Session 1 – The Risk Management (Day 1)
a. The Foundation of Risk Management
b. What is Enterprise-Wide Risk Management (ERM)
c. Risk Acronyms and definitions
d. The Committee of Sponsoring Organisations and the practicalities (COSO)
Session 1a – The Foundation of Risk Management
Banks face several types of risk. The following are examples of the risks banks encounter:
• Borrowers may submit payments late or fail altogether to make payments.
• Depositors may demand the return of their money at a faster rate than the bank has reserved for.
• Market interest rates may change and hurt the value of a bank’s loans.
• Investments made by the bank in securities or private companies may lose value.
• Human input errors or fraud in computer systems can lead to losses.
To monitor, manage and measure these risks, banks are actively engaged in risk management. The risk management function contributes to the management of these risks by:
• continuously measuring the bank’s current portfolio of assets and other exposures;
• communicating the risk profile to other bank functions;
• taking steps, either directly or in collaboration with other bank functions, to reduce the possibility of loss or to mitigate the size of the potential loss.
• From a regulatory perspective, the size and risk of a bank’s assets are the most important determinants of how much regulatory reserve capital the bank is required to hold.
• A bank with high-risk assets faces the possibility that those assets could quickly lose value.
• If the market—depositors—perceives that the bank is unstable and deposits are in peril, then nervous depositors may withdraw their funds from the bank.
• If too many depositors want to withdraw their funds at the same time, then fear that the bank will run out of money could break out.
• And when there is a widespread withdrawal of money from a bank, the bank may be forced to sell its assets under pressure.
• To avoid this, regulators would want a bank with high-risk assets to have more reserves available.
• Therefore, understanding banking regulation requires understanding risk management.
• This training introduces Enterprise-Wide Risk Management and the various types of risk a bank may face.
The risks identified by the Basel Accords form the cornerstone of international risk-based banking regulation. ERM takes a holistic view of these risks:
• Credit risk is the potential that a bank borrower will fail to meet its obligations in accordance with agreed terms.
• Market risk is the risk of losses in on- and off-balance-sheet positions arising from movements in market prices.
• Operational risk is the potential loss resulting from inadequate or failed internal processes or systems, errors or external events.
The Major drivers behind ERM (June 2014)
Regulations growing:
• Basel II – credit and operational risk
• SOX – key processes
• CBN/NDIC/SEC/EFCC regulations
Risk events and drivers shown in the slide diagram:
• Cyber-threats, Terrorism, Employee Fraud, Organized Crime, Natural Disasters
• Reputation Crisis, Market Drop, Systemic Failure, Supplier Failure, Competitor Failure
• New Products, Demand Fluctuation, New Channels
Events continue:
• People / Process: BACS Incident
• IT: Slammer Virus
• Infrastructure: Power Failure, Strikes
Businesses want:
• Resilience designed in
• Return on resilience investment
• Process Change, Global Processes, Key Staff Dependencies
• Consolidation of IT and business processes
Session 1b – What is Enterprise-Wide Risk Management (ERM)
Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.
The definition reflects certain fundamental concepts. Enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organisation
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories
• A business process to continually evaluate and manage risk to business strategies and objectives on an entity-wide basis
• A common framework to manage all types of risk to achieve maximum risk-adjusted returns.
Session 1c – The Committee of Sponsoring Organisations and the practicalities (COSO)
• Over a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control – Integrated Framework.
• Its purpose is to help businesses and other entities assess and enhance their internal control systems.
• That framework has since been incorporated into policy, rule, and regulation.
• The COSO model is used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.
• In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.
• The period of the framework’s development was marked by a series of high-profile business scandals and failures in which investors, company personnel, and other stakeholders suffered tremendous loss.
• In the aftermath came calls for enhanced corporate governance and risk management, with new law, regulation, and listing standards.
• The need for an enterprise risk management framework, providing key principles and concepts, a common language, and clear direction and guidance, became even more compelling.
• COSO believes this Enterprise Risk Management – Integrated Framework fills this need.
• The expectation is that it will become widely accepted by companies and other organisations and indeed all stakeholders and interested parties.
• Among the outgrowths in the United States is the Sarbanes-Oxley (SOX) Act of 2002, and similar legislation has been enacted or is being considered in other countries.
• This law (i.e. the SOX Act) extends the long-standing requirement for public companies to maintain systems of internal control.
• It requires management to certify, and the independent auditor to attest to, the effectiveness of those systems.
• Internal Control – Integrated Framework, which continues to stand the test of time, serves as the broadly accepted standard for satisfying those reporting requirements.
• This Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management.
• Among the most critical challenges for managements is determining how much risk the entity is prepared to, and does, accept as it strives to create value.
Who/what can assist? COSO:
• A good control environment
• Properly assessed risks
• Effective controls (appropriate policies/procedures)
• Relevant/timely information
• Focussed/timely monitoring/review
Session 2 – The ERM framework in Wema Bank (Day 1)
a. The key objectives
b. The structure of modern ERM framework in practice
c. The eight components of ERM and application in Wema Bank
d. Practical examples and case studies
Session 2a – The Key Objectives
This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.
Enterprise risk management encompasses:
• Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
• Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
• Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
• Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
• Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
• Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
Session 2b – The Structure of modern ERM Framework
This session covers:
I. Key elements of an enterprise risk management framework
II. Roles and Responsibilities
Session 2b – Key elements of an enterprise risk management framework
Enterprise risk management is a structured, systematic method of:
• Identifying
• Analyzing
• Managing Risk
Background (slide diagram): ERM, Governance, COSO, Strategic planning, S.W.O.T
Key elements shown in the slide diagram:
• Proactive & forward thinking
• Rigorous thinking
• Responsible thinking
• Improved accountability
“We manage risks continuously, sometimes consciously and sometimes without realising it, but rarely systematically”
ERM has emerged through the need to balance stability and innovation.
Session 2b – Roles and Responsibilities
• Everyone in an entity has some responsibility for enterprise risk management.
• The chief executive officer is ultimately responsible and should assume ownership.
• The Chief Risk Officer, Chief Financial Officer, Chief Internal Auditor, and others usually have key risk management responsibilities.
• Other managers support the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances.
• Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols.
• The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity’s risk appetite.
• A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity’s enterprise risk management.
The Group Enterprise Risk Management Function is responsible for:
• Maintaining the Minimum Standards to ensure that external changes are reflected in the contents of the risk policy document, whilst reflecting good practice for the bank.
• Providing overall challenge to confirm that Divisions and Business Units have a robust process to support the identification, assessment, management and escalation of their operational risks.
The Risk Assessment Owner is responsible for:
• Ensuring that all material risks and key controls for their area are included in the Risk & Control Assessment, at an appropriate level of detail, and categorised against the relevant LBG Risk and Process Categorisation;
• Reviewing the appropriateness of inherent risk assessments;
• Reviewing that the residual risk assessment and overall control effectiveness evaluations are appropriate;
• Overseeing the implementation of mitigating actions;
• Signing off the Risk & Control Assessment as complete and accurate.
The Risk Owner is responsible for:
• Undertaking the Inherent and Residual Risk Assessment;
• Providing input to the development and use of the key controls, in relation to the risk;
• Satisfying themselves that the overall design of the key controls for the material risk is effective and monitoring their operational effectiveness;
• Notifying the Risk Assessment Owner of any control gaps outside performance or appetite;
• Developing and monitoring actions to strengthen/adjust controls.
The Control Owner is responsible for:
• Identifying and assessing the operational effectiveness of individual controls on an ongoing basis;
• Reviewing the outputs and findings of control testing and using the conclusions to assess control effectiveness;
• Providing input on the use of control test plans.
The Action Plan Owner is responsible for:
• Implementing the actions to strengthen/adjust controls;
• Providing regular updates to the Risk Owner on the progress of actions until completion.
Board of Directors – The board should discuss with senior management the state of the entity’s enterprise risk management and provide oversight as needed. The board should ensure it is apprised of the most significant risks, along with actions management is taking and how it is ensuring effective enterprise risk management. The board should consider seeking input from internal auditors, external auditors, and others.
Senior Management – This study suggests that the chief executive assess the organisation’s enterprise risk management capabilities. In one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness. Whatever its form, an initial assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation.
Other Entity Personnel – Managers and other personnel should consider how they are conducting their responsibilities in light of this framework and discuss with more senior personnel ideas for strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on enterprise risk management.
Regulators – This framework can promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators may refer to this framework in establishing expectations, whether by rule or guidance or in conducting examinations, for entities they oversee.
Professional Organizations – Rule-making and other professional organisations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework. To the extent diversity in concepts and terminology is eliminated, all parties benefit.
Educators – This framework might be the subject of academic research and analysis, to see where future enhancements can be made. With the presumption that this report becomes accepted as a common ground for understanding, its concepts and terms should find their way into university curricula.
With this foundation for mutual understanding, all parties will be able to speak a common language and communicate more effectively. Business executives will be positioned to assess their company’s enterprise risk management process against a standard, and strengthen the process and move their enterprise toward established goals.
Session 2c – The eight components of ERM
Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:
1. Internal Environment – establishes the entity’s risk culture
2. Objective Setting – sets the enterprise risk objectives
3. Event Identification – identifies events that affect the entity’s objectives
4. Risk Assessment – assesses risks based on likelihood and impact
5. Risk Response – evaluates possible responses to risks
6. Control Activities – establishes policies, procedures and controls
7. Information and Communication – enables information exchange
8. Monitoring – evaluates the effectiveness of the ERM program
• The four objectives categories – strategic, operations, reporting, and compliance – are represented by the vertical columns, the eight components by horizontal rows, and an entity’s units by the third dimension.
• This depiction portrays the ability to focus on the entirety of an entity’s enterprise risk management, or by objectives category, component, entity unit, or any subset thereof.
• Internal Environment – The internal environment encompasses the tone of an organisation, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
• Risk Assessment – Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
• Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.
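The Risk Assessment and Risk Response components above, together with the Risk Owner’s duty to notify the Risk Assessment Owner of control gaps outside appetite, can be made concrete with a small risk register. The following is an example added by the editor, not code from the training deck, from COSO or from Wema Bank. The 5-point likelihood and impact scale, the per-control effectiveness fractions, the per-category appetite thresholds and the three sample risks are all assumed or constructed for illustration; a real register would take these from the bank’s own risk policy and control-testing results.

```python
"""Toy risk register: inherent vs residual scoring and appetite checks.

Added example by the editor, not from the training deck, COSO or Wema Bank.
The 5-point likelihood/impact scale, the per-control effectiveness fractions,
the appetite thresholds and the sample risks are all assumed or constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Response(Enum):
    """The four COSO risk responses named in the deck."""
    AVOID = "avoid"
    ACCEPT = "accept"
    REDUCE = "reduce"
    SHARE = "share"


@dataclass
class Control:
    name: str
    effectiveness: float    # assumed: fraction of the score removed when the control operates (0..1)
    operating: bool = True  # Control Owner's latest test result; False means a control gap


@dataclass
class Risk:
    name: str
    category: str           # Basel category: credit, market or operational
    likelihood: int         # assumed 1 (rare) .. 5 (almost certain)
    impact: int             # assumed 1 (minor) .. 5 (severe)
    controls: list = field(default_factory=list)
    response: Response = Response.REDUCE

    def inherent_score(self) -> int:
        """Inherent risk: likelihood x impact before any control is considered."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Residual risk: inherent score after each control that is actually operating.
        A control that failed its last test (operating=False) removes nothing."""
        score = float(self.inherent_score())
        for control in self.controls:
            if control.operating:
                score *= 1.0 - control.effectiveness
        return round(score, 2)

    def control_gaps(self) -> list:
        """Names of key controls that are not operating effectively."""
        return [c.name for c in self.controls if not c.operating]


def outside_appetite(risk: Risk, appetite: dict) -> bool:
    """True when residual risk exceeds the tolerance set for the risk's category."""
    return risk.residual_score() > appetite[risk.category]


def escalation_report(register: list, appetite: dict) -> list:
    """Items the Risk Owner must notify the Risk Assessment Owner about:
    residual risk outside appetite, a key control gap, or both.
    Ordered by residual score so the largest exposure is listed first."""
    report = []
    for risk in sorted(register, key=lambda r: r.residual_score(), reverse=True):
        gaps = risk.control_gaps()
        if outside_appetite(risk, appetite) or gaps:
            report.append({
                "risk": risk.name,
                "category": risk.category,
                "inherent": risk.inherent_score(),
                "residual": risk.residual_score(),
                "response": risk.response.value,
                "control_gaps": gaps,
            })
    return report


# Constructed sample data: appetite is the maximum residual score tolerated per category.
APPETITE = {"credit": 6.0, "market": 8.0, "operational": 4.0}

REGISTER = [
    Risk("Borrower default on the SME loan book", "credit", likelihood=4, impact=4,
         controls=[Control("Credit scoring at origination", 0.5),
                   Control("Collateral monitoring", 0.3)]),
    Risk("Interest rate shock on fixed-rate loans", "market", likelihood=3, impact=4,
         controls=[Control("Interest rate hedging", 0.6)], response=Response.SHARE),
    Risk("Fraudulent payment entry by staff", "operational", likelihood=3, impact=5,
         controls=[Control("Maker-checker on payments", 0.6),
                   Control("Daily reconciliation", 0.5, operating=False)]),
]

if __name__ == "__main__":
    for item in escalation_report(REGISTER, APPETITE):
        print(item)
```

With the constructed data, the credit and market risks stay within appetite once their operating controls are counted, while the operational fraud risk is escalated twice over: its reconciliation control failed its last test (a control gap), and without that control its residual score (6.0) exceeds the operational appetite of 4.0. The point the deck makes about inherent versus residual assessment is visible here: the fraud risk’s inherent score (15) is lower than the credit risk’s (16), yet it is the one that breaches appetite, because residual risk depends on which key controls are actually operating.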
Top challenges faced by banks in adopting ERM:
• Achieving greater efficiencies in the risk and control processes, improving coordination, unifying and streamlining approaches.
• Ever-changing regulatory demands, a high degree of regulatory scrutiny, variation of regulations across jurisdictions, and preparing to operationalise and comply with Basel II.
• Rapid business growth, competitive intensity, M&A activity, global expansion, increasing product complexity, increasing customer expectations.
• Shortage of good talent in competitive markets, especially in specialized areas or emerging geographies.
• Dealing with people and organizational issues as new processes demand new methods of work.
Addressing the challenges:
• Understand the fact that ERM as a process is a long and arduous journey.
• Streamline the basic activities, develop a common risk language and framework, identify and reduce redundancy, and share data.
• The banks which have embarked on the process find silo infrastructures, people’s natural resistance to embracing major operational changes, and inflexibility of existing legacy systems.
• Establish an integrated approach and consistent set of processes that reduce the redundant risk & control activities.
• Eliminate duplication in the business units, and cut down costs.
• Risk convergence should begin with senior management by clearly defining the roles and responsibilities of the personnel in various departments related to the organisation’s risks.
• Lay the foundation needed to support a more coordinated and effective risk management process.
• Create a common data structure and common technology architecture.
• Ensure involvement from top management, as this fosters communication, increases coordination among the various risk stakeholders and increases risk understanding for the organization as a whole.
• Encourage contribution from each of the departments in the bank.
• Develop a holistic understanding of the risks facing the bank and a common risk control process, a common technology architecture and ideally a common data warehouse which has reconciled data from all the business segments.