CBIZ Risk & Advisory Services Agile. Experienced. Efficient. ERM: Leveraging Information and Technology May 2019


Page 2

Introduction

Sonya Golden, CBIZ Risk & Advisory Services

Designations: Certified Internal Controls Auditor

Specialties: Enterprise Risk Management (ERM); Internal Audit Quality Assurance & Improvement Programs (QAIP); Sarbanes-Oxley; FASB, GAAP Disclosures; SEC Reporting; IIA International Standards for the Professional Practice of Internal Auditing

Senior Manager in the national Risk & Advisory Services practice for CBIZ, Inc. with over 20 years of experience working with professional services, financial services, governmental and manufacturing clients.

Recently, she led an initiative to create a customized solution to leverage technology and improve the overall accuracy and reliability of fraud and internal control risk assessments at one of CBIZ's largest clients. Sonya has also assisted clients in conducting all phases of risk management, regulatory compliance, financial and operational audits, including, but not limited to, interviews, walk-throughs, preparation of narratives and flowcharts, planning, identification and testing of controls, and reporting.

Sonya currently serves as the enterprise risk management project lead for CBIZ's largest internal audit outsource client.

Page 3

Topics Covered

Understanding Enterprise Risk Management (ERM)

Strategic Value of ERM

Framework Components & Principles

Data – Big, Small and everything in between

Information, Communication, and Reporting

Leveraging Technology and Data

Key Takeaways

Page 4

Understanding Enterprise Risk Management

Boards and executive management of companies that aspire to be resilient in the face of change must keep in mind:

ERM is defined many different ways by many different standards, frameworks, and disciplines across the globe

ERM sets out a basic conceptual structure of ideas which an organization integrates into other practices occurring within the entity

ERM frameworks, models, and components will vary by legal structure, size, industry, and geography, etc.

ERM uses a common methodology which provides a basis for continuous improvement, rationalization, and integrated reporting

ERM is expected to follow a path of increasingly organized and systematically more mature processes

Page 5

Understanding Enterprise Risk Management

Underlying principles

Every entity exists to realize value for its stakeholders.

Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:

Deal effectively with potential future events that create uncertainty.

Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Page 6

Understanding Enterprise Risk Management

What is Enterprise Risk Management?

Enterprise risk management (ERM) is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as:

The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organizations rely on to manage risk in creating, preserving, and realizing value.

CPR: Creating, Preserving, Realizing value.

Page 7

Strategic Value

Benefits of integrating ERM include the ability to:

Increase the range of opportunities

Identify and manage company-wide risks

Reduce surprises and losses

Reduce performance variability

Improve resource deployment

Anticipate, identify, adapt, and respond to change

Page 8

Framework Components & Principles

There are several ERM frameworks or models available to help organizations integrate risk management:

International Organization for Standardization (ISO) 31000: Risk Management – Principles and Guidelines (the 2009 edition; the 2018 revision is titled Risk Management – Guidelines)

United Kingdom's Orange Book: Management of Risk – Principles and Concepts

Open Compliance and Ethics Group (OCEG) Red Book 2.0 – GRC Capability Model

Federation of European Risk Management Associations (FERMA)

British Standards (BS) 31100: Code of Practice for Risk Management

COSO Enterprise Risk Management – Integrating with Strategy and Performance (detailed on the following page)

Page 9

Framework Components & Principles

COSO ERM Integrated Framework: Enterprise Risk Management – Integrating with Strategy and Performance (COSO, 2017)

An entity's internal environment can be viewed in the context of three categories:

1. Mission, Vision and Core Values
2. Strategy and Business Objectives
3. Enhanced Performance

The five components of the framework, and the 20 principles beneath them, are interrelated and consider activities at all levels of the organization:

1. Governance and Culture
2. Strategy and Objective-Setting
3. Performance
4. Review and Revision
5. Information, Communication, and Reporting

The ERM framework defines essential components, concepts, and a common ERM language.

Page 10

Framework Components & Principles

Best practice in ERM implementations has been to use a top-down / bottom-up, risk-based approach. This approach recognizes the importance of buy-in at all levels.

1. Top-down. Senior management and/or directors select indicators to monitor across the business. Typically the most effective approach for strategic-level key risk indicators (KRIs). Top-down KRIs can facilitate aggregation and management understanding in the context of top-level strategy and business objectives.

2. Bottom-up. The business entity or process manager selects and monitors the indicators they see as relevant within their operational processes. This ensures business entity managers select indicators most relevant to the actual operational objectives of their entity and processes.

KRI chain from the slide (a lending example), read left to right:

Business objective: Minimize exposure to loan defaults
Define sources of risk: Geographic concentration of the institution's loan portfolio
Establish KRI: Percentage of outstanding capital in active loans in the largest geography
Set key thresholds: Maximum loan concentration in a single geography should be XX?
Monitoring frequency: Real-time
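The KRI chain above carried through in code, as an added example that is not part of the CBIZ deck: a small Python monitor computes the slide's indicator (share of active outstanding capital sitting in the largest geography) over a constructed loan book, rates it against amber/red thresholds, and re-evaluates on every loan event, which is what a "real-time" monitoring frequency means in practice. The `Loan` and `KRI` record shapes, the sample loans and the 30% / 40% threshold values are assumptions made for this example; the deck itself leaves the threshold as "XX".

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Loan:
    """One loan record (constructed shape for this example, not a real core-banking schema)."""
    loan_id: str
    geography: str
    outstanding: float   # outstanding principal
    active: bool         # closed or written-off loans do not count toward exposure


@dataclass(frozen=True)
class KRI:
    """The slide's chain: objective -> source of risk -> indicator -> thresholds -> frequency."""
    objective: str
    risk_source: str
    indicator: str
    amber: float         # warning threshold, fraction of active outstanding capital (assumed)
    red: float           # breach threshold (assumed; the deck leaves this as "XX")
    frequency: str


LOAN_CONCENTRATION = KRI(
    objective="Minimize exposure to loan defaults",
    risk_source="Geographic concentration of the institution's loan portfolio",
    indicator="Percentage of outstanding capital in active loans in the largest geography",
    amber=0.30,
    red=0.40,
    frequency="real-time",
)


def largest_geography_share(loans: Iterable[Loan]) -> Tuple[Optional[str], float]:
    """Return (geography, share): the geography holding the most active outstanding
    capital and its share of total active outstanding capital (0.0..1.0)."""
    by_geo: Dict[str, float] = defaultdict(float)
    for loan in loans:
        if loan.active:
            by_geo[loan.geography] += loan.outstanding
    total = sum(by_geo.values())
    if total <= 0:
        return None, 0.0          # empty book: nothing to concentrate
    geo, amount = max(by_geo.items(), key=lambda kv: kv[1])
    return geo, amount / total


def rate(kri: KRI, value: float) -> str:
    """Map the indicator value onto the KRI's thresholds (red/amber/green status)."""
    if value >= kri.red:
        return "RED"
    if value >= kri.amber:
        return "AMBER"
    return "GREEN"


class ConcentrationMonitor:
    """'Real-time' monitoring: the KRI is recomputed on every loan event (new booking,
    repayment, closure) and any non-green status is recorded for escalation."""

    def __init__(self, kri: KRI) -> None:
        self.kri = kri
        self.loans: Dict[str, Loan] = {}
        self.alerts: List[Tuple[str, Optional[str], float, str]] = []

    def on_event(self, loan: Loan) -> str:
        self.loans[loan.loan_id] = loan   # upsert: a repayment or closure replaces the record
        geo, share = largest_geography_share(self.loans.values())
        status = rate(self.kri, share)
        if status != "GREEN":
            self.alerts.append((loan.loan_id, geo, round(share, 4), status))
        return status


# Constructed sample loan book (not real data).
SAMPLE_LOANS = [
    Loan("L1", "North", 300.0, True),
    Loan("L2", "South", 250.0, True),
    Loan("L3", "West", 200.0, True),
    Loan("L4", "East", 250.0, True),
    Loan("L5", "North", 900.0, False),   # closed: must not count toward concentration
]

if __name__ == "__main__":
    monitor = ConcentrationMonitor(LOAN_CONCENTRATION)
    for loan in SAMPLE_LOANS:
        monitor.on_event(loan)
    print(monitor.kri.indicator, largest_geography_share(SAMPLE_LOANS))
    print("new booking in North:", monitor.on_event(Loan("L6", "North", 200.0, True)))
    for alert in monitor.alerts:
        print("alert:", alert)
```

Two details matter for a bottom-up KRI like this one: the inactive loan is excluded so the indicator measures live exposure, and the monitor keys loans by identifier so a repayment or closure event moves the indicator back down rather than double-counting the loan.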

Page 11

Framework Components & Principles

Example sources of risk, by category:

STRATEGIC RISKS: Demand shortfalls; Customer losses/problems; M&A problems; Pricing pressures; Product/services competition; Product problems; Regulation; R&D; Management change; Corporate governance; Miscommunication/false guidance

OPERATIONAL RISKS: Earnings shortfall; Cost overruns; Poor operating controls; Accounting problems; Capacity problems; Supply-chain issues; Employee issues and fraud; Noncompliance; High input costs; IT security; Supplier losses

FINANCIAL RISKS: Poor financial strategies; Asset losses; Goodwill and amortization; Liquidity crises; High debt and interest rates; Declining commodity prices; Rating impacts

EXTERNAL RISKS: Industry crises; Legal risks; Country economic issues; Weather losses; Partner losses; Political issues; Terrorism; Foreign economic issues

Page 12

Framework Components & Principles

Risk management process (the step structure used by ISO 31000), with Communicate and Consult and Monitor and Review running continuously alongside every step:

Business Context
• Internal context
• External context
• Risk management context
• Develop criteria
• Define the structure

Identify the Risks
• What can happen?
• When and where?
• How and why?

Analyze the Risks
• Determine existing controls
• Determine probability and consequences
• Estimate level of risk
• What will this mean for our objective?

Evaluate the Risks
• Compare against criteria
• Set priorities
• Decide: treat the risks? (Yes: proceed to treatment; No: return to monitoring and review)

Treat the Risks
• Identify options
• Assess options
• Prepare and implement treatment plan
• Analyze and evaluate residual risk

To be relevant and impactful, a risk assessment process cannot merely be a checklist; rather, it must provide a clear view of the variables to which an organization may be exposed, whether internal or external, retrospective or forward-looking.

Page 13

Framework Components & Principles

Risk Assessment Process: Identify Risks → Develop Assessment Criteria → Assess Risks → Assess Risk Interactions → Prioritize Risks → Respond to Risks

DEVELOP ASSESSMENT CRITERIA

The first activity within the risk assessment process is to develop a common set of assessment criteria to be deployed across business units, corporate functions, and large capital projects. Risks and opportunities are typically assessed in terms of impact and likelihood. Many enterprises recognize the utility of evaluating risk along additional dimensions such as vulnerability and speed of onset.

Develop assessment scales to create consistency: a standardized scale for each criterion, with every rating level rated, described and defined.

Assessment criteria: Impact; Likelihood; Vulnerability (susceptibility); Speed of Onset

Page 14

Framework Components & Principles

Risk Assessment Process: ASSESS RISKS

Assessing risks consists of assigning values to each risk and opportunity using the defined criteria. This may be accomplished in two stages: an initial screening of the risks using qualitative techniques, followed by a more quantitative analysis of the most important risks.

Qualitative analyses: Analysis of existing data; Interviews & workshops; Surveys; Benchmarking

Quantitative analytics: Scenario analysis; Causal at-risk models (e.g., gross margin at risk, cash flow at risk)

Page 15

Framework Components & Principles

Risk Assessment Process: ASSESS RISK INTERACTIONS

Risks do not exist in isolation. Enterprises have come to recognize the importance of managing risk interactions. Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity. Therefore, enterprises are gravitating toward an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.

Tools: Risk interaction map; Fault/event tree or bow-tie diagram

Page 16

Framework Components & Principles

Risk Assessment Process: PRIORITIZE RISKS

Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds. Risk is viewed not just in terms of financial impact and probability, but also subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.

Tools: Risk hierarchies; Opportunity/risk heat map
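The four assessment steps described on the preceding pages (criteria on a standardized scale, scoring, risk interactions, prioritization against tolerance thresholds), carried through as one added Python example that is not from the CBIZ deck. Each risk is rated 1..5 on the deck's four criteria; a risk interaction matrix raises the likelihood of risks that other risks feed into; the resulting impact × likelihood score is placed in a heat-map zone and compared against a per-category tolerance; and the High/Critical survivors of this qualitative screen are handed on to quantitative analysis. The `Risk` record, the 1..5 scale, the zone boundaries, the interaction rule, the tolerance values and the sample register are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Standardized 1..5 scale shared by every criterion (assumed; the deck says each level
# should be rated, described and defined).
SCALE = {1: "very low", 2: "low", 3: "moderate", 4: "high", 5: "very high"}

# Assumed target risk levels / tolerance thresholds per category, on the impact x
# likelihood scale (1..25). A real program derives these from its risk appetite.
TOLERANCE = {"strategic": 12, "operational": 10, "financial": 10, "external": 15}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str        # strategic | operational | financial | external
    impact: int          # 1..5
    likelihood: int      # 1..5
    vulnerability: int   # 1..5 susceptibility given existing controls (5 = no effective control)
    speed_of_onset: int  # 1..5 (5 = little or no warning)


def validate(r: Risk) -> None:
    """Reject ratings outside the standardized scale and unknown categories."""
    if r.category not in TOLERANCE:
        raise ValueError(f"{r.name}: unknown category {r.category!r}")
    for field_name in ("impact", "likelihood", "vulnerability", "speed_of_onset"):
        value = getattr(r, field_name)
        if value not in SCALE:
            raise ValueError(f"{r.name}: {field_name}={value} is outside the 1..5 scale")


def inherent_score(r: Risk) -> int:
    """Classic heat-map score: impact x likelihood."""
    return r.impact * r.likelihood


def heat_zone(score: int) -> str:
    """Heat-map zone boundaries (assumed)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def apply_interactions(risks: List[Risk], interactions: Dict[Tuple[str, str], int]) -> List[Risk]:
    """Risk interaction matrix: interactions[(a, b)] is the strength (1..3) with which the
    occurrence of risk a raises the likelihood of risk b. Assumed aggregation rule: a risk
    whose incoming strengths sum to 3 or more has its likelihood raised one notch (cap 5)."""
    incoming = {r.name: 0 for r in risks}
    for (a, b), strength in interactions.items():
        if a not in incoming or b not in incoming:
            raise KeyError(f"interaction refers to an unknown risk: {(a, b)}")
        incoming[b] += strength
    return [replace(r, likelihood=min(5, r.likelihood + 1)) if incoming[r.name] >= 3 else r
            for r in risks]


def prioritize(risks: List[Risk], interactions: Dict[Tuple[str, str], int]) -> List[dict]:
    """Score every risk after interactions, compare against the category tolerance and rank:
    tolerance breaches first, then score, then speed of onset and vulnerability as the
    deck's subjective tie-breakers."""
    for r in risks:
        validate(r)
    rows = []
    for r in apply_interactions(risks, interactions):
        score = inherent_score(r)
        rows.append({"name": r.name, "category": r.category, "score": score,
                     "zone": heat_zone(score), "exceeds_tolerance": score > TOLERANCE[r.category],
                     "speed_of_onset": r.speed_of_onset, "vulnerability": r.vulnerability})
    rows.sort(key=lambda x: (x["exceeds_tolerance"], x["score"],
                             x["speed_of_onset"], x["vulnerability"]), reverse=True)
    return rows


def quantitative_candidates(rows: List[dict]) -> List[str]:
    """Two-stage assessment: only High/Critical risks from the qualitative screen go on
    to quantitative (scenario / at-risk) analysis."""
    return [row["name"] for row in rows if row["zone"] in ("High", "Critical")]


# Constructed sample register (illustrative ratings, not an assessment of any real entity).
SAMPLE_RISKS = [
    Risk("Ransomware outage", "operational", impact=4, likelihood=3, vulnerability=4, speed_of_onset=5),
    Risk("Key supplier loss", "external", impact=3, likelihood=3, vulnerability=3, speed_of_onset=3),
    Risk("Liquidity squeeze", "financial", impact=5, likelihood=2, vulnerability=2, speed_of_onset=4),
    Risk("Demand shortfall", "strategic", impact=4, likelihood=2, vulnerability=3, speed_of_onset=2),
]
SAMPLE_INTERACTIONS = {
    ("Ransomware outage", "Liquidity squeeze"): 2,   # an outage stalls collections
    ("Key supplier loss", "Liquidity squeeze"): 2,   # replacement sourcing ties up cash
    ("Ransomware outage", "Key supplier loss"): 1,
}

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_RISKS, SAMPLE_INTERACTIONS)
    for row in ranked:
        print(row)
    print("quantitative analysis:", quantitative_candidates(ranked))
```

Run on the sample register, the liquidity risk is within tolerance on its own (score 10) but moves to Critical once the two risks feeding into it are taken into account, which is the point the interactions page makes: a risk that looks acceptable in isolation can be the one that deserves the quantitative work.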

Page 17

Information, Communication, and Reporting

What’s worth monitoring?

Organizations must consider what information is available to management, and what information systems and technology are in use for capturing that information.

While all data is important, predictive data can provide the most significant and tangible benefits. As businesses collect more predictive data, they can project specific business outcomes and make more informed business decisions further into the future.

Regardless of industry, management must have open and effective communication channels that address all aspects of the organization, including risk, culture, and strategic performance.

The organization's reporting requirements (frequency, type, source (internal/external)) vary by report user, but it is critical that the focus of reporting be the link between strategy, business objectives, risk, and performance.

Page 18

Data – Big, Small and everything in between

Too much data can be overwhelming. Too little, and you’re not going to gain any insight or could be missing critical information.

Advances in cognitive computing, such as artificial intelligence, data mining, and machine learning can collect, convert, and analyze large volumes of unstructured data into information that helps organizations to make better business decisions

The key is not just to gather data, but to leverage it with analysis and insight. This often requires experts from multiple disciplines to work together to peel back multiple layers of data and insight

It is important that organizations provide the right information, in the right form, at the right level of detail, to the right people, at the right time – relevant, reliable, and timely

Management must not blindly accept the outcome of data models; instead, transformed data should be combined with human judgment, including a willingness to challenge any assumptions underlying the strategy and business objectives.

Page 19

Leveraging Technology and Data

The key is not just to gather data, but to leverage it with analysis and insight.

Technology can also introduce new risks to an entity, and those risks can be critical to achieving strategy and business objectives.

By building a strategic technology road map, an organization can properly align business goals with technology initiatives to help drive those objectives

Part of that road map should include effective risk management and mitigation processes and controls to ensure the technological advancements are not offset by data security setbacks and breaches, and maximum enterprise value is delivered to the organization

Connect the dots - use information to anticipate situations that may get in the way of achieving strategy and business objectives

Page 20

Key Takeaways

The first step, and arguably the most important, is gaining buy-in from your executive team:

Understand what your stakeholders care about and how they define success. Plan for the barriers you may face along the way

Identify the right people, departments, and tools that you need to get the job done

Determine which data is ripe for analysis, whether they be new areas to review or integrated within your existing program

Establish frequent, consistent reviews of your program so it remains relevant and accounts for future growth

Keep it simple – An overly complex model provides significant challenges to implementation and on-going execution

Page 21

Summary

Having an understanding of the overall ERM process, as well as your organization, can facilitate the integration of ERM into all levels to support strategic decision-making within your organization

ERM is not a single point in time; instead, a comprehensive plan includes continual improvement and monitoring, employee education, having the right systems and performing the right tests

Having a function that collects, connects, interprets and focuses on enterprise data for the leaders in the organization is critical to improving performance

Leveraging technology to help identify, collect, analyze and evaluate data is critical for success: to remain competitive, to innovate and to grow the business.

Enhanced data analytics capabilities enable informed decision-making, a better customer and employee experience, and deep insights across the organization.

Page 22

Sonya Golden
Senior Manager, CBIZ Risk & Advisory Services

Tel: [email protected]

www.cbiz.com