Risk Oversight and Risk Management Questionnaire

NO. ASSESSMENT QUESTION YES NO NA COMMENT

Risk Culture Assessment Questionnaire
1 Is management periodically evaluating changes in the business environment to identify the risks inherent in the corporate strategy?
Is the board sufficiently involved in the process, particularly when such changes involve acquisition of new businesses, entry into new
1.a
markets, the introduction of innovative technologies or alteration of key assumptions underlying the strategy?
2 Is there an understanding of the threats in the business environment that could derail the execution of the organization’s strategy?
2.a Are these risk factors monitored over time to provide executive management and the board early warning?
3 Does management apprise the board in a timely manner of significant risks or significant changes in the organization’s risk profile?
3.a Is there an effective process for identifying emerging risks?
3.b Does it result in consideration of response plans on a timely basis?
4 Is the board aware of the most critical risks facing the company?
4.a Are board members cognizant of management’s risk concerns?
4.b Does the board agree on why these risks are significant?
4.c Do directors understand the organization’s responses to these risks?
Is there an enterprise-wide process in place that directors can point to that supports management’s answers to these questions, and is
4.d
that process effective in informing the board’s risk oversight on a timely basis?
Does the organization’s risk assessment process engage the appropriate executives and stakeholders to ensure that all appropriate risk
5
perspectives are understood and considered?
Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent
6
with that risk appetite?
Is the board satisfied that the strategy-setting process appropriately considers a substantive assessment of the risks the enterprise is
6.a
taking on as it formulates and executes its strategy?
Are risks evaluated in the context of the strategy and incorporated as a key consideration in the organization’s decision-making process
7
on an ongoing basis over time?
Does the organization’s risk culture facilitate an open, positive dialogue on identifying evaluating opportunities and risks, including the
8
escalation of significant risk issues warranting attention by executive management and the board on a timely basis?

9 Does management's evaluation reflect the input of the unique perspectives offered by different executives and stakeholders?
10 Is there a process in place for identifying emerging risks?
For example, is scenario analysis applied to understand the potential impact of risks emerging from changes in the external
10.a
environment?
11 Is there is a process for identifying emerging risks?
11.a Does it consider the perspectives offered by different executives and stakeholders?
11.b Does it result in consideration of response plans on a timely basis?
Does executive management openly support each line of defense (e.g., LOB leaders and process owners, independent risk and
12
compliance management functions, internal audit, and defined, effectively functioning escalation processes)?
12.a Does executive management have direct, quality contact with all lines of defense?
12.b Is there effective collaboration across the lines of defense regarding important risk issues?
12.c Are unexpected issues escalated to executive management handled effectively?
13 Can LOB management identify and understand their risks and risk appetite?
13.a Do they identify and report issues to executive management in a timely manner?
13.b Do they own the risks their activities create and are they accountable for results?
Are there important subcultures that exist and must be considered separately to ascertain whether they contribute to effective risk
14
management or present exposure to excessive risk-taking?
15 What is the risk management organizational structure, and how is it viewed among the LOBs and throughout the firm?
15.a Is there an element of "effective challenge" and a degree of comfort with creative, healthy tension?
Alternatively, is there an emphasis on harmony, "getting along" and conformity that can result in decision making that discourages or
15.b
ignores alternative views and salient contrary information and, as a result, reaches risk/reward decision that may miss the mark badly?
16 What infrastructure is in place to support risk identification, measurement, analysis reporting, monitoring and management?
17 What types of risk culture training, awareness programs or other support are available within the organization?
Do these programs and initiatives emphasize elements of continuous learning and improvement (e.g., process improvement,
17.a
measurement and quantification, monitoring against expectations, and innovations to improve productivity, among other things)?

