Learn the crucial aspects of Enterprise Risk Management, recognize your organization's risk environment, and assess overall risk readiness. Gain insights into managing risks effectively to achieve business objectives while minimizing uncertainties and exposures.
Enterprise Risk Management • Presented to The Audit Directors Roundtable • Atlanta, Georgia • October 16, 1997
Agenda • “Know yourself” - a starting point for Enterprise Risk Management • A model for Enterprise Risk Management • Four focal points of Enterprise Risk Management • The Unconscious Conspiracy • Sustainable Enterprise Risk Management
Know yourself - three kinds of risk environment • Unprotected - Processes, systems not in place. Cultural attitudes not supportive. Basics not strong. Typical of: Start-ups, JV’s, different cultures, speed to market. Challenges: Lack of capability; where to start. • Transitional - Financial control processes moderate. History of problems, surprises. Rapid change, rapid growth situations. Challenges: High stress, over-stretched, resource constrained; Fire-fighting. • “Go ahead.....” - Well established systems, common processes. Pockets of slackness, many areas for improvement. Basics well in place. Challenges: Operational, strategic; Unconscious Conspiracy.
Risk Environment (OF #1) • How would you describe your current risk environment? • Unprotected • Transitional • Go Ahead
Risk Readiness Ten indicators of ability to anticipate and manage risk: (COSO, CoCO, etc.) • Objectives and risks • Policies and parameters • Values and ethics • Responsibility and accountability • Trust and communication • Skills and tools • Systems and discipline • Scanning and questioning • Monitoring and follow-up • Assessment and reporting
Overall Risk Readiness (OF #2) • How would you describe your organization’s overall risk readiness? • Very ready • Ready • Fairly ready • Somewhat ready • Very unready
The Enterprise Risk Model • What are you trying to accomplish? • What gets in your way? • What are you doing to manage this? • Where do you feel the most exposed?
Enterprise Risk Model • $R_{(O)} - C^{n} = E$ • Diagram labels: Business Strategies & Objectives; Set Expectations; Identify Risks; Measure / Assess Risk & Control; Assess & Mitigate Exposure; Monitor Risk Environment, Risk Management; Assess Performance against expectations
Enterprise Risk Model - terms • Financing • Risk Management • Significance • Uncertainty • Avoidance • Risk • Capital • Identification • Monitoring • Measurement • Exposure • Control • Mitigation • Transfer
Enterprise Risk Model - definitions • Financing - Economic resources available for use in pursuing objectives and risk management activities • Risk Management - The business process of managing uncertainty and significance of risk to an acceptable level of exposure • Significance - Importance and magnitude of meaning, influence or effect • Uncertainty - The level of the unknown regarding a future outcome • Avoidance - Declining an opportunity because expectation does not justify the risk involved • Risk - Anything of variable uncertainty and significance that interferes with achievement of objectives • Capital - Financial resources that support objectives and that enable survival under adverse outcomes • Identification - Recognizing or establishing objectives, risks or exposures as being of a particular type or origin • Monitoring - The process of continuous identification and measurement • Measurement - Assessing the likelihood and significance of risks, exposures and related objectives • Exposure - Susceptibility of objectives to risk remaining after control and mitigation activities • Control - Action to correct or reduce uncertainty to an acceptable level • Mitigation - Action to correct or reduce significance of risks and outcomes to an acceptable level (such as through diversification, financing, transfer, etc.) • Transfer - Sharing a portion of risk and potential reward with another party
Enterprise Risk Model - Risk: $R_{(O)}$ • (a) Risk is a function of Business Objectives • (b) Risk is lost Opportunity • Risk - Anything of variable certainty and impact that interferes with achievement of objectives
Enterprise Risk Model - Control & Mitigate: $C^{n}$ • Retain & Manage/Mitigate Risk • Mitigate - (Detect & Correct) • Hedge Risk, diversify, finance • Self Insure • Avoid Risk • Control (Prevent) to reduce likelihood • Re-engineer to avoid risk • Change objectives (opportunity) • Transfer Risk to others • Purchase insurance • Control - Action to correct or reduce certainty to an acceptable level • Mitigation - Action to correct or reduce significance of risks and outcomes to an acceptable level (such as through diversification, financing, transfer, etc.)
