Feedback on the COSO Enterprise Risk Management Public Exposure Page 1 of 10 October 2016
Feedback on the COSO Enterprise Risk Management: Aligning Risk with Strategy and Performance (Public Exposure June 2016)
Enterprise Risk Management in Banking & Financial Services Special Interest Group, a member-led group within the Institute of Risk Management (The IRM)
Members have provided comments based on their affiliation to the Special Interest Group not their working
organisations. Core Members and contributors are:
Raza Sadiq, 2nd Line Risk Management at Covea Insurance & Chairman of the IRM’s SIG in ERM in Banking & Financial Services
Sarah Christman (Deputy Chair), Risk Director UK&I at Equifax Ltd & Deputy Chair of the IRM’s SIG in ERM in Banking & Financial Services
Markus Krebsz (Senior Advisor), UNECE GRM (United Nations Economic Commission for Europe - Group of Experts on Risk Management)
Darius Mayhew MCMI, Head of Finance Risk, Assurance & Advisory at Direct Line Group plc
Gemma Clatworthy, Senior Risk Manager at Nationwide Building Society
Ipsita Pradhan, Assistant Manager Risk at the State Bank of India
Shiva Keihaninejad PhD, Operational Risk Manager Capital & Risk Analytics at Lloyds Banking Group
1. General Comments
Overall, we viewed the exposure draft as positive and comprehensive in nature. On many topics, there was a welcome theoretical and practical explanation of the concepts. A good example of this is where you described risk responses and discussed how an organisation might choose to ‘avoid’ a risk, but in doing so may introduce new risks to the organisation’s strategy.
On some topics, it would be beneficial to go into more detail, such as concepts around the level of the entity and the grouping of risks. This is a modern-day challenge that many large and multi-national organisations face. For example, some practical approaches on how to deal with the aggregation of lower-level entity risk assessments, particularly where the organisation faces highly varied regulatory, legislative and political landscapes, would be welcomed.
Conduct risk is at the forefront for many financial services companies based in or operating in the UK. We include in this response an interpretation of the intent and execution of conduct risk, titled “The New Global Conduct Risk Paradigm” © and authored by Markus Krebsz, as we believe the concepts within are relevant to the effective implementation of enterprise risk management in an organisation’s strategy in many jurisdictions.
2. Conceptual discussions
There are three fundamental concepts that we believe should be clarified further in the document. It is important
that these concepts are fully explained as they form the basis of many of the challenges organisations face in
gaining consistency in their Enterprise Risk Management processes.
Additionally, we submit “The New Global Conduct Risk Paradigm” © for consideration by the COSO Board and PwC and recommend they consider its key messages and their implications for integrating enterprise risk management throughout an organisation, to include decision-making in governance, strategy, objective-setting, and day-to-day operations.
© Copyright 2016, Markus Krebsz. All Rights Reserved.
¶ 1-2, 22, 36, 65 – discussions on uncertainty
Our view is that the concept of uncertainty is broader than the aspect discussed within the paper, which outlines the potential relationship between risk and uncertainty. In the wider concept of uncertainty, it would not be possible to determine how much uncertainty is present because the outcomes are completely unknown. In general, our understanding from the paper is that there is a level of uncertainty related to a particular objective, such as the example with the airline provided on page 17. However, we believe that one should consider the broader aspect of uncertainty: it is not just that “risk involves uncertainty” but also that uncertainty affects risk. For instance, an alternative way of presenting the second sentence of point 2 on page 3 would be:
“Uncertainty may affect the severity or materialisation of risk and as such affects an organisation’s ability to achieve its strategy and business objectives. In determining how much risk the organisation is prepared and able to take, management should consider how potential unknown elements caused by uncertainty could disrupt the achievement of their objectives.”
The difference to us is that risk implies some level of certainty and that there is an understanding of the possible outcomes sufficient to make a somewhat appropriate assessment of the impact and likelihood (such as rolling a die for money). In the broader view of uncertainty, you do not know what the outcomes will be and as such cannot make an appropriate assessment, such as is the case with businesses within the United Kingdom following the vote to leave the European Union. For the risks that businesses manage within the United Kingdom, there is no view on what will actually happen because there is no certainty on what the post-exit deal will be. This means that companies cannot effectively implement controls to manage the exposure.
As such, a key difference between risk and uncertainty is the ability for a risk/ business manager to apply specific
targeted controls to reduce the impact (which is contrary to the view given on page 6 in relation to the potential
decline in future demand). The view is contrary because of the aspect of uncertainty portrayed in the paper
which blurs the boundaries between risk and uncertainty rather than seeing uncertainty as a completely
unknown element – such as the case with the emergence of autonomous vehicles and how consumers,
governments, suppliers, and insurers might be affected by the numerous potential business models, regulatory
possibilities, and societal pressures – thereby rendering specific, targeted controls as mostly inappropriate.
We hope that you will include this broader view of uncertainty within the paper and not just the aspect that is a
function of a specific risk and objective.
¶ 271 – discussions around likelihood
There is good guidance on what likelihood means. It would be good to delve deeper into the theory and
differentiate from the concept of frequency (which you have included as one of the expressions of likelihood).
Our view is that likelihood and frequency are separate concepts. Likelihood suggests that the measurement
relates to the future and is related to probability whereas frequency suggests previous occurrences. For
instance, you can look at the frequency of a risk materialising over time to determine what the likelihood might
be in the next 5 years.
Also, with frequency, the relationship with risk presents itself on a curve and suggests that there is a direct dependency with the impact of the risk: a one-in-two-hundred-year event, for example, results in a high impact. This is common practice in the financial risk world, such as around catastrophe risk. However, the suggestion that likelihood is related to probability does not mean that a connection with impact exists; consider, for instance, ‘what is the likelihood that this risk will materialise in the next year?’ Hopefully this question illustrates the fundamental difference between frequency and likelihood.
We would appreciate a more in-depth look at these two concepts in the measurement of risk because this is a key component in what drives the assessment of severity. If companies do not understand the intricacies of the concepts, there is a risk that severity ratings are wrong, which may result in adverse impacts on the achievement of their strategies.
