      25/06/14     Draft      Initial draft
V1.0      29/08/14     Approved   Updated for David Merrett and Internal Audit comments
V1.1      April 15     Draft      Revised V1.0 for review
V1.2      01/05/15     Draft      Draft reviewed for submission to EROC & CCD Board for approval
V2.0      22/06/2015   Approved   Approved by CCD Board
Related Documents
• Provident Financial Plc Risk Management Framework
• Provident Financial Plc Corporate Policies
• CCD Internal Governance Framework
• CCD Policy Framework
• CCD Risk Management Policy
• CCD Risk Event Reporting Policy
• CCD Level 1 Risk Frameworks
  - Business/Strategic Risk Framework
  - Credit Risk Framework
  - Customer & Conduct Risk Framework
  - People Risk Framework
  - Operations Risk Framework
  - Technology Risk Framework
  - Sourcing and Supplier Management Risk Framework
  - Financial Accounting & Reporting Risk Framework
  - Legal Risk Framework
  - Regulatory Risk Framework
  - Financial Crime Risk Framework
  - Funding and Liquidity Risk Framework
• CCD Compliance Manual
CCD - ERMF
Page 2 of 26
Strictly Private & Confidential – for internal use only
Contents
1 Purpose of the Framework ..... 5
2 Framework Overview ..... 5
3 Risk Principles ..... 7
4 Risk Culture & Capability ..... 8
  4.1 Culture ..... 8
  4.2 Communications ..... 9
  4.3 Capability ..... 9
5 Risk Organisation ..... 10
  5.1 Enterprise Risk Management (ERM) Function ..... 10
  5.2 Risk Oversight Functions ..... 10
  5.3 Compliance Function ..... 11
  5.4 First Line Risk Partners ..... 11
  5.5 Three Lines of Defence ..... 11
    5.5.1 First Line of Defence ..... 12
    5.5.2 Second Line of Defence ..... 12
    5.5.3 Third Line of Defence ..... 13
  5.6 Risk Management Forum ..... 13
6 Risk Committees ..... 13
7 Risk Categories/Universe ..... 14
8 Risk Appetite ..... 16
9 Risk Management Strategy ..... 17
10 Risk Policies & Frameworks ..... 17
  10.1 Level 1 Risk Framework ..... 17
  10.2 Level 2 Policy/Framework ..... 18
  10.3 Level 3 Processes and Procedures ..... 18
11 Risk Management Lifecycle ..... 18
  11.1 Risk Identification ..... 19
  11.2 Risk Measurement ..... 19
    11.2.1 PF Risk Assessment Model – Risk Impact ..... 20
    11.2.2 PF Risk Assessment Model – Risk Likelihood ..... 20
    11.2.3 Gross and Net risk ..... 21
    11.2.4 Model risk ..... 21
  11.3 Risk Response ..... 21
  11.4 Risk Monitoring ..... 21
  11.5 Risk Reporting & Escalation ..... 22
    11.5.1 Integrated Risk Reporting ..... 22
    11.5.2 Other Risk Reporting ..... 23
    11.5.3 Risk and Event Escalation ..... 24
    11.5.4 Risk data ..... 24
12 Stress Testing & Capital Planning ..... 24
  12.1 Stress Testing & Scenario Analysis ..... 24
  12.2 Capital planning ..... 24
13 ERMF Maintenance ..... 25
14 Glossary ..... 26
1 Purpose of the Framework
The Enterprise Risk Management Framework (ERMF) is a component of the CCD Internal
Governance Framework and fulfils the requirements of PF’s Risk Management and Risk
Appetite Frameworks. It provides a structured, joined-up and consistent approach to the
management of risks to and arising from CCD’s business strategy and environment.
[Diagram: the CCD Enterprise Risk Management Framework, shown in relation to the PF Risk Appetite Framework, the PF Risk Management Framework, the CCD Internal Governance Framework and CCD Business Strategy & Environment.]
Embedding the ERMF involves integrating the management of risk into business
management and decision making at both the strategic and operational levels.
2 Framework Overview
The ERMF comprises the following components:
[Diagram: Enterprise Risk Management Framework, made up of Risk Principles; Risk Categories/Universe; Risk Culture & Capability; Risk Appetite; Risk Organisation; Risk Management Strategy; Risk Committees; Risk Policies & Frameworks; Risk Management Lifecycle; Stress Testing & Capital Planning.]

