Enterprise Risk Management (ERM) A Practical Approach May 20, 2014
Risk Management Landscape
• Often, risk management and oversight are the responsibility of select groups within organizations.
• This emphasizes a silo-based philosophy and approach, resulting in a lack of strategic alignment, awareness and accountability across the organization.
• Disparate efforts might measure unrelated values that do not give management a holistic view of its total value at risk.
• Internal reporting cannot capture cross-relationships and interdependencies that might compound or mitigate certain organization-wide exposures.
• As a result, management has a false sense of security that risks are adequately addressed and managed.
• Enterprise Risk Management (ERM) has evolved over many years as a discipline to address these challenges.
Driving Forces
• Learning from well-publicized crises
• Fiduciary duty of officers and directors
• International protocols
• Ratings agencies evaluating risk management
• Volatile credit market conditions
• Corporate governance expectations
• US Sentencing Guidelines
Value Proposition
• Broader understanding of aggregate exposure to risk
• Align risks and rewards
• Eliminate surprises
• Clarify roles and responsibilities
• Assign risks with no clear owner
• Enhance collaboration in response to events
• Improve business decisions
Defining ERM
• Enterprise Risk Management is defined by the Committee of Sponsoring Organizations (COSO) as follows:
• “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The content in this section is based on information gathered from www.coso.org
Defining Enterprise Risk Management
• Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
• The risk appetite reflects the entity’s risk management philosophy and, in turn, influences the entity’s culture and operating style.
• The risk appetite is directly related to an entity’s strategy.
• Enterprise risk management helps management select a strategy that aligns anticipated value creation with the entity’s risk appetite.
• Enterprise Risk Management consists of eight interrelated components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring (each is described in the component slides that follow).
[Diagram labels: Silo Risk; Gross Risks; Response and Control; Net Risks]
ERM Approach
• We recommend a multi-phased and iterative ERM process designed to:
  • Focus on the highest priority risks.
  • Prove the process and refine as needed.
  • Leverage existing processes and risk-related activities and deliverables.
  • Confirm the benefit of the ERM processes.
[Diagram label: Business Goals, Objectives and Strategies]
ERM Approach
Phase 1 – Identify, Assess and Validate Enterprise Risk
• Review Corporate Vision Statement.
• Identify the risk category (strategic, operations, reporting or compliance) for the risk assessment.
• Document potential events / risks and their related impact on the company’s strategy through workshops and/or surveys.
ERM Approach
Phase 1 – Identify, Assess and Validate Enterprise Risk (continued)
• Define likelihood.
• Determine levels of impact.
• Assess the likelihood and impact if the event / risk occurred.
• Determine the priority.
ERM Approach
Phase 1 – Identify, Assess and Validate Enterprise Risk (continued)
• Define risk tolerance and risk appetite.
• Identify the high-level management strategy.
• Document the risk response.
• Develop future mitigation actions.
• Determine the overall status.
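As an added illustration of the Phase 1 steps above (example code, not part of the original deck), the Python sketch below rates each documented risk on likelihood and impact, computes gross and net risk, compares the net risk with a tolerance value, flags risks with no clear owner, and orders the register so the highest-priority risks come first. The category names and response types are the ones used in these slides; the 1-to-5 rating scales, the priority cut-offs and the sample entries are assumptions.

```python
from dataclasses import dataclass

# Added example, not from the deck. Ratings use an assumed 1 (lowest) to 5 (highest)
# scale; categories, response types and gross-versus-net follow the slides.
CATEGORIES = ("strategic", "operations", "reporting", "compliance")
RESPONSES = ("avoidance", "reduction", "sharing", "acceptance")
PRIORITY_BANDS = ((15, "high"), (8, "medium"), (0, "low"))  # assumed cut-offs, score 1..25

@dataclass
class Risk:
    name: str
    category: str
    likelihood: int           # inherent likelihood, before any response
    impact: int               # inherent impact, before any response
    response: str             # management's chosen response
    residual_likelihood: int  # likelihood after the response and controls
    residual_impact: int      # impact after the response and controls
    owner: str = ""           # empty = no clear owner assigned yet

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown risk category: {self.category}")
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response: {self.response}")
    def gross(self) -> int:   # inherent exposure: likelihood x impact
        return self.likelihood * self.impact
    def net(self) -> int:     # exposure remaining after the response
        return self.residual_likelihood * self.residual_impact

def priority(score: int) -> str:
    return next(label for floor, label in PRIORITY_BANDS if score >= floor)

def build_register(risks, tolerance: int):
    # Rows ordered highest gross risk first, each with an overall status.
    rows = []
    for r in risks:
        issues = []
        if r.net() > tolerance:
            issues.append("net risk exceeds tolerance")
        if not r.owner:
            issues.append("no clear owner")
        rows.append({"name": r.name, "category": r.category, "gross": r.gross(), "net": r.net(),
                     "priority": priority(r.gross()), "response": r.response,
                     "status": "; ".join(issues) or "within tolerance"})
    return sorted(rows, key=lambda row: row["gross"], reverse=True)

SAMPLE = [  # constructed sample entries
    Risk("Customer data breach", "compliance", 4, 5, "reduction", 2, 4, owner="CISO"),
    Risk("Key supplier insolvency", "operations", 2, 4, "sharing", 2, 2, owner="COO"),
    Risk("Financial restatement", "reporting", 2, 5, "reduction", 1, 3),
]
REGISTER = build_register(SAMPLE, tolerance=6)
```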
ERM Approach
After Phase 1, we recommend:
• Either continue with Phases 2 through 6, based on the value, or
• Return to Phase 1 with a different risk category
• Prove the process and refine as needed
• Leverage existing processes and risk-related activities and deliverables
• Confirm the benefit of the ERM processes
ERM Initial Action Steps
• Seek Board and Senior Leadership involvement and oversight
• Select a strong leader to drive the ERM initiative
• Establish a Management Risk Team
• Conduct the initial enterprise-wide risk assessment and develop an action plan
• Inventory the existing risk management practices
• Develop initial risk reporting
• Develop action plans for future phases
Key Implementation Questions
• Are we taking the right kinds of risk?
• Are we taking the proper amount of risk to meet our objectives?
• Are we allocating resources (financial, human, technology) efficiently to manage risks?
• Do we have a competitive advantage in a particular type of risk?
• What will be our cultural and operational challenges as we implement ERM?
Risk Appetite Statement – Sample
• High-level roadmap of an organization’s risk management strategy.
• Facilitates consistent enterprise-wide risk management.
Risk Register – Sample
• High-level summary of the key aspects of a risk that an organization needs to know in order to effectively mitigate and manage a material risk.
• Conveys risk ownership and how the organization is currently mitigating and managing each material risk.
Capability Benchmarking and Align Capabilities to Risks
[Chart: self-assessment on a 1.0 to 5.0 scale]
ERM Best Practices
• Create a strategic plan, implementation roadmap and on-going program for ERM.
• Incorporate risk management into the strategy, development and review of all business action plans.
• Leverage a framework (or multiple frameworks).
• Obtain Board and Senior Leadership sponsorship.
• Request visible, active support from the CEO and CFO.
• Create Board- and Executive-level committees that are actively involved in risk management.
• Share risk management information with the Senior Leadership team and business partners.
• Develop and maintain an ERM dashboard.
• Create a culture encouraging full engagement and accountability.
• Develop a process tailored to your organization.
• Use consistent risk management language across the organization.
• Consider an automated tool that meets the organization’s needs.
Contact Information
• Lester Sussman, Senior Practice Director, lsussman@rgp.com, 818-598-5730
• Nelson Schmidt, Managing Director - Houston, Nelson.schmidt@rgp.com, 713-403-1965
• Tommy Parker, Managing Director, Strategic Accounts, Tommy.parker@rgp.com, 713-403-1970
Internal Environment – ERM Component
• Internal Environment sets the basis for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people – their individual attributes, including integrity, ethical values and competence – and the environment in which they operate.
• Risk Appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the Risk Management Philosophy and, in turn, influences the entity’s culture and operating style.
• Integrity and Ethical Values influence the way strategies are implemented and require management’s commitment. Standards of behavior go beyond compliance with the law.
• Organizational Structure provides the framework to plan, execute, control and monitor activities. The structure includes defining authority and responsibility and establishes appropriate lines of reporting.
• Assignment of Authority and Responsibility establishes the levels at which an individual is empowered (or not) to make decisions.
Objective Setting - ERM Component
• Objective Setting is aligned to event identification, risk assessment and risk response.
• Strategic Objectives are high-level goals that align with and support the entity’s mission and vision and identify critical success factors for the entity, business unit, function, department, etc., or an individual. Objectives should be readily understood and measurable. Related objectives include:
  • Operations Objectives
  • Compliance Objectives
  • Reporting Objectives
• Achievement of Objectives helps to implement appropriate risk responses and provide timely monitoring and reporting of how the entity is achieving the objectives.
• Risk Appetite can be expressed in qualitative or quantitative terms. It can be described as the acceptable balance of growth, risk and return, or as risk-adjusted shareholder value-added measures.
• Risk Tolerances are the acceptable levels of variation in performance relative to the achievement of objectives.
• Performance measures can be used to help ensure the actual results will be within established tolerances.
Event Identification - ERM Component
• Event Identification is a process to determine whether certain occurrences could happen and whether they would have a positive or negative impact on the entity’s ability to implement strategy and achieve objectives.
• Events are incidents or occurrences emanating from internal or external sources.
• Influencing Factors can be:
  • External (economic, natural environment, political, social, technological)
  • Internal (infrastructure, personnel, process, technology)
Risk Assessment - ERM Component
• Risk Assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Risks are generally assessed from two perspectives – likelihood and impact – and normally through a combination of qualitative and quantitative methods.
• Risk Categorization
  • Strategic
  • Operational
  • Reporting
  • Compliance
• Assessing Impact
  • Data sources
  • Perspective
• Quantitative Risk Assessment Techniques
  • Benchmarking
  • Probabilistic models
  • Non-probabilistic models
Risk Response - ERM Component
• Risk Response – Management determines how it will respond to risks. Categories of Risk Responses include:
  • Avoidance
  • Reduction
  • Sharing
  • Acceptance
• Evaluating Possible Responses
  • Evaluating the effect on risk likelihood and impact
  • Assessing costs versus benefits
  • Opportunities
Control Activities - ERM Component
• Control Activities are the policies and procedures, carried out by people directly or through the application of technology, that help ensure management’s risk responses are carried out.
• Types of Control Activities
  • Top-level reviews
  • Direct functional or activity management
  • Physical controls
  • Performance indicators
  • Segregation of duties
• Controls over Information Systems (other frameworks, such as COBIT, the Information Technology Infrastructure Library (ITIL) and International Standards (ISO), are often used to provide detailed guidance):
  • Information technology management
  • Information technology infrastructure
  • Security management
  • Software acquisition, development and maintenance
  • Application controls
Information and Communication - ERM Component
• Information and Communication are needed at all levels to identify, assess and respond to risks, using information gathered and generated from a variety of sources, and to make informed decisions.
• Information – operating, financial and non-financial – is relevant to multiple business objectives:
  • Strategic and integrated systems
  • Integration with operations
  • Depth and timeliness of information
  • Information quality
• Communication is inherent in information systems, but it must also take place in a broader sense to deal with expectations and responsibilities. Additionally, all personnel need to receive a clear message from leadership that ERM is to be taken seriously.
  • Internal
  • External
  • Communication methods
Monitoring - ERM Component
• Monitoring – Risk Management is monitored in the normal course of activities or through separate evaluations.
• Ongoing Monitoring Activities are regular management activities.
• Separate Evaluations
  • Scope and frequency
  • Who evaluates
  • The evaluation process
  • Methodology
  • Documentation
• Reporting Deficiencies
  • Sources of information
  • What is reported
  • To whom to report
  • Reporting directives