November 7, 2000

World Bank Risk
Management Seminar
Corporate Governance and
ERM:
A Framework for Integrating Risk
and Performance Management
May 21, 2004
Presented by:
Richard C. Reynolds, PwC Partner
PricewaterhouseCoopers LLP
Agenda
I. Overview of Enterprise-wide Risk Management
II. Designing and Implementing an ERM Framework and Organization Structure
III. Impact of International Financial Reporting Standards on ERM
2
PwC
Overview of COSO ERM Framework
• COSO ERM project launched in 2001 (PwC Authored)
• Builds on COSO Internal Control Framework (PwC Authored)
• Consists of conceptual framework and application guidance
Application
Guidance
Framework
Why ERM is Important
• Underlying principles:
  - Every entity, whether for-profit or not, exists to realize value for its stakeholders.
  - Value is created, preserved, or eroded by management decisions in all activities, from strategy setting to operating the enterprise day-to-day.
• ERM supports value creation by enabling management to:
  - Deal effectively with potential future events that create uncertainty.
  - Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
Enhancing Management Capabilities
Enterprise risk management provides enhanced capabilities to:
• Align risk appetite and strategy
• Link growth, risk and return
• Enhance risk response decisions
• Minimize operational surprises and losses
• Identify and manage cross-enterprise risks
• Provide integrated responses to multiple risks
• Seize opportunities
• Rationalize capital
Framework Components
The Framework Has Eight Interrelated Components
The COSO ERM Framework lays the foundation for
organizations to advance ERM.
Ensure market
understands risk
adjusted performance
Strategy
selection
Set value targets to
satisfy investor and
analyst expectations in
line with well
articulated risk
appetite
Capital
allocation
Improving/maintaining credit rating
Improved risk management strategy
Value and risk
management
principles
Link executive
remuneration to value
creation to align
management and
shareholder interests
Improving shareholder value
Economic capital savings
Investor and
credit rating
agency
communication
Reward
Schemes
Opportunities
Closer working relationship between
Finance & Risk functions
Alignment of individual’s compensation
to risk-sensitive behaviour
Performance
reporting
Improved MI in other related areas
Set performance
measures to drive
creation
Cost reduction through organisational
realignment and/or process
improvement
Leading organizations have many building blocks in place. The
challenge is in creating seamless connectivity top to bottom.
SVA / Risk Adjusted
Performance Measurement
Active PM
Portfolio Risk
Identification
Link risk adjusted performance measurement to
shareholder value and planning processes

Align performance measures with desired behavior

Rebalance, hedge the portfolio (capital optimization)

Correlation, VaR, marginal contribution

Manage concentrations through limits

Establish allowances (capital preservation)

Portfolio reporting and analysis


Aggregation of exposure (notional & risk adjusted)
Analysis of Loss & default experience

Data management / MIS

Relationship profitability analysis

Risk adjusted pricing (value creation - MTM / RAROC)
Structuring individual transactions
Transactional risk management

Allocation of limits to clients / products

Risk Assessment

Risk Modeling
Pricing Analysis
Transactional risk identification
Data Management

Client, Industry and Market information

Data acquisition, maintenance and distribution
Linking the Building Blocks
Traditional PM

