Module 4: How to do ERM - internal risk frameworks

Question 1

Define corporate governance

Answer 1

The way the Board CONTROLS the organisation, and the processes it establishes so that it is run by the management in the best interests of the shareholders. Good corporate governance is essential to establishing an effective ERM framework.

Question 2

3 Main responsibilities of the Board with regard to risk management

Answer 2

• Risk Governance - Setting ERM Policies - Determining Risk Compensation

Question 3

Outline the responsibilities of line managers with regard to risk management

Answer 3

Responsible to IMPLEMENT the ERM policies agreed by the Board. This involves … setting up suitable risk management processes and … integrating the risk information collected into business decisions. It is essential that line managers understand the risks that they are taking, and are aware of the extent of their risk-taking powers, eg when they can automatically take on a risk, and when they must seek agreement from a more senior decision-maker.

Question 4

7 Major structural components required for a company to apply ERM to its operations and decision making

Answer 4

1. CORPORATE GOVERNANCE - to establish organisational processes and controls 2. LINE MANAGEMENT - to integrate risk management into business processes 3. PORTFOLIO MANAGEMENT - to aggregate risk exposures and identify diversification effects and concentrations of risk 4. RISK TRANSFER - to mitigate excessive risk exposures cost-effectively 5. RISK ANALYTICS - to measure, analyse and report on risks. 6. DATA AND TECHNOLOGY RESOURCES - to support the analytics and reporting 7. STAKEHOLDER MANAGEMENT - to communicate and report on risk.

Question 5

List the main AIMS OF INTERNAL CONTROLS to which corporate governance codes of conduct refer

Answer 5

• ensuring accurate and adequate RECORD-KEEPING - PREVENTING FRAUD and safeguarding the company’s assets - guaranteeing the accuracy of FINANCIAL STATEMENTS - responding appropriately to risk - ensuring COMPLIANCE with law and any supervisory

Question 6

Outline the main recommendations of the Cadbury Code of Best Practice which is aimed at improving confidence in financial reports in the UK

Answer 6

• There should be a full Board meeting at regular intervals - The Board should be made aware of many significant activities such as acquisitions, capital projects - Non-executive directors (NEDs) should have key responsibility for certain control and monitoring functions - Shareholders should approve directors’ service contracts in excess of three years - Directors’ remuneration should be subject to review by a remuneration committee made up of NEDs - Company reports should be balanced and understandable

Question 7

Outline the key features of the UK Corporate Governance Code

Answer 7

• Applies to all UK-listed companies (the Code being annexed to the London Stock Exchange Listing Rules). - Corporate governance is not forced on companies by prescriptive rules. Compliance with this Code is voluntary, although there is a requirement for firms to disclose whether they comply with the Code and, in the case of non-compliance, explain any deviations. - It allows companies freedom to choose a suitable approach given their industry and their size, and to explain any material differences between their approach and the prevailing governance code to shareholders and to the market.

Question 8

Outline how external risk frameworks influence corporate governance in the USA

Answer 8

A more statutory approach to compliance has been taken through the introduction of legislation in the form of: - Securities and Exchange Commission (SEC) - rules requiring disclosure of Board structure, compensation and role in risk management - the Sarbanes-Oxley Act - requiring independent Board audit committees and at least one “financial expert” - the Dodd-Frank Act - requiring bank Boards to have a risk subcommittee that includes a “risk management expert”

Question 9

List the 4 Key principles for excellence in corporate governance

Answer 9

1. Communication with stakeholders 2. Independence of the Board 3. Board performance 4. Board compensation arrangements

Question 10

Outline the role of a risk subcommittee of the Board

Answer 10

Accountability for overseeing the management of risks within an organisation rests with the Board, however it may be delegated to a risk management subcommittee of the board. If a risk subcommittee is established, this will be done by drawing up a risk subcommittee charter.

Question 11

Outline the role of an audit subcommittee of the Board

Answer 11

• to give auditors direct access to the non-executive directors - to ensure the auditors retain their independence from any other business services provided by the audit firm. - emphasises the importance of the audit function to the rest of the business. The role of the audit subcommittee includes: - monitoring the integrity of financial statements. - monitoring and reviewing internal assurance functions such as financial control, risk arrangement and internal audit - recommending, monitoring and reviewing the external auditor.