¶ 251 & 378-381 – discussions around key risk indicators
The view differentiating key risk indicators (KRIs) from performance measures is welcomed, as this is a common misunderstanding in some organisations. Further guidance would be welcomed on the link between key risk indicators and risk appetite. For instance, one can argue that for a KRI to predict a risk manifesting, there would need to be some relationship with the likelihood or impact of a particular risk. This would imply that the severity of a risk is changing at the same time as a KRI flags (the most obvious being the likelihood of occurrence: as the KRI continues to flag, it implies that the likelihood of the risk manifesting increases). If this is the case, then the risk will require re-assessing to determine whether it is moving out of appetite. Your view on this relationship would add clarity on a much debated concept in the risk world.
“The New Global Conduct Risk Paradigm” ©
Background
The New Global Conduct Risk Paradigm [i] was introduced by Markus Krebsz at the 22 September 2016 meeting of the Special Interest Group for Enterprise Risk Management in Banking and Financial Services, a member-led group within the Institute of Risk Management. The paradigm expresses the author’s interpretation of the UK Financial Conduct Authority’s internal methodical approach to understanding how regulated firms manage conduct risk.
Following his research into the global financial crises, rogue trading/ misbehaviours of markets and, in particular,
since the inception of the UK FCA in mid-2013, the author has been keen on understanding the implications for
the future financial markets’ infrastructure. The author’s initial thoughts on the matter were published in a November 2013 article entitled “Conduct Risk – Doing what is ‘Right’”.
The author’s conduct risk definition set out in this article is:
“Conduct risk is caused by action(s) – or inaction – of an individual financial institution or the financial services industry that result in customer detriment, negatively impact market stability or restrict effective competition.” (Markus Krebsz, Nov. 2013)
In July 2015, the FCA’s Tracey McDermott gave further detail on regulatory focal points in a speech at the BBA,
which is accessible on the UK FCA’s website. The “five conduct risk questions” postulated in this speech were:
Q1) How do you identify the conduct risks inherent within your business?
Q2) Who is responsible for managing the conduct of your business?
Q3) What support mechanism do you have to enable people to improve the conduct of their business or
function?
Q4) How do the board and executive committees gain oversight of the conduct of the organisation?
Q5) Do firms have any perverse incentives or other activities that may undermine any strategies put in place
to answer the first four questions?
Following the speech and widely used references to the “5 Questions”, the author undertook a quest to better
understand “what does this really mean” for the management of conduct risk within firms. The new conduct risk
paradigm evolved organically from many (informal and somewhat intimate) one-to-one discussions with senior
staff at the UK FCA and other regulators globally over a period of 15+ months. The author collated information,
analysed the piece and further questioned the UK FCA in order to fill in the gaps and paint the full picture.
Finally, large gaps have very recently been closed resulting in the paradigm as it stands now.
Structure
The conduct risk paradigm is composed of the following five pillars or components that are subjected to
regulatory scrutiny:
• Strategy, in particular focusing on ethics, values and cultures
• Firm-wide conduct risk framework incorporating governance, ownership & accountability, programme/
implementation and audit
• Quantitative components incorporating conduct risk identification, key performance/ risk indicators and
monitoring/ reporting
• Qualitative components addressing standards/ comms, training, personnel and external expertise
• Regulatory interaction and dependencies.
The following section explains these pillars and the individual elements in more detail. A diagram of the
paradigm is included at the end of this paper.
Strategy
The regulatory lens within the strategy pillar is aimed at better understanding the ethics, values and culture at
regulated firms.
Regulatory analysis of the following elements and due diligence questions are used in order to determine a
firm’s conduct risk maturity and also the level of embedment of conduct risk into the firm’s cultural fabric.
• Conduct risk definition. Has the firm got a specific conduct risk definition (Y/N?) and if so, how does it define conduct risk (evidence? e.g. policy/ procedure and evidence of implementation)?
• Five questions approach. What is the firm’s overall strategy to translate the five questions (identification/ responsibilities/ enabling mechanisms/ board and exec oversight/ incentives) into its conduct risk strategy? What is the chosen approach? How granular is this?
• Culture clusters. Culture clusters help supervisors such as the UK FCA to join the dots and become more consistent in their approach to measuring effectiveness. The UK FCA defines and focuses on the following “culture clusters” in order to consistently understand conduct risk: Business model and strategy/ Leadership/ Purpose & Values/ People/ Stakeholders/ Intangibles/ Running the business.
• Strategy embedment. Analyses how well conduct risk has been embedded into the firm’s strategy and business model. In particular, it will question whether this is due to a push (by Compliance, for instance) or a pull (driven by the business’s desire to have a strong conduct risk framework).
• Committee(s) linkage. Looks to understand how well relevant committees are linked to the 5 questions approach.
Firm-wide conduct risk framework
The firm-wide conduct risk framework is the largest pillar and contains a large variety of areas facing regulatory
scrutiny with a focus on how the firm is governed, who is responsible, how the conduct risk framework is
managed and implemented (1LoD and 2LoD) and finally, how this is all audited (3LoD).
The following section explains these focal points further.
a. Governance
• Conduct risk policy and procedures: essentially articulates how the firm is aiming to manage its conduct
risk throughout.
• Board engagement: how involved and engaged the board, ExCo and Non-Execs are, and how embedded this is in the overall governance structure of the firm.
• Strategy implications: looks into how the strategy of the firm permeates via its business model both across
global businesses and functions.
• OpRisk and ERM framework embedment: is important as conduct risk is not a stand-alone risk and as
such must be deeply embedded into the OpRisk framework/ risk register as well as the over-arching
enterprise-wide risk management framework.
• Group/ Regional/ Local oversight: shows the level of conduct risk management incorporation throughout
the firm.
• Conduct risk committee (incl. board/ ExCo): identifies delegated authorities and escalation routes from
conduct risk and/or risk committee to the board and vice versa.
• Integration with related (risk) committees: shows the level of information exchange and intelligence
sharing within the firm and evidences the level of alignment/ mis-alignment throughout the firm’s risk
space.
• Role of committee(s): takes a look at the empowerment and capabilities of the risk committee with a focus on conduct risk. What is the committee’s ability to drive strategy, and are decisions taken followed through?