• Risk Principles – form the foundations on which the ERMF is built. They represent the fundamental guidelines through which CCD achieves effective risk management practice.
• Risk Culture & Capability – CCD aims to deliver a culture of risk awareness, transparency and rewarding of correct behaviours that is championed by skilled and experienced risk people.
• Risk Organisation – identifies the roles and responsibilities of those involved in providing and operating the framework. CCD adopts the 3 lines of defence model.
• Risk Committees – support risk decision-making (first line) and oversight of risk exposures (second line).
• Risk Categories/Universe – provides a common language for the possible risks to which CCD may be exposed given its strategic objectives, business model, size and complexity. It also provides an organising structure for risk management activities and for risk data.
• Risk Appetite – aligns with PF’s risk appetite and expresses CCD Board’s boundaries of acceptable risk exposure to support achievement of CCD’s strategic objectives and business plan, in terms of risk appetite statements, measures and related limits/thresholds.
• Risk Management Strategy – details how a specific risk category or individual risk will be managed, in terms of policies and key controls, taking into account the current internal and external drivers of risk and within the overall context of CCD’s risk appetite.
• Risk Policies & Frameworks – provides additional detail and clarity for risk categories or individual risks:
  - Policies set out direction, responsibilities and requirements specific to a risk category (Level 1) or individual risks (Level 2).
  - Frameworks apply the ERMF to a specific risk category or provide detailed guidance as well as policy statements related to a specific risk.
• Risk Management Lifecycle – defines a structured set of processes for identifying, measuring, responding to, monitoring and reporting individual risks:
  - Identification – All CCD colleagues are responsible for the timely identification of risks and events, throughout the business. A programme of education and training driven by the ERM Function and line managers underpins this.
  - Measurement – consistent with PF, systems appropriate to the nature of the risks and controls are employed to evaluate and assess the likelihood and impact of the risk, and the effectiveness of control design and operation, setting priorities for further action. Where models are deployed, they are subject to appropriate levels of validation and monitoring to ensure they remain predictive and robust throughout their lifecycle.
  - Response – involves a planning phase to determine what action should be taken in response to a risk or event within the context of its measurement and CCD’s appetite for that risk, followed by an execution phase where agreed actions are implemented.
  - Monitoring – periodic or on-going review of risk exposures to determine whether risk and control measurements remain valid and within risk appetite.
  - Reporting & Escalation – timely, accurate, comprehensive, integrated and insightful collation of risk information to enable communication, escalation, monitoring and oversight.
• Stress Testing & Capital Planning – CCD contributes to PF’s capital and liquidity planning.
3 Risk Principles
The following principles govern CCD’s approach to risk management:

• Independent: CCD adopts the three lines of defence structure where the ERM Function and delegated Risk Oversight Functions are separate from business management who originate and own risks, and report to an Executive level Chief Risk Officer (CRO), ensuring the voice of risk is considered and valued.
• Robust: The ERM Function is ultimately responsible for the oversight and challenge to business management, and ensures appropriate delegated risk oversight and risk control are in place through policies, frameworks, tools, analysis and the Risk Oversight Committee.
• Integrated: The ERM Function, supported by the delegated Risk Oversight Functions, offers a business wide view of risk exposures, through the collation and integration of risk information into a single reporting structure.
• Technical excellence: CCD is committed to having people with the right capabilities in the ERM Function and delegated Risk Oversight Functions, to ensure CCD’s risk management activities are in line with industry ‘good practice’ and regulatory expectations.
• Proportionate: Risk management practice is commensurate with the nature, size, diversity and complexity of CCD’s strategic objectives and business model and sufficient to meet key stakeholder expectations.
• Integrated into decision making: CCD is committed to risk-informed decision making, based on a combination of analytically evidenced assessments and balanced subject matter expert judgements.
• Fair and Transparent: The ERM Function and the Compliance Function are committed to ensuring that risk decisions are taken in the customer’s best interests, ensuring customer outcomes (short and long term) are integral to the decision making process.
• Flexible and Dynamic: Risk management is a rapidly evolving field, driven by changes in technical analysis, regulatory expectations and the wider economic environment. It is therefore essential that CCD’s risk capability remains agile to respond to known and unexpected changes in the wider operating environment.
• Outward looking: CCD maintains a close watch on external events and industry ‘good practice’ to ensure its risk management capability continues to evolve, using strategic partners to augment internal skills where appropriate.
• Forward looking: The ERM Function, supported by the delegated Risk Oversight Functions, is focused on delivering a holistic view of CCD’s risk exposures, covering current profiles, historic trends and forecasts of future positions against a range of scenarios.
• Effective risk control: A key outcome of the ERMF and its principles is that the risks of the business are effectively controlled within Board approved appetites and limits.
4 Risk Culture & Capability
4.1 Culture
A strong CCD-wide risk culture is a key element of effective risk management. CCD aims to
deliver a culture of risk awareness, transparency and rewarding of correct behaviours. A
number of activities are undertaken to ensure consistency of message and appropriate
cultural reinforcement:

• Non-Executive Risk Education: A rolling programme of Board level briefings on key risk issues and projects ensures that all Board members are appropriately educated and risk aware.
• CRO & ERM Function briefings: Senior management briefings are delivered by the CRO & ERM Function to support a shared vision, philosophy and culture.
• Risk awareness briefings: A series of senior management briefings delivered to all key business functions, ensuring they understand their risk management roles and responsibilities.
• Modular risk training: Specialist risk training will be provided to those who are actively involved in providing and operating the ERMF based on identified training and development needs.
• Job descriptions: All job descriptions will specify risk management responsibilities and, where appropriate, include ‘risk management’ as an essential or desired competency.
• Staff appraisal: CCD’s performance development and review (PDR) process includes setting and appraising specific ‘Risk Management’ objectives for Executives, HOFs, Senior Managers and Managers.
• Staff surveys: Future surveys of CCD staff will consider the risk management culture to assess the effectiveness with which this is being embedded.
• Whistle-blowing: CCD offers protection against dismissal or any other detriment when an employee discloses information which is in the public interest or ‘blows the whistle’ on a specific event or practice.
• Incentive schemes: The CRO reviews and oversees remuneration and reward schemes and systems to ensure they are appropriate and supportive of CCD’s risk principles. The CRO is also involved in the review of executive performance.
4.2 Communications

• Enterprise Risk & Compliance SMT: ‘People’ is retained as a standing agenda item for these meetings to ensure recruitment, development and retention matters are given due consideration.
• Risk functional briefings: Key communications are cascaded consistently via members of the Risk Management Forum.
• Team meetings: Ensure the flow of key messages on a regular basis.
4.3 Capability

• Risk People Plan: Creates an integrated view of the ‘people agenda’ for colleagues in the ERM and Risk Oversight functions, including those that are delegated.
• Resource planning: The appropriateness of resources and the aggregate mix is reviewed periodically to ensure the ERM and Risk Oversight functions remain able to deliver their objectives.
• Integrated recruitment: Campaigns are run jointly across the specialist teams.
• Talent management: The ERM and Risk Oversight functions ensure colleagues with potential are identified and developed.
• Succession Planning: CCD recognises the importance of succession planning and ensures that across key risk roles appropriate talent management is used to plan for the future.
• Training & Development: On-going training and development is acknowledged as critical to retain top risk talent, ensure a continued awareness of emerging ‘good practice’ and integrate this learning into CCD.
• Strategic partnering: There is recognition that strategic partnering can bring benefits to CCD through transfer of knowledge, rapid progress or an external window to continued support and ‘good practice’.
• Rewards & Incentives: As with risk culture, the CRO and ERM function seek to embed appropriate criteria within the ratings process to encourage and to foster the development of risk capability across CCD.
5 Risk Organisation
The functions that report to the CRO are shown below.
[Organisation chart: the CRO, with the following reporting functions: Enterprise Risk Management; Credit & Financial Crime Oversight; Business Risk Oversight; Compliance; First Line Risk Partners.]
5.1 Enterprise Risk Management (ERM) Function
The ERM Function aims to:

• Establish and embed the ERMF such that CCD has an effective structured approach to ensure risk exposures do not exceed Board approved risk appetite and policies;
• Operate within the ERMF to provide an integrated view of risk appetite and transparent and insightful consolidated risk analysis and reporting to CCD Board and Risk Oversight Committee; and
• Maintain a CCD-wide perspective across all risks.
5.2 Risk Oversight Functions
The Risk Oversight Functions provide independent, expert advice, guidance and challenge to
CCD’s Board, Executive and Management in a manner that ensures:

• Risk coverage is viewed holistically to ensure risks do not fall between other functions;
• Risk strategy is integrated and resources are directed to those single or combined areas of risk most prevalent within CCD;
• Risk policies are consistent in level and style and reviewed to ensure no gaps exist;
• Risk reporting and communications form a total risk perspective and ensure aggregation and correlation issues are addressed; and
• Risk management is embedded as a core part of business processes.
5.3 Compliance Function
The Compliance Function has 2 primary aims:

• To support and challenge the business to ensure fair outcomes for customers are considered and embedded through having the appropriate frameworks in place.
• To interpret and implement regulatory change and provide pragmatic regulatory advice to all business functions within CCD.
Further details are set out in the Compliance Manual.
5.4 First Line Risk Partners
First Line Risk Partners provide first line risk management support to management and risk
committees. This involves:

• Ensuring risk appetite is understood across the business, used to inform risk decisions and regularly monitored.
• Providing support to the business to determine the appropriate response where it appears to be operating outside risk appetite.
• Working with business areas to ensure risks are identified, assessed, managed, reported and monitored, and that related controls are effectively designed, evidenced, documented and monitored.
• Facilitating risk assessments and documentation of key risks, controls, monitoring, and application of regulation and the design of effective controls.
• Providing guidance and support in relation to risk events or issues raised in audits, compliance reviews or regulatory investigations.
Details of the three lines of defence are provided in Section 5.5 below.
5.5 Three Lines of Defence
CCD adopts the ‘three lines of defence’ model which has become accepted practice within
the financial services industry with the following features and benefits:

• Risk is originated and owned by line management;
• The management of risk is integrated into business processes;
• Appropriate supporting arrangements exist to ensure independent risk expertise and assurance is available;
• Segregation of duties exists to ensure the avoidance of conflicts of interest within individual roles; and
• Risk management is a partnership between the Risk Function and the business.
First Line – Risk Origination, Ownership & Management: identify, manage and report on risks and events, including the risk registers and event logs; effective design, implementation and operation of controls; monitor risks, policy compliance and execution of controls.
Second Line – Risk Oversight Functions: provide oversight and challenge to 1st line; support the appropriate risk taking via policies, frameworks, tools, aggregation and analysis.
Third Line – Internal Audit: provides independent assurance over the first 2 lines of defence.
The key responsibilities for each line of defence are set out below.
5.5.1 First Line of Defence

• Establish and maintain an effective risk and control environment;
• Ensure key decision making recognises the associated risks, and balances both short and long term considerations;
• Identify and measure risks inherent in business objectives and activities;
• Respond to and control risks in line with approved appetite, frameworks and policies;
• Undertake first line monitoring of risk exposures, controls and policy compliance;
• Report risks to first line risk committees including the provision of Key Risk Indicators and relevant commentary;
• Promptly raise any risks and events at the appropriate level; and
• Record risks on risk registers and related systems provided by the ERM function.
Effectiveness will be evidenced through the successful delivery of the corporate plan with all
risks managed within CCD’s Risk Appetite.
5.5.2 Second Line of Defence
• Provide independent integrated oversight and challenge to the ‘1st line of defence’;
• Ensure Level 1 Risk Frameworks, including risk appetite, measures and thresholds, are developed and in line with industry 'good practice', providing guidance and support where required;
• Review and challenge the identification and management of risks and events, in line with approved appetite, frameworks and policies;
• Undertake second line monitoring of risk exposures, controls and policy compliance;
• Challenge first line risk reporting, including related systems and controls and data quality;
• Report to CCD Board and Risk Oversight Committee; and
• Support stress testing and scenario analysis to assess CCD’s risk exposures, risk mitigants and contingency arrangements under a range of environments.
Effectiveness will be evidenced through achievement of the Risk Management Strategy and
effective risk control.
5.5.3 Third Line of Defence
• Provide independent assurance to Executive and Board across the ‘1st and 2nd lines of defence’ and the appropriateness and effectiveness of internal controls. This is provided by PF Internal Audit.
Effectiveness is evidenced through timely delivery of an Audit Committee approved risk-based audit plan.
5.6 Risk Management Forum
HOFs and Senior Managers from the CRO Risk Functions and the First Line Risk Partners,
under the direction of the CRO, form the Risk Management Forum with the following
responsibilities:

• Consistently communicating a common risk vision and strategy;
• Ensuring clearly defined roles and responsibilities for risk management across CCD;
• Ensuring a holistic approach to integrated risk management;
• Creating a balanced risk focus with sufficiently robust independent challenge;
• Driving ‘best practice’ in each risk category; and
• Providing a positive working environment in which the Risk Function is trusted and respected, facilitating the recruitment, development and retention of skilled risk people.
6 Risk Committees
The committee structure supporting the management and oversight of risk is shown below.
[Committee structure chart. Group level: PF Board, PF Risk Advisory Committee, PF Audit Committee and PF Risk Advisory Group. Divisional level: CCD Board (Chair: PF CEO). First line: CCD ExCo (Chair: CCD MD); CEL Management Committee (Chair: CEL MD); CCD Customer & Conduct Risk Management Committee; and the SMTs for the Home Credit Business, Satsuma Business, glo Business, Commercial Function, Technology & Change Function and Finance Function (chairs labelled in the chart, in order: MD, HCD, NMD, NMD, CD, TCD, FD). Second line: CCD Enterprise Risk Oversight Committee (Chair: CCD CRO) and the Enterprise Risk & Compliance Function SMT (Chair: CRO). Third line: Internal Audit. Risk areas labelled in the chart: Strategy & Performance; Customer & Conduct Risk; Internal financial control; All other risk categories; Legal; Regulatory; Financial Crime; Business/Strategic; Conduct; Credit Issuing; Credit Collections; Technology; Operations; Credit Modelling; Fin Acc & Rep; Funding & Liq; Sourc & Supp.]
• First line committees support risk decision-making in relation to risks and events and continually improve the effectiveness of risk management and control;
• Second line committee reviews and challenges risk exposures against risk appetite, monitors external trends and developments and ensures the ERMF is fit for purpose; and
• CCD Board is responsible for the approval of the Risk Appetite Statements, measures and limits/thresholds.
7 Risk Categories/Universe
The principal categories of risk to which CCD is exposed, given its business strategy,
business model and operating environments are set out below:
Risk Category: Customer & Conduct Risk
  Risk Sub Categories: -
  Description: The risk that our behaviours, attitudes, motivations and actions lead to unfair customer outcomes or poor standards of customer conduct in any of our trading activities.
  First Line Committee: CCD Customer & Conduct Risk Management Committee (C&CRMC)