Enterprise Risk Model - Exposure (E) • Function of the Certainty of Risk Occurrence, & Significance of Risk, if it occurred • Measured on a spectrum of acceptable ----- unacceptable • Exposure - Susceptibility of objectives to risk remaining after control and mitigation activities
Risk Exposure (chart) • Axes: Significance (VL, M, VH) against Certainty (VL, M, VH) • Zones: Acceptable, Caution, Unacceptable
Current Risk Assessment Process (OF #3) • How would you describe your satisfaction with your current enterprise risk management process? • Setting expectations • Identifying risks • Measuring and assessing risks • Assessing and mitigating exposure • Monitoring risk environment and risk management • Assessing performance against expectations
Focal points for Enterprise Risk Management • Basics - Examples: Financial processes (purchasing, payments, accounting). Typical Risk Classes: Information, Methods, Technology, Ethics. • Behavior - Examples: Structure (accountability, responsibility); Tone: trust, motivation, ethics, enablement. Typical Risk Classes: People, Organizational, Environment. • Business - Examples: Production, sales, distribution, design, engineering, human resources, service. Typical Risk Classes: Operational; Methods, Materials & equipment; Interest, Liquidity, Concentration, Market, Environment. • Burning - Examples: Unconscious Conspiracy issues - sales practices; product liability; Challenger; transportation disasters. Typical Risk Classes: Ethics, Environment, Organization.
Supporting different starting points.. (grid) • Columns: Unprotected - Build It; Transitional - Fix It; “Go ahead.....” - Demonstrate It • Rows: Basics, Behavior, Business, Burning • Every cell is marked “?”
Focal Point for Risk Management (OF #4) • What is your organization’s focal point for risk management at this time? 1. Basics 2. Behavior 3. Business 4. Burning 5. Any combination or all of the above
The value of Enterprise Risk Management • Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness
Risk Management Focus - Basics • Objective: Integrity of assets, transactions, reporting • Risk Classes: Methods & systems; Facilities; People; Information; Environment; Technology • Control: Procedural Risk Frameworks (globally established); Guidance materials; Policy infrastructure (Corporate, accounting); Established through training; Customized for “hostility” of local environment; Assessed by audit, or self assessed; Metrics from benchmarking, compliance • Risk Consequences: Fraud, error, inefficiency; ineffectiveness
Four focal points (Common, Cultural, Specific, Core; Basics, Behavior, Business, Burning) • Capability issues - what, how, where • Policies, procedures, processes; Reengineering, Business process redesign; Quality improvement processes; Benchmarking; best practices; Handbooks; Training; Surveys, questionnaires, audits
The value of Enterprise Risk Management • Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness • Behavior: Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty
Risk Management Focus - Behavior • Objective: Standards of ethics, trust, integrity, openness of communication, learning, responsiveness ....... • Risk Classes: People; Environment • Control: Ethics policy infrastructure; Tone at the top; attention to detail; Culture creation / development processes; Customized for “hostility” of local environment; Assessed by culture profiles; Metrics from benchmarking - internal & external • Risk Consequences: Fraud, Ineffectiveness, Loss of key people, Regulatory penalty, Loss of reputation, .......
