Enterprise Risk Management and Internal Audit: Partners in Value Creation J.V. Rizzi, ABN AMRO Bank May 21, 2007. 19th Annual Spring Internal Audit Conference and Audit Directors Roundtable May 21-23, 2007 Hyatt Regency Hotel Chicago, Illinois.
The views expressed are those of the author and do not necessarily reflect those of ABN AMRO Bank.
Today's Discussion
• Enterprise Risk Management Overview
• Enterprise Risk Management at ABN AMRO
• Internal Audit Implications of ERM
• Conclusion
Risk Issues and Challenges
• Analysis of interrelationships/correlations of different types of risk
• Accountability for all risks under one organization (CRO)
• Measuring risk on a consistent basis (capital)
• Assessment of risks in, and value implications of, corporate strategies
• Considering cross-risk extreme scenarios
Classical Risk Management
Classical approaches to managing risk focus on establishing well-maintained and controlled processes around single risk factors: Credit, Operational, Market, Compliance, Country, Liquidity, Strategic and Line of Business.
Historically, this approach to managing risk has been appropriate for the environment. However, as the environment changes, so must the discipline.
Enterprise Risk Management
• VISION: Manage all material risks and opportunities across the organization
• Across silos
• Total risk management
• WHY: Improve decision making through portfolio management of interrelated risks
• RESULT: Manage to objectives consistent with stakeholder expectations to increase value
Enterprise Risk Management Objectives [diagram; layout not recoverable from the extracted text]
• Objectives shown: Value Creation, Return on Risk, Cost of Capital
• External Stakeholders: Regulators, Shareholders, Rating Agencies
• Internal Stakeholders: CEO, CRO, CFO
• Portfolio of Enterprise Risks and Portfolio of Capital Resources (Assets)
• Linking elements: Capital Required, Capital Allocation, Risk Appetite, Capital Management, Risk Structure, Capital Structure, Economic Capital
Big Enterprise Risk Management Ideas
• Management Information: Dashboard
• Risk Oversight & Independence: Governance Roles
• Communication & Escalation: Interaction Model
• Strategic Planning: Strategic Risk Model
Accomplishments to Date (2004 to 2007 timeline)
• Independence review
• Dashboard development
• Risk outlook
• Governance structure
• Economic Capital framework adopted
• Basel II Program became operational
• December — ERM introduced as a 2006 strategic agenda item for Risk Management NA and Group Risk Management
• May — Global Steering Committee formed including GRM, Finance, Compliance, Audit et al. with monthly meetings
• June — ERM framework presented and endorsed at the Risk Leadership Conference
• December — ERM Program endorsed by Managing Board and NA Regional Management Committee (RMC) and ERM Program activated
• 2006 Risk Charter drafted in "ERM style."
The four pillars of BUNA's ERM Program [diagram]
• I. Risk Oversight and Independence
• II. Communications and Escalation
• III. Management Information
• IV. Strategic Planning and Alignment
Foundation: Risk Philosophy and Guiding Principles
Risk Foundation: Risk Philosophy
GUIDING PRINCIPLES
• Risk Awareness where "everyone is a Risk Manager"
• Defined Risk Appetite and Risk Tolerance
• Clarity and Transparency through a common language
• Risk-Reward Alignment that manages risk for value
• Compliance where "everyone acts to protect"
Supporting principles: Responsibility and Ownership; Centralization and Aggregation; Authority and Delegation; Four-eyes principle; Independence and Oversight
Distribution of Risks by Probability and Impact [heat map; image not recoverable]: Average Probability (0% to 30%) plotted against Average Expected Impact (0 to 60), with quadrants labelled Low Risk, Medium Risk and High Risk. Legend: Unacceptable Level, Unknown - Need More Info, Acceptable Level, Un-Rated. Marked "DRAFT Under Re-evaluation".
Risks plotted (numbers in parentheses as on the original chart): Client/Corporate Credit Default (6), System / IT (7), General Economy Decline (4), Fraud Loss (9), Data Loss/Vulnerability (11), Control Breakdown (13), Model Risk / Failure (6), Failed Business Practices (4), Declining Employee Morale/Loss of Top Employees (5), Real Estate Decline (6), Regulatory / Ethical Failure (7), Legal Risk (4), Material Unpredicted External Event (6), Supplier Failure (2).
