
Risk Reporting

Internal and External Expert Group

IORWG CONFERENCE
APRIL 2015
Expert Group Agenda

• Introduction:
    • Expert Group Objectives
    • Membership
• Review Industry Scan Materials
    • Practices and Perspectives
    • Interviews
• Review Survey Outcomes
• Expert Group Summary Conclusions
• Open Q&A

Expert Group Objectives

• Study reporting of operational risks (both internally to Bank management and externally to governing bodies)
• Identify best practices in reporting using the workgroup, IORWG members and industry research to draw conclusions
• Provide sample templates and examples to serve as a repository for risk reporting, using sample data
• Identify lessons learned through improvements incorporated over time

Expert Group Membership

• European Central Bank (co-chair)
• Federal Reserve Bank of Philadelphia (co-chair)
• Bulgarian National Bank
• South African Reserve Bank
• Bank Al Maghrib (Morocco)
• Banco de la República (Colombia)
• Bank of Lithuania
• Central Bank of Ireland
• Reserve Bank of Australia

Industry Scan

• Conducted industry literature scan (e.g. relevant articles and working papers)
• Interviewed Director, Governance, Regulatory and Risk Strategies at Deloitte and Touche (International Accounting and Consulting Firm)
• Interviewed Director, Enterprise Risk Management at Vanguard (Investment Firm)

Risk Reporting
Best Practices and Challenges
Risk Reporting
Best Practices and Challenges: Risk Transparency and Insight

Best Practices
• Prioritized risk heat map
• List and classify risks by potential impact and likelihood
• Consider all risk drivers, even insignificant ones, as their impact may change over time
• Risk Reports should prioritize key risks with management’s assessment including:
    • A description of tradeoffs
    • Management's conclusion and reasoning

Challenges
• Dig deeper than likelihood and impact
• Contemplate preparedness and lead time
    • Is the bank ready to respond if a risk occurs?
    • How far ahead can the bank see the risk event occurring?
• Compare exposures across the bank and develop a consistent view across business areas
• Business areas may use different names for the same or similar risks
• Too generic and verbose/formulaic
• Don’t report a risk just to satisfy a process
• Judgments on risk are inevitably subjective

Risk Reporting
Best Practices and Challenges: Risk Appetite and Strategy

Best Practices
• Assess risk capacity
    • What is the bank’s ability to withstand risk when/if it materializes?
• Decide which risks to accept, mitigate, transfer (e.g. insure), and to reject (e.g. exit business with vendor if it proves too risky)
• A clear risk strategy
    • Include in the bank’s strategic plan
• Responsibilities and roles of risk ownership should be established
• Business owners should ensure risk data is collected/reported in accordance with bank policies
• Black Swan Events
    • Can a risk report helpfully show the risks of a rare but catastrophic event?

Challenges
• Quantification of risk exposure and risk capacity
• Produce metrics that the bank can measure and track

Risk Reporting
Best Practices and Challenges: Risk-related processes and decisions

Best Practices
• Regular testing of a bank’s ability to aggregate data and produce risk reports in both a crisis and a steady environment
• Have performance indicators to monitor activities, progress toward objectives, and identify issues

Challenges
• Risk management and strategic planning frequently operate with little connection
• Strategic choices and budget should consider risk appetite when making decisions

Risk Reporting
Best Practices and Challenges: Risk Organization and Governance

Best Practices
• Senior management and the Board should set the frequency of risk evaluations based on the speed at which the risks can change and the importance of reports in contributing to effective decision making
• The Board should interact with the managers who know the risks as opposed to reports from senior management

Challenges
• The frequency of risk reports to senior management and the Board should be increased during times of crisis
• Risk reports should be tailored to present relevant information depending on the audience
    • Board
    • Senior Management
    • Risk committees, etc.

Risk Reporting
Best Practices and Challenges: Risk Culture

Best Practices
• Encourage a culture where employees can contribute to risk assessments
• ERM and Internal Audit provide management positive incentives to self-identify risk issues, ensuring a strong, business-led risk culture.

Challenges
• Denial of risk
• Over-confidence
• Fear of bad news
• Lack of communication
• Poor understanding and tracking of risks
• Slow response to risk events
• Avoidance of risk processes
• Biased towards the positive
• Reluctance to be blunt

KPMG Study

RESPONDENT COMMENTS
• Respondents revealed the following about the depth of their reporting levels:
    • “We have a Board level report, but further enhancements need to be made. We are also focusing on entity, process, and business line reporting.”
    • “Reporting exists to cover all of these aspects, but we can improve reporting by consolidating it into one coherent picture from risk through to capital.”
    • “Operational risk reporting is developmental. RCSA aggregation allows for various reporting levels. Detailed reporting is at the division and department levels. High-level reporting is made to ORM and Board Risk Committees.”
    • “The correlation to business strategy and performance is not explicitly tied.”

Industry Perspective:
Interview with Deloitte & Touche

Industry trends in terms of risk reporting
• There is a struggle between too detailed vs. too little information (in general, Boards started receiving very voluminous, hard to digest risk reports after the financial crisis)
• One area of hope is the Basel Committee on Banking Supervision principles; banks have to comply by January 2016
    • These principles include better data quality and aggregation ability
• Another trend is the importance of information/cyber security in presentations to the Board

Industry Perspective:
Interview with Deloitte & Touche

Challenges associated with risk reporting
• Difficult to determine the right metrics for risk reporting and to be able to obtain these metrics quickly
• Difficult to quantify capital for operational risk (modeling); it is hard to measure because there are so many different variables and drivers, making the environment volatile

Industry Perspective:
Interview with Deloitte & Touche

Use of automated tools for reporting
• Most banks still use Microsoft Office Products.
• One client developed a database that runs automated metrics pulled from data dumped by various systems (e.g. metrics focus on credit and market risk)

Industry Perspective:
Interview with Deloitte & Touche

Key areas that should be included in reporting to the Board of Directors or to Bank management:
• Banks should get input/guidelines from the Board on what type of information they need in the risk reporting
• There should be a framework of risk categories/types as well as a definition of risk appetite and limits approved by senior management
• Risk reporting should be done against defined limits (e.g. what is the acceptable down time for xyz system?)

Industry Perspective:
Interview with Deloitte & Touche

Suggestions on balance of information to ensure reports are comprehensive, but not information overload:
• There needs to be a balance of graphics and commentary in presentations to the Board
• An appropriate format would include an executive summary, dashboard, and a deeper dive into each risk
• It is helpful to have a standard reporting package, but it should be dynamic enough that you can bring on additional topics, including emerging risks

Internal and External Reporting Conclusions

• Key Takeaways:
    • Customize reports to the audience (BoD, Management, etc.)
    • Reporting frequency should change in time of “crisis”
    • Use reporting to tell the ORM “story”
    • Balance reporting with a combination of narratives, graphics and concise conclusions (be direct and to the point)
    • Heat maps clearly illustrate the risks of an organization or business line
    • Wherever feasible, build in metrics to reports
    • Integrate reporting with audit, strategy, information security, project management and other disciplines
    • Be committed to transparency and continued process improvement
    • Demonstrate the value of ORM in reporting (e.g. change in profile over time)
    • Most reporting is still Microsoft Office based (manual processes)
