Enterprise risk management ERM ERM v3bis


DOCUMENT INFORMATION

Basic information

Format
Pages: 70
Size: 1.29 MB


Contents


Page 1

Enterprise Risk Management (ERM)

‘Integrated Framework’

IMPLEMENTATION Risk Management Vision and Objectives

Conducting Risk Assessments

Page 2

FUNDAMENTALS & ROLES

• The Fundamentals

• COSO Enterprise Risk Management

• Role of Executive Management

• Role of the Director

• Role of the Chief Risk Officer

• Risk Management Oversight Structure

• Role of Internal Audit

Page 3

• Risk Management Vision and Objectives

• Conducting Risk Assessments

• Getting Started – Set the Foundation

• Building & Enhancing Capabilities

• Building a Compelling Business Case

• Making it Happen

• Relevance to Sarbanes-Oxley Compliance

• Other Questions

Page 4

RM Vision and Objectives

How does management develop a shared vision for the role of risk management in the organization? What is the practical use of a shared vision?

A senior management working group develops the “risk management vision”: a shared view of the role of risk management in the organization and the capabilities desired to manage its key risks (the “big picture view”).

Page 5

RM Vision and Objectives

The risk management vision is a “call for action” to drive the organization to identify, design and build the risk management capabilities needed to close significant gaps and make management’s selected risk responses happen.

Page 6

RM Vision and Objectives

Specific capabilities for managing priority risks: after selecting the priority risks and determining the current state of risk management capability, the desired future state is assessed with the objective of advancing the maturity of the capabilities around managing those risks, closing significant gaps and delivering management’s desired outcomes.

Page 7

RM Vision and Objectives

ERM infrastructure:

• overall risk management policy

• enterprise-wide risk assessment process

• integration of risk responses with business plans

• presence on the board and CEO agenda

• chartered risk committee

• clarity of risk management roles and responsibilities

• dashboard and other risk reporting

• proprietary tools to portray a portfolio view of risk

Page 8

RM Vision and Objectives

How does management define the entity’s risk management goals and objectives?

• Develop a common understanding of risk across multiple functions and business units to manage risk cost-effectively

• Achieve a better understanding of risk for competitive advantage

• Build safeguards against earnings-related surprises

• Build and improve capabilities to respond effectively to low-probability, critical, catastrophic risks

• Achieve cost savings through better management of internal resources

• Allocate capital more efficiently

Page 9

RM Vision and Objectives

RM goals and objectives should be consistent with and supportive of the enterprise’s business objectives and strategies, which:

• target the markets and geographies in which the firm does business

• specify the products and services it provides to those markets, the channels it uses to access those markets and the characteristics by which it differentiates its products and services in the eyes of the customer

• are built on the processes through which the entity converts materials and labor into products and services; employees, training/retention; suppliers/customers; shareholders and lenders

Page 10

RM Vision and Objectives

“Tough questions”:

• What are our business objectives and strategies?

• What are our financial targets, e.g., profitability, size and revenue growth?

• What values do we want to build and reinforce?

• What markets do we choose?

• What relative market position do we seek?

• What is our business model for winning in our chosen markets?

Page 11

RM Vision and Objectives

Page 12

RM Vision and Objectives

“Tough questions”:

• Which specific future events could, if they occurred, affect our organization’s ability to achieve its objectives relating to quality, innovation, timeliness, safety, compliance, etc., or to execute its strategies successfully?

• Which events would affect our market share?

Page 13

RM Vision and Objectives

unit? By major product? By geography?

If we accept the exposures inherent in our business model that give rise to our existing risks, do we have sufficient capital to absorb significant unforeseen losses should they occur?

Page 14

RM Vision and Objectives

ERM Vision Statement:

Contribute to the creation, optimization and protection of enterprise value by managing our business risks as we create value in the marketplace.

Page 15

RM Vision and Objectives

ERM Mission Statement:

Create a comprehensive approach to anticipate, identify, prioritize, manage and monitor the portfolio of business risks impacting our organization. Put in place the policies, common processes, competencies, accountabilities, reporting and enabling technology to execute that approach successfully.

Page 16

RM Vision and Objectives

ERM Goals and Objectives:

Design and execute a global business risk management process integrated with our strategic management process:

• Integrate business risk management with our strategy formulation and business planning processes

• Articulate our strategies so that they are understood throughout our organization

• Establish KPIs designed to drive behaviors consistent with our strategy

• Reward effective articulation and management of key risks

Ensure that process ownership questions are addressed with clarity so that roles, responsibilities and authorities are properly understood

Page 17

RM Vision and Objectives

ERM Goals and Objectives:

Design and execute a global process to monitor and reassess the top-quartile risk profile and identify gaps in the management of those risks, based upon changes in business objectives and in the external and internal operating environment

Define risk management strategies and clear accountabilities and action steps for building and executing risk management capabilities and improving them continuously

Continuously monitor the information provided to decision-makers in order to assist them as they manage key risks and protect the interests of shareholders

Page 18

RM Vision and Objectives

What is “risk appetite”?

• the amount of risk, on a broad level, an entity is willing to accept in pursuit of value

• reflects management philosophy, and in turn influences the entity’s culture and operating style

• qualitative risk appetite: high, medium or low

• quantitative approach: balancing goals for growth, return and risk

• an entity with a higher risk appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging markets; one with a low risk appetite, only in mature, stable markets

Page 19

RM Vision and Objectives

What are “risk thresholds” (= “tolerances” = “limits”)?

The acceptable level of variation relative to achievement of a specific objective; best measured in the same units as those used to measure the related objective.

Page 20

RM Vision and Objectives

Observations:

Risk appetite is strategic: it relates primarily to the business model. Risk tolerance is tactical: it relates primarily to objectives.

Every organization has a risk appetite.

Risk tolerance is reflected differently for different objectives:

• relating to earnings variability

• interest rate exposure

• compliance with laws and regulations

• acquisition, development and retention of people

Page 21

RM Vision and Objectives

Is there a defined methodology for calibrating performance with risk tolerances? (“the acceptable variation relative to the achievement of an objective.”)

Three types of risk tolerance:

• Variability in achieving expected returns (materiality)

• Susceptibility to extreme events = loss exposure or loss driver → exposure to catastrophic loss (probability)

• Inconsistency with the desired risk appetite

Page 22

RM Vision and Objectives

How are the risk management vision and objectives translated into the appropriate ERM infrastructure?

Develop “capabilities” → policies, processes, competencies, reports, methodologies and technologies:

• phase 1 sets the foundation

• phase 2 builds capabilities for critical risks

• phase 3 enhances existing risk management capabilities

Page 23

RM Vision and Objectives

Page 25

Conducting Risk Assessments

What is the relationship between risk assessment and risk management?

Risk assessment is the process of identifying, sourcing and evaluating individual risks and the interrelationships between risks.

Materiality → evaluation of available data and the application of judgment to determine the significance of potential future events

Probability → likelihood of their occurrence

Action planning → leads to formulation of risk responses

Page 26

Conducting Risk Assessments

Risk management is objective-setting, event identification and risk assessment within framework policies.

Page 27

Conducting Risk Assessments

What is the relationship between risk assessment and performance assessment?

Risk assessment is a forward-looking activity applied to future possible events to identify the potential impact on the achievement of objectives and the likelihood of occurrence over a defined time horizon.

Performance assessment is a retrospective activity applied to evaluate the performance of a unit, a process or a function against a pre-determined target or standard over a stated period of time.

Objective → pre-defined target or standard

Page 28

Conducting Risk Assessments

What are the components of an effective objective statement and why are objectives important to an effective risk assessment?

Page 29

Conducting Risk Assessments

What is the difference between an event and a risk?

An event is “an incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives.”

A risk is “the possibility that an event will occur and adversely affect the achievement of objectives.”

positive impact = opportunity

negative impact = a risk → threat

Page 30

Conducting Risk Assessments

Why doesn’t COSO’s definition of risk incorporate the notion that risk includes upside as well as downside?

COSO concluded that broadening the definition of risk to include the potential for “upside” would cloud the concepts and frustrate a primary objective of the framework: to provide a common language for ERM.

Page 31

Conducting Risk Assessments

How do we articulate the concept of “inherent risk” so that it can be effectively used as risk assessment criteria?

Inherent risk is “the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.”

For “residual risk”, current policies and procedures are considered during the assessment.

Risk should be assessed on a residual risk basis after considering the risk responses selected to mitigate the significant risks.

Page 32

Conducting Risk Assessments

Is there an officially endorsed risk language we can use for our organization? NO.

The framework has three event categories consisting of external factors and internal factors:

Environment risk

Process risk

Information for decision-making risk

Page 33

Conducting Risk Assessments

Page 34

Conducting Risk Assessments

Environment risk arises when external forces can affect the entity’s performance or make its choices regarding its strategies, operations, customer and supplier relationships, organizational structure or financing obsolete or ineffective:

• actions of competitors and regulators

• shifts in market prices, technological innovation

• changes in industry fundamentals

• availability of capital or other factors outside the company’s direct ability to control

Page 35

Conducting Risk Assessments

Process risk arises when internal processes do not achieve the objectives they were designed to achieve in supporting the entity’s business model.

Characteristics of poorly performing processes, or process risks:

• poor alignment with business objectives and strategies

• dissatisfied customers

• inefficient operations

• diluting (instead of creating or preserving) enterprise value

• failing to protect significant financial, physical, customer, employee/supplier, knowledge and information assets from unacceptable losses, risk taking, misappropriation or misuse

Page 36

Conducting Risk Assessments

Information for decision-making risk arises when information used to support business decisions is incomplete, out of date, inaccurate, late or simply irrelevant to the decision-making process.

These risks are uncertainties affecting the reliability of information used to support decisions to create and protect enterprise

Page 37

Conducting Risk Assessments

Page 39

Conducting Risk Assessments

Catastrophic Loss

The inability to sustain operations, provide essential products and services, or recover operating costs as a result of a major disaster; this could damage the company’s reputation, ability to obtain capital, and investor relationships.

Page 40

Conducting Risk Assessments

Catastrophic Loss: uncontrollable events, natural and man-made

• war, terrorism, revolution & expropriation (political)

• fire

• earthquake

• severe weather and flooding

These cannot be prevented or even predicted, but their effects on the organization’s assets and operations can be managed.

Page 41

Conducting Risk Assessments

Catastrophic Loss: controllable events, impacted by management’s choices or by the effectiveness of the internal control environment

• environmental disasters

• pervasive health and safety violations

• spectacularly large underwater real estate deals

• headline-grabbing high litigation costs

• huge losses from derivatives

• massive business fraud

• losses in market share due to failure to abandon bad strategies

Page 42

Conducting Risk Assessments

“Top down” approach: senior management defines the objectives of the organization and the related risk categories impacting those objectives; specific events are then identified within each category.

Page 43

Conducting Risk Assessments

To what extent does the organization strictly define risk for the enterprise as a whole, when the organization has a variety of different businesses?

“Cascading” approach:

identifying risks that are common across the enterprise → risks common to all business units drive enterprise-wide responses

operating units with distinctive risk profiles customized to address the unique risks faced by those units → risks unique to individual units drive unit-specific risk responses

Page 44

Conducting Risk Assessments

What are risk maps and how are they used appropriately during the risk assessment process?

Assessments of possible future events identified by senior management or by unit management are plotted on a grid or map according to their impact on the achievement of business objectives and the likelihood of their occurrence.
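The risk map described on this slide, as an added example that is not part of the original deck: it scores constructed sample events on the deck's two axes (impact/materiality and likelihood/probability), re-scores them on a residual basis after the selected risk responses (as the inherent vs residual slide calls for), and flags any whose residual position still exceeds a stated tolerance zone. The 1 to 5 scale, the zone thresholds, the event names and the responses are assumptions.

```python
# Added example (not from the original slides): a minimal risk map as the deck
# describes it. Each possible event is scored on impact (materiality) and
# likelihood (probability), placed in a grid cell and checked against a
# tolerance, on a residual basis after the selected risk responses. Constructed data.
from dataclasses import dataclass, field

LOW, HIGH = 1, 5  # both axes use a 1 (low) .. 5 (high) scale (assumed)

@dataclass
class Risk:
    name: str
    category: str          # environment / process / information for decision-making
    impact: int            # inherent impact (materiality)
    likelihood: int        # inherent likelihood (probability)
    responses: list = field(default_factory=list)  # (label, impact cut, likelihood cut)

    def residual(self):
        """Inherent score reduced by the selected responses, clamped to the scale."""
        imp = self.impact - sum(r[1] for r in self.responses)
        lik = self.likelihood - sum(r[2] for r in self.responses)
        return (min(max(imp, LOW), HIGH), min(max(lik, LOW), HIGH))

def zone(score, high=15, medium=6):
    """Heat-map zone for an (impact, likelihood) pair, by its product (assumed thresholds)."""
    impact, likelihood = score
    if not (LOW <= impact <= HIGH and LOW <= likelihood <= HIGH):
        raise ValueError("scores must be on the 1..5 scale")
    rating = impact * likelihood
    return "high" if rating >= high else "medium" if rating >= medium else "low"

def exceeds_tolerance(risk, tolerance):
    """True when the residual score still lies above the tolerated zone."""
    order = {"low": 0, "medium": 1, "high": 2}
    return order[zone(risk.residual())] > order[tolerance]

def risk_map(risks):
    """Group risk names by residual grid cell (impact, likelihood)."""
    grid = {}
    for r in risks:
        grid.setdefault(r.residual(), []).append(r.name)
    return grid

# constructed sample: one event per category named on the slides
SAMPLE = [
    Risk("Regulator changes capital rules", "environment", 5, 3),
    Risk("Order-to-cash process misses targets", "process", 4, 4,
         [("process redesign", 1, 2)]),
    Risk("Stale data in planning reports", "information", 3, 5,
         [("data quality checks", 0, 2)]),
]
```

Calling risk_map(SAMPLE) gives the residual grid cell for each event, and exceeds_tolerance(risk, "medium") isolates the ones whose selected responses still leave them in the high zone.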

Page 45

Conducting Risk Assessments

Page 47

Conducting Risk Assessments

Impact: materiality

The significance of risk to the business in terms of the effect on achieving business objectives:

financial

execution of key strategies

potential cost in terms of capital, earnings, cash flow and brand equity

materiality: the more severe the risk

time horizon: short, intermediate or long term

Page 48

Conducting Risk Assessments

Page 49

Conducting Risk Assessments

What’s an effective way for an organization to conduct a risk assessment?

interviews

surveys of key personnel

review key documents

conduct facilitated workshops

perform targeted reviews

Page 50

Conducting Risk Assessments

Page 52

Conducting Risk Assessments

Page 53

Conducting Risk Assessments

Page 54

Conducting Risk Assessments

Page 55

Conducting Risk Assessments

What are the common mistakes and pitfalls during the risk assessment process?

Lack of clarification and common understanding of the meaning or definition of risk

Not including all stakeholders

Not considering or giving appropriate weight to knowledgeable positions

Posted: 18/01/2019, 14:29