Post on 11-Jan-2016
Enterprise Risk Management and Internal Audit: Partners in Value Creation
J.V. Rizzi, ABN AMRO Bank
May 21, 2007
The views expressed are those of the author and do not necessarily reflect those of ABN AMRO Bank
Today’s Discussion
1. Enterprise Risk Management Overview
2. Enterprise Risk Management at ABN AMRO
3. Internal Audit Implications of ERM
4. Conclusion
I. Enterprise Risk Management Overview
Risk Issues and Challenges
Analysis of interrelationships/correlations of different types of risk
Accountability for all risks under one organization (CRO)
Measuring risk on a consistent basis (capital)
Assessment of risks in, and value implications of, corporate strategies
Considering cross-risk extreme scenarios
Classical Risk Management
Classical approaches to managing risk focus on establishing well maintained and controlled processes around single risk factors.
Credit
Operational
Market
Compliance
Country
Liquidity
Strategic
Line of Business
Historically, this approach to managing risk has been appropriate for the environment. However, as the environment changes, so must the discipline.
Enterprise Risk Management
VISION: Manage all material risks and opportunities across the organization, across silos (total risk management)
WHY: Improve decision making through portfolio management of interrelated risks
RESULT: Manage to objectives consistent with stakeholder expectations to increase value
Scope of Enterprise Risk Management
ERM is…
Integrated view and awareness across the organization
Standardized risk related information, metrics and communication
Common language
Coordination of risk related projects
ERM is not…
Just a risk management factor
Data centralization, aggregation and translation
Meant to discourage specialization
Only for regulatory and compliance
Observations
Strategic, not transactional, focus
Single top level risk view as an input into strategy, and not just an output or consequence
Balance risk appetite and risk profile
Enterprise Risk Management Objectives
[Diagram: a Portfolio of Enterprise Risks (Risk Appetite, Risk Structure, Return on Risk, Economic Capital, Capital Required) and a Portfolio of Capital Resources (Assets, Capital Structure, Cost of Capital, Capital Allocation, Capital Management) are managed together toward Value Creation. Internal Stakeholders: CEO, CFO, CRO. External Stakeholders: Regulators, Shareholders, Rating Agencies.]
Big Enterprise Risk Management Ideas
Management Information: Dashboard
Risk Oversight & Independence: Governance Roles
Communication & Escalation: Interaction Model
Strategic Planning: Strategic Risk Model
II. Enterprise Risk Management at ABN AMRO
Timeline, 2004 to 2007:
Economic Capital framework adopted
Basel II Program became operational
December — ERM introduced as a 2006 strategic agenda item for Risk Management NA and Group Risk Management
May — Global Steering Committee formed including GRM, Finance, Compliance, Audit et al with monthly meetings
June — ERM framework presented and endorsed at the Risk Leadership Conference
December — ERM Program endorsed by Managing Board and NA Regional Management Committee (RMC) and ERM Program activated
2006 Risk Charter drafted in “ERM style.”
Independence review
Dashboard development
Risk outlook
Governance structure
Accomplishments to Date
The four pillars of BU NA’s ERM Program (diagram)
Enterprise Risk Management Program
I. Management Information
II. Risk Oversight and Independence
III. Communications and Escalation
IV. Strategic Planning and Alignment
Foundation layers shown: Guiding Principles; Risk Philosophy
Risk Foundation
Responsibility and Ownership
Centralization and Aggregation
Authority and Delegation
Four-eyes principle
Independence and Oversight
Risk Philosophy: Guiding Principles
Risk Awareness where “everyone is a Risk Manager”
Defined Risk Appetite and Risk Tolerance
Clarity and Transparency through a common language
Risk-Reward Alignment that manages risk for value
Compliance where “everyone acts to protect”
ERM Dashboard
[Dashboard graphic: Vision linked to the 2007 BU NA Management Priorities (Efficiency, Efficiency & Growth, Growth, Controls, People), tracked through Key Performance Indicators and Key Risk Indicators.]
Top 10 Risks – Heat Map: Distribution of Risks by Probability and Impact
[Chart: average probability (0% to 30%) against average expected impact (0 to 60), with Low Risk, Medium Risk and High Risk zones; each risk rated Unacceptable Level, Unknown - Need More Info, Acceptable Level or Un-Rated; marked DRAFT, Under Re-evaluation. Risks plotted, with the figure shown in parentheses on the slide:]
Client/Corporate Credit Default (6)
Legal Risk (4)
General Economy Decline (4)
Declining Employee Morale/Loss of Top Employees (5)
Failed Business Practices (4)
Real Estate Decline (6)
Data Loss/Vulnerability (11)
Supplier Failure (2)
Regulatory / Ethical Failure (7)
Material Unpredicted External Event (6)
Model Risk / Failure (6)
System / IT (7)
Control Breakdown (13)
Fraud Loss (9)
[Dashboard table: Overall BU NA, Feb-07. KPIs Efficiency Ratio, Revenue Growth (YoY) and Return on ARC, with YTD, Target and Status columns for Com'l, PFS, GSTS and Total. Quantitative and qualitative risk ratings by category (Business, Credit, Operational, Market, Interest, Liquidity, Strategic, Compliance, ALM - RWA, ALM - EC, Human Cap., IT, Legal, SOX, Audit) across the business lines ALM, Asset Mgmt. Services, Global Markets, Global Clients, Transaction Banking and Private Clients.]
