30
100 Questions Directors Should Ask When Assessing the Effectiveness of Risk Systems

F. Edward “Ted” Price C.DIR.

Principal, Kingburg Governance; and Retired Deputy Superintendent, Supervision, Office of the Superintendent of Financial Institutions Canada (OSFI)

Introduction

Editor's Note: The following are publicly available speaking notes that accompanied remarks delivered by Ted Price in September 2011, after the Global Financial Crisis. They are reproduced with permission from Mr. Price. The notes, and the questions below, have not been edited.

Canada did not experience significant adverse effects from the above financial crisis, and did not have to bail out a financial institution. The federal financial regulator of banks, insurance companies, and other federally regulated financial institutions is very effective and emphasizes effective risk management. (In full disclosure, the editor has advised the federal regulator in the past, and came to meet and know Mr. Price.)

Although the questions below have not been edited since their inception, they are effective questions that any good board should be asking in the area of risk management, particularly boards of financial companies.

The editor is grateful to Mr. Price for permission to reproduce the notes and questions below.

The Challenge

  • Following the financial crises much has been written about the need to improve governance in financial institutions, particularly risk governance.
  • Corrective recommendations and action have focused on the characteristics of good governance (board expertise, risk governance process, reporting, etc.).
  • More attention needs to be paid to whether new risk governance systems are effective.
  • OSFI is often asked: “We have been working to improve our controls for years. How do we know whether our risk governance systems are working?”

Key Elements of Effective Risk Governance

  • Risk culture
  • Board composition and mandates
  • Risk appetite
  • Risk tolerance and limits
  • Risk reporting
  • Risk management
  • Risk taking and incentive alignment

How Do Directors Assess Whether Risk Systems Are Working Effectively?

  • The absence of failure in control systems provides little comfort that those systems are working.
  • In assessing whether risk systems are effective, boards should ask:
    • Is the board doing its part in managing risk?
    • Can the board rely on control functions?
    • Does the culture of the organization support risk management or risk taking?
    • Is the risk culture sustainable?

I. Is the Board Doing Its Part in Managing Risk?

  • Does the board know its blind spots?
    • What truisms has the board taken on faith?
    • What risks has the board recognized but chosen to ignore?
  • Is the board able to recognize weak controls?
    • How and where does the firm make money?
    • What director has the expertise to challenge management?
    • Does the board know its own weaknesses?
  • How does the board assess the quality of controls?
    • How does the board know what control standards are best practice?
  • Is risk important to the board?
    • Has the board membership changed to strengthen risk expertise?
    • What portion of board time is spent on risk?
    • Do risk discussions focus on what has happened or might happen?
    • Will the company approve new businesses before controls are in place?
  • What is the company's risk appetite?
    • How much are you willing to lose?
    • How robust is your economic capital model?
    • How adverse are your stress tests?
    • How does the organization use stress tests?
    • How is the risk appetite communicated?
  • Are risk and strategy aligned?
    • Is risk appetite considered in strategic planning?
    • Are strategy, risk appetite, and limits consistent?
    • Has the CRO signed off on strategic and business plans?
  • Is the board getting the information it needs?
    • What are the three key risks facing the organization?
    • Can risk reports be understood by directors?
    • Is there a single document that describes the risk profile clearly?

II. Can the Board Rely on Control Functions?

  • Whom does the board rely on?
    • Is Internal Audit working for the board or management?
    • Does IA test performance as well as process?
  • What has the board done to verify the effectiveness of control functions?
    • Has the board independently assessed the effectiveness of controls?
    • What happens when you behave like Crazy Ivan?
    • Are regulators, R/M, and audit telling the same story?
  • Is Risk Management able to counterbalance the business lines?
    • Is R/M credible? Does R/M have the same skills as the front office?
    • Can the CRO say “no”? How often is the CRO overridden by the CEO?
  • Is Risk Management independent?
    • Does Risk Management arrive at an independent view?
    • Do business lines have a say in R/M performance reviews?
    • Does R/M manage treasury, or hedging programs?
    • Is R/M embedded in business lines?
  • Are your risk controls as robust as your financial controls?
    • Do risk assessments address all material risks?
    • Does the board know the key points of risk control?
    • Does the CRO sign-off on the risk report?
    • Does R/M determine limit delegation?
  • Are limits effective?
    • Are limit breaches tracked? How frequently are limits breached?
    • What are the repercussions for limit breaches? Are managers also held accountable?
    • When was the last time the board rejected a request to raise risk limits?

III. Does the Culture Support Risk Management or Risk Taking?

  • Is the board captive to management?
    • Does the board invite dissenting views from management?
    • When was the last time a management recommendation was rejected by the board?
    • Does the board have direct access to CRO, CFO, IA, etc.?
  • Does the organization support self-assessment?
    • Does the organization welcome or resist challenge?
    • What business in the organization presents the strongest resistance to self-assessment?
    • Can you cite a time when an employee raised concerns about risk taking? How did the organization react?
  • Do business heads demonstrate the right behaviors?
    • When was the last time a line manager complained to the CEO: “Risk Management is in the way,” or “... doesn't get it”?
    • Are new products introduced without control function approval?
    • When was the last time a business head said “I don't understand the risk in this business, so let's get out of it”?
  • Are there parts of the organization that are “untouchable”?
    • Is anyone or any business outside the control perimeter?
    • Do any businesses generate their own risk reports?
  • Is compensation aligned with risk taking?
    • How much interaction is there between the board's Risk and Compensation Committees?
    • Do compensation systems adjust for unexpected adverse outcomes?
    • Are control functions paid based on the performance of the businesses they oversee?
  • Does the corporate succession plan support risk management?
    • Does the board expect C-suite members to have control function experience?
    • When was the last time a control function head was promoted to run a business?
  • Is risk management a compliance exercise?
    • If regulators did not require controls, what would you do?

IV. Is the Risk Culture Sustainable?

  • What are the board's warning systems?
    • Does the board ask whether control failures are recurring?
    • Does the board review IA reports to identify patterns of control weakness?
    • Does the board follow up findings from IA or regulators to see if weaknesses exist elsewhere in the organization?
  • Are risk systems providing the warnings you need?
    • How often is the board surprised?
    • Has your Risk Control Self-Assessment accurately predicted areas of vulnerability?
    • How do you know the models are behaving as expected?
  • How do you monitor change?
    • What is under your radar?
    • Does the company have a robust process to monitor new product approvals and growth?
    • What are the three fastest-growing products in the company?
    • What businesses have hired new teams to run new businesses?
    • Have control functions experienced high turnover?
  • Are control functions a part of change management?
    • Are risk and audit consulted before new products and businesses are launched?
    • Has the board ever rejected a new business or product?
  • How does the board react when warning bells ring?
    • How does the organization react to adverse events?
    • Are limit and risk appetite breaches ignored?
    • Does the board review its lessons learned?

About the Author


Ted Price, C.Dir., is an independent advisor to global financial institutions and regulators on risk governance and the emerging global regulatory agenda.

Ted retired from the Office of the Superintendent of Financial Institutions (OSFI) in June 2013, where he was deputy superintendent and responsible for bank and insurance company supervision.

Prior to joining OSFI in 2001, Ted held a number of senior executive positions with a global investment bank in Toronto and New York.

Mr. Price is a past member of the board of directors of Canada Deposit Insurance Corporation. He holds a Master of Arts degree in economics from the University of Toronto and a Bachelor of Commerce (Honors) degree from Queen's University.