• Role of control functions (1/2/3LoD): aims to develop a better understanding of the demarcation and
collaboration across the three lines of defence within a firm.
b. Ownership & Accountability
• Clearly defined: ownership and accountability are paramount for every individual, team and department to know what they can and cannot do. As such, it is important for instance to have clear job descriptions or a job catalogue that helps determine individuals’ responsibilities.
• Business ownership/ engagement: Conduct risk is not a one-way street and requires proactive engagement and continuous involvement of the business (e.g. the areas generating revenue).
• Accountable executives: are very important from a regulatory perspective as these will be the key contact points between firm and regulator, particularly crucial if remedial action is required.
• Delegated authorities: are crucial to understand how the strategy, translated into the business model, breaks down right to a very granular level for each individual.
• Escalation routes: look in the opposite direction to delegated authorities and explain both formal and informal routes for staff to “speak up” if necessary.
• Frequency of committee(s) and conduct risk reviews: are important as proper conduct risk management
on a quarterly basis for instance may have the tendency to become too much of a point-in-time
assessment. Ideally, some KPIs/KRIs should be identified that enable continuous monitoring, for instance
behavioural pattern recognition.
c. Programme/ Implementation
• Programme overview/ structure: will provide the regulator with a comprehensive summary of the firm’s
conduct risk programme.
• Programme work streams: go into more granular detail and provide the nature of each work stream, its schedule and any current issues leading to “Red” on the work streams’ RAG status.
• Mapping - Themes vs. Strategy: gives the regulator a view of whether all areas of the chosen strategy have been addressed within the conduct risk programme and helps identify any gaps within the implementation plans.
• Operating model integration: looks beyond implementation of conduct risk and BAU integration into the
firm’s target operating model.
• Processes: need to be documented as part of desk-top instruction manuals or similar and documentary
evidence needs to be provided.
• Business involvement: looks to understand how much the business is actively involved in developing
conduct risk and the level of interaction between different business areas.
• Push/Pull: aims at understanding the key drivers behind the conduct risk implementation programme and
whether this overall effort is more a push (i.e. driven by the compliance teams) or a pull (i.e. by the
business itself).
d. Audit
• 3LoD involvement: is an important element as part of the firm-wide conduct risk framework.
• Programme audit: will have to be conducted by the audit team to understand whether the programme
and implementation is both on track and effective.
• Thematic reviews: are becoming an increasingly important analytical tool deployed to identify patterns, for instance in sales staff behaviour, and to understand areas that require mitigations.
• Deep dives: are often used to inform thematic reviews, particularly in data-rich environments by looking
at big data sets at a fairly granular level, e.g. at individual staff or customer level.
Quantitative components
a. Identification
• Risk taxonomy: looks to understand whether a firm-wide risk taxonomy exists and whether or not this
includes conduct risk and people risk related definitions.
• Risk drivers: are the drivers of conduct risk exposure within firms and need to be articulated by the firm
guiding the discussion with the regulator.
• Forward/ backward-looking: both are important, as analysis is only possible based on historical data. However, it is even more important to use historical data/ analysis and overlay this on a forward-looking time horizon, enabling better risk prediction.
• Self-assessment process: is the process firms deploy to assess themselves in how good/ bad they are
doing at managing conduct risk effectively.
• Self-assessment validation: same as previous point, but giving the firm an opportunity to validate its
self-assessments.
• Whistleblowing and complaints handling: are closely linked to conduct risk and hence need to be
integrated within the overall conduct processes.
• Approach: the firm’s conduct risk management approach, following from the completion of the conduct
risk programme.
• Point-in-time or continuous process: aimed at understanding the analytical/ timing horizon of conduct risk management within a firm.
b. KPIs & KRIs
• Severity (Risk/ Misconduct): identifies the risk of the misconduct/ misbehaviour for the firm (e.g. Low,
Medium, High, Very High) as well as the nature of the misconduct (e.g. similar scale as to risk)
• OpRisk losses due to breaches: record the firm’s actual losses caused by misconduct within the firm.
• Training stats: can give a detailed picture of the number of staff failing mandatory training exercises.
• Categories: of misconduct, for instance whether the misconduct is due to staff fraud, bullying, harassment and discrimination or regulatory compliance breaches.
• Nature of the KxIs: provides for each KxI whether it is a leading or lagging indicator.
• Consequences – for individual: identifies whether or not the individual(s) involved in misconduct cases have been disciplined and gives more detail about the actual consequence, i.e. verbal warning, written warning, summary dismissal, bonus claw back etc.
• Consequences – for the firm: provides detail as to how the firm has responded, for instance by improving a badly worded policy or adding supervisory staff.
c. Monitoring/ Reporting
• Dashboard/ Heat maps: will form part of the regulatory assessment and as such some current examples
will be required for further analysis.
• Reports: the same applies to conduct risk-specific reports.
• Recipients (incl. Board/ ExCo): the regulator will closely look at the recipients of each of these reports to ensure this is aligned with other information given.
• Effectiveness of the MIS: by understanding the number of and detail used for KxIs as well as reporting
frequency and the horizon of the reporting.
Qualitative components
a. Standards & Communications
• Tone from the Top (Delegation): is important for embedding a solid and robust culture breathed and lived
by the board and cascaded downwards.
• Tone from the Tail (Escalation): is equally, if not more, important to inform senior management of issues
giving rise for early escalation with a view of containing the issue at hand.
• Comms campaigns/ Message cascading: looks at how messages are conveyed throughout the firm, in
particular at how conduct risk is explained and how these messages permeate the cultural fabric.
• Comms effectiveness: looks at measuring the comms feedback, participation levels in town halls and
team meetings.
• Fostering a “speaking up” culture.
b. Training
• Mandatory training: needs to include a strong focus on conduct risk and the regulator may look at
eLearning and face-to-face course materials.
• Ongoing mentoring: is difficult to audit on an individual basis, but some random samples of annual performance review records may give an indication as to how much (or how little) mentoring on conduct happens.
• Training effectiveness.
c. Staff related
• Senior Managers & Certification Regime (SMCR): informs the regulator of how integrated SMCR is into
the firm’s governance.
• Attestation process: details thereof need to be provided to the regulator.
