January 11, 2013
Embedding Enterprise Risk Management (ERM) Into The Audit Plan IIA – Atlanta Chapter
Introductions
Shane Hester, CPA Risk Advisory Manager
Atlanta, GA
Agenda
Overview of Enterprise Risk Management (ERM)
Why an effective ERM strategy is necessary
The future of ERM
The limitations of ERM
Five simple steps that lead to better risk management
What is ERM? - Definition
What is ERM?
ERM is a systematic approach to identifying, measuring, mitigating and monitoring risks within an organization
ERM must be a company-wide initiative and embraced by all levels of management
ERM begins with soft controls (i.e. tone at the top, alignment with strategy and an understanding of overall risk appetite)
What is ERM?
ERM is a principles-based approach to manage, not eliminate, risk
ERM is a process:
• Built into routine business practices
• Designed to:
  – Identify emerging events with the potential to affect the entity
  – Assess the potential impact consistently
  – Manage risk within a predetermined risk appetite
• Geared to the achievement of objectives
• Applied across the enterprise
• Tied to the organization’s strategic goals
What is ERM?
ERM – Risk identification
• No functional silos
• Communication of risks
• Risk origination
Figure: risks originate in every function (Sales & Marketing, New Accounts, Transaction Processing, Financial Reporting, Customer Service) and are channelled into ERM
What is ERM?
ERM – Risk measurement: a common risk language
• Strategic – Risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions
• Reputation – Risk to earnings or capital arising from negative public opinion
• Operational – Risk to earnings or capital arising from problems with service or product delivery
• Fraud – Risk to earnings or capital arising from intentional misrepresentation or abuse of assigned responsibilities by customers, non-customers or employees
• Event – Risk to earnings or capital arising from some catastrophic or major event
What is ERM?
ERM – Risk measurement (continued)
Additional risks include:
• Credit
• Price
• Technology
• Litigation
• Financial / Accounting
• Interest Rate
• Liquidity
• Regulatory
Risk impact and probability / likelihood should also be considered (rated High, Medium or Low)
Figure: impact vs. probability matrix plotting the Financial, Accounting, Strategic, Reputation, Credit, Liquidity, Regulatory, Operational and Price risks
Figure: the obvious risks – Charge-offs, The Economy, Technology, Strategic Direction, Regulatory, Interest Rate, Fraud, Liquidity, Capital
Many risks are obvious, but which risks remain hidden?
Figure: beneath the obvious risks, Enterprise Risk Management must also surface the hidden ones – Business Processes, Client Experience, Resistance to Other Opinions, Shared Purpose, Organization Structure, Productivity, Objective Assessment, Behavior Change Measurements, Internal Conflict, Sustained Change, Common Culture, Employee Retention, Succession Planning, Non-traditional Competitors, Operational Risks
ERM – Risk mitigation: the control environment
The control environment begins with a risk strategy:
• Evade – exit, divest
• Reassign – hedge, insure
• Accept – business as usual
• Exploit – expand, grow, leverage
What is ERM?
ERM – Risk monitoring
• Management reporting
• Continuous monitoring
• KPI dashboard
The key to effective ERM is to create a process that correctly identifies, prioritizes, mitigates, and monitors critical risks within the organization, resulting in a strengthened control environment
What is ERM?
Figure: the ERM cycle – Identifying, Measuring, Mitigating and Monitoring Risks, surrounding the Control Environment: a company-wide control environment that identifies, measures, mitigates, and monitors risks
What is ERM?
ERM is not a system or software application
Though tools are available, they are not imperative and should not be a barrier to commencing an ERM process. Sophisticated software should not become the focus of the process; rather, it should be used as a tool to help administer the process. Maintaining:
• Awareness
• Communication
• Transparency
…across organizational activity areas, departments and business units is more important than having a sophisticated software application.
Why should every company have an ERM strategy?
• Reconciling strategic objectives and organizational risk tolerance
• Maximizing profitability through risk analysis
• Minimizing operational expenses and losses
• Strategically training and allocating resources
• Creating a proactive regulatory environment
ERM – Internal Audit’s Role
What is Internal Audit’s role?