Risk Category: Business/Strategic Risk
  Risk Sub Categories: -
  Description: The risk arising out of the delivery of the Corporate Plan. This may arise through the selection of the wrong strategy, its improper implementation, a lack of responsiveness to external business developments or through changes in the business environment forcing deviation from the plan.
  First Line Committee: CCD ExCo

Risk Category: Credit Risk
  Risk Sub Categories: -
  Description: The risk that unexpected losses may arise as a result of customers or market counterparties failing to meet their obligations to repay the debt.
  First Line Committee: CCD Home Credit SMT; CCD Satsuma SMT; CCD glo SMT; CCD Finance SMT

Risk Category: Operational Risk
  Risk Sub Categories: People; Operations; Technology; Sourcing & Supplier Management; Financial Accounting & Reporting
  Description: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
  First Line Committee: CCD Technology & Change SMT (Operations & Technology risk); CCD Finance SMT (Financial Accounting & Reporting risk, Sourcing & Supplier Management risk, People risk)

Risk Category: Legal & Regulatory Risk
  Risk Sub Categories: Financial Crime; Regulatory; Legal
  Description: The risk of legal or regulatory sanctions, material financial loss or loss to reputation CCD may suffer as a result of its failure to comply with laws, regulations, rules, principles, self-regulatory organisation standards, and codes of conduct applicable to its activities.
  First Line Committee: CCD Risk Leadership Team (RLT)

Risk Category: Funding & Liquidity Risk
  Risk Sub Categories: -
  Description: The risk that CCD is unable to meet its financial obligations as they fall due.
  First Line Committee: CCD Finance SMT
Generic risks within these categories and relevant to CCD form the risk universe and contribute significantly to a common risk language. The risk universe is defined in Level 1 policies for each risk category.
8 Risk Appetite
The CCD Board establishes Risk Appetite Statements at divisional level and for each risk
category that describe those risks, and the aggregate amount, it is willing to take and those it
will not take in pursuit of its strategic objectives and business plans. These statements
support and align with the risk appetite approved by the PF Board.
The CCD Risk Appetite Statements for each risk category are supported by quantitative and qualitative measures of risk for which limits/thresholds are defined as:

• Green – acceptable, within appetite
• Amber – outside of appetite with formal plans to reduce risk sufficiently and in acceptable timeframes, relatively high confidence of delivery
• Red – outside of appetite with large scale, complex, insufficient, inadequate or no plans to remediate, reasonable degree of risk associated with their delivery
Volatile amber and green risks should be shown with a red outline where the risk is volatile due to external events which could result in impact or likelihood increasing rapidly, and where existing mitigating controls or future actions are appropriate but need to be reviewed frequently.
The Risk Appetite Statements, measures and limits/thresholds establish a framework for
taking risk decisions and may affect wider business decision-making. To be effective, these
statements, measures and limits/thresholds should be:

• based on forward looking perspectives of risk rather than on backward looking perspectives of loss;
• communicated to Executives, HOFs, Senior Managers and Managers who are responsible for taking risk decisions; and
• utilised by Risk Management and Oversight Committees to support and challenge risk decisions.
Risk category owners are responsible for proposing Risk Appetite Statements, measures and
limits/thresholds to the CCD Board for approval. The proposal should describe the approach
taken to developing and defining the risk appetite as well as the factors and influences
considered.
The ERM Function is responsible for reviewing the proposed risk appetites for each risk
category for consistency with each other and for alignment with PFG’s overall risk appetite
and for presenting a unified view to the CCD Board.
Performance against the risk appetite measures will form part of the monthly risk reporting and be assessed as follows:
Green
  Assessment: Acceptable, within appetite
  Reporting:
  • Sufficient & effective controls in place to manage the risk
  • No / minor historical risk events recorded
  • Monitoring on ongoing basis

Amber
  Assessment: Risk outside of appetite with formal plans to reduce risk sufficiently and in acceptable timeframes, relatively high confidence of delivery
  Reporting:
  • Risk outside appetite
  • Controls in place not adequate to manage risk
  • Historical risk breaches recorded
  • Monitoring required regularly and frequently until acceptable
  • Risk/action plans discussed at divisional Board level