Page 1
 Risk Oversight and Risk Management Questionnaire

NO. ASSESSMENT QUESTION YES NO NA COMMENT

Is risk culture a factor in the enterprise's incentive and rewards systems? What metrics are being used to monitor risk culture and gauge
18
the effectiveness of cultural change?
19 Are there patterns of behavior that provide an indication as to whether risk management and internal controls matter?
For example, are there warning signs that the tone at the top may not be optimal (e.g., turnover of key executives, tolerance of
19.a
significant control issues, a warrior culture, a shortsighted focus on profitability and evidence of an overly dominant CEO)?
Does executive management work closely with middle-line and functional managers to ensure that everyone is effectively aligned in
20
terms of the organization's vision, mission, core values, strategy and risk appetite?
Is there evidence of proactive, open and transparent communications; encouragement of challenges to ideas and options during
20.a decision-making processes; clear performance expectations aligned with risk strategy; and emphasis on continuous improvement and
learning?
Are there effective escalation protocols and processes to ensure that significant problems are recognized and addressed at the
21
appropriate level of the firm?
Are the organization's performance objectives at risk of not being met and, if they are being met, are they being met in a manner
22
consistent with the organization's overall risk appetite?
23 If at risk, which objectives are at risk, ranked by order of the greatest risk of not being met, and why?
24 Have actions been defined that will sufficiently mitigate risks to an acceptable level?
25 If not, what are the recommendations for executive management's consideration:
25.a Change tolerances,
25.b Lower performance expectations,
25.c Change investment budget,
25.d Change objectives, or
25.e A combination of the above?
26 When the crucial moment comes where an unacceptable situation must be called out:
26.a Will risk management be able to tell the full story to decision-makers who matter?
26.b Will the decision-makers listen?
26.c Will risk management be allowed to continued to function once access rights are exercised?
27 What are the roles of the board and the CEO in providing risk oversight?
28 Does management executive committee allocate sufficient time to focus on risk management issues?
29 Is there a separate executive risk committee? If so:
29.a What is its composition?
29.b What are its roles and responsibilities?
29.c How does it interface with the strategy-setting process?
29.d How does it interface with the operating and functional units, as well as with the board?
29.e Does it have a charter?
29.f What risks does it oversee and govern?
Does the organization designate a single officer to assume certain overall responsibilities for risk management (e.g., a CRO or
30
equivalent executive)? If yes:
30.a Is he/she independent of the core business activities?
To whom does he/she report (e.g., to the CEO, another C-level executive and/or to the board of directors or a standing committee of the
30.b
board)?
30.c What are his/her overall role and responsibilities, as articulated in the job description?
30.d Is his/her role authoritarian (approve and escalate)? If not, what is it , e.g., consultative (assess, advise, recommend, champion)?
30.e Is he/she responsible for developing and/or coordinating execution of the overall risk management framework?
30.f Does he/she chair the institution's executive risk committee?
30.g Does he/she serve as a designated liaison with regulators?
30.h Is there adequate support staff to enable the executive to carry out his or her responsibilities?
31 What are the roles and responsibilities of lines of business and functional units (e.g. IT, legal, HR, etc.) as they relate to managing risk?
What governance or independent validation units are there (e.g., internal audit, model risk/validation, compliance management, value-at-
32
risk review and other risk management back-office activities)?
32.a To whom do they report, and how often?
To what extent should management of risks be centralized (e.g., all personnel with risk management responsibilities report through the
33
CRO's line rather than through tier respective lines of business and functional areas)?

Page 2
 Risk Oversight and Risk Management Questionnaire

NO. ASSESSMENT QUESTION YES NO NA COMMENT

34 Is there clarity as to roles and responsibilities regarding management of the priority enterprise risks?
34.a Is there an enterprise-wide view as to what they are?
34.b Is there a risk owner assigned to manage each risk?
Are there gaps (no risk owner who makes decisions with respect to managing the risk and designing and monitoring risk management
34.c
capabilities) to be filled?
34.d Are there overlaps (too many risk owners, effectively diluting accountability) to be eliminated?
34.e Are compensation practices incenting the desired behaviors?
35 What is the quality of the communications and cooperation between the CRO and:
35.a The business units?
35.b The back-office risk management functions?
35.c Key functional units (e.g., IT, legal, HR, etc.)?
35.d Validation units (e.g., internal audit, compliance etc.)?
Are there unique market, credit operational and other risks inherent in the organization's lines of business requiring special attention?
36
For example, are derivatives being used to speculate on markets or to hedge risk? If so:
Whose activities create the risks and why (e.g., if derivatives are used to hedge risks, what is being hedged, how is it being done and for
36.a
how long)?
36.b Do the organization's systems provide sufficient disclosure regarding the risks?
36.c Are the sources of the risks and how they affect operations known and understood?
36.d Are valuations appropriate (e.g., are derivatives positions market to market)?
Does the compensation structure sufficiently balance short-term versus long-term interests, or does it encourage unacceptable risk-
36.e
taking?
36.f Who is overseeing the management of the risks?
Do any of these risks require one or more risk units to house and maintain the competencies needed to assess and manage them
36.g
enterprise-wide?

Page 3