• HR policies/ procedures: that refer to conduct risk and consequence management need to be provided
to the regulator.
• Career progression/ reward: details of which need to be provided to the regulator in order to understand the firm’s general approach to staff incentives.
• Consequence management: similarly to the previous point, needs to be provided to the regulator in order
to understand how misbehaviour is managed.
d. External expertise
• External consultants: for instance the percentage of contractors and consultants that are deployed to
provide services primarily aimed at conduct risk management.
• Reliance on external expertise: similar to previous point, this would be a percentage that indicates overall
contractor/ consultant levels at the firm.
• SLAs/ controls: give an indication of how well external consultants are managed, and the regulator may request some sample contracts.
• Vendor conduct/ third party risk management: is equally important as a third party’s negligence or
misconduct may equally threaten the firm and contribute to additional reputational risk.
Regulatory Interaction/ Dependencies
• Day-to-day relationship with the regulator: looks at whether the firm is confrontational or collaborative in the way it works with the regulator, as this may be an indicator of the firm’s underlying culture.
• Co-ordination/ Global alignment of requirements: is particularly important as some firms are operating in a
global environment across many jurisdictions where regulatory initiatives may not always be aligned,
potentially increasing systemic risk.
• Industry-wide working groups and lessons learnt: This is a tricky one as firms may not be willing to share
lessons learnt with competitors, although there is benefit in sharing intelligence and mistakes made across
firms.
• Peer reviews/ thematic reviews/ data & intelligence: this is really a task for the regulator to ensure all
information available to them is used in the most efficient fashion.
• Regulatory KPIs: similarly, this is one for the regulator to understand, and tricky, as the best KPIs for regulators are “absence-based”, i.e. no fines and/or reduced fines, lower frequency of events and lower severity may all mean that the regulator has performed better.
3. Practical considerations
¶ 4 - We wondered whether the “value” definitions in paragraph 4 may confuse people as value at risk is a
market risk term used often in risk management. It might be worth putting a short sentence to differentiate
between the two.
Section 7 – there may be scope to refer to KRIs here.
¶ 266 & 275 (Example 8.2 and Figure 8.7) – typically once the target residual rating is reached, an entity is
unlikely to expend further resource decreasing the risk. The word ‘target’ suggests that they are comfortable
with the extent the risk is mitigated. For Example 8.2, please consider re-wording the sentence to “while the
existing manual process has mitigated some of the risk exposure, the actual residual risk is still more than the
target residual risk. The automated workflow system could offer an additional risk response to lower the risk
within the target residual range, and would do so in a cost effective manner”.
For Figure 8.7, the same argument applies, for management, if they are at their target residual rating, they are
unlikely to use resources to further reduce the risk. Doing so may imply that they may be over cautious and
foregoing other opportunities. As such, for this diagram we suggest changing the positions of residual risk rating
and target residual risk rating (example shown below).
¶ 73-75 & Principle 8: Defines Risk Appetite – in the definition and discussion of risk appetite, the use of the word ‘accept’ suggests a one-dimensional view of risk, i.e. negative. Given that risk can also be an opportunity, it would be better to describe it as the risk that an organisation is willing to seek/ take. The use of “acceptable” in the context of variation does not carry the same connotation and is therefore appropriate.
¶ 78 – consider expanding on the risk appetite discussion to bring out the link to informed decision making,
which is relevant in the running of the business more broadly than just setting performance targets. Although there is coverage later in the paper on this, it is worth noting here. The additional detail should portray the
importance of finding the right balance and continuously adjusting this, both with short-term (liquidity) and long-
term (capital) lenses, as well as generating a long-term sustainable benefit and, ultimately, on-going survival of
the organisation.
¶ 179 - although the paragraph brings out the point around the maturity of an organisation’s enterprise risk management, our view is that the use of ‘low’ or ‘high’ appetite should not be recommended for any organisation
– regardless of their maturity. As you noted, such terms are vague and could potentially encourage inappropriate
decision making due to individual interpretations based on individual predispositions to risk. If you choose to
retain the suggestion that it may be sufficient, we recommend that you qualify it by stating that the organisation
should define what low and high mean in its own context.
¶ 181 – our view is that the critical point around risk capacity and prospect of failure should be made more prominent and not hidden as part of a series of bulleted points. Success and failure are the underlying premise for getting your risk appetite correct. This concept should be moved earlier in this section and added to Section 4, in line with the feedback on ¶ 78 above.
¶ 183 (Example 7.5) – the example given for high appetite in the diagram on the risk appetite continuum should be changed. It would be irresponsible for any management team to convey a ‘high’ appetite, implying acceptance of a high degree of uncertainty, if they are seeking operational efficiency. An alternative example that suggests a more appropriate balance between potential gain and loss might be:
“A high appetite for collaborating with other universities recognising that our intellectual property might be
compromised”.
4. Minor changes
¶ 244 Figure 8.2 – typo in potential root causes section – moral instead of morale.
¶ 245 – the standard sentence structure provided can be more simply defined as: event, cause, and impact.
This keeps definitions in line with other risk management guidance.
Thank you
Our group is available and would be interested in being actively involved in further consultations. Should you
wish to contact us please do not hesitate to do so on either of the details below.
Raza Sadiq – raza.sadiq@coveainsurance.co.uk
Darius Mayhew – Darius.sjm@live.com
ERM in Banking & Financial Services Special Interest Group.
[i] Why ‘paradigm’, not ‘model’?
A conceptual model is a representation of a system, made of the composition of concepts which are used to
help people know, understand, or simulate a subject the model represents. Conceptual models are often
abstractions of things in the real world whether physical or social.
In contrast, a paradigm is a distinct set of concepts or thought patterns, including theories, research methods,
postulates, and standards for what constitutes legitimate contributions to a field.
Although, on paper, the new global conduct risk paradigm resembles a method, an approach or a model, given its genesis and the fact that it is based on an interpretation of discussions rather than hard evidential documentation, the author felt it most appropriate to describe the result of his work as a “paradigm” rather than a model, and hopes that going forward it will be seen as contributory to the risk management area, in particular the management and mitigation of conduct risk.