Red
  Assessment: Risk outside of appetite with large scale, complex, insufficient, inadequate or no plans to remediate, reasonable degree of risk associated with their delivery
  Reporting:
  • Insufficient, inadequate or lack of controls to mitigate risk
  • Action plans do not reduce the risk within appetite quickly enough
  • Monitoring required frequently
  • Risk/action plans discussed at divisional Board level
  • Risk/action plans discussed at Group Board

Red Outline
  Assessment: Amber and Green risks where the risk is volatile due to external events which could result in impact or likelihood increasing rapidly, and where existing mitigating controls or future actions are appropriate but need to be reviewed frequently
  Reporting: -
Where more detailed measures are used for risk and control monitoring, the related
limits/thresholds should align with the risk appetite statements and limits/thresholds.
Risk appetite statements, measures and limits/thresholds are subject to annual review and
approval unless an earlier update is appropriate.
9 Risk Management Strategy
Risk category owners are responsible for defining the risk management strategy for each risk
category for approval by the CCD Board on an annual basis or more frequently if
appropriate.
The risk management strategy defines, in the context of CCD’s strategic objectives and
business plan, the overall approach to managing that risk category in terms of Level 2
policies and key controls. This necessarily takes into account the internal and external
drivers of risk within the risk category and must address what is required to ensure that the
risks remain within risk appetite.
The effective delivery of the Risk Management Strategy should result in CCD having an
effective risk and control environment for all of its risk categories, in which risk exposures are
managed within CCD Board approved appetites and limits/thresholds to ensure ‘no
surprises’.
10 Risk Policies & Frameworks
The Policies and Frameworks in place to support the management of risk categories and
risks are set out in the map in Appendix 1.
10.1 Level 1 Risk Framework
Risk category owners are responsible for documenting key aspects of the ERMF relevant to
their risk category in a Level 1 Risk Framework, including:
 Risk Categories/Universe – specify and define the generic risks that fall within the
category
 Risk Appetite – provide the Risk Appetite Statements, measures and limits/
thresholds approved by the CCD Board
 Risk Management Strategy – specify the internal and external drivers of risk and the
Level 2 policies and key controls that will be deployed to manage the risks in the
category
 Risk Organisation – define first and second lines of defence relevant to the risk
category
 Risk Committees – define the risk management (first line) and risk oversight (second
line) committees, as well as lower level supporting working groups as appropriate.
 Risk Management Lifecycle – specify the triggers that should initiate the risk
identification process, specific risk reporting and monitoring to be undertaken by the
first and second lines.
10.2 Level 2 Policy/Framework
These documents set out, for a specific risk, formal statements that give effect to CCD’s risk
principles and risk management strategies. They provide direction and guidance, as well as
establish responsibilities, requirements or limits. Risk category owners are responsible for
ensuring that the Level 2 policies specified in their Level 1 risk frameworks are assigned
owners who will develop, implement and monitor the policy.
10.3 Level 3 Processes and Procedures
Level 3 Processes & Procedures outline the processes and standard operational procedures
by which policies are implemented.
11 Risk Management Lifecycle
[Figure: Risk Management Lifecycle – Identify, Measure, Respond, Monitor, Report & Escalate]
11.1 Risk Identification
Executive and line management within the first line of defence are responsible for identifying
sources of risk, their causes and potential consequences. This is the identification phase of
the Risk Management Lifecycle. The aim is to generate a comprehensive list of risks and
events that might enhance, accelerate, delay or obstruct the achievement of objectives.
Comprehensive identification is critical because a risk that is not identified at this stage will
not be included in further analysis.
Risk identification should:
 Include consideration of knock-on effects
 Involve people with appropriate knowledge
 Consider relevant and up to date information
 Be initiated whenever there is likely to be a change in the nature of the risk
Risks should be identified, assigned an owner and recorded on Risk Registers by Senior
Managers and Managers within CCD and aggregated through HOFs and Executives for
consideration at the relevant risk management and oversight committees. It is the
responsibility of each HOF to determine, with an appropriate rationale, where Risk Registers
are maintained.
In addition, there should be a top-down risk assessment at least annually, linked to strategy
setting. The risk assessments required here should be set out in further detail within the
Business/Strategic Risk Framework.
11.2 Risk Measurement
Credit risk models and the adjusted PF’s risk assessment model, provided below, are the
primary tools used within CCD for measuring risks. The adjustments are intended to set
financial impact levels that are more appropriate to be applied at the functional level.
Whatever approach is used, the aim is to develop a detailed understanding of the risk and its
potential consequences. It is also important to consider the interdependence of different risks
and their sources. Any assumptions, gaps in information or other limitations should be noted
and communicated to those involved in the response phase of the Risk Management
Lifecycle.
11.2.1 PF Risk Assessment Model – Risk Impact
11.2.2 PF Risk Assessment Model – Risk Likelihood