However, beyond financial risks, executives have a much
different view as to what are the most significant risks.
How important are the following risks to your institution’s financial services business?
(percentage of respondents rating each risk as the biggest their organization faces)
Non-Financial Risks
Financial Risks
Credit Risk: 34%
Reputational Risk: 53%
Market Risk: 23%
Regulatory Risk: 28%
Operational Risk: 24%
Political/external risk: 11%
• Source: Economic Intelligence Unit and PricewaterhouseCoopers survey of 160 senior financial executives
Leading organizations are moving towards an integrated
approach to governance, risk and compliance.
Governance
Determining
Objectives
and Knowing
We Are Executing
Appropriately
Enterprise Risk Management
Identifying Risks That May Affect Our Ability to
Achieve Objectives
And Determining How to Respond
Compliance
Executing as Expected To Support Achievement of All Objectives
They are also implementing frameworks that deliver integrated
profitability and risk information for decision making…
Best Practice Methodologies for Managing business functions
Revenue
Cost
Market
Profitability
Credit
Op.
Risk
Risk-adjusted Performance
Shareholder Value Drivers
Organizational Level
Legal Entity Level
Business Unit Level
Product Level
Customer Level
Achieving operational
excellence
Enabling consistent
business management
Tactical, operational
and strategic
decision support
Integrated Planning
Cycle
Achieving Strategic
Excellence
Shareholder Value Creation
Revenue
Cost
Profitability
Market
Earnings Sensitivity
Credit
Risk
Risk-adjusted Performance
Shareholder Value Drivers
Op.
Organizational Level
Legal Entity Level
Business Unit Level
Product Level
Customer Level
Scenario analysis
Complexity Modeling
…and support forward looking analysis for strategic planning.
Impact on future earnings and Shareholder Value
Risk measures are aligned with both control objectives and value
creation targets to provide management a dynamic view of current
financial results and risks to the strategic plan.
Types of Measures:
Value
Metrics
Focus:
Strategy
Dashboard
Value Metrics – financial and non-financial measures that
demonstrate value creation for investment community
Corporate Dashboard – provide management with insight into
actions that need to be taken to achieve strategy
Key Risk Indicators*
Key Risk Indicators
Leading Indicators
(Proactive)
Focus:
Steady
State
Leading/Risk Indicators – identify systemic
issues or causal factors related to strategy; and
they are tactical and predictive
Escalation Triggers – are reported after a
predetermined trigger is tripped, they are designed to
facilitate management intervention prior to day-to-day
risks manifesting beyond an expected or acceptable
tolerance.
Escalation Criteria
(Reactive)
Lagging Indicators
Lagging Measures – are after the fact
Transactions and Data
* PwC defines key risk indicators as measures that can be collected at
ANY time during the period as required by management
Strategic risk management focuses on balancing capital
optimization with capital preservation.
Transaction
Relationship
Line of Business
Analyze
Portfolio
Structure
Enterprise
Measure
Monitor
Capital Optimization
Report
Capital Preservation
Too often, the pendulum swings: towards lax controls and overly aggressive risk taking in good times, and overly
restrictive controls and risk aversion in bad times.
We have utilized the following framework with several leading financial
institutions to gain better role clarity, particularly around the integration of
strategic, financial and risk management planning.
Validate/refine strategy
Business
Cycle
Business Strategy and Planning
• Business mission and strategy
• Value proposition and risk appetite
• Organization and governance
• Business planning and budgeting processes
• Capital allocation and balance sheet management
• Business and individual performance objectives
Key
Controls
Limits
Capital
Business Process and Execution
• Risk policies and procedures
• Risk measurement methodologies
• Risk-based pricing and customer profitability
• Risk aggregation and reporting
• Active portfolio and balance sheet management strategies
Evaluation
• Value drivers
• Internal reporting
• Performance measures
• External disclosure
Procedures
Policy
Analysis
Reporting
Re-allocate capital/limits
Risk Management Systems Infrastructure
ERM is a key enabler of value creation and preservation
Value is created, preserved, or eroded by management decisions,
from strategy setting to operating the enterprise day-to-day.
Trust
Transparency
Performance
Reputation
Brand
Agenda
I. Overview of Enterprise-wide Risk Management
II. Designing and Implementing an ERM Framework and Organization Structure
III. Impact of International Financial Reporting Standards on ERM
A thorough understanding of your business objectives is critical to
designing an infrastructure that meets your specific needs and fits
within your culture and environment.
Enterprise-wide Risk Management Framework
Environment
Environment
Environment
Infrastructure
Process
Strategy
Business Mission
and Strategy
Risk Strategy
Validation/
Reassessment
Value Proposition
Risk Appetite
Risk
Assessment
and Action
Risk
Awareness
Organization
& People
Culture
Limits &
Controls
Methodologies
Training
Operations