Provide objective assurance to the Board of Directors on the effectiveness of the organization’s risk management
This can include a number of activities but should NOT include:
• Setting the risk appetite
• Imposing risk management processes
• Deciding upon or implementing risk responses
• Owning responsibility for risk management
Risk management techniques
This is NOT the way!
Polling question #1
Do you have an ERM strategy in your institution? Yes
No
ERM integrated framework – COSO model
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
Division / Business Unit / Subsidiary / Entity Level
Internal Environment – Risk management culture; risk tolerance; ethics and core values
Objective Setting – Organization objectives align with strategy and risk tolerance
Event Identification – Identification of internal and external opportunities and threats
Risk Assessment – Risks are identified and measured (impact & probability)
Risk Response – A risk management strategy is selected (evade, reassign, accept, exploit)
Control Activities – Policies and procedures; standard operating procedures
Information & Communication – Communication throughout the company; timeliness and accuracy of data
Monitoring – Continuous monitoring; remediation as necessary
The COSO Model
The Future of ERM
Risk management today
• Fragmented and inconsistent risk identification and analysis
• Reports are generated but not reviewed or updated for business changes
• Quantitative analysis is historical and is not used to quantify opportunities or manage the business
• Risk management is Internal Audit’s responsibility
Risk management tomorrow
• Risk identification and analysis efforts are coordinated and centralized (risk champion)
• Risk management reporting is included at all levels and used for managing the business
• Quantitative analysis is used in decision making, managing the business and success quantification
• Risk management is my responsibility
The Future of ERM
Next steps
• Identify the company’s approach to managing risk
• Inventory current risk management tools/methodologies within the organization
• Identify the ERM champion
• Start at the top – what is the tone at the top?
• Identify and measure operational risks (source, not symptom)
• Develop and implement a risk management strategy (roles and responsibilities)
• Assess results, redefine the process and continuously improve
• Drive risk management to every level within the organization
The risk management continuum (each stage builds on the previous one as time and value increase)
Operational risk management
• Functional focus
• Compliance
• Policies/procedures
Business risk management
• Process focus
• Problem solving
• Best practices / benchmarking
• Functional risk identification
• Compliance
• Policies/procedures
ERM
• Strategic focus
• Company-wide assessment
• Align risk appetite and strategy
• Reconciling growth, risk and return
• Minimizing losses
• Risk management champion
• Process focus
• Problem solving
• Best practices / benchmarking
• Functional risk identification
• Compliance
• Policies/procedures
Practical ERM Implementation
Practical ERM implementation
“Enterprise” – not just selected “silos of risk”
A “process” that is ongoing, living, systematic
Consideration of risks on a “portfolio” basis
• Collection of risks that may interact
Done to enhance entity value
• Heavily integrated with business strategy
Focus is on a coordinated program for identification, measurement, assessment, and response to risks, primarily across 2 dimensions
• Probability (Likelihood)
• Impact (Consequence)
Key part of the entity’s corporate governance
• Responsibility of senior management and board
• Pushed down to key business segment management
Business Case for ERM
Better information about risks
• All entities face risks and risks constantly change
Opportunities to take risk
• Some risks create opportunities for returns
• Other risks are over-managed
• Under-managed risks can lead to losses
Partnering on risk responses
• Capture efficiencies of coordinated risk responses
Consistency in approach
• Work off the same “score sheet”
• Avoid offsetting risk “gains” with inefficient risk management
Strategic advantage
• Not all strategies bear the same level of risk
• Ensure return is commensurate with risk
Limitations of ERM
• Assumptions often include past performance or future projections – both may be incorrect
• ERM should be appropriately scoped for each company and expectations should be documented
• Business processes and controls can break down or be overridden
• The governance process is dependent on coordination and collaboration of the core team, which is dependent on individual participation
• Ongoing maintenance is dependent on commitment and contribution from all employees (everyone is responsible for risk management)
• ERM should be a tool, not a rule
Common Pitfalls
Companies that do not adequately address the following areas are often not able to extract optimal value from their ERM programs.

