Agenda
1. Establish a Risk Management Vision with Top-Down Support
2. Bottoms-Up Design to Reinforce Company Corporate Values
3. Convergence of Functional Groups in Risk Assessments
4. Risk Appetite and Integration into Strategic Planning Process
5. Communication of Top Risks, Emerging Risks and Strategic Risks
6. Resiliency/Sustainability: The Importance of How We React
7. Risk Pricing/Risk Capital
8. Everyone is a Risk Manager
Goals of Risk Management
• Vision – Develop an industry-leading discipline and be a valued partner to the business, driving a culture of accountability for all employees while striving to protect the company within a defined risk appetite; exhibit a proactive approach to optimizing risk and reward
• High-Level Objective – Manage the firm’s risks and understand the drivers of earnings volatility in order to add shareholder value and, in turn, increase shareholder returns
• Processes and Governance – Provide appropriate controls and ongoing management of major risks in our business activities, creating risk awareness and personal accountability for risk-taking
• Detailed objectives align with the vision
• Traditional risk management focuses primarily on market and credit risks; Constellation’s risk management approach, by contrast, assesses risk across a broader framework that includes contingent liquidity needs, safety risk, cyber-security risks and people risks
Risk Management assesses and links risks to business activities in a proactive and methodical manner to optimize risk, levels of control and business returns
Top-Down Support, Organizational Alignment and Risk Culture
Company management establishes strategy, business plan and risk appetite. The Board of Directors is responsible for risk oversight of the Company’s activities. The Board approves the risk appetite and authorizes management to establish risk policies and limits.
[Organization chart: Board of Directors; CEO; Chief Strategy Officer, Chief Risk Officer, General Counsel, Corporate Affairs, Chief Human Resources Officer, Chief Financial Officer; Operating Company Heads]
ERM Design to Reinforce Company Corporate Values
Corporate values: Accountability; Customer Commitment; Enterprise Thinking; Teamwork
ERM drives the integration of risk management into management decision-making and promotes a culture of business ownership while simultaneously ensuring compliance with industry and company standards
Standard Language Risk Framework

Risk Framework and Definitions

| Category | Definition | Sub-categories |
| Liquidity | Ability to generate or obtain sufficient cash, in a timely manner, to meet demands as they arise (expected and unexpected) | Corporate Funding; Collateral Requirements; Contingency Funding |
| Market | Potential loss arising from adverse movements in external market variables | Market Factor Sensitivity; Volume Risk; Market Liquidity; Investment Performance |
| Credit | Risk of loss inherent in business segments, resulting from counterparty failure, decreased creditworthiness, and poor performance | Settlement Risk; Counterparty Performance; Supply Chain |
| Operational | Risk of loss from inadequate or failed internal processes, people, financial reporting, systems, or external events | People; Process; System; External; Financial Reporting |
| Environmental | Risk of loss and associated harm due to the company’s interaction with the environment | Non-Compliance; Environmental Impacts; Environmental Positioning |
| Business & Strategic | Risk of unsuccessful performance due to potential threats, actions, or events adversely affecting the organization’s ability to achieve its objectives | Law Changes; Industry Changes; Demand Changes; Competition; Political Risk |
| Reputational | Potential negative publicity regarding business practices, regardless of validity | Unethical Behavior; Crisis Management; Association Risk |

A company focused on strategic risk management constantly assesses risk factors across multiple time horizons to ensure they reflect business realities
• Use a standard language to create consistency in the language, processes and systems used for capturing risk information, and a consistent approach to business unit risk control self-assessments with common taxonomies, evaluation criteria and a central data repository
• The common framework approach enables each business and functional area to manage their own
• An enterprise-wide standard hierarchy and pre-defined libraries in a common system enable data aggregation for clear, concise management reporting
Bottoms-up Risk Assessment of End-to-End Business Process

Operational risk processes, by phase (Pre-work → Workshop → Monitor & Report):
• Business Process: Identify key business processes
• Risk / Control Self-Assessment: Identify risks → Rate risk probability → Rate risk impact → Calculate overall risk level → Categorize risks as critical, radar or watch → Assign risk owners → Identify current controls → Rate control importance → Rate control effectiveness → Develop action plan → Assign control action plan owner → Assess $ impact of new investment
• Loss Data: Define loss data → Collect loss data → Report
• Key Risk Indicators: Develop metric(s) to monitor the effectiveness of each control → Set threshold(s) → Collect data → Monitor & Report

• The initial phase of the Integrated Risk Assessment (IRA) is the Risk and Control Self-Assessment (RCSA)
• The RCSA process creates a mechanism whereby each business unit and functional group identifies its key processes and the risks that affect those processes
• Each risk is assigned a probability rating and an impact rating. Each risk is linked to mitigating controls, and each control is regularly evaluated for effectiveness
The IRA process clarifies key business processes, risks and the ownership of controls
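The RCSA steps above (rate probability and impact, calculate an overall level, bucket the risk as critical, radar or watch, rate each control’s importance and effectiveness, set KRI thresholds) together with the standard-language taxonomy from the Standard Language Risk Framework, as an added Python example that is not from the deck and is not Constellation’s own tooling. The 1-5 scales, the critical/radar/watch cut-offs, the 80% mitigation cap, the importance-weighted control formula and the sample register are assumptions chosen for illustration; the deck names the steps and categories but not its own scales or formulas.

```python
# Worked RCSA scoring against the standard risk language. Scales, cut-offs,
# the mitigation cap and all sample data are assumptions for illustration;
# the deck names the steps and categories but not its actual formulas.
from dataclasses import dataclass, field

# Standard language: framework categories and sub-categories as listed in the deck.
TAXONOMY = {
    "Liquidity": {"Corporate Funding", "Collateral Requirements", "Contingency Funding"},
    "Market": {"Market Factor Sensitivity", "Volume Risk", "Market Liquidity", "Investment Performance"},
    "Credit": {"Settlement Risk", "Counterparty Performance", "Supply Chain"},
    "Operational": {"People", "Process", "System", "External"},
    "Environmental": {"Non-Compliance", "Environmental Impacts", "Environmental Positioning"},
    "Business & Strategic": {"Law Changes", "Industry Changes", "Demand Changes", "Competition", "Political Risk"},
    "Reputational": {"Unethical Behavior", "Crisis Management", "Association Risk"},
}
SCALE_MAX = 5         # assumed 1..5 ratings for probability, impact and controls
CRITICAL_MIN = 15     # assumed: probability x impact >= 15 -> critical
RADAR_MIN = 8         # assumed: 8..14 -> radar, below 8 -> watch
MAX_MITIGATION = 0.8  # assumed: fully effective controls still leave 20% of inherent risk


@dataclass
class Control:
    name: str
    importance: int     # 1 (supporting) .. 5 (key control)
    effectiveness: int  # 1 (ineffective) .. 5 (fully effective)


@dataclass
class KRI:
    metric: str
    threshold: float           # breach when the newest observation exceeds it
    observations: list[float]  # oldest .. newest


@dataclass
class Risk:
    process: str        # key business process the risk sits in
    name: str
    owner: str          # assigned risk owner
    category: str       # TAXONOMY key
    subcategory: str    # member of TAXONOMY[category]
    probability: int
    impact: int
    controls: list[Control] = field(default_factory=list)
    kris: list[KRI] = field(default_factory=list)

    def inherent_score(self) -> int:
        # Overall risk level before controls: probability x impact.
        return self.probability * self.impact

    def tier(self) -> str:
        # Critical / radar / watch bucket from the inherent score.
        score = self.inherent_score()
        if score >= CRITICAL_MIN:
            return "critical"
        return "radar" if score >= RADAR_MIN else "watch"

    def control_score(self) -> float:
        # Importance-weighted control effectiveness, 0.0 .. 1.0.
        if not self.controls:
            return 0.0
        weight = sum(c.importance for c in self.controls)
        return sum(c.importance * c.effectiveness for c in self.controls) / (SCALE_MAX * weight)

    def residual_score(self) -> float:
        # Inherent score after controls; never below (1 - MAX_MITIGATION) of inherent.
        return self.inherent_score() * (1.0 - MAX_MITIGATION * self.control_score())

    def breached_kris(self) -> list[str]:
        # Metrics whose newest observation exceeds its threshold.
        return [k.metric for k in self.kris if k.observations and k.observations[-1] > k.threshold]


def taxonomy_errors(risks: list[Risk]) -> list[str]:
    # Risks whose category/sub-category pair is not in the standard language.
    return [r.name for r in risks if r.subcategory not in TAXONOMY.get(r.category, set())]


def register_summary(risks: list[Risk]) -> dict:
    # Aggregate a register the way a central repository would for management reporting.
    by_tier = {"critical": 0, "radar": 0, "watch": 0}
    for r in risks:
        by_tier[r.tier()] += 1
    ranked = sorted(risks, key=lambda r: r.residual_score(), reverse=True)
    return {
        "by_tier": by_tier,
        "top_residual": [r.name for r in ranked],
        "kri_breaches": {r.name: r.breached_kris() for r in risks if r.breached_kris()},
        "taxonomy_errors": taxonomy_errors(risks),
    }


def sample_register() -> list[Risk]:
    # Constructed sample data, not from the deck.
    return [
        Risk("Wholesale trade settlement", "Unauthorized access to trading system",
             "Head of Trading Technology", "Operational", "System", probability=3, impact=5,
             controls=[Control("Multi-factor authentication", 5, 4),
                       Control("Quarterly privileged-access review", 4, 3),
                       Control("Network segmentation of trading hosts", 3, 4)],
             kris=[KRI("Accounts without MFA", 0, [3, 1, 2]),
                   KRI("Failed privileged logins per week", 50, [12, 40])]),
        Risk("Fuel procurement", "Single-source supplier failure", "VP Supply Chain",
             "Credit", "Supply Chain", probability=2, impact=4,
             controls=[Control("Qualified secondary supplier", 4, 2)]),
        Risk("Plant operations", "Aging workforce", "CHRO",
             "Operational", "Workforce", probability=4, impact=1),  # sub-category not in taxonomy
    ]
```

Run `register_summary(sample_register())`: the trading-system risk scores 15 (critical) inherent and about 6.2 residual, still the top residual risk even with three controls, and its MFA-coverage KRI is breached because the newest observation is above the zero threshold; the third risk is flagged by `taxonomy_errors` because "Workforce" is not a sub-category in the standard language, which is the kind of consistency check a common repository should enforce before aggregation.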
Risk Governance
• Create a top-down and bottom-up approach to shifting the culture of risk identification and management throughout the enterprise:
  o set the tone at the top via an Integrated Risk Executive Steering Committee
  o incentivize employees to do the right thing and make risk-informed decisions
• Educate individuals across the company to take responsibility for risk management, to understand how their risks aggregate, and to take the steps needed to bring risk to acceptable levels
• Improve enterprise risk management through enhanced communication and by making information more readily and efficiently available
• Integrate risk assessment into management decision-making while simultaneously ensuring compliance with industry and company standards

| Role | Process | Output |
| Board of Directors | Review & assess changes and outputs; provide risk appetite | Improved understanding of the Company’s risk profile |
| Management Committee | Perform priority risk assessment; own priority risks of the company | Common vocabulary and assessment of risk; risk-based Corporate Audit plan; insurance evaluations |
| Risk Committee | Prioritize risks in business units | Business and functional support priority risks |
| Risk Management Group | Measure, aggregate and report operational risks | Risk capital; standard reporting |
| Business Units and Functional Support | Risk and control self-assessment; metrics; loss event data; risk register | Business-owned risk & control self-assessment; action plans |

The Top-Down Approach runs from the Board of Directors down to the Business Units; the Bottom-Up Approach runs from the Business Units up to the Board.
Convergence of Functions in Support of “Risk Assessment” in Business Process
Challenges
• Each business unit had its own risk and control terminology
• Control functions duplicated efforts by reviewing similar, if not the same, risks and controls
• Risks were highlighted based on business unit impact rather than corporate impact
• Large data sets needed to be merged at various levels of granularity
• Different systems housed control information
• Silos had the potential to persist
Constellation rapidly transitioned from a siloed and fragmented functional structure to an integrated business model, requiring a new standardized risk framework for enterprise risk management
Risk Appetite and Integration into Strategic Planning Process

Strategic planning cycle:
• Management Committee agrees on risk appetite
• Management Committee agreement on strategic direction
• Business dreaming session
• Business unit articulation of viable initiatives
• Risk Management highlights potential risks of offerings
• Business and functional groups assess controls

Risk appetite asks: What risks can I take? How much risk can I take? Who is willing to take the risks? When do we take the risk?

Risk Identification → Risk Assessment → Risk Balancing → Risk Limits → Risk Control
Phases: Assessment → Articulation → Action; outputs: Strategic Plan, Capital Allocation, Results

Functional support areas play a critical role in evaluating a company’s strategic risks
Communication of Top Risks, Emerging Risks and Strategic Risks
To build and maintain an effective risk management framework, a company must continuously evaluate the risk landscape
• Top risks are highlighted to ensure that executive management is focusing on the priority risks to the company
• Emerging risks are identified based upon new systemic, political and market factors, as well as other current events
• Strategic risks are assessed from the underlying emerging and systemic risks incorporated in the strategic plan that could derail the strategy and business plan
By understanding the enterprise risk factors, a company can develop strategies to optimize controls, improve performance and reduce the negative impacts to the business
Resiliency/Sustainability: The Importance of How We React

[Risk Framework diagram repeated from the Standard Language slide (Liquidity, Market, Credit, Operational, Environmental, Business & Strategic, Reputational and their sub-categories), with an Information Security callout]

Disaster Risk Framework

| Incident (cause) – examples | Impact (effect) |
| Fire, Hurricane, Utility Outage, Workplace Violence | Loss of Building |
| Datacenter / Network Failure, Cyber Attack | Loss of Technology |
| Pandemic / Health Crisis, Management Committee Compromised | Loss of Personnel |
| Plant Explosion, Nuclear Accident, Coordinated Attack on Electric Grid | Loss of Critical Infrastructure |
| Fire at Supplier’s Only Production Facility | Loss of Critical Materials / Services |
| Major Hazmat Leak into Chesapeake Bay | Environmental Disaster |

Highlighted “impacts” fall within the scope of the Business Continuity program

Operational Risk Framework
• People: Employee fraud; Inadequate people resources; Employee disputes; Aging workforce
• Process: Contract; Documentation; Model; Change management; Client & service interaction; Transaction process failure; Physical security; Safety; Reliability; Compliance; Privacy and confidentiality; Business continuity; Financial Reporting
• Systems: Plant Assets; Information security; Systems; Hardware; Software; Communications; Interfaces
• External: Disaster; Outsourcing/third party; Customer/counterparty fraud; Stakeholder actions (e.g., labor union, rating agency)

The Disaster Risk Framework recognizes various types of incidents (cause) while emphasizing that emergency response focuses on the impact (effect)
Risk Capital Framework
Capital Adequacy
• Show that the balance sheet is consistent with the target credit rating and the Company’s risk appetite
• Potential use in discussions with rating agencies
Pricing & Profitability
• Price all risks taken
• Compare profitability of investments using a coherent metric
• Determine “true” value added
• Identify portfolio synergies
Performance Measurement
• Measure performance relative to risk taken by / allocated to businesses and individuals
• Identify risk-adjusted value added
Appropriate Risk Pricing Drives Financial Performance
Risk-based metrics complement the financial metrics and help protect the company against adverse events by measuring potential losses and capital and liquidity adequacy. Risk-adjusted returns help to incorporate risk charges into transaction pricing.
Company performance metrics:
• Corporate Risk Metrics: Capital Adequacy; Liquidity Adequacy; Economic Value Added / RAROC; Credit Exposure; RnF@Risk
• Corporate Financial Metrics: EBIT / Earnings per Share; Return on Equity; FFO as a % of Net Income; OpEx as a % of Gross Margin; Credit Rating
• Business Risk Metrics: Transaction RAROC; Risk-Adjusted IRR; Business Portfolio RAROC; VaR/GMaR; Credit/Liquidity Risk Metrics; Return on VaR
• Business Financial Metrics: Gross Margin / Earnings; Cash Flows; NPV; IRR; Business Growth Metrics
Risk Integration Benefit
• Consolidation of financial reporting risks for SOX 404; ability to perform control testing and evaluation, and issue/action plan management
• Aggregation of risks and controls for regulatory reporting
• Risk assessment for applications and infrastructure / disaster recovery / cyber security
• Identification and documentation of environmental risks and exposures; consolidated metrics reporting
• Leverage risk assessment results for business plan assessments of risk identification completeness and of the adequacy of plans to enhance controls or accept the risk
• Integrated risk identification, issue/action plan management, and loss event data management
• Automates manual processes and replaces disparate systems/websites; also reduces inefficient communication traffic
Everyone is a Risk Manager
• Businesses and functions are responsible for identifying risks and controls in business activities
• A common system for risk data capture ensures that consistent processes and data sets are captured using a common vocabulary of risks and controls
[Flow: Business & Functions → Business Process → Risk Controls → Enterprise Top Risks → Audit Plan Priorities → Board and Management Communication]
Risk Management: Enterprise-Perspective & Business-Aligned Risk Management
Business is the First Line of Defense in Risk Management

Line of defense 1 – Business Segments (with Risk Liaisons embedded in each):
• Generation: Asset Management & Development Intensive Business
• Wholesale: Market Optimization Intensive Business
• Retail and BGE: Customer Relationship Intensive Business
• Corporate
Business Cycles: Business Strategy and Planning → Business Process and Execution → Continuous Evaluation (validate/refine strategy; re-allocate capital/limits)
Key Controls: Capital; Limits; Policy; Procedures; Reporting; Analysis

Line of defense 2 – Risk Management (Market Risk, Credit Risk, Operational Risk, Risk Capital, Liquidity Risk, Strategic, Reputation):
• Risk Factor Identification
• Oversight of Risk
• Integrated Risk Assessment
• Risk Systems and Standards
• Fraud Risk
• Policies and Procedures
• Financial Performance Risk
• Risk Metrics
• Liquidity Evaluation
• Portfolio Analysis
• Transaction Analysis
• Portfolio Management and Trading Limits
• New Product Review
• Credit Review
• Credit Workout
• Risk Measurement
• Risk Monitoring and Reporting
• Risk Mitigation
Control Groups: Legal; Regulatory Compliance; Environmental Audit; SOX; NERC; Middle Office (Risk and Control Self-Assessments; Control Environment)

Line of defense 3 – Corporate Audit: Control testing; 9-month rolling audit plan; Process & control consulting