  • 1. Feedback on the COSO Enterprise Risk Management Public Exposure Page 1 of 10 October 2016 Feedback on the COSO Enterprise Risk Management: Aligning Risk with Strategy and Performances (Public Exposure June 2016) Enterprise Risk Management in Banking & Financial Services Special Interest Group, a member led group within the Institute of Risk Management (The IRM) Members have provided comments based on their affiliation to the Special Interest Group not their working organisations. Core Members and contributors are: Raza Sadiq 2nd Line Risk Management at Covea Insurance & Chairman IRM’s SIG in ERM in Banking & Financial Services Sarah Christman (Deputy Chair) Risk Director UK&I at Equifax Ltd & Deputy Chair IRM’s SIG in ERM in Banking & Financial Services Markus Krebsz (Senior Advisor) UNECE GRM (United Nations Economic Commission for Europe - Group of Experts on Risk Management) Darius Mayhew MCMI Head of Finance Risk, Assurance & Advisory at Direct Line Group plc Gemma Clatworthy Senior Risk Manager at Nationwide Building Society Ipsita Pradhan Assistant Manager Risk at the State Bank of India Shiva Keihaninejad PhD Operational Risk Manager Capital & Risk Analytics at Lloyds Banking Group 1. General Comments Overall, we viewed the exposure draft as positive and comprehensive in nature. On many topics, there was a welcome theoretical and practical explanation to the concepts. A good example of this is where you described risk responses and discussed how an organisation might choose to ‘avoid’ a risk, but in doing so may introduce new risks to the organisation’s strategy. On some topics, it would be beneficial to go into more detail such as concepts around the level of the entity and the grouping of risks. This is a modern day challenge that many large and multi-national organisations face. 
For example, some practical approaches on how to deal with aggregation of lower level entity risk assessments, particularly where the organization faces highly varied regulatory, legislative and political landscapes, would be welcomed. Conduct risk is at the forefront of many financial services companies based in or operating in the UK. We include in this response an interpretation of the intent and execution of conduct risk – titled “The New Global Conduct Risk Paradigm” © authored by Markus Krebsz – as we believe the concepts within are relevant to effective implementation of enterprise risk management in an organisation’s strategy in many jurisdictions. 2. Conceptual discussions There are three fundamental concepts that we believe should be clarified further in the document. It is important that these concepts are fully explained as they form the basis of many of the challenges organisations face in gaining consistency in their Enterprise Risk Management processes. Additionally, we submit the “The New Global Conduct Risk Paradigm” © for consideration by the COSO Board and PwC and recommend they consider its key messages and their implication for integrating enterprise risk © Copyright 2016, Markus Krebsz. All Rights Reserved.
  • 2. Feedback on the COSO Enterprise Risk Management Public Exposure Page 2 of 10 October 2016 management throughout an organization to include decision‑making in governance, strategy, objective‑setting, and day-to-day operations. ¶ 1-2, 22, 36, 65 – discussions on uncertainty Our view is that the concept of uncertainty is broader than the aspect discussed within the paper which outlines the potential relationship with risk and uncertainty. In the wider concept of uncertainty, it would not be possible to determine how much uncertainty is present because the outcomes are completely unknown. In general, our understanding from the paper is that there is a level of uncertainty related to a particular objective – such as the example with the airline provided on page 17. However, we believe that one should consider the broader aspect of uncertainty in that it is not just that “risk involves uncertainty” but also it is uncertainty that affects risk. For instance, an alternative way of presenting the second sentence point 2 on page 3 would be: “Uncertainty may affect the severity or materialisation of risk and as such affects an organisation’s ability to achieve its strategy and business objectives. In determining how much risk the organisation is prepared and able to take, management should consider how potential unknown elements caused by uncertainty could disrupt the achievement of their objectives”. The difference to us is that risk implies some level of certainty and that there is an understanding on the possible outcomes to make a somewhat appropriate assessment of the impact and likelihood (such as rolling a die for money). In the broader view of uncertainty, it suggests that you do not know what the outcomes will be and as such cannot make an appropriate assessment such as the case with businesses within the United Kingdom following the vote to leave the European Union. 
For the risks that businesses manage within the United Kingdom, there is no view on what will actually happen because there is no certainty on what the post exit deal will be. This means, that companies cannot effectively implement controls to manage the exposure. As such, a key difference between risk and uncertainty is the ability for a risk/ business manager to apply specific targeted controls to reduce the impact (which is contrary to the view given on page 6 in relation to the potential decline in future demand). The view is contrary because of the aspect of uncertainty portrayed in the paper which blurs the boundaries between risk and uncertainty rather than seeing uncertainty as a completely unknown element – such as the case with the emergence of autonomous vehicles and how consumers, governments, suppliers, and insurers might be affected by the numerous potential business models, regulatory possibilities, and societal pressures – thereby rendering specific, targeted controls as mostly inappropriate. We hope that you will include this broader view of uncertainty within the paper and not just the aspect that is a function of a specific risk and objective. ¶ 271 – discussions around likelihood There is good guidance on what likelihood means. It would be good to delve deeper into the theory and differentiate from the concept of frequency (which you have included as one of the expressions of likelihood). Our view is that likelihood and frequency are separate concepts. Likelihood suggests that the measurement relates to the future and is related to probability whereas frequency suggests previous occurrences. For instance, you can look at the frequency of a risk materialising over time to determine what the likelihood might be in the next 5 years. Also, with frequency, the relationship with risk presents itself on a curve and suggests that there is a direct dependency with the impact of the risk. 