Area: Focus of ERM Program
Issues:
• ERM process is solely focused on output to the Board; not utilized as a tool for management
• ERM is focused solely on WCG or hazards
• Risk assessment is not embedded in strategic planning and business process
Impact:
• Management is disengaged from the process, because they don’t feel a value add

Area: Risk Analysis
Issues:
• Risk appetite is not adequately defined and communicated
• Risk levels are not measured against risk tolerance levels
• Risk analysis does not distinguish inherent vs. residual risk
• Risk impact is not quantified
Impact:
• Board/management lacks transparency to determine if risk levels are appropriate; if risks require further mitigation action or possible exploitation; and whether certain activities should be continued given risk levels and current mitigation steps

Area: ERM Reporting
Issues:
• Reporting is limited to the enterprise level and/or only a subset of risks is reported
• Risks reported to the Board are reported out of context
Impact:
• Board lacks transparency into the overall risk profile / specific business unit risk

Area: Managing Risks
Issues:
• Action/mitigation plans and owners are not assigned to high-risk areas
Impact:
• Lack of clear accountability and proactive action plans may lead to risks going unattended
Polling question #3
If you currently HAVE an ERM strategy, who is the ERM champion in your institution?
Chief Risk Officer
Chief Financial Officer
Chief Operations Officer
Internal Audit
Other
Five steps to better risk management
Risk Mindset And Culture (at the center of all five steps)
1 Identify and understand your major risks. Do you understand which risks will affect your company’s future performance? Do you have insight into the risks that matter most?
2 Decide which risks are natural. Do you understand which risks your company is competitively advantaged to own and which you should seek to transfer or mitigate?
3 Determine your capacity and appetite for risk. Are you holding the amount of risk needed to deliver the returns you seek?
4 Embed risk in all decisions and processes. Are critical business decisions made with a clear view of how they change your company’s risk profile? Are core business processes consistent with your approach to risk?
5 Align governance and organization around risk. Are the systems and infrastructure in place for you to monitor and manage risks that are being taken within your business?
Step 1 – Identify / understand your major risks
Do you understand which risks will affect your company’s future performance?
Do you know which risks matter most?
• Specify the risks you face
• Focus on the risks that really matter
• Manage the full spectrum of risks
• Traditional forecasting often fails to predict significant changes in the external environment
• Don’t forget the past – but don’t get mired in it
Step 2 – Decide which risks are natural or direct
Which risks should you own? Which should you seek to transfer or mitigate?
• Does the company have superior capabilities to manage certain types or degrees of risk?
• Are the accessible risk transfer markets reasonably efficient?
• Decide how much of certain risks the company wants to own and which risks the company should not own
Step 3 – Determine capacity and risk appetite
Are you holding the amount of risk needed to deliver the returns you seek?
• Do you quantify your operating cash-flow risk?
• How solid is your credit administration function?
• Obtain an objective assessment of loans and the lending process
Step 4 – Embed risk management
Are critical business decisions made with a clear view of how the company’s risk profile can change?
Are core business processes consistent with your approach to risk?
Risk-informed decisioning is a mind-set incorporated in the culture
It is a way of approaching processes and decisions:
• Investment decisions
• Business decisions
• Financial decisions
• Operational decisions
Step 5 – Align governance and organization
Are the systems and infrastructure in place to monitor and manage business risks?
Does the organizational structure complement your risk management objectives?
Polling question #4
How active is the Audit Committee in the ERM initiative in your institution?
They initiated or sponsored the activity and are involved in all phases of ERM
They are very involved and frequently inquire about and monitor ERM activities
They get regular updates related to ERM initiatives but are not very involved
They are not involved
QUESTIONS?
Contact Information
Shane Hester, Risk Advisory Manager
shane.hester@mcgladrey.com
Office: (404) 751-9100
Cell: (404) 290-8389