Systems
Communications
Value
Evaluation
Measurement
and Control
Data
Policies
Performance
Measures
Reporting
Rewards
The starting point is to define a clear mission statement for the
Corporate Risk Manager.
Key themes in a Mission Statement of the Corporate Risk Manager
Protect the franchise
Avoid surprises, no unexpected losses
Acknowledge the sources of earnings volatility
Facilitate risk taking
Support efficiency of capital usage and performance evaluation processes
Mold the risk culture
Partner with the business
Build a risk management network
Report v. manage
Devolve risk management from the corporate level into the business units
The mission must balance the risk management objectives and
the complexity of the risks assumed by the organization.
Risk Management Styles
Strategic:
A
• Assist in molding views of
regulators
• Frequent global stress testing to
analyze potential impacts of
market events
• Risk Management partners with
the business in decision-making
• True understanding of positions
and risks
• Development and analysis of
risk-adjusted returns
B
C
D
E
F
Your Company????
Control Focused:
I
Control Focused
G
J
H
K
M
L
Simple
Complex
Risk Profile
• Respond to requests by
regulators
• Quarterly stress testing at the
desk or business unit level (to
meet regulatory requirements)
• Risk Management performs a
purely limit monitoring role
• Monitoring of positions and
risks against limits
The next step is to define the overall approach for corporate risk
management. Below is an illustration of a risk management
framework.
Risk Control
Framework
Limits
Re-allocate capital/limits
Capital
Procedures
Policy
Analysis
Reporting
The allocation of capital to the business units:
• signifies approval of the business plan
• serves as an overall limit on risk taking activities
• provides a benchmark for required returns
Risk management policies and procedures:
• define and set the standards for Client risk taking activities
• set parameters for permissible risk taking
• clearly define roles, responsibilities and accountabilities
An effective risk and performance reporting framework:
• provides timely feedback to evaluate the business strategy
• effectively communicates risk, elevates awareness and promotes consistency and transparency
• ensures monitoring of policy compliance
Integrating risk into the strategic planning and budgeting process is also
key. Annual business plans form a contract with shareholders for the
management of capital and required returns.
Annual Business and Risk Management Planning Process
Business
Units
Financial
Control
Corporate
Risk
Management
Formulate
Assist
Approve
Annual Business Plan
• Strategy
• Product and service offerings
• Capital budget
• Forecasted absolute and risk
adjusted returns
• Key risks and limits
• Infrastructure weaknesses and
action plans
• Other information
Total Return
Capital
Shareholders
ERM reports should clearly articulate the nature of the business,
including key risks, profitability, the risk-reward relationship and
the impact of external events.
RISK REPORTING OBJECTIVES:
• Do we acknowledge, understand and articulate our risks clearly, accurately and comprehensively?
• Are these risks aligned with our stated risk appetite and strategy?
• Are we being adequately compensated for these risks?
• Are we overly reliant on any revenue, risk or other concentrations that could adversely impact the quality or sustainability of earnings?
• What is the quality and sustainability of our earnings stream?
• What is the impact of the current and potential external environment on our business?
An effective ERM reporting framework should address the daily,
monthly and quarterly objectives of the target risk management
audience.
Enterprise-Wide Risk Reporting Framework
Risk Reporting Objectives:
• Heighten Awareness and Transparency of ALL Risks
• Include Quantitative and Qualitative Information
• Promote Shareholder Value Creation
Daily Risk Summaries
Monthly Risk Packages
Quarterly Risk Package
Key Objectives:
• Identify risk issues that require
immediate attention and
potential management action by
reviewing:
- limit excesses
- risk concentrations
- P&L changes
- market/credit/operational
risk events
Key Objectives:
• Reaffirm risk appetite, business
propositions and boundaries by
assessing:
- risk profile
- performance
- internal and external
business environment and
risk implications
Key Objectives:
• Promote shareholder value
creation by evaluating:
- capital/resource allocation
decisions
- earnings reliability and
sustainability
- short and long term
business opportunities and
their risks
Target Audience:
• Business, Line and Risk
Managers
Contents:
• Detailed market risk
• Selected credit, liquidity,
valuation and operational risk
metrics and issues
• P&L attribution analysis
Target Audience:
• Senior Management
Contents:
• Summary market risk
• Detailed credit, liquidity,
valuation and operational risk
• Trend analyses
• Business and market outlook
Scope:
• Business units globally
Scope:
• Desk level
Target Audience:
• Executive Management
Contents:
• Summary of all business and
customer risks
• Risk-adjusted performance
measurement
• Trend analyses
• Business and market outlook
• Status of key initiatives
Scope:
• Global Markets consolidated
An Illustration….
$MM