ERM Dashboard: Integrated Risk, Reward and Strategy View
• Comprehensive Risk Assessment
• Key Risk Indicators
• Key Performance Indicators
• Top 10 Risks – Heat Map
• 2007 BU NA Management Priorities
• Executive sponsorship
• Forward looking, actionable, risk escalation tool
Governance Actions
Successful ERM implementation requires a clear governance structure and interaction model that creates a risk-aware culture able to identify, measure and manage inter-related risks.
The Risk Governance Model defines three legs: Businesses that take and manage risk, Risk Management that provides policy and analysis, and Audit that provides assurance.
Strategic Risk Management: ERM Communications Strategy
• Adopt theme: "Everyone is a Risk Manager"
• Develop tactical communications plan
• External conferences / communication
Escalation
• Clarification of escalation expectations
• Promote learning culture
• Standards of Conduct to include risk issue escalation
• Align with compliance-related policies and procedures
Strategic Risk Management: Enterprise Strategy and Risk Appetite
• Agree ERM role and PfC process
• Performance contract process to embrace ERM
• Align Finance & Risk strategic agendas
Building ERM capabilities is an iterative, incremental approach with some potentially big hurdles to overcome.
Challenges Of Achieving An ERM Approach [chart: Risk Management Survey Results; data not recoverable from the extracted text]
Lessons Learned
• Sustainability: to sustain progress and momentum, maintain program team continuity.
• Sponsorship: successful Risk Management implementations require senior management and Board support.
• Change Management: significant effort will be required to overcome organizational inertia and change the mindset to a risk-reward culture.
• Project Management: do not underestimate launch complexities or cultural challenges; run pilot programs prior to global roll outs.
The Role of Internal Audit in Enterprise Risk Management (COSO)
Parallel Developments in Internal Audit and Risk Management
• Shift in focus:
• from control based to risk based
• from historical to forward looking
• from accounting focused to value focused
• Integration of ERM and Internal Audit
Determine Audit Criteria: ERM Governance
• Internal Audit should align the organization's Internal Control Framework with the ERM Program to help assure "In Control" status
• Governance model should consider:
• Oversight and independence of the Risk Management function
• Defining roles and responsibilities
• Explicit Senior Management support
• Reporting relationships and requirements
• Accountability
Regulators Want Assurance: "In Control" Status
The "In-Control" status indicates an understanding of risk management effectiveness and internal controls throughout the organization.
• Elements of ERM:
• ERM vision & framework
• Committee charter
• ERM Dashboard
• RCSA
• Strategic risk model
• ERM policies
• Event risk analysis
• Integrated compliance monitoring
• Risk strategy alternatives
• KRIs and KPIs
• Risk appetite
"In-Control" rests on Effective Risk Governance and Risk Appetite [diagram].
• Tangible Functions and Processes:
• Organization Structure
• Accountability
• Risk Limits
• Internal Controls
• Decision Matrix
• Interaction Model
• Assessment Process
• Measurement & Reporting
• Technology
• Intangible Functions and Processes:
• Change Management
• Communication
• Culture
Internal Audit provides assurance through periodic audit.
The Complete Audit Approach Model [diagram; quadrants labelled Business Execution, Risk Oversight, Management Process, Books and Records]
• Business Managers: make transaction decisions; focus on day-to-day management of risk.
• Risk Management: quantify residual risks and ensure capital adequacy; assess control design adequacy.
• Audit: verify procedures are being followed; test effectiveness of controls.
• Finance: ensure appropriate accounting; focus on G/L accuracy.
Internal Audit
• Provides assurance ERM is functioning as intended
• Ensures accountability
• Encourages flexibility to fit changing circumstances
• Independently verifies risk management coverage
• Tests effectiveness of risk oversight and controls
Summary
• ERM is a process, ongoing and flowing through an entity
• ERM improves interaction between Risk Disciplines and LOBs on risk-related matters
• ERM enables risk-based decision-making across the organization
• ERM is effected by people at every level of an organization
• ERM is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• ERM is designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
• Internal Audit constitutes an important partner in the ERM process