Enterprise Risk Management Expectations Outpacing Capabilities and The Audit Committee’s Role

July 30, 2013
Presented by: Suzette E. Ramsden (B.Sc., CISA, CBRA, CRMA)

Caribbean Association of Audit Committee Members Inc.
7th Annual General Meeting and Conference
“Governance, Audit and Compliance: Changing the Way We Do Business”
Hilton Trinidad Hotel & Conference Centre: July 29-30, 2013


Enterprise-Wide Risk Management

“Enterprise Risk Management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives”

COSO’s Enterprise Risk Management – Integrated Framework (2004)

ERM in Today’s Global Economy

“Risk Management is at the top of the global executive agenda as companies face an array of threats that grow more complex by the day. The risks are multitudinous and ever-present, and those companies that fail to manage them well imperil their future”

Keeping Pace

“…challenges are growing faster than most organizations’ abilities to respond: today’s complex environment requires an even stronger capability to master and optimize Risk Management.”

Figure labels: Challenges; Ability

Contributors

Risk Management capabilities are not advancing fast enough

Significant gaps and weaknesses in the management of Enterprise Risk

Inability to manage risk in an integrated and holistic way

Constantly Evolving

“When Risk Management is a strategic tool, the risk program and profile will constantly evolve..”

Shift in the Aftermath

In the aftermath of the Global Financial Storm

Diagram labels: Risk-Taking; Risk-Averse; Risk-Savvy; Unmanaged Risk; Risk Programs; Ever-Expanding Economy; Stagnant Economies; Models Relevant to new Economic Environment; Ensure Risk Programs don’t go stale

ERM Roles

Although the ultimate accountability for Risk Management performance remains with the Board of Directors, boards are increasingly looking to board committees to provide assurance regarding the status of the organization’s Risk management processes.

Audit Committee Charter

Board of Directors: Oversight - Effectively oversee the organization’s Enterprise-Wide Risk Management.

Audit Committee: Provide assurance regarding the status of the organization’s Risk Management processes; that they are active, credible and effective.

Internal Audit: An independent, objective assurance and consulting activity to provide objective assurance to the board on the effectiveness of Risk Management.

Audit Committee Agenda

So... What should audit committees look for in a company’s Enterprise-Wide Risk Management endeavours to ensure abilities are not lagging behind expectations?

Intersection of Strategy and Risk

Enterprise Risk Management resources and actions must be integrated into the Strategic Planning process

Tool for collaborative decision-making embedded into management routines such as strategic planning

Engaging in discussion and dialogue with designated risk owners (senior management) to keep abreast of emerging risks

Assessing Risk Exposures

Is your organization conducting regular top-down and middle-up assessments and aligning them to create a comprehensive risk profile of the enterprise?

Is Management focusing on those lower-level operational risks that could frustrate accomplishment of the Board’s objectives for the company?

Are risks being aggregated and the inter-relationships identified to have a clear understanding of the velocity at which risks may occur?

Is guidance provided to the business units and functional groups to ensure that they have a consistent approach that is focused on business objectives?

Ensure consistency in the way risk is being assessed across the enterprise

Articulate Risk Appetite

• Aggregate risk exposure monitored in monetary terms
• Stress-test the resilience of their balance sheets by calculating the monetary value at which solvency would be jeopardized.
• How do you know whether you have taken too much or not enough risk?
• Risk appetite embedded into the business units and functional areas
• Calculate the monetary value at which a loss or risk event would jeopardize its credit rating
• Develop a formal Risk Appetite Statement

Three Lines of Defense

Enhance Risk Management via Business Units, Risk & Compliance and Internal Audit functions

Diagram labels: Internal Audit; Risk & Compliance; Business Unit

• Are Risk Management capabilities keeping pace with the changing needs of the enterprise and expectations of stakeholders?
• Is consistent risk training being conducted across your three lines of defense?
• Are processes and technologies in place to monitor and measure risk in a way that gets the three lines of defense closer in alignment?
• Is risk information between lines of defense visible, freely shared and communicated to support dependencies?
• Do your Board, shareholders and regulators understand your risk program?
• Is Risk Management embedded in business processes in a way that enhances transparency?

Barriers to Convergence

Resources must be adequate to facilitate convergence or integration of risk and control functions

• Risk and control silos
• Obstructed flow of risk information
• Changing goals and less clarity of risk data
• Duplication and redundancy
• Insufficient numbers of people
• Lack of skills and human talent
• Absence of technology enablers
• Lagging governance structures
• Stagnant risk and control oversight functions

Lack of executive support

Creating a Risk-Resilient Culture: A call to action

Diagram labels: Risk Management Framework; Risk Resilient Culture; Risk Governance Structure

Key Questions
• How do you establish stakeholders’ expectations?
• How do you communicate Risk Management to the organization?
• How do you ensure that these Risk Management expectations are followed?

How can KPMG Help

Framework Element | Description
Risk Governance | Establish an approach to developing, supporting, and embedding the risk strategy and accountabilities
Risk Assessment | Identify, assess, and categorize risks across the enterprise
Risk Quantification and Aggregation | Measure, analyze, and consolidate enterprise risks
Risk Monitoring and Reporting | Report, monitor, and conduct activities to provide insights into risk management strengths and weaknesses
Risk and Control Optimization | Use risk and control information to improve performance

KPMG Contact Information

Robert Alleyne, Managing [email protected]
Dushyant Sookram, Partner, [email protected]
Neil Bhola, Manager, [email protected]
Suzette Ramsden, Manager, [email protected]

KPMG
69-71 Edward Street
Port-of-Spain
Trinidad and Tobago