Risk reporting to the Board

June 26, 2016

Jim DeLoach and I are friends that, I believe, share mutual respect but sometimes disagree[1]. I like to think our occasional disagreements are more about how we present and discuss topics than they are of substance. Nevertheless, I have made some less than positive comments on his and his firm’s work a few times in these pages.

Not so much today!

In March, Jim had Six Principles for Improving Board Risk Reporting published in NACD Directorship.

I would not argue with any of his principles:

  1. Focus on critical enterprise risks and emerging risks.
  2. Address ongoing business management risks on an outlier basis.
  3. Ensure risk reporting is linked to key business objectives.
  4. Use risk reporting to advance dialogues around risk appetite.
  5. Integrate risk reporting with performance reporting.
  6. Report on whether changes in the external environment affect the critical assumptions underlying the strategy.

I think the six are all principles that should be a focus of the board’s attention. Jim expands on them in the article.

I would change the order, putting the reporting of risk to objectives first.

My dialogues with board members over the last couple of years (including work with the NACD, where I would often see Jim) have told me that they want to receive information that is actionable.

Actionable information, when it comes to board members and top executives, will focus on the type of decisions that those individuals typically make: decisions relating to strategies, major projects, and so on. While they are concerned about management’s ability to make appropriate choices regarding significant risks, they will (and should) rarely get involved in tactical decisions.

So, whether corporate objectives and strategies, which have been approved by the board, will be achieved should be their first concern.

This brings me to two points that I would consider adding to Jim’s list:

  7. Consider and obtain assurance on the culture of the organization. The COSO ERM Exposure Draft makes culture a focus and I just posted (on the IIA site, where I have another blog) a discussion of a new research paper by the Chartered Institute of Internal Auditors.
  8. Assess whether the management team, including the CEO and CFO, have effectively integrated the consideration of risk into every business process and decision. Do they ‘embody[2]’ risk management at all times? As a secondary observation, does the board have full confidence in the chief risk officer and his or her ability to work effectively with the management team?

I welcome your comments.

[1] I was honored to have Jim as one of the reviewers of World-Class Risk Management.

[2] I emphasize the need for every executive to embody risk management in my book. Their actions drive the tone for and culture of the whole organization. They need not only to integrate risk into their decision-making processes but demand the same from their direct reports.

We need to review and provide feedback on the COSO ERM Exposure Draft

June 19, 2016

This last week, COSO published an Exposure Draft of its ERM Framework Update, freshly entitled Enterprise Risk Management – Aligning Risk with Strategy and Objectives. You can see an introductory video, review, and then provide feedback on the draft here.

The COSO update is a significant moment for all risk practitioners.[1] So I strongly recommend that everybody take the time to review and give careful consideration to the draft.

But, let’s do that by looking at the big picture rather than the detail.

Let’s also put aside any predisposition we may have either to like or dislike COSO’s work.

How should we assess the ERM Update draft? That’s the focus of this post.

COSO not only provides the opportunity to submit comments, but has a history of listening and making changes where appropriate[2].

While COSO has provided their own set of review questions, I am not persuaded they strike to the heart of whether the draft meets the needs of its potential users. COSO’s questions seem to assume that their thinking is correct and only ask whether it is clear. For example, rather than ask whether we agree with their concept of risk appetite, the survey asks whether it is clearly explained.

I suggest we do it against criteria that focus on whether the draft will provide the guidance that enterprises need if they are to be successful.

In other words, if organizations adopt the updated COSO guidance, are they likely to increase their ability to set and then achieve their objectives and deliver the value their stakeholders need[3]?

How about using the following questions as the basis for assessing and then providing feedback? They are distilled from some of the points COSO makes in the video and the Executive Summary of the draft, plus some consideration of the fundamentals of world-class risk management.

  1. Does the draft provide useful guidance that will help leaders of the organization define the mission, objectives, strategies, and plans that will deliver optimal value to stakeholders?
    • If the mission is not optimal, it is unlikely that the objectives will be
    • If the objectives are not optimal, it is unlikely that strategies to achieve them will be
    • …and so on
    • In order to set the optimal mission, objectives, strategies, and plans, leaders need to consider all the possibilities. They need to be able to obtain as clear a view as possible of potential opportunities and harms for all potential options. Their assessment of what might lie ahead, and how it might affect their journey, needs to be performed in a structured fashion – both opportunities and harms – and a reasonable judgment made that takes all of the potential effects of uncertainty into account
    • Organizations need to periodically review their mission and change it as conditions change. Think of Intel, Microsoft, HP, Apple and more
  2. Does the draft provide useful guidance when it comes to executing against the defined mission, objectives, strategies, and plans? Is there sufficient guidance on effective decision-making, and will it move the practice of risk management away from only reviewing, periodically, a list of risks? Will it lead to organizations practicing risk management continuously?
    • The Executive Summary makes the points that risk management must be continuous, enable effective decision-making, and be more than the review of a list of risks
    • But, does the detail of the framework deliver on those promises?
    • As COSO says in their Executive Summary, execution and the optimization of performance rely on decisions that are made not only by leaders in establishing the goals and objectives of the organization, but by managers at every level of the organization every day
    • In order to make good decisions, people need to consider all the potential consequences of the choices they make. Those include not only the harms but also the rewards that may occur. The consideration needs to be structured and based on useful, timely, current, and reliable information
    • Also as COSO says, risk management needs to be an essential part of running the organization and delivering performance. It should not be separate. Does the guidance enable organizations to manage risk as part of the rhythm of the business? Does it help management entwine the consideration of risk into every business process?
  3. Will the guidance still lead people to only identify, assess, and address potential harms? Will risk reporting still be focused on the level of risk rather than the likelihood of achieving each objective?
    • COSO says the consideration of both harms and rewards (in their language, ‘risks’ and ‘opportunities’) is essential if risk management is to be effective
    • While that is essentially what the prior version said, its language focused almost entirely on ‘risk’ and arguably this has led to most organizations only managing potential harms
    • Most organizations limit risk reporting to a list of risks and their level. But if it’s really about achieving objectives, shouldn’t reporting be about whether each objective is likely to be achieved, exceeded, or missed? It should not be limited to an assessment of potential harms
  4. Does the guidance explain clearly and help decision-makers understand and then evaluate all the potential effects of uncertainty?
    • Some look at ‘opportunity’ as the positive side and ‘risk’ as the negative. But, most situations and certainly most decisions have multiple potential consequences. It’s not just reward or just harm, usually it’s both. For example, when you decide to overtake another car on the freeway, there is potential to go faster as well as the potential for a crash. Only by understanding and then weighing both can a good decision be made. As another example, when you purchase a hotel while playing Monopoly, you create the opportunity to obtain rent (and this requires considering the size of that gain and its likelihood) as well as increase the potential to go bankrupt if you land on another’s property and have to pay rent
    • Some assess the ‘level’ of risk as a point – a level of impact and the likelihood of that impact. However, there is almost always a range of potential impacts, each with its separate likelihood. For example, if the organization decides to reduce the price of its products, sales could (a) increase by 10%; (b) increase by 20%; (c) remain the same; (d) change by another percentage. All of these possibilities have different likelihoods. If you wanted to plot the ‘level of risk’, it would be a range or a curve on the chart and not a point
    • The actions and decisions of one affect many. Is the guidance sufficient on this point?
    • Many define the level of risk based on the amount of impact multiplied by its likelihood. But then a 5% likelihood of a $200 loss is the same as a 50% likelihood of a $20 loss. One may be acceptable but the other not. Does COSO discourage the assessment of risk based on this simplistic calculation?
  5. Will the update provide decision-makers with the structure/process they need to decide whether to ‘take the risk’ because of the potential for reward?
    • In real life, people have to ‘balance’ risk and reward
    • Will the guidance provide a disciplined process for identifying and evaluating all the potential effects of each option and only then making an informed decision? Or does it consider only harms?
    • For example, if the potential for loss is assessed as between $50 (20% likelihood) and $100 (5% likelihood), should a manager ‘take the risk’ when the potential for gain is between $50 (20%) and $250 (5%)?
  6. Will the update lead to providing decision-makers with the guidance they need if they are to make the decisions management and the board want them to make?
    • The great majority of organizations that have a ‘risk appetite statement’ at the entity level have not been able to cascade it down in a way that enables those making the decisions in real life to know what is necessary
    • Different conditions (e.g., whether there is huge public scrutiny, whether the organization is likely to exceed or miss its earnings targets) can lead to executives wanting to change the risk decisions that are made
    • It’s one thing to say that you need to avoid exceeding defined risk limits, but when the reward is high it may be appropriate to take that risk. Does the guidance enable agile decision-making that considers changes in the environment?
  7. Does the update provide sufficient guidance on how to assess and then correct, as necessary, the culture of the organization?
    • It is encouraging that this is now included. Is it sufficient?
  8. Does the update provide sufficient guidance on each stage of the risk management process, including identifying, assessing, evaluating, and treating risk and opportunity? Does it provide sufficient guidance on communications and monitoring, including continuous improvement?
    • There is more to assessing risk (good and bad) than impact and likelihood. Other considerations include duration, speed of onset, and more
    • Many use models. Is this covered sufficiently?
  9. Is the updated COSO guidance on risk appetite and risk tolerance useful? Does it mirror and enable effective decision-making in real life? Does the guidance help to establish not only the upper limit of ‘risk’ that should be taken, but the lower level as well?
    • If organizations don’t ‘take risk’ they will not survive. It is dangerous to be too risk averse
    • How does an organization establish the minimum level as well as the maximum?
    • Does COSO provide sufficient guidance on how to assess both the upside and the downside?
    • Does the updated guidance help people ‘balance’ risk and reward, knowing when to ‘take the risk’?
    • The COSO definition of risk appetite in the current framework talks about an amount of risk. Sometimes risk appetite is expressed in terms like “we have no tolerance for this risk”
    • However, in real life people make decisions based not only on the ‘amount’ of risk (harm) but the likelihood of that amount of risk. For example, I might accept a 2% possibility of losing $100 but not a 20% possibility
    • A generic statement like “we have no tolerance for this risk” does not help real life decision-making. While no organization will state a level at which loss of life is acceptable, in many industries the only way to get to zero likelihood is to exit the business
    • What is an acceptable level of variation from objectives? If you set an objective of 10% growth but are willing to accept 5% growth, surely 5% is your true objective. Alternatively, your objective may remain 10% but you will accept a 7% chance that it will be reduced to 5%
    • Is the ISO 31000:2009 term ‘risk criteria’ better, especially as it can be applied to individual decisions?
  10. Will it be possible to assess the effectiveness of risk management in practice using the updated version?
    • Any assessment should be based on whether the management of risk helps people establish the optimal vision, objectives, strategies, and plans, make better decisions and, as a result, increase the likelihood of achieving objectives
    • Any assessment should identify the areas where the risk of failure in identifying, assessing, evaluating, or taking action to address risk is higher than desired
    • If the assessment is against principles, are those in the COSO draft as good or better than those in ISO 31000:2009?
  11. Will the guidance provide sufficient guidance to enable the board and/or a committee of the board to provide effective oversight?
    • Is the guidance as good as that in South Africa’s King IV Exposure Draft?
  12. Is the updated document consumable? Is it too long? Will it be read, understood, and acted on by all levels of the organization?

My request of you is:

  1. Do you think this list of 12 questions (I would prefer that there were fewer, but there you are) would be a sound basis for assessing the Exposure Draft?
  2. If it is, please share your assessment – here as well as with COSO.


[1] In my mind, this should include all executives and board members because everyone who leads and manages an organization, in fact every decision-maker, is a risk manager. Their decisions, from establishing the vision and mission, through strategy and objective-setting, to the decisions that are made every day across the enterprise as we execute on strategy, create and/or modify risk – and by risk, I refer to the effect of what might happen as we go from where we are to where we want to be.

[2] The Internal Control Framework Exposure Draft had issues that several of us pointed out. To their credit, COSO made some substantial changes. For example, they inserted as the first sentence in the section on effective internal control the key observation that effective internal control provides reasonable assurance that the risk to objectives is at acceptable levels. Without that sentence (and, for some, even despite that sentence) they would have created a checklist comprised of principles and points of focus. Instead, they told us to consider risk when assessing internal control.

[3] Asking a question like this is a technique I have used with good effect when running internal audit. It’s not whether the document explains defined content or ideas. It’s about whether it will help those charged with leading, directing, and running the enterprise be successful.


Coming up in Dubai and Los Angeles

June 14, 2016

I am planning to be in Dubai for three different events. The first (10/30-11/1) will be a repeat of the 3-day class we had in May on world-class internal audit and risk management, then we will have a 2-day class (11/2-3) for directors and executives on world-class risk management and audit, before Richard Anderson and I hold a 1-day RiskReimagined event (11/6) on the effective management of risk.

After that, Richard and I are planning a similar RiskReimagined event in Los Angeles on 11/16.

Registration is not yet available, but we will have an early registration discount for at least the RiskReimagined if not the other two events. To obtain the discount, please contact me and I will put you on the list.

Explaining risk management in plain English

June 12, 2016

I have been saying for a while that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.

Leaders of the organization speak in plain English about the achievement of corporate objectives such as earnings, profits, and projects.

Leaders of the risk management function talk about risks, impact or consequences, and sometimes in technobabble about terms that only risk practitioners and statisticians understand, such as ‘risk capacity’, ‘alpha’, and ‘residual risk’.

The traditional way of explaining the risk management process is (per ISO 31000):

  • Establish the context
  • Identify risks
  • Analyze risks
  • Evaluate risks
  • Treat risks
  • Communicate and consult (throughout the above)
  • Monitor and review (continuously)

Can this be translated into plain English, without using the ‘R’ word?

How about this?

  • Anticipate what might happen
  • Analyze the possibilities
  • Is there a problem? Can we do better?
  • What are the options? Can we improve them?
  • Which is best?
  • Decide
  • Act
  • Review/monitor/learn

I especially like the word ‘anticipate’. It’s better than talking about ‘uncertainty’, another word risk practitioners understand (I hope) but executives find difficult.

Isn’t risk management all about anticipating what might happen between where we are and where we want to be?

I welcome your thoughts.

Can we practice risk management in plain English and help leaders make intelligent and informed decisions without even knowing that this is ‘risk management’?

Risk and Strategy Entwined

June 4, 2016

I want to tell you a couple of stories about four people, two sets of twins.

The first two people are O and P; the second pair is SR and RS.

O and P are executives at the same company. The CEO, C, is considering a new venture, so he calls a meeting of his executive team. O and P sit opposite each other and just glare with clear disdain for the other.

C outlines the opportunity and asks for comments from the team. The general counsel and CFO look thoughtful, but before they can say anything O jumps in.

“I think that’s great! I already looked into this with my team and we project an 80% success rate, where we either hit or exceed the targets you outlined. There are a few things we need to prepare before launching, but I am very optimistic (no pun intended) that everything will be set for a launch in just a few months.” [The “pun intended” comment was because his real name is Optimist, although his position within the company is Vice President for Strategy and Planning.]

“Oh, O, you are always quick to see the upside without thinking about the many risks involved”, retorts P. “My team also thought the scheme would come up and we have worked with the appropriate departments to compile this list of risks”.

O comments quietly but everyone hears him, “P, you always live up to your name – a Pessimist who sees a cloud in every silver lining”.

P looks quickly at O and says “My job as Vice President and Chief Risk Officer is to make sure everybody is aware of the risks at all times. O, you constantly ignore them.”

Meanwhile, P is passing around a 5-page document describing about 30 areas assessed as ‘major’ risks to the company that exceed its risk appetite, as defined by the Risk Framework and Policy.

C responds to all of this as you might expect – frustration and annoyance. He doesn’t say anything, but he is thinking along the lines of “why did I hire these bozos, who can’t get along with each other and give me the advice and insight I need? One is always ‘full speed ahead’, perhaps to please me, while the other is always quick to point out why we should never do anything. But, if I fire either of them, especially P, I will hear from the board and the regulators.”

Out loud, C puts the list face down after glancing at it and asks his CFO and general counsel, “So, what do you think?”

I am sharing this story because when I write about the risk officer considering both the potential positive and the negative effects of events, situations, and decisions, several people have commented that the risk officer should focus only on the potential adverse effects because others, like the strategy people, are looking at the opportunity side.

I disagree with this perspective for a few reasons.

  1. Any event, situation, or decision can have multiple effects. Some may be adverse, some positive. Often, there will be multiple effects. In my Monopoly blog, I talked about the decision whether or not to buy a property. The purchase would create an opportunity to earn rent, but it would also reduce the cash reserves and increase the significance of having to pay rent, a fine, or so on. The smart manager has to decide whether the potential outweighs the risk. Both sides have to be considered, not just one.
  2. When anybody only explains why you shouldn’t do something, they should expect to be increasingly ignored. How would you react if every time you started to leave home you were greeted with a list of all the bad things that might happen?
  3. Every potential positive effect needs to be assessed with the same disciplined and structured process as an adverse effect.
  4. If you want to be perceived as a partner to the business, behave like a partner to the business! Behave like a top executive who has to make an informed and intelligent decision about whether to move forward, change direction, stand still, or even retreat – based on reliable information about all potential consequences under every option. Behave like an executive and talk like an executive, in the language of the business.

In our second story, which is at another company, the CEO (CE) is also considering a new venture and asks his executive team for input.

SR looks at RS, gets a nod, and answers.

“RS and I have been working together to integrate the consideration of risk into the strategic planning and performance monitoring processes. I am pleased to tell you that our Risk and Strategy teams have been looking at this opportunity together. Strategy [ndm: whose middle name is Risk] and I have this joint assessment for you and the team to review”.

Risk, whose middle name is Strategy, passes around a 2-page document that outlines the results of the two teams’ assessment. It includes both the potential upsides, their extent and likelihood, as well as the more significant risks, also with extent and likelihood. There is a Summary section that provides an overview of the most likely net effect of each strategic option.

CE beams with satisfaction. What a change this is from his last company! Here, he has two partners that he can trust to provide him with the information he needs as well as a balanced perspective on the options. He has a strategic advantage over his old friend, C.

He congratulates SR and RS for working together to provide a joint assessment. SR looks to RS before replying that they have agreed on a common framework going forward; both teams are cross-trained so that they always look at an event or situation with a balanced view. The Risk team will assess the full range of potential effects on all issues that come to them, and the Strategy team will include an assessment of both positive and negative effects when proposing new or updated strategies, and when reporting on progress towards objectives.

Let me close with a thought.

Risk Officers have to consider themselves as business executives first and foremost. While their charter may talk about ‘risk’, their job is to help the board and executive team achieve the corporate objectives.

They need to put themselves in the shoes of the CEO and board members. They cannot afford only to concern themselves with reasons not to pursue ventures – implying a desire to stay home and vegetate.

Think like a CEO, act like a CEO, and talk like a CEO. Provide leadership with the information, process, systems, and so on to make effective decisions that lead to success.

I welcome your thoughts.



PS – Do you ‘get’ the pun about ‘entwined’?

Prominent academics fail to understand effective risk management

May 30, 2016

Bob Kaplan deserves our respect. Famous for his contribution to management with the balanced scorecard, he is now Senior Fellow and Marvin Bower Professor of Leadership Development, Emeritus at the Harvard Business School. I have never had the privilege of meeting him.

His colleague, Anette Mikes, was with Bob at Harvard and is now Professor of Accounting and Control at the University of Lausanne (HEC). I am in a network of risk practitioners and thought leaders that includes Anette. I have heard her speak, but have never met her one-on-one. Anette has made important contributions to the academic study of risk management that include a case study of John Fraser’s Hydro One and a similar case study on LEGO.

On earlier occasions, I have shared my thoughts with Anette Mikes on the narrow and highly limiting view that risk management is about mitigating potential harm from adverse events. Unfortunately, I have not been persuasive.

Kaplan and Mikes recently published a Harvard Business School Working Paper, Risk Management – the Revealing Hand.

While there is some value in the paper, such as its insistence that risk management must be continuous and its discussion of over-reliance on models, it demonstrates very clearly why so many board members and executives do not see how the management of risk enables their organization to set and deliver on objectives and strategies. For example, the ERM Initiative at North Carolina State University, in their 2016 survey of the state of risk management, found that only 4% of organizations feel their risk management is very mature (up from the 3.4% in 2010). In 2013, a Deloitte survey found only 13% of executives believing that risk management supports their ability to develop and execute on business strategy very well.

How can risk management practitioners demonstrate value and a significant contribution to the success of an organization when they:

  • Focus on a list of potential harms?
  • Don’t focus on enabling intelligent and informed decisions from strategy to tactics?
  • Talk in technobabble instead of the language of the business?

I see risk management as about:

  • Enabling informed and intelligent decisions that consider what might happen, both good and bad. Those decisions include setting the vision for the organization (including its strategy, plans, and objectives) as well as the decisions made every day across the extended enterprise as people at all levels direct and manage the organization towards its objectives
  • Thinking about what lies between where we are and where we go, how it might affect our ability to achieve or exceed our objectives, and what (if anything) we need to do about it
  • Taking the right level of the right risks. We cannot survive, let alone thrive, if we do not take risk. The concept that we must mitigate all risks is absurd. Risks need to be assessed in the context of achieving objectives, not in a silo
  • Knowing how to assess and evaluate the potential for any event or situation to have good, bad, or a combination of good and bad effects – and providing a structured process for making decisions about the path forward
  • Intelligent and effective management that enables the organization to succeed

Kaplan and Mikes say that there has been no credible academic study that demonstrates that risk management delivers tangible value. (Note, EY and Aon have released studies that say that organizations with better risk management obtain better long-term financial results.)

Is that because they don’t understand what risk management should be? That it is not about managing a list of potential harms – what Jim DeLoach calls Enterprise List Management? Focusing on what could go wrong will not help you do what is needed for everything to go right. If you were greeted at your front door by someone with a list of all the bad things that might happen, would you ever go out? Or, would you dismiss the pessimist with disdain?

A few quotes to support my view:

  • “Enterprise risk management helps an entity get to where it wants to go” – COSO
  • Risk management enables “A greater likelihood of achieving business objectives” and “More informed risk-taking and decision-making” – COSO
  • “The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise” – National Guidance on Implementing ISO 31000:2009 from NSAI in Ireland
  • “We believe a paradigm shift in risk management is beginning, which is tied to the increasingly complex world in which companies now operate; based on the awareness that uncertainty is embedded in (and impacts) everything we do; [and] focused on both capturing upside opportunities as well as protecting the business.” – EY
  • “You need [risk management] to become part of the rhythm of the business: meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.” – EY
  • “The job of risk [management] is to make … executives more confident to take strategic risks; to demand objectivity in decision-making; and to focus on value added, not just value preserved” – Deloitte

I can tell you that the risk management programs at Hydro One and LEGO do not limit their work to potential harms. They consider the potential for reward as well as harm. They work to help management succeed.

So how is it that Kaplan and Mikes have such a narrow view? Perhaps it’s because the great majority of practitioners limit risk to the negative and their practice to a periodic review of a list of top risks – what Jim DeLoach correctly calls ‘enterprise list management’.

That narrow view inevitably creates a disconnect with the desire of management to lead their organization to success.

How do you expect a CEO to believe risk management enables success when all the CRO gives him is a list of what could go wrong? He needs help to see what might happen, both good and bad, and what to do about it – in other words, risk management needs to be seen by the CEO as helping him or her get where he or she needs to go.

Do you share my view?

If so, how do we move both the practitioner and academic community? How can we move the practice forward so that it is recognized by leaders of every organization as contributing to their success?

I welcome your views.


Proposed rules on compensation risk merit consideration by all of us

May 21, 2016 Leave a comment

Five US regulators have jointly published proposed rules regarding compensation risk at the financial institutions they oversee. The agencies are:

  • Office of the Comptroller of the Currency, Treasury (OCC);
  • Board of Governors of the Federal Reserve System (Board);
  • Federal Deposit Insurance Corporation (FDIC);
  • Federal Housing Finance Agency (FHFA);
  • National Credit Union Administration (NCUA); and
  • U.S. Securities and Exchange Commission (SEC).

I believe the principles behind these rules are relevant to every organization, whether non-profit, for profit, large, small, manufacturing, retail, or other.

In general, the proposed rules would require a deferral of compensation (which includes salary, bonus, options, and more) that allows time before payment for consideration of whether excessive levels of risk were taken by individuals that led to their achieving or exceeding targets and earning compensation. Clawback provisions are included.

The rules are not limited to executives. They also apply to any individual whose actions could put the organization at significant risk.

The rules specify the obligations of the board and its compensation committee (all of whose members must be independent).

They also require that the risk officers be independent of the units taking the risk. They do NOT require that the risk office report directly to the CEO or board.

Reviews and reports on the effectiveness of the compensation and risk processes by both the risk office and internal audit are required.

Also required are policies and so on that mandate actions consistent with these requirements.

There’s a lot to like here. The agencies have asked for comments in their >500 page document.

The only item that I have a problem with is when they say “The proposed rule … provides that an incentive-based compensation arrangement will be considered to encourage inappropriate risks that could lead to material financial loss to the covered institution”. (They define ‘material financial loss’ as 0.5% of the organization’s capital.)

  1. No likelihood is defined for ‘could’. Is 0.00001% acceptable? How about 1% or 2% or 5%?
  2. As with so many of these regulators’ rules, everything is expressed in financial terms – $$$. But how do you measure compliance risk? Can you put a quantified value on it? At least the discussion includes a reference that incurring excessive compliance risk is a consideration in whether excessive risk overall was taken to earn a reward.

As I reflect on my experience (it is a great many years since I worked in financial services), I can see these principles addressing a couple of real-life problems at non-financial institutions.

  1. At a number of companies, there was a risk that sales personnel and even management (including both general management and, in some cases, financial management) would collude with third parties such as customers and channel partners to inflate sales for a quarter. Management would agree (a ‘side-letter’) with the third party where the customer or partner would increase an order beyond their needs and receive a credit memo in the next quarter. The fraudsters would receive a larger bonus based on the inflated revenues. Many sales personnel, especially, move from company to company and are willing to take the risk that any discovery of the scheme will be after they have departed. More senior managers, especially if financial managers are part of the scheme, don’t expect to be caught.

If bonuses were deferred, that would delay the reward and reduce the (net) incentive to cheat.

  2. At several companies, individuals were compensated for actions that were not tied directly to profits. Sales and even production personnel were rewarded for actions such as increasing revenue that has little or no margin (‘empty revenue’) or increasing production when margins were negative. I actually heard, in a management meeting when margins were reported as being negative, “we can make it up on volume”.
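The side-letter scheme in the first example above has a recognizable footprint in the general ledger: a spike of orders booked in the last days of a quarter for a given customer and salesperson, followed by credit memos reversing much of it early in the next quarter. The following is an added illustration of the analytic an internal auditor or forensic reviewer might run over an order/credit-memo extract to surface candidates for that pattern; it is not code from the original post or from any regulator, the ledger rows are constructed sample data, and the seven-day window and 50% reversal threshold are assumed tuning values, not figures from the proposed rules.

```python
"""Flag quarter-end orders that are substantially reversed by credit memos in
the following quarter, grouped by (customer, salesperson)."""
import calendar
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real data): (date, customer, salesperson, kind, amount).
# Orders are positive; credit memos are negative, as a GL extract would typically show them.
SAMPLE_LEDGER = [
    (date(2016, 1, 15), "ACME", "rep_a", "order", 100_000),
    (date(2016, 3, 29), "ACME", "rep_a", "order", 900_000),         # quarter-end spike
    (date(2016, 4, 12), "ACME", "rep_a", "credit_memo", -600_000),  # largely reversed next quarter
    (date(2016, 2, 10), "BETA", "rep_b", "order", 400_000),         # mid-quarter, not suspicious
    (date(2016, 4, 3), "BETA", "rep_b", "credit_memo", -50_000),
    (date(2016, 3, 31), "GAMMA", "rep_a", "order", 200_000),
    (date(2016, 4, 20), "GAMMA", "rep_a", "credit_memo", -20_000),  # small, ordinary return
    (date(2016, 3, 30), "DELTA", "rep_c", "order", 500_000),        # late but never reversed
]


def quarter_of(d):
    """Calendar quarter of a date as (year, 1..4)."""
    return (d.year, (d.month - 1) // 3 + 1)


def next_quarter(q):
    year, n = q
    return (year, n + 1) if n < 4 else (year + 1, 1)


def quarter_end(q):
    """Last calendar day of the quarter."""
    year, n = q
    month = 3 * n
    return date(year, month, calendar.monthrange(year, month)[1])


def flag_side_letter_candidates(ledger, window_days=7, reversal_ratio=0.5):
    """Return groups whose orders booked within `window_days` of quarter end are
    reversed by at least `reversal_ratio` of their value in the following quarter.
    Both thresholds are assumed starting points to be tuned against the business."""
    late_orders = defaultdict(float)  # (customer, rep, quarter) -> late order value
    credits = defaultdict(float)      # (customer, rep, quarter) -> credit memo value (positive)
    for d, customer, rep, kind, amount in ledger:
        q = quarter_of(d)
        key = (customer, rep, q)
        if kind == "order" and (quarter_end(q) - d).days < window_days:
            late_orders[key] += amount
        elif kind == "credit_memo":
            credits[key] += -amount

    flags = []
    for (customer, rep, q), late in late_orders.items():
        reversed_amt = credits.get((customer, rep, next_quarter(q)), 0.0)
        if late > 0 and reversed_amt / late >= reversal_ratio:
            flags.append({
                "customer": customer,
                "salesperson": rep,
                "quarter": q,
                "late_orders": late,
                "reversed_next_quarter": reversed_amt,
                "reversal_ratio": reversed_amt / late,
            })
    # Worst offenders first; a reviewer pulls the underlying contracts for each.
    return sorted(flags, key=lambda f: f["reversal_ratio"], reverse=True)


if __name__ == "__main__":
    for flag in flag_side_letter_candidates(SAMPLE_LEDGER):
        print(flag)
```

On the sample data only the ACME / rep_a pair is flagged (two thirds of its late-March orders come back as an April credit memo); a hit is a lead to pull the order, the credit memo and any side agreement, not proof of a scheme, since legitimate returns and pricing corrections produce the same shape at lower ratios. Deferring the bonus, as the proposed rules would, means the credit memo lands before the reward is paid, which is the point the post makes.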

What do you think?

How can these principles be applied broadly to good effect?


The remainder of this post is excerpts from the >500 pages.


There is evidence that flawed incentive-based compensation practices in the financial industry were one of many factors contributing to the financial crisis that began in 2007. Some compensation arrangements rewarded employees – including nonexecutive personnel like traders with large position limits, underwriters, and loan officers – for increasing an institution’s revenue or short-term profit without sufficient recognition of the risks the employees’ activities posed to the institutions, and therefore potentially to the broader financial system. Traders with large position limits, underwriters, and loan officers are three examples of non-executive personnel who had the ability to expose an institution to material amounts of risk. Significant losses caused by actions of individual traders or trading groups occurred at some of the largest financial institutions during and after the financial crisis.

Of particular note were incentive-based compensation arrangements for employees in a position to expose the institution to substantial risk that failed to align the employees’ interests with those of the institution. For example, some institutions gave loan officers incentives to write a large amount of loans or gave traders incentives to generate high levels of trading revenues, without sufficient regard for the risks associated with those activities. The revenues that served as the basis for calculating bonuses were generated immediately, while the risk outcomes might not have been realized for months or years after the transactions were completed. When these, or similarly misaligned incentive-based compensation arrangements, are common in an institution, the foundation of sound risk management can be undermined by the actions of employees seeking to maximize their own compensation.

Flawed incentive-based compensation arrangements were evident in not just U.S. financial institutions, but also major financial institutions worldwide. In a 2009 survey of banking organizations engaged in wholesale banking activities, the Institute of International Finance found that 98 percent of respondents recognized the contribution of incentive-based compensation practices to the financial crisis.

Executive officers and employees of a covered institution may be willing to tolerate a degree of risk that is inconsistent with the interests of stakeholders, as well as broader public policy goals.


The Federal Banking Agencies have found that any incentive-based compensation arrangement at a covered institution will encourage inappropriate risks if it does not sufficiently expose the risk-takers to the consequences of their risk decisions over time, and that in order to do this, it is necessary that meaningful portions of incentive-based compensation be deferred and placed at risk of reduction or recovery. The proposed rule reflects the minimums that are required to be effective for that purpose, as well as minimum standards of robust governance, and the disclosures that the statute requires.


…the proposed rule would apply to any covered institution with average total consolidated assets greater than or equal to $1 billion that offers incentive-based compensation to covered persons.


The proposed rule identifies three categories of covered institutions based on average total consolidated assets:

  • Level 1 (greater than or equal to $250 billion);
  • Level 2 (greater than or equal to $50 billion and less than $250 billion); and
  • Level 3 (greater than or equal to $1 billion and less than $50 billion).


…the proposed rule provides that compensation, fees, and benefits will be considered excessive when amounts paid are unreasonable or disproportionate to the value of the services performed by a covered person, taking into consideration all relevant factors.


The proposed rule … provides that an incentive-based compensation arrangement will be considered to encourage inappropriate risks that could lead to material financial loss to the covered institution, unless the arrangement:

  • Appropriately balances risk and reward;
  • Is compatible with effective risk management and controls; and
  • Is supported by effective governance.


…the proposed rule specifically provides that an incentive-based compensation arrangement would not be considered to appropriately balance risk and reward unless it:

  • Includes financial and non-financial measures of performance;
  • Is designed to allow non-financial measures of performance to override financial measures of performance, when appropriate; and
  • Is subject to adjustment to reflect actual losses, inappropriate risks taken, compliance deficiencies, or other measures or aspects of financial and non-financial performance.


Under the proposed rule, the board of directors of each covered institution (or a committee thereof) would be required to:

  • Conduct oversight of the covered institution’s incentive-based compensation program;
  • Approve incentive-based compensation arrangements for senior executive officers, including amounts of awards and, at the time of vesting, payouts under such arrangements; and
  • Approve material exceptions or adjustments to incentive-based compensation policies or arrangements for senior executive officers.


The proposed rule would apply deferral requirements to significant risk-takers as well as senior executive officers, and, as described below, would require 40, 50, or 60 percent deferral depending on the size of the covered institution and whether the covered person receiving the incentive-based compensation is a senior executive officer or a significant risk-taker.


A Level 1 or Level 2 covered institution would be required to consider forfeiture or downward adjustment of incentive-based compensation if any of the following adverse outcomes occur:

  • Poor financial performance attributable to a significant deviation from the covered institution’s risk parameters set forth in the covered institution’s policies and procedures;
  • Inappropriate risk-taking, regardless of the impact on financial performance;
  • Material risk management or control failures;
  • Non-compliance with statutory, regulatory, or supervisory standards resulting in enforcement or legal action brought by a federal or state regulator or agency, or a requirement that the covered institution report a restatement of a financial statement to correct a material error; and
  • Other aspects of conduct or poor performance as defined by the covered institution.


In addition to deferral, downward adjustment, and forfeiture, the proposed rule would require a Level 1 or Level 2 covered institution to include clawback provisions in the incentive-based compensation arrangements for senior executive officers and significant risk-takers.


The proposed rule would require clawback provisions that, at a minimum, allow the covered institution to recover incentive-based compensation from a current or former senior executive officer or significant risk-taker for seven years following the date on which such compensation vests, if the covered institution determines that the senior executive officer or significant risk-taker engaged in misconduct that resulted in significant financial or reputational harm to the covered institution, fraud, or intentional misrepresentation of information used to determine the senior executive officer or significant risk-taker’s incentive-based compensation.


The proposed rule would require all Level 1 and Level 2 covered institutions to have a risk management framework for their incentive-based compensation programs that is independent of any lines of business; includes an independent compliance program that provides for internal controls, testing, monitoring, and training with written policies and procedures; and is commensurate with the size and complexity of the covered institution’s operations. In addition, the proposed rule would require Level 1 and Level 2 covered institutions to:

  • Provide individuals in control functions with appropriate authority to influence the risk-taking of the business areas they monitor and ensure covered persons engaged in control functions are compensated independently of the performance of the business areas they monitor; and
  • Provide for independent monitoring of:
    1. incentive-based compensation plans to identify whether the plans appropriately balance risk and reward;
    2. events related to forfeiture and downward adjustment and decisions of forfeiture and downward adjustment reviews to determine consistency with the proposed rule; and
    3. compliance of the incentive-based compensation program with the covered institution’s policies and procedures.


To be considered independent under the proposed rule, the group or person at the covered institution responsible for monitoring the areas described above generally should have a reporting line to senior management or the board that is separate from the covered persons whom the group or person is responsible for monitoring. Some covered institutions may use internal audit to perform the independent monitoring that would be required under this section.


…the proposed rule includes a requirement that internal audit or risk management submit a written assessment of the effectiveness of a Level 1 or Level 2 covered institution’s incentive-based compensation program and related control processes in providing risk-taking incentives that are consistent with the risk profile of the covered institution.


…the proposed rule would require each Level 1 or Level 2 covered institution to establish a compensation committee composed solely of directors who are not senior executive officers to assist the board of directors in carrying out its responsibilities under the proposed rule. The compensation committee would be required to obtain input from the covered institution’s risk and audit committees, or groups performing similar functions, and risk management function on the effectiveness of risk measures and adjustments used to balance incentive-based compensation arrangements. Additionally, management would be required to submit to the compensation committee on an annual or more frequent basis a written assessment of the effectiveness of the covered institution’s incentive-based compensation program and related compliance and control processes in providing risk-taking incentives that are consistent with the risk profile of the covered institution. The compensation committee would also be required to obtain an independent written assessment from the internal audit or risk management function of the effectiveness of the covered institution’s incentive-based compensation program and related compliance and control processes in providing risk-taking incentives that are consistent with the risk profile of the covered institution.


The proposed rule would require all Level 1 and Level 2 covered institutions to have policies and procedures that, among other requirements:

  • Are consistent with the requirements and prohibitions of the proposed rule;
  • Specify the substantive and procedural criteria for forfeiture and clawback;
  • Document final forfeiture, downward adjustment, and clawback decisions;
  • Specify the substantive and procedural criteria for the acceleration of payments of deferred incentive-based compensation to a covered person;
  • Identify and describe the role of any employees, committees, or groups authorized to make incentive-based compensation decisions, including when discretion is authorized;
  • Describe how discretion is exercised to achieve balance;
  • Require that the covered institution maintain documentation of its processes for the establishment, implementation, modification, and monitoring of incentive-based compensation arrangements;
  • Describe how incentive-based compensation arrangements will be monitored;
  • Specify the substantive and procedural requirements of the independent compliance program; and
  • Ensure appropriate roles for risk management, risk oversight, and other control personnel in the covered institution’s processes for designing incentive-based compensation arrangements and determining awards, deferral amounts, deferral periods, forfeiture, downward adjustment, clawback, and vesting and assessing the effectiveness of incentive-based compensation arrangements in restraining inappropriate risk-taking.


The proposed definition of “significant risk-taker” incorporates two tests for determining whether a covered person is a significant risk-taker. A covered person would be a significant risk-taker if either test was met. [The first test is based on compensation levels.]

The second test is based on whether the covered person has authority to commit or expose 0.5 percent or more of the capital of the covered institution or an affiliate that is itself a covered institution (the “exposure test”).