Question 12

Key principles for excellence in corporate governance: COMMUNICATION WITH STAKEHOLDERS

Answer 12

The Board has a duty to disclose certain information about the company to stakeholders, which may extend to details of risk management practices. This leads to greater transparency of information for shareholders, and facilitates more informed decision making on their part.

Question 13

Key principles for excellence in corporate governance: INDEPENDENCE OF THE BOARD

Answer 13

The Board should not be involved in actively managing the company on a daily basis. Rather, it should be distanced from the day-to-day running of the company in order to better oversee and monitor its management.

Question 14

Key principles for excellence in corporate governance: BOARD PERFORMANCE

Answer 14

The Board should engage in regular, formal self-assessments to rate its performance against any best practice codes it is subject to. This may be carried out at an individual, subcommittee or full Board level. This can be difficult to achieve in an unbiased way, so the use of external consultants may help. There should be regular, independent development reviews and training for new Board appointees.

Question 15

Key principles for excellence in corporate governance: BOARD COMPENSATION ARRANGEMENTS

Answer 15

Directors should not be overly compensated, however, the compensation should reflect the responsibility and risk of being a director. In order to align director’s interest with those of shareholders, it is important that a reasonable proportion of the compensation should be in the form of company stock. It is also important, for the implementation of ERM, to align directors’ compensation with risk management objectives, eg by linking remuneration to risk-adjusted return.

Question 16

When was the Walker Review of Corporate Governance of the UK Banking Industry initiated, and by whom?

Answer 16

February 2009, following the banking crisis in late 2008. It was led by Sir David Walker, and was initially to cover only banks, but its terms of reference were subsequently widened to cover all financial institutions in the UK.

Question 17

5 Key themes contained in Walker’s final recommendations

Answer 17

• The “comply or explain” approach under the UK Corporate Governance Code is still the best route to better corporate governance practice. - There is a need for more “challenge” in Board discussions, coming from the right mix of capabilities and experience on the Board, and from a greater time commitment from non-executive directors. - Board-level engagement of risk oversight should be materially increased, with particular attention to the monitoring of risk and discussion leading to decisions on the entity’s risk appetite and tolerance. The review recommended the set up of a separate Board risk committee with support from a CRO and with clear enterprise-wide authority and independence. - There is need for better engagement between fund managers acting on behalf of their clients as beneficial owners, and the Boards of investee companies. - The remit of Board remuneration committees should be extended to cover other senior influential employees, and this remuneration should be aligned with the medium- and longer-term risk appetite and strategy of the entity. The remuneration of these employees should be made publicly available on a “banded” basis.

Question 18

Define culture

Answer 18

An organisation’s culture is defined by: …. the APPROACH taken to its activities and describes the company’s —- shared values, —- beliefs and —- behaviours. This includes the attitude of employees to business undertakings and the way in which judgement is exercised.

Question 19

Define risk culture

Answer 19

A subset of its overall culture. A company’s risk culture is its —- SHARED VALUES, —- BELIEFS and —- BEHAVIORS in relation to risk.

Question 20

Define good risk culture

Answer 20

One in which people know, and do, the right thing, even if there is no specific rule or policy telling them what to do, rather than acting in their own interests.

Question 21

The board should ensure that an organisation has a culture which is conducive to good risk management. This culture should encourage (7)

Answer 21

• consultative leadership - participation in decision-making on risks - openness - accountability rather than blame - organisational learning (as opposed to box-ticking - knowledge sharing - good internal communication

Question 22

Outline the key features of an organisation with a supportive risk culture

Answer 22

Companies with a supportive risk culture: - focus on developing POSITIVE EMPLOYEE BEHAVIOURS with regard to risk - support the development of these behaviours with APPROPRIATE TRAINING for employees - praise those with good risk behaviours - set risk culture from the top of the organisation - the Board and senior management need to display appropriate risk behaviours - include a requirement for proactive responses to risk in job descriptions - incorporate risk management objectives into the performance management process - tie incentives to risk management performance objectives, with clear targets and measures of success - ensure that risk management responsibilities are clearly defined and that individuals are aware of their accountabilities - introduce a PROCESS TO ESCALATE RISKS to the appropriate level of seniority - develop an ENVIRONMENT OF OPENNESS where employees will raise issues in the knowledge that they will be heard and be open to new ideas - AVOID A “BLAME CULTURE”, in which the focus is on what went wrong, rather than how it can be prevented from happening again - EVALUATE THE RISK CULTURE, eg measure it through questioning the workforce, perhaps by inclusion in an existing staff survey, and review progress on an ongoing basis