| Business | Economic Capital 2002 | Economic Capital Last 12 m | Marginal Capital 2002 | Marginal Capital Last 12 m | Revenue Quality 2002 | Revenue Quality Last 12 m | Return on Economic Capital 2002 | Return on Economic Capital YTD | Revenue/Expense |
| Commercial | 90.6 | 66.0 | 22.4 | 25.4 | 3.0 | 4.6 | 263% | 459% | 2.5 |
| Personal | 147.0 | 156.7 | 130.5 | 134.6 | 1.3 | 1.3 | 115% | 149% | 2.5 |
| Life and Annuities | 49.1 | 46.2 | 33.7 | 34.8 | 4.9 | 5.1 | 506% | 549% | 3.3 |
| Investments | 60.8 | 63.4 | 35.1 | 20.6 | 1.9 | 1.6 | 111% | 93% | 1.7 |
| Banking | 63.1 | 94.5 | (20.5) | 8.3 | 0.5 | 0.9 | 40% | 110% | 2.0 |
| Treasury | 30.7 | 17.3 | 7.7 | (0.5) | 0.3 | 0.4 | 21% | 40% | 2.0 |
| International | 298.4 | 306.1 | 249.3 | 268.8 | (0.0) | 0.1 | 0% | 24% | 2.0 |
| TOTAL | 458.3 | 491.9 | 458.3 | 491.9 | 1.9 | 1.9 | 138% | 181% | 2.0 |
Economic Capital represents capital needs based on monthly revenue volatility of each business. The higher the volatility of a business’ revenues the higher the economic capital required for the business (annualized monthly revenue volatility x 2.33).
Marginal Capital represents the relative contribution of each business to the total capital of the Fixed Income business. It takes into account diversification/correlation effects across businesses (2.33 * 12-month Revenue volatility * Correlation).
Revenue Quality is the ratio between average monthly revenue and monthly revenue volatility. It provides an assessment of the quality and sustainability of earnings over time. The higher the ratio, the better the quality of earnings.
Return on Economic Capital measures risk adjusted profitability across businesses. YTD return on capital represents YTD annualized revenue divided by last 12 months economic capital.
Revenue/Expense Ratio measures the degree of operational efficiency. These ratios were estimated based on 1997 financial performance.
[Figure: Commercial, Frequency Over the Last 18 Months; x-axis: $MM Monthly Revenue]
To implement ERM, a clear line between the responsibilities and
accountabilities of the corporate risk manager and the business unit
risk managers must be drawn.
Degree of Decentralization in Risk Management Approach
Corporate Risk Manager
• Set standards
  - Policies
  - Corporate data requirements
  - Reporting to business managers, senior management and the Board
  - Risk measurement
• Aggregation of common risk factors across business lines
  - Scenario analysis / Stress testing
  - Limit Setting
• Macro assessments of the risk profile and the drivers of change (Windows on Risk)
• Capital allocation methodology, calculations and decisions
• Support management of stakeholder relations
Business Unit Risk Managers
Credit Cards, Consumer Loans, Treasury, International
• Risk identification
• Communicate key risk factors
• Risk aggregation by risk factor within the business line
• Adhere to reporting and other standards
• Proactive implementation of appropriate policies and procedures
• Support decisions regarding new products, new businesses and new geographies
Some of our clients employ a decentralized approach that includes
company-level standards, endorsed by the board, with business-specific delegations and accountabilities.
Office of
the
Chairman
Board of Directors
• Audit Committee
• Risk Committee
Corporate Risk Management
Investment Underwriting
Risk
Risk
Operational
Risk
Asset/
Liability
Risk
Risk
Capital
Business Risk Management
P&C
Life
International
Treasury
Board of Directors
• Provides broad, independent oversight of Company activities
• Endorses Company Risk Management Standards and acknowledges aggregate Group risk profile
BoD Audit Committee
• Reviews unintended exposures/risks that result from control weaknesses, process fails or other shortcomings
BoD Risk Management Committee
• Reviews risks consciously taken through business decisions and plans
• Reviews the overall Company exposure/risk profile, risk appetite, and risk capacity
• Reviews Company Risk Management Standards
Corporate Risk Management
• Establishes Company Risk Management Standards
• Approves broad Company risk parameters and limits; allocates risk limits to businesses
• Approves business-specific risk management standards and practices and endorses the risk management culture embedded in those standards and practices
• Maintains overall accountability and authority for the adequacy and appropriateness of all aspects of the Company risk management process
Business Risk Management
• Establish business-specific risk management standards, policies and practices for the approval, measurement, reporting, monitoring, limiting and analysis of exposure/risk
• Establish business-specific risk limits within allocated capital levels
The business units are responsible for establishing a comprehensive
risk organization within their businesses that interacts with other
risk management and support groups.
