Incorporating ERM Successfully

Laura Olle
Chief Enterprise Risk Officer
Capital One Financial Corporation

Capital One at a Glance

• A leading financial services company
• 6th largest credit card issuer in the U.S.; 6th largest issuer in the UK
  – $71 billion in managed loans
  – 47 million accounts
• Located in 8 U.S. cities, Canada, U.K., France and South Africa
• A FORTUNE 200 Company (#200)
• Numerous awards including:
  – Top 100 training organization – Training magazine
  – One of the “Best Companies to Work for” in the U.K. – The Sunday Times
  – “A top 100 company in Customer Relationship Management” – CIO magazine

The need for more formalized risk management results from internal and external forces

Capital One is a large and complex organization

                          1995          2003
Customers                 6 million     47 million
Loans                     $10 B         $71 B
Associates                3,000         17,000
Business                  Card focus    Diversified
Organization structure    Functional    20+ LOB’s
Asset type                Prime         Full spectrum

External events have undermined confidence

Corporate Failures
  – Enron
  – Worldcom
  – Tyco
  – ImClone
  – Quest
Monoline Credit Card Failures
  – Providian
  – Metris
  – Nextcard
Wall Street Revelations
  – Biased equity research
  – IPO allocations
  – Market timing scandals

Increased scrutiny from regulators, rating agencies, and analysts

Value in a more sophisticated approach

Our increasing size and diversification strategy required that we make risk management much more explicit

[Figure: Risk Management Elements, each marked as either “New or increased emphasis” or “Previously in place”. Elements shown:]
• Formalized Explicit Decision Making Governance
• Annual Risk Identification & Assessment
• IBS Testing
• Conservative Reserves
• Conservative Credit Decisioning
• High Quality Hiring Standards
• Customer Value Emphasis
• Collaborative Decision Making
• Enhanced Procedures and Controls
• Updated Policies

Our goal is to avoid some key pitfalls as we transition into a truly great company that values managed risk taking

[Figure: Organizational Evolution. Axes: Culture of Discipline (Low to High) and Ethic of Entrepreneurship (Low to High). Quadrants: Hierarchical Organization, Great Organization, Bureaucratic Organization, Start-up Organization.]

Capital One has taken a number of actions to strengthen risk management and governance

• Declared risk management to be a strategic imperative in 2002
  “Embrace formal controls and governance to enable continued successful growth”
• Build a state of the art risk management process
• Make effective process controls commonplace
• Create a culture that values “Managed Risk Taking”
• Created independent Credit Risk Management and Enterprise Risk Management functions (headed by Peter Schnall and Laura Olle)
• Implemented a new governance structure in 2003, including Executive Committee and five sub-committees

We’ve established a risk management style that best fits our culture

‘Top Down’ Risk Management Style
• Strategy and process defined from ‘the center’
• Implementation of the strategy performed by associates from ‘the center’
• Monitoring and control are the responsibility of ‘the center’

‘Bottom Up’ Risk Management Style
• Strategy and process determined at business area level
• Implementation of the strategy performed by business area associates
• Risk monitoring and control are the responsibility of the business area

‘Integrated’ Management Style (Best Fit)
• Strategy and process defined by the center, in collaboration with business areas
• Implementation of the strategy performed by business area associates with corporate support
• Risk monitoring and control are the responsibility of the business area

We drew upon internal and external expertise to develop our Enterprise Risk Management (ERM) function

• Followed a structured process with leadership, oversight and involvement by senior management and the Board
• Considered current risk management capabilities
• Assessed industry best practices and regulatory expectations
• Involved external subject matter experts in risk management and regulatory matters

The ERM Department strengthens Capital One’s ability to manage risk

ERM Mission: To drive Capital One’s capability to balance risk and reward and to minimize surprises by:
• Leading the development of an environment where consideration of risk is a natural part of everyday management and decision-making
• Providing tools, methodologies, and standards to enable business areas to assess and manage their own risk
• Independently monitoring, assessing and reporting on key risks

