Concurrent Session 1G: A New Role of ERM as an Independent Function: A Case in Point from Malaysia

Chen Voon Chong
Affeiz Abdul Razak

12/4/2013

Public Information

Malaysia Deposit Insurance Corporation
A New Role of Enterprise Risk Management (ERM) as an Independent Function: A Case in Point from Malaysia
22-24 April 2013

Contents
Objectives
A brief background of Malaysia Deposit Insurance Corporation (MDIC)
Regulatory landscape of ERM in Malaysia
Key roles and responsibilities in relation to ERM in MDIC
Value-added independent ERM function at various stages of the ERM process in MDIC
Key takeaways

Objectives
To provide a different perspective on the roles and reporting structure of the Chief Risk Officer (CRO) and the ERM Function as an independent function
To evaluate the importance of having an independent CRO and ERM Function
To provide an alternative reporting structure and roles for the CRO and ERM Function in your respective organizations

A Brief Background of MDIC

MDIC as a Component of the Safety Net

FINANCIAL SAFETY NET
Prudential regulation and supervision
Lender of last resort facility to assist banks facing temporary liquidity problems
Deposit insurance system

Deposit insurance enhances depositors' confidence.

Establishment of the Deposit Insurance System in Malaysia

i) Financial Sector Master Plan recommended the establishment of a deposit insurance system in Malaysia.
ii) Deposit Insurance Task Force formed by Central Bank of Malaysia; it studied and compared best practices of established deposit insurance systems in other countries. (2001)
iii) The Malaysia Deposit Insurance Corporation Act 2005 enacted by Parliament. (July 2005)
iv) Launch of MDIC (locally known as PIDM), established to administer the deposit insurance system in Malaysia. (1 September 2005)
v) MDIC Act 2011 enacted by Parliament; expanded mandate to administer the Takaful and Insurance Benefits Protection System (TIPS). (31 December 2010)

MDIC was named Deposit Insurance Organization of the Year for 2011 by the International Association of Deposit Insurers (IADI).

What Protection does MDIC Provide?
MDIC administers 2 separate financial consumer protection schemes:

Deposit Insurance System: protects against loss of deposits up to RM250,000 (USD81,000)
Conventional Deposit Insurance Fund
Islamic Deposit Insurance Fund

Takaful and Insurance Benefits Protection System (TIPS): protects against loss of eligible takaful and insurance benefits up to the prescribed limits
Conventional: General Insurance Protection Fund; Life Insurance Protection Fund
Islamic: General Takaful Protection Fund; Family Solidarity Takaful Protection Fund

Funding (combined ex ante and ex post funding by member institutions):
Annual premium contributions cover annual operating expenses and build deposit and insurance reserve funds over time.
Ex post levies to fund unexpected losses; government credit line facility for liquidity needs; MDIC can also raise funds from the capital market.
No commingling of funds.

Regulatory Landscape of ERM in Malaysia

Key ERM Guidelines and Standards
The Committee of Sponsoring Organizations of the Treadway Commission (COSO): Enterprise Risk Management - Integrated Framework
Federation of European Risk Management Associations (FERMA): A Risk Management Standard
AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines
ISO 31000:2009 Risk Management - Guidelines on Principles and Implementation of Risk Management

Financial Stability Board's Thematic Review on Risk Governance
Recommendations on the CRO:
Set requirements to elevate the CRO's stature, authority, and independence in the firm.
Direct reporting line to the CEO and a distinct role from other executive functions and business line responsibilities (e.g. no dual hatting).
Involve the CRO in activities and decisions (from a risk perspective) that may affect the firm's prospective risk profile.
Source: Financial Stability Board, Thematic Review on Risk Governance - Peer Review Report, 12 February 2013

Primary Legislative and Regulatory Requirements for ERM in Malaysia

Regulatory Body | Guidelines | Companies
Central Bank of Malaysia | Risk Governance | Financial Institutions
Securities Commission | Malaysian Code on Corporate Governance | Public Listed Companies
Bursa Malaysia (Malaysia's Stock Exchange) | Corporate Governance Guide: Towards Boardroom Excellence | Public Listed Companies
Bursa Malaysia (Malaysia's Stock Exchange) | Statement on Risk Management & Internal Control: Guidelines for Directors of Listed Issuers | Public Listed Companies
Putrajaya Committee on GLC High Performance (PCG) | The Green Book: Enhancing Board Effectiveness | Government-linked Companies

Salient Features of Risk Governance Guidelines issued by Central Bank of Malaysia

Senior management oversight
Principle 3: Senior management is responsible for ensuring that the day-to-day management of the organization's activities is consistent with the risk strategy, including risk appetite, and policies approved by the board.

Risk management and internal controls
Principle 6: Financial institutions must establish an independent senior risk executive role with distinct responsibility for the risk management function and the organization's risk management framework across the entire organization.
Principle 7: Financial institutions must establish and maintain an effective risk management function with sufficient authority, stature, independence, resources and access to the board.
Principle 8: Effective implementation of the risk management framework must be reinforced with an effective compliance function and subjected to an independent internal audit review.

Traditional vs Independent Roles of CRO/ERM Function in the Context of Malaysia

Parties/Reporting Line | Traditional Roles | Independent Roles
Board | Ultimate owners of risk | Ultimate owners of risk
Board Audit Committee (AC)/Risk Management Committee (RMC) | Assist the board to provide oversight on the risk management | Assist the board to provide oversight on the risk management
Management | Day-to-day management of risk activities | Day-to-day management of risk activities
ERM Function | Part of management functions | Independent from executive functions and does not have any management or financial responsibility functions
Reporting | CFO/CEO | Administratively to the CEO; functionally to the AC/RMC

Key Roles and Responsibilities in Relation to ERM in MDIC

Governance of MDIC
MDIC reports to Parliament through the Minister of Finance.
Board of Directors structure:
Chairman appointed by Minister of Finance.
Governor of Central Bank of Malaysia (ex officio).
Secretary General of Treasury (ex officio).
Not more than 6 members from the public and private sectors appointed by Minister of Finance.
CEO:
Appointed by Minister of Finance on the recommendation of the Board of Directors.
Not a member of the Board of Directors.

The ERM Oversight Structure in MDIC
Board of Directors
Audit Committee
Audit and Consulting Services
ERM Committee: composed of heads of key functions and chaired by the CEO
Strategic Planning and ERM (PERM) Working Committee: composed of representatives from all divisions and chaired by the GM of Strategic Planning Division
ERM Division*: provides secretariat services to these committees
Risk Owners: Communications and Public Affairs; Finance and Administration; Human Capital; Insurance, Risk Assessment and Monitoring; Intervention and Failure Resolution; Legal; Policy and International; Strategic Planning

*The CRO reports functionally to the Board via the AC and administratively to the CEO.

Other ERM-Related Requirements in MDIC
ERM Charter: sets out the mission, accountability & responsibility, ERM oversight structure, independence & objectivity, authority, and quality assurance & continuous improvements.
ERM Policy: declares and affirms MDIC's commitment to sound risk management and reaffirms the roles and responsibilities of the Board, Audit Committee, ERM Committee, CRO and Management on ERM.
ERM Procedure: sets out the ERM Framework and defines a consistent process for identifying, assessing, evaluating, treating, monitoring and communicating the significant risks faced by the Corporation.
ERM Effectiveness Assessment Framework: aims to measure the effectiveness of the current ERM programme and practices against the spectrum of maturity levels of ERM practices.

Value-added Independent ERM Function at Various Stages of the ERM Process in MDIC

The ERM Process in MDIC
1. Establish the Context (Objectives; Risk Impact; and Risk Appetite/Tolerance)
2. Corporate and Divisional Risk Assessment (ERM Risk Assessment Framework)
3. Risk Treatment Option Selection and Preliminary Risk Action Plans Preparation
4. Follow-up on the Implementation of Risk Action Plans
5. Monitor the Effectiveness of Risk Action Plans Implemented and Reassess the Impact on Risk Rating

Phase 1: Establish the Context

Objectives: Mandate; Vision; Mission; Corporate Values; Strategic Thrusts; Corporate Objectives; Corporate Initiatives
Divisions shown in the context diagram: INRAM; Policy and International; IFR; Human Capital; Strategic Planning; Audit and Consulting Services; Communications and Public Affairs; FINAD; Legal; CEO's Office; ERM

Risk Appetite/Tolerance: level of risk that MDIC is prepared to accept/tolerate in the process of achieving its mandate and objectives.
Risk Capacity: level of risk MDIC could not afford to accept/tolerate.

Risk Parameter: Factors
Financial factors: Financial Loss
Non-financial factors (internal): Employees; Achievement of Corporate Initiatives; Operational Requirements and Continuity
Non-financial factors (external): Financial Soundness of MIs (member institutions); Public Confidence/Reputation

Risk Parameter: Impact
4 Critical
3 Major
2 Minor
1 Insignificant

Phase 2: Corporate and Divisional Risk Assessment

RISK IDENTIFICATION
1. Identify the Corporate and Divisional risk and describe the underlying risk events

RISK ASSESSMENT AND ANALYSIS
2. Determine the root causes
3. Determine the consequences
4. Determine the gross likelihood (Unlikely, Low, Moderate, High)
5. Determine the gross impact (Insignificant, Minor, Major, Critical)
6. Determine the gross risk rating (Well Managed, Concern, Extraordinary Events, Serious Concern)

RISK EVALUATION
7. Identify current controls and control types (Preventive, Detective, Corrective)
8. Determine control effectiveness (High, Moderate, Ineffective)
9. Re-evaluate the gross risk rating
10. Determine the residual risk rating (Well Managed, Concern, Extraordinary Events, Serious Concern)
11. Determine the residual risk trend (Increase, Decrease, Stable)

12. Risk Map, Risk Profile and Risk Registers
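The twelve steps above are a scoring procedure, so the following is an added worked example in Python (written for this page; it is not MDIC's ERM tooling) that carries three constructed risks through steps 4 to 12 into a register. The four scales and the control types come from the slide. The rating matrix, the rule that a control's effectiveness lowers likelihood by a fixed number of steps without stacking, and the severity order used for the trend are assumptions made for illustration, since the page does not state MDIC's own tables.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Scales taken from the Phase 2 steps on the page.
LIKELIHOOD = ("Unlikely", "Low", "Moderate", "High")             # step 4
IMPACT = ("Insignificant", "Minor", "Major", "Critical")          # step 5
RATINGS = ("Well Managed", "Concern", "Extraordinary Events", "Serious Concern")
CONTROL_TYPES = ("Preventive", "Detective", "Corrective")         # step 7
# ASSUMPTION: a control of each effectiveness level removes this many likelihood steps (step 8).
EFFECTIVENESS_STEPS = {"High": 2, "Moderate": 1, "Ineffective": 0}

# ASSUMPTION: illustrative rating matrix for steps 6 and 10; the page does not give MDIC's.
# Rows follow LIKELIHOOD, columns follow IMPACT. The Unlikely/Major and Unlikely/Critical
# cells are the low-frequency, high-severity corner labelled "Extraordinary Events".
MATRIX = (
    ("Well Managed", "Well Managed",    "Extraordinary Events", "Extraordinary Events"),  # Unlikely
    ("Well Managed", "Concern",         "Concern",              "Serious Concern"),       # Low
    ("Concern",      "Concern",         "Serious Concern",      "Serious Concern"),       # Moderate
    ("Concern",      "Serious Concern", "Serious Concern",      "Serious Concern"),       # High
)
# ASSUMPTION: severity order used only for the residual trend (step 11).
SEVERITY = {r: i for i, r in enumerate(RATINGS)}


@dataclass
class Control:
    name: str
    kind: str           # one of CONTROL_TYPES
    effectiveness: str  # one of EFFECTIVENESS_STEPS

    def __post_init__(self) -> None:
        if self.kind not in CONTROL_TYPES or self.effectiveness not in EFFECTIVENESS_STEPS:
            raise ValueError(f"control {self.name!r}: unknown type or effectiveness")


@dataclass
class Risk:
    name: str
    category: str            # one of the Board-approved risk categories on the page
    likelihood: str          # gross likelihood, step 4
    impact: str              # gross impact, step 5
    controls: list[Control] = field(default_factory=list)
    previous_residual: str | None = None  # residual rating from the last assessment cycle

    def __post_init__(self) -> None:
        # Reject values outside the published scales instead of silently mis-rating.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"risk {self.name!r}: likelihood/impact not on the scale")
        if self.previous_residual is not None and self.previous_residual not in RATINGS:
            raise ValueError(f"risk {self.name!r}: unknown previous residual rating")


def gross_rating(risk: Risk) -> str:
    """Step 6: look up gross likelihood x gross impact in the matrix."""
    return MATRIX[LIKELIHOOD.index(risk.likelihood)][IMPACT.index(risk.impact)]


def residual_likelihood(risk: Risk) -> str:
    """Steps 8-9: ASSUMPTION that only the single most effective control counts (no stacking)."""
    best = max((EFFECTIVENESS_STEPS[c.effectiveness] for c in risk.controls), default=0)
    return LIKELIHOOD[max(0, LIKELIHOOD.index(risk.likelihood) - best)]


def residual_rating(risk: Risk) -> str:
    """Step 10: re-rate with the reduced likelihood; impact is left unchanged."""
    return MATRIX[LIKELIHOOD.index(residual_likelihood(risk))][IMPACT.index(risk.impact)]


def residual_trend(risk: Risk) -> str:
    """Step 11: compare this cycle's residual rating with the previous one."""
    if risk.previous_residual is None:
        return "Stable"  # first assessment: nothing to compare against
    now, before = SEVERITY[residual_rating(risk)], SEVERITY[risk.previous_residual]
    return "Increase" if now > before else "Decrease" if now < before else "Stable"


def build_register(risks: list[Risk]) -> list[dict[str, str]]:
    """Step 12: one risk register row per risk."""
    return [
        {
            "risk": r.name,
            "category": r.category,
            "gross": gross_rating(r),
            "residual_likelihood": residual_likelihood(r),
            "residual": residual_rating(r),
            "trend": residual_trend(r),
        }
        for r in risks
    ]


# Constructed sample register entries (hypothetical, not MDIC data).
SAMPLE_RISKS = [
    Risk("Payout system outage during a member institution failure", "Operational Risk",
         "Moderate", "Critical",
         [Control("Hot standby site with quarterly failover test", "Preventive", "High")],
         previous_residual="Serious Concern"),
    Risk("Premium miscalculation from erroneous member institution returns", "Financial Risk",
         "High", "Minor",
         [Control("Automated reconciliation of submitted returns", "Detective", "High"),
          Control("Manual spot checks by Finance", "Detective", "Moderate")],
         previous_residual="Concern"),
    Risk("Loss of public confidence from a mis-stated coverage limit", "Reputation Risk",
         "Unlikely", "Major", previous_residual="Well Managed"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['risk'][:45]:45} gross={row['gross']:20} residual={row['residual']:20} trend={row['trend']}")
```

Running the file prints the register. To use it for a real assessment, replace MATRIX and EFFECTIVENESS_STEPS with the organization's own tables; the rest of the procedure is unchanged. Values outside the published scales are rejected in __post_init__ rather than being mis-rated silently.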

Phase 3: Risk Treatment Option Selection and Preliminary Risk Action Plans Preparation
1. Identify risk owner and co-owners
2. Identify risk treatment options
3. Determine rationale for risk treatment options selected
4. Prepare preliminary risk action plans
5. Revision by the CEO/ERM Committee
6. Table to the AC for endorsement

Phase 4: Follow-up on the Implementation of Risk Action Plans
1. Review the implementation status of agreed risk action plans
2. Assess viability to complete within the expected end date
3. Review the risk action plans
4. Measure the implementation status
5. Endorsement by the CEO/ERM Committee
6. Update the AC on the implementation status

Phase 5: Monitor the Effectiveness of Risk Action Plans Implemented and Reassess the Impact on Risk Rating
1. Reassess the implementation status
2. Revise the risk action plans
3. Update the controls
4. Reassess the control effectiveness
5. Reassess the residual risk rating
6. Endorsement by the CEO/ERM Committee
7. Update the AC on the implementation status and revised risk rating

Board Risk Policies

Board Risk Policy (structure)
1.0 Definition
2.0 Policy
2.1 Board of Directors Oversight
2.2 Board's Expectations
3.0 Risk Policy Review

Purpose: to clarify the oversight function of the Board in relation to specific risks and outline the Board's expectations of management's roles in supporting them, including the risk strategy and policies and risk appetite. The Board-approved risk categories are as follows:
Financial Risk;
Insurance Risk;
Operational Risk;
Reputation Risk; and
Strategic and Governance Risk.

Corporate-wide Board Risk Report

Board Risk Report (structure)
1.0 Definition
2.0 Risk Owner
3.0 Background of the Risk
4.0 Current Internal Controls, Practices, and Oversight over Risk Exposure
5.0 Overall Assessment of the Risk, Conclusion and Risk Action Plans

Purpose: to outline the current controls, processes and Management oversight in place in managing the respective risk category.
The objectives of the Corporate-wide Board Risk Report are for the CRO to provide an independent assessment on:
whether Management is meeting the expectations of the Board Risk Policies; and
the status of key initiatives to be taken to lower the residual risk for each of the risk categories/sub-risk categories.

The Synergies: ERM, Strategic Planning and Internal Audit

ERM key activities
Environmental Scan & Risk Identification (external and internal)
High-level Risk Identification & Assessment (Annual ERM Workshop)
Ongoing Risk Assessment, Monitoring & Review
Quarterly monitoring and tracking of Action Plans
Annual Review of ERM policies and guidelines

Strategic Planning key activities
Strategic setting and planning
Corporate Planning process
Strategic direction and Key Performance Indicators
Corporate performance management (Balanced Scorecard)
Divisional business plans and performance reporting
Monitoring and reporting to EMC, AC and Board

Internal Audit key activities
3-year Audit Plan: Strategic management audit
3-year Audit Plan: ERM audit
Validate controls identified in the Risk Profile
Representations to Board and Management
Risk-based Audit Planning
Risk-based Auditing

Key Takeaways
Compare the roles of the CRO and ERM Function of your respective organizations to MDIC.
Evaluate the importance of having an independent CRO and ERM Function for your respective organizations in providing independent and unbiased advice on significant risks and ERM-related matters in the decision-making process.
Select the best reporting structure and roles of the CRO to create value for the Board of Directors in discharging its responsibilities and in providing oversight on the significant risks.

Thank You