2. The Broad Steps to Risk Governance Reform
• Build a case
• Develop a framework
• Perform pilots
• Develop learning strategies
• Implement across the organization
Peter J Schild 2
3. Change Management
Corporate systems are self-preserving and
resistant to change. Only when the need is
widely recognized and a solution exists
that appears to work does the desire to
change exceed the natural tendency to
resist it.
5. Does the board truly understand the
strategic objectives, the top risks
the company faces in executing
strategies, and the strength of the
processes that keep the board and
senior management informed?
6. To evaluate the company’s capacity to achieve
objectives, directors need confidence in a
system of effective internal controls and the
reliability of its maintenance, as well as evidence
of widespread attentiveness to risk. They must
believe in management’s capacity to stay within
the boundaries of established tolerances and to
report clearly and concisely when those
boundaries are approached.
8. Without the right culture the risk taken can easily
exceed the risk intended, regardless of the
processes employed to measure and monitor it.
The goal is an environment where personal
visions connect and employees come to
understand and agree with intended outcomes
and their individual and team roles in achieving
them.
9. Are all lines of business that
contribute to any given strategic
objective, while likely to be managed
separately, evaluated as a complete
set of activities?
10. Corporations in their entirety are more than
collections of individual activities subject to the
separate interests of their components.
Operating units work together across the
enterprise not in relation to their positions within
segments, but according to their relative roles in
support of defined strategies.
12. Neither capital nor risk can be calculated
precisely and confidence in predictable
outcomes is necessarily limited; therefore,
managing to the measurable alone is
insufficient. To provide reasonable assurance
that the risk taken is equivalent to the risk
intended, enhanced processes of risk
evaluation coupled with assessments of
human capital must be added to traditional
tools of measurement.
13. Do all lines of business (particularly
support activities) coordinate so that
their duties do not overlap and their
reports to the board and senior
management are compatible?
14. Reliable financial reporting and strict
regulatory compliance are unconditional yet
costly requirements. Efficient processes
that boost coordination and enable leverage
across risk, finance, compliance, audit and
lines of business are both reasonable
expectations and consistent with the
imperative of operational effectiveness.
15. Does the market perceive corporate
governance as a strong point in
evaluating the company’s
reputation?
16. Disciplined, reliable and comprehensive
systems of risk management and
corporate governance foster investor
confidence in management’s capacity to
take and manage risk.
17. Deliverables
• Properly executed, effective risk governance satisfies:
    Management’s need for line of business control and supervision
    The board’s need for perspective to perform oversight, make strategic decisions, and evaluate management
    Regulatory expectations for effective, observable risk management practices
• And leads to:
    Efficient processes that enable leverage across finance, risk, compliance and audit
    Market confidence in management’s capacity to take and manage risk
18. Aspirations
• Enhanced reputation
• Higher P/E multiple
• Increased shareholder value/
market capitalization
If the market’s appraisal of management’s competence
is reflected in the amount by which total capitalization
exceeds net worth, then enhancing one’s reputation
leads to increased shareholder value.
19. Essential Principles + Employee Connection Yields Increased Shareholder Value
[Flow diagram, reconstructed as text:]
Process: enterprise-wide risk management perspective principles
    • Assurance
    • Facilitation
    • Verification
Culture: employees who feel connected to the company
    • Awareness
    • Literacy
    • Accountability
These yield: clear oversight, reliable reporting, efficient operations, compliance with laws, capital preservation, and observable governance practices;
which yield: market and regulatory confidence, and a better reputation;
which yield: increased shareholder value.
21. The Central Framework
• The operating framework includes:
    Employee Engagement
    Core Objectives
    Uniform Procedures
    Shared Corporate Hierarchy
    Management & Board Reporting
• The roles necessary for the framework’s execution and maintenance are:
    Assurance of its Effectiveness
    Facilitation of its Performance & Upkeep
    Verification of its Reliability
22. Employee Engagement:
“Once you blow the whistle you can’t inhale.”
(Bill Chadwick, former National Hockey League referee)
Unless those who initiate transactions care
about and understand their impact on the
company’s risk appetite, the outcome may
depart from that which was intended.
How people communicate matters as much as
how they measure.
23. Employee Engagement
Employee engagement is founded on
four principles:
Leadership accountability
Education and awareness
Recruitment and hiring
Development and retention
Accountability plus literacy produces a
shared vision.
24. Core Objectives
To implement processes that provide for:
Achievable strategies – reasonable
assurance of sustainable results
Reliable financial and non-financial reporting
Effective and efficient operations
Compliance with prevailing laws and
regulations
Preservation of economic and human capital
resources
25. Uniform Procedures
Begin with articulating strategic
objectives and cycle through
identifying, accepting and
monitoring risks, determining
residual risk, and, based on the
results, reaffirming or adjusting
risk appetite and strategy.
26. Uniform Procedures
[Cycle diagram, reconstructed as an ordered list; acceptance, evaluation and reaffirmation are recursive:]
1 Articulate strategic objectives
2 Identify inherent risk
3 Establish control activities
4 Assess and accept intended risk
5 Monitor controls / report actual vs. expected
6 Determine actual residual risk
7 Escalate and resolve exceptions
8 Evaluate outcomes / renew strategy, then return to step 1
27. Inherent Risk, Control Activities,
Residual Risk
• Inherent risk is a function of generic and unique
determinative factors that give rise to uncertainty
– change, volume, complexity and what can go
wrong with an entity’s specific activities.
• The control environment is the set of activities
intended to keep things from going wrong or to
raise warnings when they start to.
• Residual risk is determined by combining the
relative level of inherent risk with the observed
control effectiveness.
28. Corporate Hierarchy
• How the enterprise is subdivided into levels of
assessable parts starting with all segments and
ending with the lowest level of separately managed
silos (“operating units”).
• To assure efficient communication and consistency
of reporting, a common hierarchy should be shared
by the entire enterprise (especially Finance, Risk,
Compliance and Audit), at least to the point that
they can map their individual procedures to the
shared hierarchy.
29. Corporate Hierarchy
[Hierarchy diagram, reconstructed as text:]
Enterprise
    Level I: Segments 1 through 9
    Level II: each segment divides into lines of business (in the example, Segment 1 into Line of Business 1 and Line of Business 2)
    Level III: each line of business divides into operating units (Line of Business 1 into Operating units 1, 2 and 3; Line of Business 2 into Operating units 4 and 5)
30. Senior Management & Board Reporting
• Information travels many paths to reach
senior management and the board
• Coordinating the diverse sources of data
while respecting their distinct voices requires
deliberate structure and dedicated resources
• Oversight is only as effective as the clarity of
knowledge necessary to exercise it
31. Senior Risk Committee & Risk
Governance Council
Two innovative groups help to promote senior
management literacy and enhance board
reporting:
Senior Risk Committee: chaired by CEO, comprised
of Chief Operating Officer, Chief Risk Officer, Chief
Audit Executive, Chief Financial Officer, General
Counsel, Head of HR...
Risk Governance Council: chaired by CRO,
comprised of CAE, Chief Accounting Officer, Heads of
Operational, Credit & Market Risk, Chief Compliance
Officer...
32. Senior Risk Committee
• No formal agenda, meet periodically (e.g.,
monthly)
• Review high and emerging risks to
strategies, incidents and incident
responses; discuss economic and human
capital resource allocations; renew
commitments to intended risk
33. Risk Governance Council
• Provide assurance to senior management and the board
that residual risk across the enterprise is continuously
monitored
• Determine that residual risk is based on actual, as
opposed to expected, internal control environments
• Examine identified control weaknesses for potential
damage; recommend changes to accepted risk
tolerances, both up and down
• Calibrate risk tolerance by clarifying choices among
reducing inherent risk, tightening controls, or allowing
greater residual risk, and present analysis to Senior Risk
Committee
34. Senior Committee Organizational Structure
[Organization chart, reconstructed as text:]
Board of Directors
    Risk Governance Council, Senior Risk Committee, Internal Audit
        Operational Risk Committee, Credit Risk Committee, Market Risk Committee
35. Apply the Framework
1 In each entity of the hierarchy…
2 execute the uniform procedures…
3 to determine whether the objectives are being
met.
The resulting database includes, by operating unit,
inherent risks, control environment evaluations,
control exceptions, and residual risks
36. Systems Thinking
• While complete in their silos, operating units – entities of
sales and support – work together, not only according to
their individual nature, but also according to their relative
roles and positions in the system.
• Inherent delays between actions and outcomes naturally
give rise to unintended consequences because actions
taken in one part do not affect all related parts at the
same time, but do so at the pace of their movement
through the system.
• By delivering consistent assessments of each of the
parts and enabling an assembled view of the whole, the
framework provides perspective that augments
preparation, anticipation, response, and recovery.
37. [Chart: a grid of segments against strategies. Rows, "Manage by Segment", numbered 1 to 9: Line of Business 1, Line of Business 2, Line of Business 3, Finance, Technology, Operations, Legal/Compliance, Human Resources, Risk Management. Columns, "Oversee by Strategy": A, B, C, D. The Management axis runs by segment; the Oversight axis runs by strategy.]
38. Presentation Format: Segment Risk
• The following slide is a compilation of individual
assessments of all operating units within a sample
segment: Technology.
• It displays how control concerns in separate parts affect
the entire segment.
• Risk tolerance can be defined as the intended risk – the
inherent risk intentionally taken with the assumption of
an acceptable control environment.
• Comparing actual risk to intended risk presents senior
management and the board the opportunity to quickly
evaluate the segment capacity to take on additional risk,
such as new products, strategies or acquisitions.
39. Actual vs. Intended Risk: Technology Segment
Legend: Risk = Low / Medium / High; Control Environment = Acceptable / Marginal / Unacceptable
[Table: rows Strategy A, B, C, D and Composite Segment; columns Inherent Risk + Tested Control Environment (Actual) = Residual Risk, and Intended Risk*. Cell values were colour coded on the slide and are not recoverable here.]
* Inherent Risk + Acceptable Control Environment = Intended Risk
40. [Chart: the same segment-by-strategy grid as slide 37 (segments 1 to 9 managed by segment, strategies A to D overseen by strategy), with the Oversight axis highlighted.]
41. Presentation Format: Strategy Risk
• The following slide is a compilation of individual
assessments of interdependent entities engaged in the
execution of a particular strategy (a “strategic domain”).
• It displays how control concerns in separate parts affect
the strategy.
• Comparing actual risk to intended risk presents senior
management and the board the opportunity to quickly
evaluate strategies and determine exactly where they
need to focus their attention to increase assurance that
strategies are most likely to achieve intended objectives.
42. Actual vs. Intended Risk: Strategy “A”
Legend: Risk = Low / Medium / High; Control Environment = Acceptable / Marginal / Unacceptable
[Table: rows are the operating units of the strategic domain: Line of Business, Finance, Technology, Operations, Compliance, Human Resources, Risk Management; columns Inherent Risk + Tested Control Environment (Actual) = Residual Risk, and Intended Risk*. Cell values were colour coded on the slide and are not recoverable here.]
* Inherent Risk + Acceptable Control Environment = Intended Risk
43. Is This What We Want?
• Both inherent and residual risk are important to monitor –
well-managed/high inherent or poorly managed/low
inherent can each lead to unacceptable outcomes.
• In its silo, the line of business may be well-managed; but
if other components of the strategy exhibit high residual
risk, the overall risk may exceed that which was
intended.
• Decision: resolve the control issues, reduce the inherent
risk, or accept the residual risk.
• Comparing segment and strategy evaluations:
Are any operating units stressed supporting multiple strategies?
Are economic and human capital resources distributed most
favorably?
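The actual-vs-intended comparison that slides 38 through 43 describe, as an added example in Python that is not part of the deck. It encodes the two rules the slides state (Inherent Risk + Tested Control Environment = Residual Risk; Inherent Risk + Acceptable Control Environment = Intended Risk), builds the per-operating-unit database of slide 35, rolls it up by segment (slide 39) and by strategic domain (slide 42), and answers the slide 43 questions: which units exceed intended risk, and which units supporting several strategies are stressed. The ordinal encoding of the three-level scales, the rule that each step of control weakness raises the risk one level, the conservative composite, and the sample assessments are all assumptions made for illustration.

```python
"""Residual vs. intended risk across operating units, segments and strategies.

Added example, not from the deck. Rules encoded:
  Inherent Risk + Tested Control Environment (Actual) = Residual Risk
  Inherent Risk + Acceptable Control Environment       = Intended Risk
The numeric encoding, the one-level-per-step penalty, the composite rule and
the sample data below are assumptions for illustration.
"""

# Assumed ordinal encoding of the deck's three-level risk scale.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
LEVEL_NAME = {v: k for k, v in LEVEL.items()}
# Assumed: each step of control weakness raises the risk level by one.
CONTROL_PENALTY = {"Acceptable": 0, "Marginal": 1, "Unacceptable": 2}


def residual_risk(inherent, control):
    """Inherent + tested (actual) control environment -> residual risk, capped at High."""
    return LEVEL_NAME[min(LEVEL[inherent] + CONTROL_PENALTY[control], 3)]


def intended_risk(inherent):
    """Inherent + acceptable control environment -> intended risk."""
    return residual_risk(inherent, "Acceptable")


def assess(record):
    """One row of the resulting database (slide 35) for an operating unit."""
    residual = residual_risk(record["inherent"], record["control"])
    intended = intended_risk(record["inherent"])
    return {**record, "residual": residual, "intended": intended,
            "exceeds_intended": LEVEL[residual] > LEVEL[intended]}


def composite(rows):
    """Composite for a set of units. Assumption: worst level for each column, and the
    exceeds flag is set if ANY unit exceeds intended, so a high-inherent but
    well-controlled unit cannot mask a weakly controlled neighbour."""
    if not rows:
        return {"residual": "Low", "intended": "Low", "exceeds_intended": False}
    return {
        "residual": LEVEL_NAME[max(LEVEL[r["residual"]] for r in rows)],
        "intended": LEVEL_NAME[max(LEVEL[r["intended"]] for r in rows)],
        "exceeds_intended": any(r["exceeds_intended"] for r in rows),
    }


def segment_view(db, segment):
    """Slide 39: every operating unit in one segment, plus the segment composite."""
    rows = [assess(x) for x in db if x["segment"] == segment]
    return rows, composite(rows)


def strategy_view(db, strategy):
    """Slide 42: the strategic domain (every unit supporting one strategy), plus its composite."""
    rows = [assess(x) for x in db if strategy in x["strategies"]]
    return rows, composite(rows)


def stressed_units(db):
    """Slide 43: units supporting multiple strategies whose actual risk exceeds intended."""
    return [r["unit"] for r in map(assess, db)
            if len(r["strategies"]) > 1 and r["exceeds_intended"]]


def options(row):
    """Slide 43 decision for a unit out of tolerance; empty when within intended risk."""
    if not row["exceeds_intended"]:
        return []
    return ["resolve the control issues", "reduce the inherent risk", "accept the residual risk"]


# Constructed sample assessments (not real data); segments as on slide 37, strategies A-D.
UNIT_ASSESSMENTS = [
    {"unit": "Operating unit 1", "segment": "Technology", "strategies": {"A", "B"},
     "inherent": "High", "control": "Acceptable"},
    {"unit": "Operating unit 2", "segment": "Technology", "strategies": {"A"},
     "inherent": "Medium", "control": "Marginal"},
    {"unit": "Operating unit 3", "segment": "Technology", "strategies": {"C"},
     "inherent": "Low", "control": "Unacceptable"},
    {"unit": "Operating unit 4", "segment": "Finance", "strategies": {"A", "C"},
     "inherent": "Low", "control": "Marginal"},
    {"unit": "Operating unit 5", "segment": "Line of Business 1", "strategies": {"A"},
     "inherent": "Medium", "control": "Acceptable"},
]


def report(title, rows, comp):
    """Plain-text rendering in the shape of the slide 39 / slide 42 tables."""
    lines = [f"{title}: residual={comp['residual']} intended={comp['intended']}"
             f" exceeds_intended={comp['exceeds_intended']}"]
    for r in rows:
        lines.append(f"  {r['unit']:<18} {r['inherent']:<7} + {r['control']:<12}"
                     f" = {r['residual']:<7} (intended {r['intended']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Technology segment", *segment_view(UNIT_ASSESSMENTS, "Technology")))
    print(report("Strategy C", *strategy_view(UNIT_ASSESSMENTS, "C")))
    print("Stressed units:", stressed_units(UNIT_ASSESSMENTS))
```

With the constructed data, the Technology segment composite reads High residual against High intended, which looks in tolerance until the per-unit rows show that units 2 and 3 both exceed their intended risk behind unit 1's high inherent risk; that is why the composite carries an explicit exceeds flag rather than relying on the two levels alone. Strategy C, drawing on units from two segments, shows a High residual against a Low intended, and Operating unit 4 is flagged as stressed because it supports both A and C while out of tolerance.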
44. Four Key Roles to Execute and Sustain
1 Monitor employee engagement – a function of human resources. As with
any initiative, employee engagement must be tracked and tested to
evaluate the depth of its understanding and fulfillment.
2 Assure effectiveness – to align accountability with ownership, lines of
business should be responsible for assurance by attesting to the design
and operating effectiveness of their identified controls, and for reporting
and resolving exceptions.
3 Facilitate performance and upkeep – a discrete risk management function
is desirable to facilitate process execution through focused support units
that consult on building, implementing, and maintaining the framework.
Risk units serve as a central clearing organization for retaining shared
databases, and promote replication of the pattern of evaluation and
reporting across the enterprise.
4 Verify continued reliability – internal audit verifies through independent,
objective oversight that management’s assurances can be relied upon,
internal controls are designed and operating as reported by management,
exceptions are appropriately escalated, and practicable resolutions are
prescribed and on track.