ComprehensiveRisk Assessment
Integrated Risk, Rewardand Strategy View
Forward looking, actionable, risk escalation tool
Executive sponsorship
Governance Actions
Successfully implementing ERM at an organization requires a clear governance structure and interaction model that creates a risk-aware culture able to identify, measure and manage inter-related risks.
Risk Governance Model defines three legs — Businesses that take and manage risk, Risk Management to provide policy and analysis, and Audit to provide assurance.
Board of Directors
Business Areas
Risk identification
Risk assessments
Strategy & Action to address Risk Within Policy
Provide assertions on risk exposure for business / function
Ownership of risk and responsibility for management and mitigation
ERM Committee: CRO & Risk Committees
Policies, governance and information flow
Risk assessment methods
Measurement, aggregation rules and tools
Monitor risk exposure status and provide reporting to Board
Internal Audit
Validation of controls
Objective review of risk management process
Assurance to Senior Executive management and Board on assertions of risk exposure
ERM Communications Strategy
Communication
Adopt theme: “Everyone is a Risk Manager”
External conferences
Develop tactical communications plan
Align with compliance-related policies and procedures
Standards of Conduct to include risk issue escalation
Promote learning culture
Escalation
Clarification of escalation expectations
Strategic Risk Management
Strategic Risk Management
Align Finance & Risk Strategic Agendas
Performance contract process to embrace ERM
Agree ERM role and PfC process
Enterprise Strategy
Risk Appetite
Challenges Of Achieving An ERM Approach
Building ERM capabilities is an iterative, incremental process with some potentially big hurdles to overcome.
Risk Management Survey Results
[Chart: the ERM Components Culture, Reporting, Infrastructure and Strategic Planning, each rated on a 1 to 9 scale running from Rudimentary through Progressive to Pioneering.]
Lessons Learned
Sponsorship
1. Successful Risk Management implementations require senior management and Board support.
Change Management
2. Significant effort will be required to overcome organizational inertia and change the mindset to a risk-reward culture.
Sustainability
3. To sustain progress and momentum, maintain program team continuity.
Project Management
4. Do not underestimate launch complexities or cultural challenges.
5. Pilot programs prior to global roll outs.
Enterprise Risk Management Program: Risk Management Framework (diagram)
III. Internal Audit Implications of ERM
Internal Audit Context
Board of Directors / CEO
First Line of Defense: Line of Business (Strategy, Performance and Risk Management)
Second Line of Defense: CRO / Risk Management and Compliance (Policy Validation and Oversight)
Third Line of Defense: Internal Audit and External Audit (Independence Assurance)
The Role of Internal Audit in Enterprise Risk Management (COSO)
Core Internal Audit ERM Roles
Risk Management Process Assurance
Risk Evaluation Assurance
Evaluating Risk Management Process
Evaluating Key Risk Reporting
Key Risk Management Review
Permissible Internal Audit ERM Roles
Identifying and Evaluating Risks
Coaching Management on Risk Response
Coordinating ERM activities
Consolidating Risk Reporting
Championing ERM Development
Developing Risk Management Strategy
Impermissible Internal Audit ERM Roles
Setting Risk Appetite
Authorizing and Dictating ERM Implementation
Providing assurance on risks and Risk Management Performance
Making Risk decisions
Implementing Risk Management Responses
Accepting Risk Management Accountability
Integration of ERM and Internal Audit
Shift in focus: from Control Based to Risk Based; from Historical to Forward looking; from Accounting to Value focused
Parallel Developments in Internal Audit and Risk Management
Determine Audit Criteria
Internal Audit should align the organization’s Internal Control Framework with the ERM Program to help assure “In Control” status
ERM Governance
Governance model should consider: oversight and independence of the Risk Management function; defining roles and responsibilities; explicit Senior Management support; reporting relationships and requirements; accountability
Regulators Want Assurance: “In Control” Status
The “In-Control” status indicates an understanding of risk management effectiveness and internal controls throughout the organization.
Elements of ERM:
ERM vision & FW
Committee charter
ERM Dashboard
RCSA
Strategic risk model
ERM policies
Event risk analysis
Integrated compliance monitoring
Risk strategy alternatives
KRIs and KPIs
Risk appetite
Tangible Functions and Processes: Organization Structure, Accountability, Risk Limits, Internal Controls, Decision Matrix, Interaction Model, Assessment Process, Measurement & Reporting, Technology
Intangible Functions and Processes: Change Management, Communication, Culture
Internal Audit provides assurance through periodic audit (the diagram links this to “In-Control” status, Effective Risk Governance and Risk Appetite)
The Complete Audit Approach Model (diagram, labelled “Management Process”)
Business Managers (Business Execution):
Make transaction decisions
Focus on day-to-day management of risk
Risk Management (Risk Oversight):
Quantify residual risks and ensure capital adequacy
Assess control design adequacy
Finance (Books and Records):
Ensure appropriate accounting
Focus on G/L accuracy
Audit:
Verify procedures are being followed
Test effectiveness of controls
Internal Audit
Provides assurance ERM is functioning as intended
Ensures accountability
Encourages flexibility to fit changing circumstances
Independently verifies risk management coverage
Tests effectiveness of risk oversight and controls
IV. Conclusion
Summary
ERM is a process, ongoing and flowing through an entity
ERM improves interaction between Risk Disciplines and LOBs on risk-related matters
ERM enables the organization to make risk-based decisions
ERM is effected by people at every level of an organization
ERM is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
ERM is designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
Internal Audit constitutes an important partner in the ERM process