Remote – May happen in a 50 year cycle (1 : 50 or 2%), e.g. loss of 1 Godwin Street
Unlikely – Could happen at some stage within a 1-10 year period (1 : 10 or 10%),
e.g. credit/economic cycle
Possible – within a 1-4 year period (1 : 4 or 25%), e.g. industry mis-selling
Probable – within a 1 year period or already happened (1 : 2 or 50%),
e.g. routine transactional
11.2.3 Gross and Net risk
All risk categories will use the PF’s risk assessment model to measure risk on a gross and
net basis. This will require management judgement on the effectiveness of the design and
operation of controls using the following criteria.
Design effectiveness
• Does the control activity clearly address the relevant control objective and risk
• Is the control documented well enough to allow an alternate to perform the control in
an emergency
• Has a control owner been assigned
• Consider if there have been any material incidents and/or regulatory breaches as a
result of the control activity not being appropriate.
• Have there been any Internal Audit reports or Compliance Monitoring results during
the quarter that provide cause for concern with regards to the design of the control
Operating effectiveness
• Is the control monitored
• Have there been repeated instances of non-performance of the control during the
quarter
• Has the control failed to operate during the quarter
• Is there evidence of control performance
• Have there been Risk Events due to the non-performance or break in control
• Have Internal Audit and/or Compliance Monitoring reported that the key control has
not been performed.
11.2.4 Model risk
As CCD evolves its disciplines with regards to quantitative model development,
implementation, usage and monitoring, the Risk Oversight Functions will ensure there are
appropriate controls surrounding model risk throughout the model lifecycle.
11.3 Risk Response
Decisions on how to respond to a specific risk will depend on its criticality to business
objectives and on how the net risk compares with risk appetite. Selecting the most appropriate
response involves balancing the associated costs and benefits and being alert to knock-on
risks or unintended consequences.
Response options include:
 Avoiding the risk by terminating or not starting the activity that gives rise to the risk
 Taking action to change the likelihood or the potential consequences
 Accepting the risk
Accepted risks must be documented, including rationale, approved at an appropriate level
depending on the scale of the risk, and monitored periodically.
Controls implemented to bring gross risks within appetite must be assigned an owner,
documented, monitored and evidenced.
11.4 Risk Monitoring
Monitoring involves regular checking and review by all lines of defence with the aim to:
 Ensure controls are effective and efficient in design and operation
 Learn lessons from events, including near misses
 Detect changes in the nature and scale of the risks and in the internal and external
environment
 Identify emerging risks
Regular checking and review will take the form of:
 on-going monitoring, including 121s/challenge meetings, risk committees/working
groups, monitoring key indicators
 separate evaluations, including sample-based checks, ‘deep dive’ reviews and control
testing
It is the responsibility of each line of defence to plan their monitoring activities commensurate
with the gross and net risk assessments, level of change in the internal and external
environment, as well as the degree of complexity, formalisation and centralisation.
A summary of the monitoring plans for the first and second lines will be captured in the Level
1 policy for each risk category.
Results of monitoring will be recorded and provided to the appropriate risk management and
oversight committees.
11.5 Risk Reporting & Escalation
The ERM Function is the focus for integrated risk reporting and escalation across CCD,
ensuring that risk reporting at all levels provides clarity on the current risks and events and
supports decision making.
Risk reporting is subject to continued evolution with the following key principles embedded:
 is focused and provides insightful commentary, analysing themes and trends to help
inform and prioritise business decisions and actions;
 informs the formulation, challenge and oversight of Risk Appetite;
 provides a multidimensional view across businesses and risk types through a
standard set of key risk criteria and metrics;
 includes forward-looking analysis under a range of potential scenarios; and
 enables the governance and oversight of risk management activities.
11.5.1 Integrated Risk Reporting
The CRO is responsible for preparing the CCD ERM Report which integrates risk information
across all risk categories. The report provides an integrated view of the current and
emerging risk profile of CCD, performance against risk appetite, impacts on corporate plan
and external risk influences. The main sources of information are shown below.
The Risk Dashboard and Heat Maps are the primary form of regular first line risk reporting.
These are prepared and reviewed monthly by the relevant first line committees. The CCD
ERM Report is prepared and reviewed monthly at the Enterprise Risk Oversight Committee.
The following principles govern risk reporting:
 Environmental monitoring: External events or circumstances may change risk
measurements rapidly and frequent monitoring is undertaken to ensure that existing
controls and future actions remain appropriate. These risks are identified on the risk
heat map using a red outline.
 Risk benchmarking: CCD undertakes to periodically review its risk profile and risk
management practices against external sources.
 Risk forecasting: A forward-looking approach is integral to the management
judgement applied within risk reporting. Risks should be noted as volatile where
external events that are wholly or largely outside of PF’s control could quickly change