Four focal points (Common, Cultural, Specific, Core; Basics, Behavior, Business, Burning) • Commitment issues - why, whether • Structural issues - accountability, responsibility, authority • Leadership issues • Cultural issues - trust, motivation • Workshops, conferences, workgroups, surveys
The value of Enterprise Risk Management • Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness • Behavior: Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty • Business: Avoid or transfer risk; Quantify risk uncertainty for specific risks; Use capital market techniques to manage certain risks; Improve quality / timeliness / price / delivery / technology; Reduce costs / downtime / lost productivity; Improve relationships with customers / employees / suppliers / regulators / investors / creditors; Protect against criminal / civil / regulatory penalties; Improve achievement of business objectives
Risk Management Focus - Business • Objective: Achievement of business objectives (Strategic; Group; division; department; team) • Risk Classes: Methods & systems; Facilities; People; Information; Environment; Technology; Operations; Market; Credit • Control: Business Risk Frameworks (globally established); Impact & likelihood assessments; Business risk management assessment; Avoid (Prevent, Re-engineer); Retain & manage (Detect, Correct, Hedge..); Transfer (purchase insurance; self-insure); Policy infrastructure; Engagement of key people; Assessed by audit, or management self assessed; Metrics based on business risk • Risk Consequences: Failure to achieve business objectives
Four focal points (Common, Cultural, Specific, Core; Basics, Behavior, Business, Burning) • Objectives / Purpose issues • Operational risks; Legal / regulatory; Capital / financial; Strategic • Measurement - analysis, hedge, transfer, avoid • Assessment - workshop, survey, interview • Engage, enable, enthuse
The value of Enterprise Risk Management • Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness • Behavior: Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty • Business: Avoid or transfer risk; Quantify risk uncertainty for specific risks; Use capital market techniques to manage certain risks; Improve quality / timeliness / price / delivery / technology; Reduce costs / downtime / lost productivity; Improve relationships with customers / employees / suppliers / regulators / investors / creditors; Protect against criminal / civil / regulatory penalties; Improve achievement of business objectives • Burning: Protect against fundamental risk
Risk Management Focus - Burning • Objective: Protection from fundamental risk; Achieve quantum leap opportunity • Risk Classes: All.... • Control: Structured format for open dialogue; Heightened awareness of unconscious conspiracy; Cross-silo workshops, conferences, meetings; Knowledge / memory management; Governance processes • Risk Consequences: Massive fraud, or error; Disaster; Loss of competitive position; Loss of value
The Unconscious Conspiracy • Disaster events • No single “cause” • Environment, technology, structure, culture, systems, processes, people all play a role • The organization had all the information about the risk - but no one person had it all, or made the connections. • A number of indicators of unconscious conspiracy were available..... in hindsight.
The Unconscious Conspiracy - Indicators... • Today’s “Business Imperative” - industry wide • Hot opportunity • High reliance on a few wizards • Dominating objective • Unchallenged assumptions • Dominating individual • .......
Four focal points (Common, Cultural, Specific, Core; Basics, Behavior, Business, Burning) • Learning issues - fundamental issues that are stuck at awareness / action stages • Accessed by workshops - shared awareness, moving the unconscious conspiracy to conscious awareness and action • Issues are normally fundamental, sometimes critical to survival
Integrated Risk Management (diagram built up over successive slides) • Focal points: Burning, Basics, Behavior, Business • Labels: Policies; Procedures; Fraud protection; Information Systems; Governance; Accountability; Tone; Values; Ethics; Trust; Unconscious Conspiracy; Strategic; Operational; Quantify uncertainty; Avoid; Transfer; Insurance Risk Management; Capital Market Strategies; Operational Uncertainty (non-quantified); Risk & control frameworks & Gap analysis; Risk & control Maps & Gap analysis; Systems quality & integrity; Culture profiles; Control environment change management; Business Risk Management Self-assessment of exposure - leading to Action; Risk & Control frameworks; Governance review; Facilitated business & strategic risk assessment; Diagnostics; Internal Audit based on integrated Risk Framework
Enterprise Risk Management - Implementation approaches (Cultural, Common, Specific, Core; Basics, Behavior, Business, Burning) • Facilitated workshop • Risk Profiles • Risk Frameworks • Quantitative methods • Insurance methods • Procedural frameworks • Surveys • Enterprise risk framework database
What are the major challenges you face in developing an integrated approach to risk management?
What do you think needs to be done to manage these challenges?
Sustainable Risk Management aligns People, Objectives, Risks • Builds Employee Involvement • Creates Business Value • Builds a Global Connection • Enhances Teamwork • Anticipates risk
The value of Enterprise Risk Management • Basics: Reduce fraud, Minimize error, Increase efficiency & effectiveness • Behavior: Reduce fraud & error; Increase efficiency & effectiveness; Engage & enthuse; Minimize penalty • Business: Avoid or transfer risk; Quantify risk uncertainty for specific risks; Use capital market techniques to manage certain risks; Improve quality / timeliness / price / delivery / technology; Reduce costs / downtime / lost productivity; Improve relationships with customers / employees / suppliers / regulators / investors / creditors; Protect against criminal / civil / regulatory penalties; Improve achievement of business objectives • Burning: Protect against fundamental risk
Next Steps • Incorporate group brainstorms and Option Finder exercises into a report of today’s session • Distribute report to all participants • Other?