IORWG 2015 Risk Reporting Best Practices and Challenges
IORWG CONFERENCE
APRIL 2015
Expert Group Agenda
Introduction:
Expert Group Objectives
Membership
Interviews
Best Practices
Prioritized risk heat map
List and classify risks by potential impact and likelihood
Consider all risk drivers, even insignificant ones, as their impact may change over time
Risk Reports should prioritize key risks with management’s assessment including:
A description of tradeoffs
Management's conclusion and reasoning
Challenges
Dig deeper than likelihood and impact
Contemplate preparedness and lead time
Is the bank ready to respond if a risk occurs?
How far ahead can the bank see the risk event occurring?
Compare exposures across the bank and develop a consistent view across business areas
Business areas may use different names for the same or similar risks
Too generic and verbose/formulaic
Don’t report a risk just to satisfy a process
Judgments on risk are inevitably subjective
Risk Reporting
Best Practices and Challenges: Risk Appetite and Strategy
Best Practices
Assess risk capacity
What is the bank’s ability to withstand risk when/if it materializes?
Decide which risks to accept, mitigate, transfer (e.g. insure), and reject (e.g. exit business with a vendor if it proves too risky)
A clear risk strategy
Include in the bank’s strategic plan
Responsibilities and roles of risk ownership should be established
Business owners should ensure risk data is collected/reported in accordance with
bank policies
Black Swan Events
Can a risk report helpfully show the risks of a rare but catastrophic event?
Challenges
Quantification of risk exposure and risk capacity
Produce metrics that the bank can measure and track
Risk Reporting
Best Practices and Challenges: Risk-related processes and decisions
Best Practices
Regular testing of a bank’s ability to aggregate data and produce risk
reports in both a crisis and a steady environment
Have performance indicators to monitor activities, progress toward
objectives, and identify issues
Challenges
Risk management and strategic planning frequently operate with little
connection
Strategic choices and budget should consider risk appetite when making decisions
Risk Reporting
Best Practices and Challenges: Risk Organization and Governance
Best Practices
Senior management and the Board should set the frequency of risk evaluations
based on the speed at which the risks can change and the importance of reports
in contributing to effective decision making
The Board should interact with the managers who know the risks as opposed to
reports from senior management
Challenges
The frequency of risk reports to senior management and the Board should be
increased during times of crisis
Risk reports should be tailored to present relevant information depending on
the audience
Board
Senior Management
Risk committees, etc.
Risk Reporting
Best Practices and Challenges: Risk Culture
Best Practices
Encourage a culture where employees can contribute to risk assessments
ERM and Internal Audit provide management positive incentives to
self-identify risk issues, ensuring a strong, business-led risk culture.
Challenges
Denial of risk
Over-confidence
Fear of bad news
Lack of communication
Poor understanding and tracking of risks
Slow response to risk events
Avoidance of risk processes
Biased towards the positive
Reluctance to be blunt
KPMG Study
RESPONDENT COMMENTS
Respondents revealed the following about the depth of
their reporting levels:
“We have a Board level report, but further enhancements need to be
made. We are also focusing on entity, process, and business line
reporting.”
“Reporting exists to cover all of these aspects, but we can improve
reporting by consolidating it into one coherent picture from risk
through to capital.”
“Operational risk reporting is developmental. RCSA aggregation
allows for various reporting levels. Detailed reporting is at the
division and department levels. High-level reporting is made to ORM
and Board Risk Committees.”
“The correlation to business strategy and performance is not
explicitly tied.”
Industry Perspective:
Interview with Deloitte & Touche
Key Takeaways:
Customize reports to the audience (BoD, Management, etc.)
Reporting frequency should change in time of “crisis”
Use reporting to tell the ORM “story”
Balance reporting with a combination of narratives, graphics and
concise conclusions (be direct and to the point)
Use of heat maps clearly illustrates the risks of an organization or
business line
Wherever feasible, build in metrics to reports
Integrate reporting with audit, strategy, information security, project
management and other disciplines
Be committed to transparency and continued process improvement
Demonstrate the value of ORM in reporting (e.g. change in profile
over time)
Most reporting is still Microsoft Office based (manual processes)