- Slides: 39
Enterprise Risk Management (“ERM”): More Value and More Challenges
Dolores Atallo-Hazelgreen
Deloitte & Touche LLP
April 2007

Today’s topics
• Introduction
• ERM: Setting Expectations
• ERM Marketplace Perspective – Deloitte & Touche LLP 2006 Global Risk Survey
• ERM: Unlocking the Value
• Questions and Comments
Copyright © 2007 Deloitte Development LLC. All rights reserved.
ERM: Setting Expectations

Although there are multiple definitions of ERM, COSO provides a broad definition to support a broad mandate:
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework, 2004. Committee of Sponsoring Organizations of the Treadway Commission (COSO).
ERM: Setting Expectations
ERM IS
• A process for providing a risk-adjusted view of the achievability of enterprise objectives
• A means to enhance informed decision making and risk taking
• An aggregated portfolio view of risks and vulnerabilities and their potential interactions
ERM IS NOT
• A substitute for management’s judgment
• A bureaucratic exercise that is isolated from the business units
• A guarantee of a zero-risk environment
• A methodology that supports accountability for risk across the organization

ERM Foundation
Linkage of ERM to Business Decisions: ERM Goals
• Align risk appetite and strategy
• Enhance risk response decision making
• Reduce operational surprises and losses
• Identify and manage cross-enterprise risks
• Seize opportunities
• Improve the deployment of capital
• Ensure effective compliance and regulatory reporting
• Focus on achievement of objectives – top-down and bottom-up
Components of ERM
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
COSO objective categories: Strategic, Operations, Reporting, Compliance
ERM: Enterprise-Wide View of Risk (Illustrative)
Board of Directors / Senior Management / Risk Committees
• Aggregation and Integration: risk metrics and limit data; business unit risk assessment reporting
• The Top-Down View: risk appetite, risk policies, guidelines, and framework
ERM function
• Data Collection: risk metric inputs
• Operationalized View: practices and procedures; guidance on risk mitigation and limit information
Business Units

Why ERM: Drivers in the Marketplace
Institution (at the centre of the following drivers)
Competition
• Significant, well-capitalized competition in all sectors
• Consolidation results in winner/survivor bias, continually strengthening the competitive environment
Customers
• Competition and providers’ inability to differentiate increase customer power and pricing pressure
• Create credit risk which must be priced or otherwise accounted for
Investors
• Superior risk-adjusted returns sought out – winners rewarded
• Low appetite for unexpected losses
Rating Agencies
• Rating agency expectations for sophisticated risk management
• S&P requirements for ERM benchmarking
• High leverage in the industry increases rating agency focus
Products
• Explicitly focused on risk transfer, risk/reward, risk mitigation
• Priced including effects of risk
• Revalued on a mark-to-market (MTM) basis daily or more frequently
• Innovation continues at a high level of complexity
Regulators
• Detailed, comprehensive risk-based regulatory requirements
• Regulatory capital required for all risks taken
• Proactive regulatory approach taken
Concern for Cost and Overlapping Initiatives
• Increasing laws and regulations
• Overlapping requirements / increasing costs
Regulator expectations
“The evolution of the financial markets and the number of significant governance issues recently faced by complex financial firms clearly underscore the need to view risk management on an enterprise-wide basis… The silo approach to compliance has prevailed for far too long.” – Federal Reserve Governor Susan Bies
“A consolidated – or ‘enterprise-wide’ – approach to compliance risk management has become ‘mission critical’ for large, complex banking organizations….” – Federal Reserve Governor Mark Olson
Current Industry Focus
“We mustn't allow inefficiencies into our business. We must carefully manage costs going forward, so that we can maintain our ability to continue to invest.” – Clive Standish, CFO of UBS
“You'd better be good at controlling expenses.” – Kenneth D. Lewis, Chairman, President, and CEO, Bank of America
“Our 2007 priorities are clear: generating sustainable growth in U.S. consumer, … focusing sharply on expense management, and remaining highly disciplined in credit management.” – Charles Prince, CEO of Citibank
“In this interest rate environment we're just going to have to be focused on expenses all the time.” – Kennedy Thompson, Chairman and CEO, Wachovia Corp.
“We have commenced some initiatives to look at our operating expenses.” – Alan Levan, Chairman and CEO, BankAtlantic
“It's hard to predict when the environment will improve, but we're going after the things that we can control, which is the cost structure.” – Kerry Killinger, Chairman and CEO, Washington Mutual

ERM: Value Proposition
• Compliance with laws and regulations, particularly regarding governance and oversight
• Favorable views from credit agencies, insurers, analysts and other stakeholders
• Improved understanding on the part of senior management and the board about the nature of risk in their business, including concentrations of risk exposures across risk types and business units
• Identifying situations where the enterprise’s aggregate risk exposure exceeds its risk appetite
• Freeing up capital and making improved capital investment and capital allocation decisions
• Promoting a risk-aware operating culture and accountability
• Enhancing reputation and transparency
ERM Marketplace Perspective: Deloitte & Touche LLP 2006 Global Risk Survey

Increasing Trend of Risk as a Board Responsibility
• Risk management continues to be elevated in priority
– 70% of institutions said risk management
– 60% of participating institutions reported that the board takes at least a “somewhat active” role in risk management
– 76% of institutions reported that their risk committee of the board played a “somewhat active” role in overseeing risk management
Strategic Role of the Chief Risk Officer (CRO)
[Charts: “CRO Reporting” and “Institutions with a CRO”]

Risk Oversight Approach Varies
• 44% of institutions said they have a centralized approach, 35% said decentralized, while the remaining 21% used a mix of both
• Key is to tailor the approach to the institution’s governance approach, organizational structure, size and operating philosophy
Traditional Risk Management Viewed as More Effective
Risk Management Effectiveness
– Over 70% of participants rated their institutions highly in managing market, credit and liquidity risk.
– With companies placing greater dependence on models, an emerging risk that needs to be considered is model risk.

ERM – A Work in Progress
• Despite its appeal, ERM implementation is still fairly limited – only 35% of institutions have an ERM program in place
• Continued interest in integrating ERM with the organization's decision-making framework – 2/3 reported having a formal, enterprise-level statement of their risk appetite that is either quantitatively or qualitatively defined and approved

ERM Value Exceeds the Costs for Many Institutions
• Most institutions lack a quantitative understanding of costs and benefits – only 13% of firms in the survey quantify ERM costs and just 4% quantify ERM value.
• ERM benefits cited most often: “improved understanding of risks”, “improved regulator perception” and “reduction in losses due to risk events”
Risk Types Included in ERM Vary
[Chart]

Lacks Integration with Other Initiatives
– Less than half the institutions have integrated ERM with IT risk or strategic planning
– Only about one-third have integrated it with budgeting or project management risk, and even fewer with vendor risk assessments

Technology Integration Concerns
• 58% of executives say it is a major concern
• Additional concerns were:
– a lack of flexibility in extending current systems
– high cost of maintenance and vendor fees
– inability to provide frequent and timely reporting

Recap of Key Themes
• Risk management responsibility is being elevated to the Board level much more commonly than in prior years
• The importance of the CRO role continues to increase, with the majority of CROs reporting directly to the CEO or the Board
• Fully implemented ERM is still a work in progress
• Most institutions perceive the benefits of ERM programs to outweigh the costs, but few have quantified them
• Integration throughout the organization and with other risk initiatives is still a challenge in most cases
ERM: Unlocking the Value

ERM: Value in the Sum and the Parts
[Diagram; building-block labels recovered from the slide:]
• Economic Capital & Value Based Management Integration
• Integrate Risk Learning Capability
• Risk Management Quantitative Analysis & Scoring
• Risk Quantification Calibration with Loss Event & Qualitative Data
• Business Unit Risk Analysis & Diagnostics
• Business Process Structure & Value Chain Assessment & Design
• Structure & Strategy
• Strategic Planning & Oper. Charges
• Current Initiatives & Goals Review
• Risk Identification Framework
• Operational Risk Policies & Procedures
• Risk Mitigation
• Risk Indexing and Aggregation
• Performance & Risk Metrics Dashboard
• Cultural Risk Assessment
• Key Metrics & Risk Indicators Identification
• Vision, Strategy & Operational Structure
• Executive Management & Board Support
• Roles and Responsibilities
• Corporate Governance

ERM: Value in the Sum of the Parts
• Vision
• Governance
• Culture
• Methodology
• Common Language
• Risk Measurement
• Risk Policies
• Risk Monitoring
• Risk Appetite
• Reporting
• Risk Assessment
• Independent Verification / Testing
ERM: Establishing a Shared Vision
Maturity levels, with description and commentary:
Level 5 – Strategic: Risk management is built into decision-making. The organization selectively seizes opportunities because of its special ability to exploit risks.
• Focus on value creation and preservation
• Institutionalized
• Confidence in ability to manage risks based on track record
Level 4 – Integrated: Risks are treated as a portfolio at the enterprise level and are correlated and aggregated across risk types and business units.
• Calculation of risk measures that can be aggregated
• Risk treatment integrated and costs optimized
Level 3 – Comprehensive: Risk management is enterprise-wide and encompasses all risk types including strategic and operational.
• Risks clearly linked to strategic objectives
• Defined and documented
• Forward looking
• Clear accountability
Level 2 – Fragmented: Risk management functions independently within business units. Risk types managed are limited to hazard, financial, and compliance.
• Capabilities vary across BUs
• No cross-BU coordination
• Some expertise within a limited number of risk types such as market, credit, or hazard
Level 1 – Initial/Ad Hoc: Risk management activities are ad hoc. No overarching risk management philosophy or objectives are defined.
• Success depends on individuals
• People are unaware of risks
• Risks managed reactively
Level 0 – Nonexistent: No risk management capabilities are in place. There is a lack of any recognizable process.
• Applies to new entities
• Ephemeral state

ERM Governance: Key Stakeholder Roles and Responsibilities (Illustrative)
Business Units – Take and Manage Risks
• Ownership of business unit activities which give rise to risk, and responsibility for risk management and mitigation
• Risk identification and self-assessments
• Developing strategy and taking actions to manage and mitigate risks within policy and risk appetite
• Providing assertions on risk exposure and controls for their business area / function
• Business Unit Risk Managers coordinate the business unit risk assessment, monitoring, and mitigation activities
ERM Function – Monitor & Aggregate
• Establishment of consistent risk policies, governance framework, standards, and information reporting mechanisms to facilitate effective risk management
• Monitoring and participation in specific risk committees for the purpose of providing the enterprise view
• Providing summary information and analysis to the Executive Committee to assess, evaluate, and act on risk
Risk Committees – Oversee
• Oversight over risks within scope of authority
• Oversight and approval of measurement and management methodologies for risks within scope
• Oversight of changes in risk profile
• Oversight of Business Unit management of designated risk categories
Executive Committee – Approve
• Approval of key documents, such as: ERM Policy, Risk Appetite, Risk Governance Model, Authorities, Committee Charters
• Monitoring risk exposure status
• Approving the Board reporting package
• Monitoring Business Unit mitigation plans and their status for top risks
• Approving limit exceptions
Audit Committee – Ratify
• Ratification of key documents, such as: ERM Policy, Risk Appetite, Risk Governance Model, Authorities, Committee Charters
Internal Audit – Validate
• Independent verification and testing of: internal controls; quality of the operational risk management program; quality and integrity of risk models
ERM: Migrating from “minimizing risk” to “managing risk”
Culture
• Focus on establishing a culture within the organization that “manages risks” rather than just “minimizes risks”
• Need to identify your organization’s style and ability to absorb an ERM initiative
• Cultural issues with the greatest impact on organizations:
– Tone at the top
– Organizational alignment
– Communication
– Embedding ERM in organizational processes

ERM Methodology
• ERM policies and procedures should include identifying, measuring, monitoring and controlling operational risk across the organization
• A well-defined ERM umbrella can provide and receive information to satisfy multiple initiatives
• A common language needs to be established, including risk categories and risk appetite
• Delineation between “risk taking” and “risk management”
• Data capture, analytical frameworks, reporting and escalation protocols
• Enterprise-wide view of risk

ERM: Measuring Risk Across a Maturity Continuum
Risk Assessment and Scoring – key characteristics
• Risk framework
• Self-assessment
• Assessable entities are identified
• Impact and likelihood
• Unmitigated risk, control effectiveness, and residual risk
• Quantitative risk scale
• High, Medium, Low dollar thresholds
• Risk scoring, analysis and quantification
Key Risk Indicators (KRIs) – key characteristics
• Indicators relevant as proxies for risk levels for different risk types
• Possible metric categories include those indicative of business volume, operational efficiency, error rates, losses or potential losses, and control effectiveness
• Indicators selected should be relevant as risk measures for specific risks and analyzed as to whether they are leading, lagging or coincident risk measures
Loss Event and Scenario Modeling – key characteristics
• External and internal loss event categories identified
• Loss event database
• Causation factors captured
• Near misses captured
• Direct and indirect costs are tracked
• Thresholds set for reporting
• Scenario modeling performed by business experts to supplement loss data
Economic Capital Modeling and Allocation – key characteristics
• Overall framework and methodology for determining and allocating economic capital
• Methodologies should address all relevant risk types for the entity
• Loss distribution (frequency and severity)
• Statistical models to estimate risk exposure
• Calculation engines (e.g., Monte Carlo simulation engine for Value at Risk)
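The two ends of the maturity continuum above can be made concrete in a few dozen lines. The following is an added example, not code from the deck or from Deloitte: it scores a self-assessment register (unmitigated risk = impact × likelihood, residual risk = unmitigated risk reduced by control effectiveness, then a High/Medium/Low rating), and it builds an aggregate annual loss distribution by Monte Carlo from a Poisson event frequency and a lognormal event severity, from which it reads Value at Risk and economic (unexpected-loss) capital. The 1–5 scales, the High/Medium/Low thresholds, the distribution choices and the sample register are all assumptions constructed for the example; the slide speaks of dollar thresholds, which this example replaces with score thresholds.

```python
import math
import random
from dataclasses import dataclass

# Assumed scoring scale: impact and likelihood 1..5, so unmitigated risk is 1..25.
# Assumed High/Medium/Low thresholds on the residual score (constructed values).
HIGH_THRESHOLD = 12.0
MEDIUM_THRESHOLD = 6.0


@dataclass
class RiskItem:
    entity: str                   # assessable entity, e.g. a business unit or process
    name: str
    impact: int                   # 1 (negligible) .. 5 (severe)
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    control_effectiveness: float  # 0.0 .. 1.0, share of unmitigated risk removed by controls


def unmitigated_score(item: RiskItem) -> float:
    """Unmitigated (inherent) risk = impact x likelihood on the 5x5 scale."""
    if not (1 <= item.impact <= 5 and 1 <= item.likelihood <= 5):
        raise ValueError("impact and likelihood must be on the 1..5 scale")
    return float(item.impact * item.likelihood)


def residual_score(item: RiskItem) -> float:
    """Residual risk = unmitigated risk scaled down by control effectiveness."""
    if not 0.0 <= item.control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return unmitigated_score(item) * (1.0 - item.control_effectiveness)


def rating(score: float) -> str:
    """Map a score onto the High / Medium / Low scale."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def score_register(items):
    """Score a self-assessment register and rank it by residual risk, highest first."""
    rows = []
    for item in items:
        residual = residual_score(item)
        rows.append({
            "entity": item.entity,
            "risk": item.name,
            "unmitigated": unmitigated_score(item),
            "residual": residual,
            "rating": rating(residual),
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(frequency, severity_mu, severity_sigma, n_sims=10_000, seed=7):
    """Monte Carlo aggregate loss distribution: Poisson frequency, lognormal severity.

    Each simulated year draws an event count, then sums one lognormal loss per event.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n_sims):
        n_events = poisson_sample(rng, frequency)
        totals.append(sum(rng.lognormvariate(severity_mu, severity_sigma) for _ in range(n_events)))
    return totals


def value_at_risk(losses, confidence=0.99):
    """Empirical VaR: the annual loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    index = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[index]


def expected_loss(losses):
    return sum(losses) / len(losses)


def economic_capital(losses, confidence=0.99):
    """Unexpected loss = VaR minus expected loss; the expected part is priced or provisioned."""
    return value_at_risk(losses, confidence) - expected_loss(losses)


if __name__ == "__main__":
    # Constructed sample register for illustration only.
    register = [
        RiskItem("Payments", "Card fraud losses", impact=4, likelihood=5, control_effectiveness=0.5),
        RiskItem("Treasury", "Model error in hedge valuation", impact=5, likelihood=2, control_effectiveness=0.3),
        RiskItem("Branch ops", "Teller cash differences", impact=2, likelihood=4, control_effectiveness=0.6),
    ]
    for row in score_register(register):
        print(f"{row['entity']:<11} {row['risk']:<32} unmitigated={row['unmitigated']:>4} "
              f"residual={row['residual']:>5.1f} {row['rating']}")
    # Constructed parameters: 3 events/year, median severity exp(10.0) ~ 22,000 in currency units.
    losses = simulate_annual_losses(frequency=3.0, severity_mu=10.0, severity_sigma=1.0)
    print(f"expected annual loss: {expected_loss(losses):,.0f}")
    print(f"99% VaR:              {value_at_risk(losses, 0.99):,.0f}")
    print(f"economic capital:     {economic_capital(losses, 0.99):,.0f}")
```

The scoring half is what a Level 2 or 3 organization typically runs through a self-assessment tool; the simulation half is the frequency/severity approach the economic-capital column describes. Keeping both in one model is also what makes the deck's "aggregate" step possible: residual scores rank risks for attention, while the simulated loss distribution gives a number that can be compared against risk appetite and summed across business units.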
Enterprise-wide View of Risk Information Management, Reporting and Escalation (Illustrative)
Board of Directors / Senior Management / Risk Committees
• Aggregation and Integration: risk metrics and limit data; business unit risk assessment reporting
• The Top-Down View: risk appetite, risk policies, guidelines, and framework
ERM function
• Data Collection: risk metric inputs
• Operationalized View: practices and procedures; guidance on risk mitigation and limit information
Business Units

Tools are Needed to Support Your Risk Management Process and Manage Data
Tools play an important supportive role in providing efficiency and consistency in the ongoing risk management process. The right people and process drive the quality of the information; the tool manages the information. The role of tools includes, but is not limited to:
• Serves as a central data repository
• Allows for customized reporting
• Encourages action planning
• Provides ongoing monitoring
• Promotes accountability
• Supplies management reporting
• Presents consistent formatting

ERM: Sample Supporting Architecture
Enterprise Level Analysis & Reporting: Risk Correlation; Risk Appetite; Capital Calculation & Modeling; Aggregate Risk Portfolio; Scenario Analysis; Risk Reporting; Dashboarding
Risk Management Applications: Workflow Management System; Document Management System; Issue Management System; Risk Treatment Systems; Monitoring / Alerts / Limits / KRIs
Risk Engines: Market Risk Engine; Credit Risk Engine; Treasury/ALM Risk Engine; Operational Risk Engine; Hazard Risk Engine; Strategic Risk Engine
Engine measures and inputs (listed per engine on the slide): Limits; Op VaR, Exposure; Tolerances; VaR; CVaR, CE, PFE; VaR; Qualitative Exposure; Correlations; Scenarios; Financial Projections; Pricing Engines; KRIs; Transactions; Counterparty Info.; Transactions; RCSA; Internal Loss Data; External Loss Data; Transactions; Scenarios; Initial Financials & Projections; Fraud & AML
Data layer: Risk Data Warehouse; Data Quality Management Engine; Extract, Transform and Load
Enterprise Applications: IT Management Systems; HR Management Systems; Financial Systems; Audit Systems
Integration Brings Both Challenges and Value
Marketplace recognition that many risk and control initiatives overlap:
• Demand for efficiency
• Demand for data
• Demand for value
Illustrative overlapping initiatives: SEC Public Company Standards; FDICIA; Sarbanes-Oxley; Basel II; Internal Policies – all of which touch People, Process and Technology

Unlocking ERM Value: Finding Opportunities for Integration
[Diagram: risk initiatives 1) through 10) plotted against Regulatory Requirements and Complexity and grouped as Now / Later / Maybe, with Shared Information and Management Reporting as the points of integration]

ERM Integration: Unlocking Value
Inputs: Regulatory Environment Requirements; Internal Policies; Market Pressures / Competition; Existing ‘Silos’
Transformational Steps:
1. Catalogue existing lines of business
2. Identify, catalog and assess existing risks & controls
3. Inventory risk, requirements and controls
4. Refine and optimize processes
5. Rationalize infrastructure & IT
6. Streamline governance
7. Assess outputs against desired goals and success factors
Outputs: Managed Costs and Operational Efficiency and Effectiveness; Sustained Integrated Infrastructure; Streamlined Governance and Interaction; Improved Transparency

Integrated ERM “RULES” (Illustrative)
GOVERNANCE – BOD and Sr. Mgmt
• Receive: Risk Exposure; Capital Allocation; Losses; Compliance with SOX; IA Testing Results, etc.
• Ratify: Risk Policies; Risk Appetite; Capital Requirements
Regulators (e.g., SEC, FHFB, OCC, etc.)
• Compliance; SOX Attestation
INTERNAL AUDIT
• Test internal controls, including SOX controls
• Internal Audit risk assessment results feed the risk-based audit plan
OFFICE OF THE CRO – Aggregate / Analyze / Report
• Methodology; Policies; Risk Limits; Guidance; Enterprise View
• Risk Assessment & Monitoring; Reporting; Loss Event Database
• E.g., subject matter experts for reputational risk and risk analytics engines for market, credit, and operational risk
RISK TAKING AND RISK MANAGEMENT – Business Units, Finance, Legal Dept, etc.
• Identify risks (market, credit, operational, reputational, financial reporting, etc.)
• Estimate risk exposure; allocate capital; mitigate risk
• Report control deficiencies (e.g., SOX); risk events and losses
• Business Process [Policies, Procedures, Controls, Systems, People]
ERM Case for Integration: Key Challenges
Although organizations are interested in integration, as the results of the 2006 Risk Management Survey confirm, most are still in the process of investigating options and planning for future efforts. Some challenges commonly faced by organizations include:
• Does the underlying technology support integration?
• Does the organization have a commonly shared language for risk?
• Should integration efforts be divided into short-term and long-term efforts, or conducted at once?
• What has and has not worked for other organizations in integration, and what does that mean for my organization?

Questions and Comments
Dolores Atallo-Hazelgreen
Firm Director, Deloitte & Touche LLP
(212) 436-5346
datallohazelgreen@deloitte.com

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu”, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein. In the U.S., Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the U.S. member firm are among the nation’s leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the U.S. member firm’s Web site at www.deloitte.com/us.