An example being a one in two hundred year event occurring results in a high impact. This is common practice in the financial risk world such as around catastrophe risk. However, the suggestion that likelihood is related to probability does not mean that a connection with impact exists. For instance, ‘what is the likelihood that this risk will materialise in the next year?’ Hopefully this question illustrates the fundamental difference between frequency and likelihood. We will appreciate a more in-depth look at these two concepts in the measurement of risk because this is a key component in what drives the assessment of severity. If companies do not understand the intricacies of the
  • 3. Feedback on the COSO Enterprise Risk Management Public Exposure Page 3 of 10 October 2016 concepts, there is a risk that severity ratings are wrong which may result in adverse impacts on the achievement of their strategies. ¶ 251 & 378-381 – discussions around key risk indicators The view differentiating key risk indicators (KRIs) to performance measures is welcomed as this is a common misunderstanding in some organisations. Further guidance will be welcomed on the link between key risk indicators and risk appetite. For instance, one can argue that for a KRI to predict a risk manifesting, there would need to be some relationship with the likelihood or impact of a particular risk. This will imply that the severity of a risk is changing at the same time as a KRI flags (the most obvious being the likelihood of occurrence – as the KRI continues to flag it implies that the likelihood of the risk manifesting increases). If this is the case, then the risk will require re-assessing and determining whether it is moving out of appetite. Your view on this relationship will add clarity on a much debated concept in the risk world. “The New Global Conduct Risk Paradigm” © Background The New Global Conduct Risk Paradigm i was introduced by Markus Krebsz at the 22 September 2016 meeting of the Special Interest Group for Enterprise Risk Management in Banking and Financial Services, a member led group within the Institute of Risk Management. The paradigm expresses the author’s interpretation of the UK Financial Conduct Authority’s internal methodical approach to understand how regulated firms manage conduct risk. Following his research into the global financial crises, rogue trading/ misbehaviours of markets and, in particular, since the inception of the UK FCA in mid-2013, the author has been keen on understanding the implications for the future financial markets’ infrastructure. 
The author’s initial thoughts on the matter were published in a November 2013 article entitled, “Conduct Risk – Doing what is “Right”. The author’s conduct risk definition set out in this article is: “Conduct risk is caused by action(s) – or inaction – of an individual financial institution or the financial services industry that result in customer detriment, negatively impacts market stability or restrict effective competition”. (Markus Krebsz, Nov. 2013) In July 2015, the FCA’s Tracey McDermott gave further detail on regulatory focal points in a speech at the BBA, which is accessible on the UK FCA’s website. The “five conduct risk questions” postulated in this speech were: Q1) How do you identify the conduct risks inherent within your business? Q2) Who is responsible for managing the conduct of your business? Q3) What support mechanism do you have to enable people to improve the conduct of their business or function? Q4) How do the board and executive committees gain oversight of the conduct of the organisation? Q5) Do firms have any perverse incentives or other activities that may undermine any strategies put in place to answer the first four questions? Following the speech and widely used references to the “5 Questions”, the author undertook a quest to better understand “what does this really mean” for the management of conduct risk within firms. The new conduct risk paradigm evolved organically from many (informal and somewhat intimate) one-to-one discussions with senior staff at the UK FCA and other regulators globally over a period of 15+ months. The author collated information, analysed the piece and further questioned the UK FCA in order to fill in the gaps and paint the full picture. Finally, large gaps have very recently been closed resulting in the paradigm as it stands now.
  • 4. Feedback on the COSO Enterprise Risk Management Public Exposure Page 4 of 10 October 2016 Structure The conduct risk paradigm is composed of the following five pillars or components that are subjected to regulatory scrutiny: • Strategy, in particular focusing on ethics, values and cultures • Firm-wide conduct risk framework incorporating governance, ownership & accountability, programme/ implementation and audit • Quantitative components incorporating conduct risk identification, key performance/ risk indicators and monitoring/ reporting • Qualitative components addressing standards/ comms, training, personnel and external expertise • Regulatory interaction and dependencies. The following section explains these pillars and the individual elements in more detail. A diagram of the paradigm is included at the end of this paper. Strategy The regulatory lens within the strategy pillar is aimed at better understanding the ethics, values and culture at regulated firms. Regulatory analysis of the following elements and due diligence questions are used in order to determine a firm’s conduct risk maturity and also the level of embedment of conduct risk into the firm’s cultural fabric. • Conduct risk definition. Has the firm got a specific conduct risk definition (Y/N?) and if so, how does it define conduct risk (evidence? e.g. policy/ procedure and evidence of implementation). • Five questions approach. What is the firms overall strategy to translate the five questions (identification/ responsibilities/ enabling mechanisms/ board and exec oversight/ incentives) into its conduct risk strategy? What is the chosen approach? How granular is this? • Culture clusters. Culture clusters help supervisors such as the UK FCA to join the dots and become more consistent in its approach to measuring effectiveness. 
The UK FCA defines and focusses on the following “culture clusters” in order to consistently understand conduct risk: Business model and strategy/ Leadership/ Purpose & Values/ People/ Stakeholders/ Intangibles/ Running the business. • Strategy embedment: Analyses how well conduct risk has been embedded into the firms’ strategy and business model. In particular, it will question whether this is due to a push (by Compliance for instance) for a pull (driven by the business desire to having a strong conduct risk framework). • Committee(s) linkage. Looks to understand how well relevant committees are linked to the 5 questions approach. Firm-wide conduct risk framework The firm-wide conduct risk framework is the largest pillar and contains a large variety of areas facing regulatory scrutiny with a focus on how the firm is governed, who is responsible, how the conduct risk framework is managed and implemented (1LoD and 2LoD) and finally, how this is all audited (3LoD). The following section explains these focal points further. a. Governance • Conduct risk policy and procedures: essentially articulates how the firm is aiming to manage its conduct risk throughout. • Board engagement: means how involved and engaged is the board, ExCo and Non Execs and how embedded is this into the overall governance structure of the firm. • Strategy implications: looks into how the strategy of the firm permeates via its business model both across global businesses and functions.
  • 5. Feedback on the COSO Enterprise Risk Management Public Exposure Page 5 of 10 October 2016 • OpRisk and ERM framework embedment: is important as conduct risk is not a stand-alone risk and as such must be deeply embedded into the OpRisk framework/ risk register as well as the over-arching enterprise-wide risk management framework. • Group/ Regional/ Local oversight: shows the level of conduct risk management incorporation throughout the firm. • Conduct risk committee (incl. board/ ExCo): identifies delegated authorities and escalation routes from conduct risk and/or risk committee to the board and vice versa. • Integration with related (risk) committees: shows the level of information exchange and intelligence sharing within the firm and evidences the level of alignment/ mis-alignment throughout the firm’s risk space. • Role of committee(s): takes a look at the empowerment and capabilities of risk committee with a focus on conduct risk. What is the committee’s ability to drive strategy and are decisions taken followed through? • Role of control functions (1/2/3LoD): aims to develop a better understanding of the demarcation and collaboration across the three lines of defence within a firm. b. Ownership & Accountability • Clearly defined: ownership and accountability are paramount for every individual, team and department to know what they can and cannot do. As such, it is important for instance to have clear job descriptions or a job catalogue that helps determining individuals’ responsibilities. • Business ownership/ engagement: Conduct risk is not a one-way street and requires proactive engagement and continuous involvement of the business (e.g. the areas generating revenue). • Accountable executives: are very important from a regulatory perspective as this will be the key contact points between firm and regulator, particularly crucial if remedial action is required. 