Business Units
Business
Operations
Business Unit
Risk Managers
Financial
Control
Other Support
Groups
Corporate Risk
Management
Global Risk
Managers
Financial
Control
To be defined
•Market Risk
•Credit Risk
•Insurance Risk
•Operational Risk
•Country Risk
Other Support
Groups
Operations &
Technology
Corporate
Audit
To be defined
Legal and
Compliance
Human
Resources
Risk
Architecture
Tax
Other
The business units, financial control, corporate risk and audit
should have clearly defined, collaborative roles supported by
appropriate infrastructure elements.
Validate/refine strategy
Business
Cycle
Business Units
Set
Strategy
Formulate
Request
Financial
Control
Review
Corporate Risk
Management
Review
Corporate
Audit
Review
Key
Controls
Request
Approve
Review
Budget/
Plan
Formulate
Execute
Control
Manage
Request
Approve
Manage
Formulate
Review
Review
Manage
Review
Facilitate
Approve
Formulate
Test
Review
Approve
Test
Test
Capital
Produce
Analyze
Analyze
Review
Test
Procedures
Limits
Reconcile
Review
Review
Approve
Review
Validate
Formulate
Facilitate
Evaluate
Policy
Test
Analysis
Reporting
Re-allocate capital/limits
Risk Management Infrastructure
(O&T, HR, Legal, Compliance, Tax, other)
Agenda
I. Overview of Enterprise-wide Risk Management
II. Designing and Implementing an ERM Framework and Organization Structure
III. Impact of International Financial Reporting Standards on ERM
Why talk about IFRS?
• Many non-US banks move to IFRS
• Similar to US GAAP – often subtle yet important differences
• No more avoiding of “difficult” accounting
  - Interest Method
  - Hedge Accounting
  - Impairment
• Implementation: new accounting, systems, data requirements
IFRS and Risk Management
• Spotlight on transparency – more detailed analysis and disclosures on:
  - Concentrations of risk
  - Sensitivity of cash flows to risk scenarios and market variables
• Failure to manage earnings and investment risks associated with IFRS could seriously undermine financial stability and credibility
• IFRS will have an impact on credit, funding and liquidity risks
• IFRS will have extra demands on data capture, modelling and other information systems
• Complying with IFRS will be fraught with potentially costly pitfalls
• A broader and more integrated approach to risk management could help companies to turn IFRS compliance into shareholder value
IFRS - Key Aspects for Banks
Expected IFRS impact – Relevant accounting issues
• Financial statement presentation – Flows and disclosures
• Fair value of financial instruments
• Investment securities – Classification and transfers
• Impairment (investments, loans, other assets)
• Hedge Accounting
• Provisions – Recognition criteria
• Income and expense recognition – interest and commissions
• Deferred taxes
• Other complex issues?
Impact of IAS/IFRS on consolidated financial statements
+
Financial Impact
Provisions
(IAS 37)
-
Deferred taxes
(IAS 12)
Property, plant and
equipment
(IAS 16)
-
Investments/
consolidation
(IAS 27/28, SIC 12)
Commissions
(IAS 18)
Employee
Benefits
(IAS 19)
Financial
Instruments
(IAS 39/ IAS 32)
Impairment and
intangibles (IAS
38/IAS 36)
Business
Combination
(IAS 22)
Financial
statements and
cash flow
(IAS 1, 30 et 7)
Segment
Information
(IAS 14)
+
Complexity of implementation
Expected IFRS Impact – Business impacts
Overall Business Impacts
+
• Volatility of earnings
Financial Impact
• Difficulty in forecasting
and budgeting
-
• Product
profitability/design
• Regulatory compliance
• Performance
measurement and
reporting
-
• Tax planning strategies
+
Complexity of implementation
• Debt covenants
• Share-based
compensation plans
• Transparency
Top 15 implementation issues
1. Shareholder and analyst understanding
2. Understanding and analysing impact on financial performance
3. Commitment and involvement at all levels of the organisation
4. Significant resources required
5. Underestimation of the amount of work involved
6. Costly and time consuming to embed into the organisation
7. Data availability and system requirements
8. Re-alignment of management information reporting / systems
9. Co-ordination with regulator reporting requirements
10. Training (“Knowledge transfer”) of management as well as
finance functions in all locations
11. Regulatory environment continues to change
12. Risk management
13. Earnings management
14. IAS continues to evolve
15. Minimal expertise
This document is protected under the copyright laws of the United States and other countries as an unpublished work. The document contains
information that is proprietary and confidential to PricewaterhouseCoopers LLP, which shall not be disclosed outside of the recipient's company
or duplicated, used or disclosed, in whole or in part, by the recipient for any purpose other than to review the document. Any other use or
disclosure, in whole or in part, of this information without the express written permission of PricewaterhouseCoopers LLP is prohibited.