ERM drives the overall governance of risk management

Risk Management Governance Model

Board of Directors
• Ultimate responsibility for oversight of risk management

CERO / ERM Committee
• Synthesizes issues for the Board
• Establishes ERM policies and tolerances
• Reviews significant risk issues
• Ensures governance and infrastructure for the ongoing management of the risk profile

Business Area Managers
• Own risk management and mitigation
• Perform risk assessments at least annually
• Provide assertions on risk exposure for their business area

We structured our approach after the COSO framework

Organization and Culture
• Organizational structure
• Accountability
• Authority levels
• Staffing and capability
• Ethical values and integrity
• Risk management philosophy & culture
• Risk Limits

Objective Setting
• Strategic and budget planning process
• Measurability and alignment of objectives
• Communication and understanding of objectives

Monitoring
• Business performance monitoring
• Risk measurement and analysis

Risk Assessment Process
• Risk management and control self assessment
• Independent evaluations
• Execution
• Risk (event) identification
• Risk evaluation
• Risk response

Information and Communication
• Information infrastructure
• Common reporting metrics
• Information reports
• Communication channels & methodologies

Ongoing Control Activities
• Business process and IT controls
• Physical controls
• Control documents – policies, procedures, standards and guidelines

Capital One took a holistic approach to risk

ERM process looks at all aspects of risk, including:
• Operational
• Credit
• Compliance
• Legal
• Market
• Liquidity
• Strategic
• Reputation

Establishing these categories helps assure that all risks are considered and that information about significant risks from different business areas, processes, and geographic areas can be aggregated and reported to support our enterprise-wide risk management program.

2003 ERM activities were directed at building many components in the framework

[Figure: 2003 activities placed around the framework components Organization and Culture, Objective Setting, Risk Assessment Process, Information and Communication, and Ongoing Control Activities. Labels in the diagram: ORSA, Significant Risk Report New Venture Assessment Risk Mitigation Event database KRI Pilot ERMC Reporting Package Change Management Policy Playbook Policies, Spreadsheets ERM Governance, ERM and BRO staffing ERM Policy Program Foundation Course Risk appetite Compliance/CROW MonitorN ERMC Reporting Secura assessment Regulatory exam Audit reviews]

There are four key players in our approach to managing risk

• ERM: Drives Capital One’s capability to balance risk and reward and to minimize surprises; sets overall approach to managing risk
• Risk Stewards: Determine the approach to manage a specific risk category
• Business Areas: Accountable for managing risk and following the defined approach
• Internal Audit: Test and validate controls and that the approach is being followed

[Figure: the four players, with B.R.O.s shown alongside each of them.]

We faced challenges in working disciplined risk management into our culture

Our organizational personality was geared towards entrepreneurialism
  – Historical aversion to formalized structure
  – Company was evolving from “start-up” to complex Fortune 200 organization

Leadership support and local ownership of risk have helped us overcome these challenges

Keys to success
• Leadership Support
• Local ownership of risk
• Corporate imperative
• Business Risk Officers

We continue to consider ways to further drive the use of risk-related measures

• Position reporting (credit exposure, liquidity, ALCO, etc.)
• Loss experience (operational loss events, NACO, delinquencies)
• Monitoring of risks and controls (KRIs)
• Stress testing
• NPV/IRR
• Proactive measures (self assessments)
• Risk-based performance measures
  – SVA (Shareholder Value Added)
  – RAROC (Risk Adjusted Return on Capital)
• Capital allocation

Long-term benefits of implementing ERM

• Improved risk-adjusted returns and reduced surprises
• Improved strategic decision-making
• Improved understanding of risks and control effectiveness
• Support for growth and strategic initiatives
• A culture that values managed risk-taking
• Meeting expectations of external stakeholders
• Greater shareholder value (greater EPS and P/E ratio)

Strengthening our risk management culture is a multi-year proposition

• Formalizing Risk Management: Formalize the building blocks
• Comprehensive Risk Management: Put in place everything we need
• Integrated Risk Management: Make sure it all works together

Thank You