• Delegated authorities: are crucial to understand how the strategy, translated into the business model breaks down right to a very granular level for each individual. • Escalation routes: is looking at the opposite direction of delegated authorities and explains both formal and informal routes for staff to “speak up” if necessary. • Frequency of committee(s) and conduct risk reviews: are important as proper conduct risk management on a quarterly basis for instance may have the tendency to become too much of a point-in-time assessment. Ideally, some KPIs/KRIs should be identified that enable continuous monitoring, for instance behavioural pattern recognition. c. Programme/ Implementation • Programme overview/ structure: will provide the regulator with a comprehensive summary of the firm’s conduct risk programme. • Programme work streams: go into more granular detail and provide the nature of each work stream, schedule and any current issues leading to “Red” on the work streams’ RAG status • Mapping - Themes vs. Strategy: gives the regulator a view whether all areas of the chosen strategy have been addressed within the conduct risk programme and helps identifying any gaps within the implementation plans. • Operating model integration: looks beyond implementation of conduct risk and BAU integration into the firm’s target operating model. • Processes: need to be documented as part of desk-top instruction manuals or similar and documentary evidence needs to be provided. • Business involvement: looks to understand how much the business is actively involved in developing conduct risk and the level of interaction between different business areas.
  • 6. Feedback on the COSO Enterprise Risk Management Public Exposure Page 6 of 10 October 2016 • Push/Pull: aims at understanding the key drivers behind the conduct risk implementation programme and whether this overall effort is more a push (i.e. driven by the compliance teams) or a pull (i.e. by the business itself). d. Audit • 3LoD involvement: is an important element as part of the firm-wide conduct risk framework. • Programme audit: will have to be conducted by the audit team to understand whether the programme and implementation is both on track and effective. • Thematic reviews: are becoming an increasingly important analytical tool deployed to identify patterns, for instance in sale staff behaviour and to understand areas that require mitigations. • Deep dives: are often used to inform thematic reviews, particularly in data-rich environments by looking at big data sets at a fairly granular level, e.g. at individual staff or customer level. Quantitative components a. Identification • Risk taxonomy: looks to understand whether a firm-wide risk taxonomy exists and whether or not this includes conduct risk and people risk related definitions. • Risk drivers: are the drivers of conduct risk exposure within firms and need to be articulated by the firm guiding the discussion with the regulator. • Forward/ backward-looking: both are important as analysis is only possible based on historical data. However, it is more so important to use historical data/ analysis and overlay this on a forward-looking timing horizon enabling better risk prediction. • Self-assessment process: is the process firms deploy to assess themselves in how good/ bad they are doing at managing conduct risk effectively. • Self-assessment validation: same as previous point, but giving the firm an opportunity to validate its self-assessments. • Whistleblowing and complaints handling: are closely linked to conduct risk and hence need to be integrated within the overall conduct processes. 
• Approach: the firm’s conduct risk management approach, following from the completion of the conduct risk programme. • Point-in-time or continuous process: aimed understanding the analytical/ timing horizon of conduct risk management within a firm. b. KPIs & KRIs • Severity (Risk/ Misconduct): identifies the risk of the misconduct/ misbehaviour for the firm (e.g. Low, Medium, High, Very High) as well as the nature of the misconduct (e.g. similar scale as to risk) • OpRisk losses due to breaches: record the firm’s actual losses caused by misconduct within the firm. • Training stats: can give a detailed picture of the number of staff failing mandatory training exercises • Categories: of misconduct for instance whether the misconduct is due to staff fraud, bullying, harassment and discrimination or regulatory compliance breaches • Nature of the KxIs: provides for each KxI whether it is a leading or lagging indicators • Consequences – for individual: identifies whether or not the individual(s) involved in misconduct cases have been disciplined and gives more detail about the actual consequence, i.e. verbal warning, written warning, summary dismissal, bonus claw back etc. • Consequences – for the firm: provides detail as to how the firm has responded, for instance improving a badly worded policy or some additional supervisory staff has been added.
  • 7. Feedback on the COSO Enterprise Risk Management Public Exposure Page 7 of 10 October 2016 c. Monitoring/ Reporting • Dashboard/ Heat maps: will form part of the regulatory assessment and as such some current examples will be required for further analysis. • Reports: same for conduct risk-specific reports • Recipients (incl. Board/ ExCo): the regulator with closely look at the recipients of each of these reports to ensure this is aligned with other information given. • Effectiveness of the MIS: by understanding the number of and detail used for KxIs as well as reporting frequency and the horizon of the reporting. Qualitative components a. Standards & Communications • Tone from the Top (Delegation): is important for embedding a solid and robust culture breathed and lived by the board and cascaded downwards. • Tone from the Tail (Escalation): is equally, if not more, important to inform senior management of issues giving rise for early escalation with a view of containing the issue at hand. • Comms campaigns/ Message cascading: looks at how messages are conveyed throughout the firm, in particular at how conduct risk is explained and how these messages permeate the cultural fabric. • Comms effectiveness: looks at measuring the comms feedback, participation levels in town halls and team meetings. • Fostering a “speaking up” culture. b. Training • Mandatory training: needs to include a strong focus on conduct risk and the regulator may look at eLearning and face-to-face course materials. • Ongoing mentoring: is difficulty to audit on an individual basis, but some random samples of annual performance review records may give an indication as to how much (or how little) mentoring on conduct happens. • Training effectiveness. c. Staff related • Senior Managers & Certification Regime (SMCR): informs the regulator of how integrated SMCR is into the firm’s governance. • Attestation process: details thereof need to be provided to the regulator. 