the status of a risk without warning.
 Reporting standards: The ERM Function validates its own models and reporting to
ensure reporting is based on data and information sources with the highest standards
of integrity, accuracy, timeliness and relevance.
11.5.2 Other Risk Reporting
 ‘Deep dive’ reviews: In addition to regular risk reporting, additional reports will be
prepared for the Risk Management and Oversight Committees that provide further
detail on key issues, major exposures and developments. These may be based on a
rolling programme of reviews or triggered by specific risks and events or control
deficiencies identified through risk management activities. Each committee should
have a ‘calendar of events’ that sets out the forward schedule of risk information to be
provided.
 Material control failures: any control failure with an operational loss exceeding
£500k must be reported to the Risk Oversight Committee, including the nature of the
event, the underlying cause, the impacts and any actions taken/planned to address
the event.
 Risk oversight reports: These are prepared by risk category for discussion at the
Risk Oversight Committee with the aim to present oversight outcomes and concerns
and review progress on oversight activities. These reports are scheduled so that each
category is covered at least twice a year.
 CCD Board: An overview of the most significant risks to CCD’s strategic objectives
and business plan, across all risk categories, is reported to the CCD Board bimonthly.
This includes key current risks and events and position against risk appetite.
 PFG Advisory Group/Committee: CCD risks that are material to the Group, material
control failures in excess of £1m, and performance against risk appetite are reported
quarterly or sooner in line with the escalation requirements below.
 External risk reporting: CCD risk information may be included in external reporting
including the annual report and accounts, and risk capital reporting (Pillar 3
disclosure). The CRO and Risk Oversight Committee will ensure that these reports
contain relevant, reliable, understandable and comparable information that is useful to
external stakeholders.
 ERMF embedding: The CRO will provide an update to the CCD Board on the
deployment and effectiveness of the ERMF on a half-yearly basis, including an
opinion on adherence to the risk principles, a summary of progress and status of risk
culture and capability development and the effectiveness of the delegated risk
oversight model.
11.5.3 Risk and Event Escalation
Risks and Events need to be reported in a timely manner as set out in the CCD Risk
Management Policy and the CCD Risk Event Reporting Policy.
11.5.4 Risk data
Each process in the Risk Management Lifecycle generates risk data that is the basis for risk
decisions and risk reporting, and forms a key input to risk models. Strong data management
and control is therefore required to ensure integrity and availability:
 The specific data fields to be captured and retained should be specified along with
quality expectations
 Data capture processes should be reviewed periodically with a view to continuous
improvement
 Data quality should be sufficient to allow causal analysis, statistical analysis and
analysis of loss behaviour that may result from trends in the internal and external
environment
12 Stress Testing & Capital Planning
12.1 Stress Testing & Scenario Analysis
Stress Testing and Scenario Analysis may be deployed from time to time as required to
support CCD’s strategic planning or as directed to support PFG’s capital and liquidity
planning. The approach used should follow the Risk Management Lifecycle and include
processes for identification, measurement, response, reporting and monitoring.
12.2 Capital planning
Capital planning is coordinated by PF and from time to time CCD is required to input risk
information to the process.
13 ERMF Maintenance
The ERMF is owned by the CRO and is submitted to Enterprise Risk Oversight Committee
for review and challenge ahead of approval by the CCD Board. It is also to be submitted to
the Head of Corporate Strategy & Risk to ensure consistency and alignment with PF
requirements and the PF Risk Advisory Group for information. The ERMF may be reviewed
on a more frequent basis in the event of a material change in business strategy or CCD’s
operating environment.
It is the responsibility of the CRO (supported by the ERM Function) to review and maintain
the ERMF and ensure its effective implementation, advising any material changes to
Enterprise Risk Oversight Committee for review and CCD Board for approval.
14 Glossary
Control – A process, action or activity effected by the CCD Board, management and/or
other colleagues, designed to minimise either or both of the impact or probability of a risk
crystallising, avoiding the loss or damage or failure to meet a strategic objective or
business plan.
ERC – Enterprise Risk & Compliance
CRO – Chief Risk Officer
ERMF – Enterprise Risk Management Framework
Event – A risk that has crystallised.
Gross risk – The probability and impact of the risk, before any mitigation or controlling
activities.
Net risk – The probability and impact of the risk, after any mitigation or controlling
activities.
Risk – An event that, if crystallised, would detract from the achievement of CCD’s strategic
objectives or business plan.
Risk category – A group of risks that are classified together because of common
characteristics.
Risk category owner – The Risk Oversight Function with primary responsibility for the
effective oversight of the risk category.
Risk owner – The individual or role holder with primary responsibility for the effective
identification, management, monitoring and reporting of the risk.
Standard operating procedures – A high level description of the essential steps,
responsibilities and, where appropriate, work organisation to complete the tasks associated
with processes and policies.