“What intersection is that?” you might ask. In banking, for instance, the Risk Profile is contained in the Capital Plan, which is developed hand-in-hand with the Strategic Plan. Pillar II of the Basel Accord (beginning at paragraph 683, page 139) lays out key guiding principles to which banks must adhere. Specifically, the first such principle is:
Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.
The Basel Committee goes on to specify what this means in several key paragraphs that relate to five areas:
- Board and senior management oversight.
- Sound capital assessment.
- Comprehensive assessment of risks.
- Monitoring and reporting.
- Internal control review.
Regulators in the US have adopted similar stances. The need for a bank to tie its capital requirements in with its strategic plan is an inescapable fact and central to the achievement of the stated strategic vision and objectives. In my experience, the Board considers the following variables when determining current and future capital needs:
- Current and projected comprehensive risk profile.
- Historical loss experience.
- Strategic business plan.
- Contingent claims and liabilities.
- Current and future profitability.
- Asset quality and planned asset sales.
- Insurance coverage for physical property & casualty and financial professional areas.
- Future levels of dividend payments.
- Regulatory capital requirements for a well capitalized institution.
- Ability of the corporate holding company to be a source of debt or equity capital strength.
- Formal agreements between the firm and its primary regulator (if under special supervision).
- Peer group statistics.
- Sustainable growth rate of capital in the judgment of executive management and the Board.
The first item on this list, the comprehensive risk profile, is also a key driver in Basel II for assessing capital needs. It summarizes the total risk exposures faced by the corporation by type of risk. It breaks the risk assessment out by quantity of risk (ranked low, moderate, or high), quality of risk management (ranked weak, satisfactory, or strong), aggregate level of risk (ranked low, moderate, or high), and direction of risk (ranked increasing, stable, or decreasing). It contrasts the corporation’s own assessment with that of the primary regulator (the OCC in the case of banks holding a national charter). An example for an OCC-regulated bank appears below:
In order to complete this report, a great deal of information must be collected and analyzed, oftentimes manually by the CRO and his or her direct reports. It involves summarization of committee actions taken, internal audits performed, compliance reviews issued, new policies and procedures implemented (with accompanying risk and control assessments), policy and procedure changes during the reporting period (with accompanying risk and control assessments), results of quarterly compliance and self-assessment questionnaires for each business unit, corporate reporting on processing exceptions, security breaches, fraud incidents, lawsuits pending, credit and market risk exposures, losses realized, past-due credit trends, collateral re-valuation, OREO liquidation, marketing programs, employee turnover, financial performance, balance sheet structural changes, portfolio sales/purchases, asset securitizations, debt and equity capital raised, branches opened/closed, etc.
After the information is summarized, trend analysis is performed in order to spot increasing, stable, or decreasing risk exposures. As a by-product of the total exercise, institutions perform process validation for a significant portion of their internal controls.
Kiss of death?
Note that Strategic Risk appears next to the bottom. It can be defined as an occurrence that prevents the attainment of a corporate strategic objective. A regulatory definition (e.g., the OCC’s) is:
Strategic Risk: Risk arising from adverse business decisions or improper implementation of those decisions. It is a function of the compatibility of an organization’s strategic goals, the strategies developed to achieve those goals, and the quality of implementation.
Strategic risks tend to be multifaceted and arise from a combination of circumstances. Evidence suggests that strategic risks have a far greater impact on shareholder value than operational or other financial risks, and they can bring the “Kiss of Death” to any firm.
The increasing pace of change, regulation and globalization has made strategic risk a serious challenge for all organizations. An enterprise GRC solution that can effectively assess risk, in the context of strategy, will:
- Surface risks that need to be well-managed in order to achieve strategic objectives.
- Identify financial, market and operational strategic objectives that are at risk as a function of associated risk drivers and controls.
- Add clarity of purpose from dissemination of information about strategic objectives.
- Bring a common understanding across business silos relative to capacities, capabilities and strategic risks.
- Facilitate more holistic strategy assessment and possible course-correction due to risk/opportunity trade-offs.
- Enable more fluid strategy execution and modification through setting of observable performance, risk and control metrics.
- Improve the level of risk consciousness while moving towards a strategy-focused risk culture.
- Help sustain the strategic direction through explicit incorporation of risk factors in strategy development and execution.
The means for achieving this integration of strategy management and enterprise GRC is a topic I will comment on further in future posts. For an explanation of exactly how this is accomplished, please watch our webinar “Integrating Risk Management with Business Strategy.” I think you will find the examples thought-provoking and also instructive.
*NOTE: Excerpted from the original post on The Principled Achiever.