Question 23

10 Common themes in best-practice corporate governance

Answer 23

The Board: - assessment of performance - composition of the Board of Directors - independence of the Board - frequency of Board meetings Individual Directors: - remuneration - skills required and performance assessment - terms of appointment Board Subcommittees: - functions of Board subcommittees: appointments, audit, remuneration, risk - composition of Board subcommittees Stakeholder communication and disclosure

Question 24

6 Key stakeholders and their roles in good corporate governance

Answer 24

BOARD OF DIRECTORS — vigorous leadership, — setting RM policies, — governance, — responsible for key strategic risks — determining risk compensation CHIEF RISK OFFICER (CRO) - responsible for implementing Board’s RM strategy RISK SUBCOMMITTEE - verify compliance with, and challenge risk policies AUDIT SUBCOMMITTEE — integrity of financial statements — oversight of assurance functions — link with external auditor MANAGERS - responsible for identification / management of risks in their area, - lead by example ALL EMPLOYEES - responsible for identifying new / changed risks, adhere to codes of conduct

Question 25

Responsibilities of the Board with regards to risk management: RISK GOVERNANCE

Answer 25

• setting the —- vision, —- strategy and —- risk culture of the organisation - establishing a FRAMEWORK for —- measuring, —- managing and —- monitoring the risks facing the organisation - reviewing the outcomes of and lessons learnt from the risk management process on an ongoing basis to achieve its goal of delivering long-term value to its investors.

Question 26

Responsibilities of the Board with regards to risk management: SETTING ERM POLICIES

Answer 26

• defining the company’s RISK APPETITE - establishing what SKILLS are needed to implement ERM strategies successfully, and implementing training programmes where these skills are deficient - guiding decisions on the most appropriate approach to, and structure for, ERM internally or arise from legislation or regulation.

Question 27

Responsibilities of the Board with regards to risk management: DETERMINING RISK COMPENSATION

Answer 27

• aligning the interests of management with investors through appropriate remuneration packages

Question 28

What is the role of the BOARD OF DIRECTORS in good corporate governance?

Answer 28

— vigorous leadership, — setting RM policies, — governance, — responsible for key strategic risks — determining risk compensation

Question 29

What is the role of the CHIEF RISK OFFICER (CRO) in good corporate governance?

Answer 29

• responsible for implementing Board’s RM strategy

Question 30

What is the role of the RISK SUBCOMMITTEE in good corporate governance?

Answer 30

• verify compliance with, and challenge risk policies

Question 31

What is the role of the AUDIT SUBCOMMITTEE in good corporate governance?

Answer 31

— integrity of financial statements — oversight of assurance functions — link with external auditor

Question 32

What is the role of the MANAGERS in good corporate governance?

Answer 32

• responsible for identification / management of risks in their area, - lead by example

Question 33

What is the role of the ALL EMPLOYEES in good corporate governance?

Answer 33

• responsible for identifying new / changed risks, adhere to codes of conduct

Question 34

Outline the key content of a risk subcommittee charter.

Answer 34

• purpose - responsibilities - membership: needs to have knowledge of the organisation and relevant experience, but be able to remain objective; consider the split between independent and non-independent directors - frequency of meetings - performance assessment: what criteria will be used - resources available: which departments the subcommittee will work with; whether external consultants may be used

Question 35

Risk subcommittee charter: Purpose

Answer 35

overseeing and challenging management’s treatment of key risks; setting risk policy; gathering relevant information on risks.

Question 36

Risk subcommittee charter: Responsibilities

Answer 36

ensuring a suitable ERM framework exists within the company; assessing whether risk management objectives have been achieved; ensuring compliance with any supervisory requirements for risk management; reporting on a risk to the Board; keeping abreast of developments in risk management

Question 37

Key items of best practice w.r.t. the audit subcommittee

Answer 37

• ensuring members of the audit subcommittee are drawn from the non-executive directors. Many international codes go further and stress the independence of the subcommittee.