"Capitalizing on Opportunity: How an Increased Focus on Operational Risk Helped Build an ERM Framework"
Blair Himmerlreich, Director at Canadian Western Bank
Starts off covering the size and success of the bank. Has approximately doubled in size every five years for the last 20 years. Consistent management (same CEO for 23 years, new CEO promoted internally after 22 years with CWB.) Very conservative risk profile, despite rapid growth. Even though growth increases risk, they are focused on limiting losses. Focus on chosen areas in "plain vanilla" banking. The CEO is the reputational risk manager.
Recommends one-on-one meetings with regulators. Over time it will help influence policy, particularly for small firms.
CWB has set a definition of risk management and a statement on the principle of risk, that the goal isn't to eliminate it but to manage it prudently. This is directly from the Chairman of the Board, and the message has been consistent over time. What you do want to eliminate are surprises. Note that a missed risk is *also* a missed opportunity. He sees a lot of value in the stable senior management and the focus on people.
Operational risk program started in 2002. He sees this as laying the foundation for the ERM program. Mentions the need to summarize at a high level for senior management. In 2004 some ERM standards are issued. CWB decides to hold off; the standards end up being repealed. The EVP ends up deciding some of the standards are useful, so they paused the operational risk (OR) work and developed ERM (CSOX.) Again, deep connections with regulators are key. See slide 18 for a graphic showing CWB's risk management structure. Slides are here: http://www.ermsymposium.org/2013/concurrent-sessions.php. The word "useful" needs to be attached to anything (as opposed to a compliance exercise.)
Have annual operational risk workshops. Generates dialog, builds consensus/team perspective, and commits people to action. His personal focus is on building a structure that will support the future, whatever that may be. Create a winning environment.
Advice: 1. find your champions, 2. gain support from key stakeholders (clear Board message, supported by executive), 3. find your framework (doesn't recommend starting from scratch), 4. use the right guidance, and 5. the root is the culture and values, which have to be built from within by someone who lives it. Also remember that it all must link to corporate strategy.
COSO themes: 1. support from the top, 2. build ERM incrementally (not as a project but as part of DNA), 3. focus on a small number of top risks [KR: I particularly like this last point, and it reflects some of my concerns from yesterday.], 4. leverage existing resources, 5. build upon existing activities, 6. embed ERM [KR: redundant.], and 7. ongoing updates and education for directors and senior management.
Developing the framework is easy, but embedding is hard. Constantly develop new champions. Keep it simple/dumb it down. Managing residual risk is easier than inherent risk. May need to increase risk appetite in certain areas. Hard to define ownership of OpRisk, because it's diffuse through the organization. Makes tweaks to the system as he goes (and informs the Board.)
Question: Are things different if you start with ERM and then add OpRisk?
Whatever the order, you should view them as partners (more efficient that way.) However he sees OpRisk as what should come first. It's a build-up process.
Question: Do you have risk committees for the Board?
No, because we have an active Board who sees strategy and risk as their job, so in a sense all committees are risk committees.
Question: Internal audit overlap with OpRisk, is that an issue at CWB?
Internal audit and risk management need to talk to each other. Understanding risk is how audit adds value. A lot of things get more difficult though with larger organizations and with additional regulations.
Question: How does risk get reported up the chain? How has it evolved?
Self-reporting through branches and partners. Needs data that can be reconciled, though, so getting data from finance is more reliable. A lot easier when they all report up through you, though.
Question: What approach did you take to identify the key risk indicators?
Sat down with the risk owners, told them what he wanted measured, and let them figure out how best to measure and report that.
Question: What about risks that can't be quantified, like reputational risk?
Maintain a very strict view of privacy within the firm. [KR: couldn't hear first part of his answer.]
End Concurrent Session 1.