• HR policies/ procedures: that refer to conduct risk and consequence management need to be provided to the regulator. • Career progression/ reward: details of which need to be provided to the regulator in order to understand the firms general approach on staff incentives. • Consequence management: similarly to the previous point, needs to be provided to the regulator in order to understand how misbehaviour is managed. d. External expertise • External consultants: for instance the percentage of contractors and consultants that are deployed to provide services primarily aimed at conduct risk management. • Reliance on external expertise: similar to previous point, this would be a percentage that indicates overall contractor/ consultant levels at the firm.
  • 8. Feedback on the COSO Enterprise Risk Management Public Exposure Page 8 of 10 October 2016 • SLAs/ controls: give an indication of how well external consults are managed and the regulator may request some sample contracts. • Vendor conduct/ third party risk management: is equally important as a third party’s negligence or misconduct may equally threaten the firm and contribute to additional reputational risk. Regulatory Interaction/ Dependencies • Day-to-day relationship with the regulator: looks at whether the firm is confrontational or collaborative in the way it works with the regulator as this may be an indicator of the firms underlying culture. • Co-ordination/ Global alignment of requirements: is particularly important as some firms are operating in a global environment across many jurisdictions where regulatory initiatives may not always be aligned, potentially increasing systemic risk. • Industry-wide working groups and lessons learnt: This is a tricky one as firms may not be willing to share lessons learnt with competitors, although there is benefit in sharing intelligence and mistakes made across firms. • Peer reviews/ thematic reviews/ data & intelligence: this is really a task for the regulator to ensure all information available to them is used in the most efficient fashion. • Regulatory KPIs: similarly, this is one for the regulator to understand and tricky as the best KPIs for regulators are “absence-based”, i.e. no fines and/or reduced fines, less frequency of events and lesser severity may all mean that the regulator has performed better. 3. Practical considerations ¶ 4 - We wondered whether the “value” definitions in paragraph 4 may confuse people as value at risk is a market risk term used often in risk management. It might be worth putting a short sentence to differentiate between the two. Section 7 – there may be scope to refer to KRIs here. 
¶ 266 & 275 (Example 8.2 and Figure 8.7) – typically once the target residual rating is reached, an entity is unlikely to expend further resource decreasing the risk. The word ‘target’ suggests that they are comfortable with the extent the risk is mitigated. For Example 8.2, please consider re-wording the sentence to “while the existing manual process has mitigated some of the risk exposure, the actual residual risk is still more than the target residual risk. The automated workflow system could offer an additional risk response to lower the risk within the target residual range, and would do so in a cost effective manner”. For Figure 8.7, the same argument applies, for management, if they are at their target residual rating, they are unlikely to use resources to further reduce the risk. Doing so may imply that they may be over cautious and foregoing other opportunities. As such, for this diagram we suggest changing the positions of residual risk rating and target residual risk rating (example shown below).
¶ 73-75 & Principle 8: Defines Risk Appetite – in the definition and discussion of risk appetite, the use of the word ‘accept’ suggests a one-dimensional view of risk, i.e. negative. Given that risk can also be an opportunity, it would be better to describe it as the risk that an organisation is willing to seek/take. The use of “acceptable” in the context of variation does not carry the same connotation and is therefore appropriate.

¶ 78 – consider expanding on the risk appetite discussion to bring out the link to informed decision making, which is relevant to the running of the business more broadly than just setting performance targets. Although there is coverage later in the paper on this, it is worth noting here. The additional detail should portray the importance of finding the right balance and continuously adjusting it, with both short-term (liquidity) and long-term (capital) lenses, as well as generating a long-term sustainable benefit and, ultimately, the on-going survival of the organisation.

¶ 179 – although the paragraph brings out the point around the maturity of an organisation’s enterprise risk management, our view is that the use of ‘low’ or ‘high’ appetite should not be recommended for any organisation, regardless of its maturity. As you noted, such terms are vague and could potentially encourage inappropriate decision making due to individual interpretations based on individual predispositions to risk. If you choose to retain the suggestion that it may be sufficient, we recommend that you qualify it by stating that the organisation should define what low and high mean in its own context.

¶ 181 – our view is that the critical point around risk capacity and prospect of failure should be made more prominent and not hidden as part of a series of bulleted points. Success and failure are the underlying premise for getting your risk appetite correct. This concept should be promoted to earlier in this section and added to Section 4 in line with the feedback on ¶ 78 above.

¶ 183 (Example 7.5) – the example given for high appetite in the diagram on the risk appetite continuum should be changed. It would be irresponsible for any management team to convey a ‘high’ appetite, implying acceptance of a high degree of uncertainty, if they are seeking operational efficiency. An alternative example that suggests a more appropriate balance between potential gain and loss might be: “A high appetite for collaborating with other universities, recognising that our intellectual property might be compromised”.

4. Minor changes

¶ 244 Figure 8.2 – typo in the potential root causes section: moral instead of morale.

¶ 245 – the standard sentence structure provided can be more simply defined as: event, cause, and impact. This keeps definitions in line with other risk management guidance.

Thank you

Our group is available and would be interested in being actively involved in further consultations. Should you wish to contact us, please do not hesitate to do so on either of the details below.

Raza Sadiq – raza.sadiq@coveainsurance.co.uk
Darius Mayhew – Darius.sjm@live.com
ERM in Banking & Financial Services Special Interest Group.
i Why ‘paradigm’ – not ‘model’? A conceptual model is a representation of a system, made of the composition of concepts which are used to help people know, understand, or simulate the subject the model represents. Conceptual models are often abstractions of things in the real world, whether physical or social. In contrast, a paradigm is a distinct set of concepts or thought patterns, including theories, research methods, postulates, and standards for what constitutes legitimate contributions to a field. Although, on paper, the new global conduct risk paradigm resembles a method, an approach or a model, given its genesis and the fact that it is based on an interpretation of discussions rather than hard evidential documentation, the author felt it most appropriate to describe the result of his work as a “paradigm” rather than a model, and hopes that going forward it will be seen as contributory to the risk management area, in particular the management and mitigation of conduct risk.
