Embedding Enterprise Risk Management (ERM) Into The Audit Plan
IIA – Atlanta Chapter, January 11, 2013
Presenter: Shane Hester, CPA, Risk Advisory Manager

Transcript of the 37-page slide deck.

Page 1
Embedding Enterprise Risk Management (ERM) Into The Audit Plan
IIA – Atlanta Chapter
January 11, 2013

Page 2


Introductions

Shane Hester, CPA, Risk Advisory Manager

Atlanta, GA

Page 3


Agenda

Overview of Enterprise Risk Management (ERM)

Why an effective ERM strategy is necessary

The future of ERM

The limitations of ERM

Five simple steps that lead to better risk management

Page 4

What is ERM? - Definition

Page 5


What is ERM?

• ERM is a systematic approach to identifying, measuring, mitigating and monitoring risks within an organization
• ERM must be a company-wide initiative and embraced by all levels of management
• ERM begins with soft controls (i.e. tone at the top, alignment with strategy and an understanding of overall risk appetite)

Page 6


What is ERM?

• ERM is a principles-based approach to manage, not eliminate, risk
• ERM is a process:
  Built into routine business practices
  Designed to: identify emerging events with the potential to affect the entity; assess the potential impact consistently; manage risk within a predetermined risk appetite
  Geared to the achievement of objectives
  Applied across the enterprise
  Tied to the organization's strategic goals

Page 7


What is ERM?

ERM – Risk identification
• No functional silos
• Communication of risks
• Risk origination

(Diagram: risks originating in Sales & Marketing, New Accounts, Transaction Processing, Financial Reporting and Customer Service all feed into ERM)

Page 8


What is ERM?

ERM – Risk measurement
Common risk language

Strategic – Risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions

Reputation – Risk to earnings or capital arising from negative public opinion

Operational – Risk to earnings or capital arising from problems with service or product delivery

Fraud – Risk to earnings or capital arising from intentional misrepresentation or abuse of assigned responsibilities by customers, non-customers or employees

Event – Risk to earnings or capital arising from some catastrophic or major event

Page 9


What is ERM?

ERM – Risk measurement (continued)
Additional risks include: Credit, Price, Technology, Litigation, Financial / Accounting, Interest Rate, Liquidity, Regulatory

Risk impact and probability / likelihood should also be considered.
(Heat map: impact plotted against probability, each rated High, Medium or Low, with Financial, Accounting, Strategic, Reputation, Credit, Liquidity, Regulatory, Operational and Price risks placed on the grid)

Page 10


Many risks are obvious, but which risks remain hidden?
(Diagram of the obvious risks: Charge-offs, The Economy, Technology, Strategic Direction, Regulatory, Interest Rate, Fraud, Liquidity, Capital)

Page 11


(Diagram: Enterprise Risk Management spans both the obvious risks, The Economy, Technology, Charge-offs, Regulatory, Strategic Direction, Interest Rate, Fraud, Liquidity and Capital, and the less visible operational risks: Business Processes, Client Experience, Resistance to Other Opinions, Shared Purpose, Organization Structure, Productivity, Objective Assessment, Behavior Change Measurements, Internal Conflict, Sustained Change, Common Culture, Employee Retention, Succession Planning, Non-traditional Competitors)

Page 12

What is ERM?

ERM – Risk mitigation
Control environment
The control environment begins with a risk strategy:
• Evade – exit, divest
• Reassign – hedge, insure
• Accept – business as usual
• Exploit – expand, grow, leverage

Presentation Notes: Evaluate and develop a risk strategy. Correct information gives risk owners the ability to make informed decisions. Success becomes more likely with an appropriate risk strategy.
Page 13

What is ERM?

ERM – Risk monitoring
• Management reporting
• Continuous monitoring
• KPI dashboard

The key to effective ERM is to create a process that correctly identifies, prioritizes, mitigates, and monitors critical risks within the organization, resulting in a strengthened control environment.

Page 14

What is ERM?

(Diagram: a cycle of Identifying, Measuring, Mitigating and Monitoring Risks within the Control Environment)
A company-wide control environment that identifies, measures, mitigates, and monitors risks

Page 15

What is ERM?

It is not a system or software application.
Though tools are available, they are not imperative and should not be a barrier to commencing an ERM process. Sophisticated software should not become the focus of the process; rather, it should be used as a tool to help administer the process. Maintaining awareness, communication and transparency across organizational activity areas, departments and business units is more important than having a sophisticated software application.

Page 16

Why should every company have an ERM strategy?
• Reconciling strategic objectives and organizational risk tolerance
• Maximizing profitability through risk analysis
• Minimizing operational expenses and losses
• Strategically training and allocating resources
• Creating a proactive regulatory environment

Presentation Notes:
Reconciling strategic objectives and organizational risk tolerance: Understanding risk tolerance is fundamental to analyzing strategic options, establishing strategic goals, and finally achieving strategic objectives. An effective ERM program provides management with an understanding of the company's risk environment and culture. Investors' risk tolerance is determined by time horizon and one's ability to tolerate fluctuation. What attributes determine risk tolerance in your company?

Maximizing profitability through risk analysis: Realistic and obtainable growth objectives can be established with an understanding of risk tolerance. Should product pricing be risk driven? What about the banking environment? Are you obtaining the appropriate return for the risk being assumed?

Minimizing operational expenses and losses: By understanding, managing, and monitoring risks, operational events may be avoided, resulting in reduced expenses and losses. Supplier risk: if a supplier does not deliver on time or does not deliver appropriate quality, expenses increase to find replacement goods or the customer is impacted. Additional operational risks include quality issues, overruns, regulatory compliance, etc. Risks are often interdependent. By maintaining an ERM program, risks that were mitigated independently can now be mitigated at the macro level, resulting in reduced expenses.

Strategically training and allocating resources: An understanding of risks can allow resources to be trained in the appropriate area (skill set), deployed before an issue arises (proactive vs. reactive), and career tracks expanded through succession planning.

Creating a proactive regulatory environment: In the Sarbanes-Oxley world, corporate governance is a must. Once you attract a regulator you get more and more attention. Senior management and the Board of Directors may now be held liable for failure to comply with regulatory requirements (E&O insurance). Patriot Act, Gramm-Leach-Bliley, Health Insurance Portability and Accountability Act (HIPAA), etc. A recent survey (Economist Intelligence Unit) found that over 70% of senior executives in the financial services industry have increased communication with regulators and auditors.
Page 17

ERM – Internal Audit's Role

What is Internal Audit's Role???
Provide objective assurance to the Board of Directors on the organization's effectiveness of risk management.
This can include a number of activities but should NOT include:
• Setting the risk appetite
• Imposing risk management processes
• Deciding upon or implementing risk responses
• Owning responsibility for risk management

Page 18

Risk management techniques

This is NOT the way!

Page 19

Polling question #1

Do you have an ERM strategy in your institution?
• Yes
• No

Page 20

ERM integrated framework – COSO model

The COSO Model
(Cube: the eight components below are applied at each level of the organization: Entity Level, Division, Business Unit, Subsidiary)

Internal Environment – Risk management culture; Risk tolerance; Ethics and core values
Objective Setting – Organization objectives align with strategy and risk tolerance
Event Identification – Identification of internal and external opportunities and threats
Risk Assessment – Risks are identified and measured (impact & probability)
Risk Response – A risk management strategy is selected (evade, reassign, accept, exploit)
Control Activities – Policies and procedures; Standard operating procedures
Information & Communication – Communication throughout the company; Timeliness and accuracy of data
Monitoring – Continuous monitoring; Remediation as necessary

Page 21

The Future of ERM

Risk management today
• Fragmented and inconsistent risk identification and analysis
• Reports are generated but not reviewed or updated for business changes
• Quantitative analysis is historical and is not used to quantify opportunities or manage the business
• Risk management is Internal Audit's responsibility

Risk management tomorrow
• Risk identification and analysis efforts are coordinated and centralized (risk champion)
• Risk management reporting is included at all levels and used for managing the business
• Quantitative analysis is used in decision making, managing the business and success quantification
• Risk management is my responsibility

Page 22

The Future of ERM

Next steps
• Identify the company's approach to managing risk
• Inventory current risk management tools/methodologies within the organization
• Identify the ERM champion
• Start at the top – what is the tone at the top?
• Identify and measure operational risks (source not symptom)
• Develop and implement a risk management strategy (roles and responsibilities)
• Assess results, redefine the process and continuously improve
• Drive risk management to every level within the organization

Page 23

The risk management continuum
(Diagram: three stages along an axis of time and value; each stage keeps the elements of the one before it)

Operational risk management
• Functional focus
• Compliance
• Policies/procedures

Business risk management
• Process focus
• Problem solving
• Best practices / benchmarking
• Functional risk identification
• Compliance
• Policies/procedures

ERM
• Strategic focus
• Company-wide assessment
• Align risk appetite and strategy
• Reconciling growth, risk and return
• Minimizing losses
• Risk management champion
• Process focus
• Problem solving
• Best practices/benchmarking
• Functional risk identification
• Compliance
• Policies/procedures

Practical ERM Implementation

Page 24

Practical ERM implementation

• "Enterprise" – not just selected "silos of risk"
• A "process" that is ongoing, living, systematic
• Consideration of risks on a "portfolio" basis: a collection of risks that may interact
• Done to enhance entity value: heavily integrated with business strategy
• Focus is on a coordinated program for identification, measurement, assessment, and response to risks, primarily across 2 dimensions: Probability (Likelihood) and Impact (Consequence)
• Key part of the entity's corporate governance: responsibility of senior management and board; pushed down to key business segment management

Page 25

Business Case for ERM
• Better information about risks: all entities face risks, and risks constantly change
• Opportunities to take risk: some risks create opportunities for returns; other risks are over-managed; under-managed risks can lead to losses
• Partnering on risk responses: capture efficiencies of coordinated risk responses
• Consistency in approach: work off the same "score sheet"; avoid offsetting risk "gains" with inefficient risk management
• Strategic advantage: not all strategies bear the same level of risks; ensure return is commensurate with risk

Page 26

Limitations of ERM
• Assumptions often include past performance or future projections – both may be incorrect
• ERM should be appropriately scoped for each company and expectations should be documented
• Business processes and controls can break down or be overridden
• The governance process is dependent on coordination and collaboration of the core team, which is dependent on individual participation
• Ongoing maintenance is dependent on commitment and contribution from all employees (everyone is responsible for risk management)
• ERM should be a tool, not a rule

Presentation Notes: Cost benefit analysis. Operational ERM initiatives do not guarantee operational objectives will be obtained. Collusion.
Page 27

Common Pitfalls
Companies that do not adequately address the following areas are often not able to extract optimal value from their ERM programs.

Area: Focus of ERM Program
Issues:
• ERM process is solely focused on output to the Board; not utilized as a tool for management
• ERM is focused solely on WCG or hazards
• Risk assessment is not embedded in strategic planning and business process
Impact:
• Management is disengaged from the process, because they don't feel a value add

Area: Risk Analysis
Issues:
• Risk appetite is not adequately defined and communicated
• Risk levels are not measured against risk tolerance levels
• Risk does not define inherent vs. residual risk
• Risk impact is not quantified
Impact:
• Board/management lacks transparency to determine if risk levels are appropriate; if risks require further mitigation action or possible exploitation; and whether certain activities should be continued given risk levels and current mitigation steps

Area: ERM Reporting
Issues:
• Reporting is limited to enterprise level and/or only a subset of risks are reported
• Risks reported to the Board are reported out of context
Impact:
• Board lacks transparency into overall risk profile/specific business unit risk

Area: Managing Risks
Issues:
• Action/mitigation plans and owners are not assigned to high risk areas
Impact:
• Lack of clear accountability and proactive action plans may lead to risks going unattended
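The "Risk Analysis" and "Managing Risks" pitfalls above (inherent vs. residual risk not distinguished, risk levels not measured against tolerance, no owner or action plan on high-risk items) translate directly into checks a risk register can run on every assessment cycle. The following Python is an added example and is not code from the presentation or from any tool it describes; the three-point scales, the control-effectiveness factor, the tolerance thresholds and the sample register are all assumptions chosen for illustration.

```python
"""Added example (not from the presentation): a minimal risk register that
scores inherent and residual risk, compares residual risk to a stated
tolerance, and flags high-rated risks that lack an owner or action plan.
All scales, thresholds and sample data below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Three-point scales, matching the High / Medium / Low bands on a heat map.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    name: str
    category: str                 # common risk language: Operational, Fraud, ...
    impact: str                   # Low / Medium / High
    probability: str              # Low / Medium / High
    control_effectiveness: float  # assumed 0.0 (no mitigation) .. 1.0 (fully mitigated)
    owner: Optional[str] = None
    action_plan: Optional[str] = None


def inherent_score(risk: Risk) -> int:
    """Impact x probability before any controls are considered (1..9)."""
    if risk.impact not in LEVEL or risk.probability not in LEVEL:
        raise ValueError(f"{risk.name}: impact/probability must be Low, Medium or High")
    return LEVEL[risk.impact] * LEVEL[risk.probability]


def residual_score(risk: Risk) -> int:
    """Inherent score reduced by control effectiveness; never below 1."""
    if not 0.0 <= risk.control_effectiveness <= 1.0:
        raise ValueError(f"{risk.name}: control_effectiveness must be in [0, 1]")
    return max(1, round(inherent_score(risk) * (1.0 - risk.control_effectiveness)))


def rating(score: int) -> str:
    """Map a 1..9 score back onto the three heat-map bands (assumed cut-offs)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def assess(register, tolerance):
    """For each risk: inherent and residual scores, rating, and a list of issues.

    tolerance maps a category to the maximum acceptable residual score, with a
    "default" entry for categories not listed. Issues mirror the pitfalls in the
    table: residual above tolerance, and High-rated risks with no owner or plan.
    """
    findings = []
    for risk in register:
        residual = residual_score(risk)
        limit = tolerance.get(risk.category, tolerance["default"])
        issues = []
        if residual > limit:
            issues.append(f"residual {residual} exceeds tolerance {limit}")
        if rating(residual) == "High" and risk.owner is None:
            issues.append("no risk owner assigned")
        if rating(residual) == "High" and risk.action_plan is None:
            issues.append("no action/mitigation plan")
        findings.append({
            "risk": risk.name,
            "category": risk.category,
            "inherent": inherent_score(risk),
            "residual": residual,
            "rating": rating(residual),
            "issues": issues,
        })
    return findings


# Assumed tolerance: maximum acceptable residual score per category.
TOLERANCE = {"default": 3, "Operational": 4, "Regulatory": 2}

# Constructed sample register (hypothetical risks, owners and controls).
SAMPLE_REGISTER = [
    Risk("Core banking platform outage", "Operational", "High", "Medium", 0.5,
         owner="COO", action_plan="Annual DR exercise"),
    Risk("Wire transfer fraud", "Fraud", "High", "Medium", 0.0),
    Risk("Late regulatory filing", "Regulatory", "Medium", "Medium", 0.75,
         owner="CFO", action_plan="Filing calendar with second reviewer"),
    Risk("Adverse interest rate shift", "Interest Rate", "High", "High", 0.2,
         owner="ALCO chair", action_plan="Hedging program"),
]


if __name__ == "__main__":
    for f in assess(SAMPLE_REGISTER, TOLERANCE):
        flag = "; ".join(f["issues"]) or "within tolerance"
        print(f"{f['risk']:<30} inherent={f['inherent']} residual={f['residual']} "
              f"({f['rating']}) {flag}")
```

Running the block prints one line per risk; in the sample register the unowned, unmitigated fraud risk is the only item that trips all three checks, while the interest-rate risk exceeds tolerance but already has an owner and a plan, which is the distinction the "Managing Risks" row of the table is drawing.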

Page 28

Polling question #3

If you currently HAVE an ERM strategy, who is the ERM champion in your institution?
• Chief Risk Officer
• Chief Financial Officer
• Chief Operations Officer
• Internal Audit
• Other

Page 29

Five steps to better risk management
(Diagram: the five steps arranged around Risk Mindset And Culture)

1 Identify and understand your major risks. Do you understand which risks will affect your company's future performance? Do you have insight into the risks that matter most?
2 Decide which risks are natural. Do you understand which risks your company is competitively advantaged to own and which you should seek to transfer or mitigate?
3 Determine your capacity and appetite for risk. Are you holding the amount of risk needed to deliver the returns you seek?
4 Embed risk in all decisions and processes. Are critical business decisions made with a clear view of how they change your company's risk profile? Are core business processes consistent with your approach to risk?
5 Align governance and organization around risk. Are the systems and infrastructure in place for you to monitor and manage risks that are being taken within your business?

Page 30

Step 1 – Identify / understand your major risks
Do you understand which risks will affect your company's future performance?
Do you know which risks matter most?
• Specify the risks you face
• Focus on the risks that really matter
• Manage the full spectrum of risks
• Traditional forecasting often fails to predict significant changes in the external environment
• Don't forget the past – but don't get mired in it

Page 31

Step 2 – Decide which risks are natural or direct
Which risks should you own? Which should you seek to transfer or mitigate?
• Does the company have superior capabilities to manage certain types or degrees of risk?
• Are the accessible risk transfer markets reasonably efficient?
• Decide how much of certain risks the company wants to own and which risks the company should not own

Page 32

Step 3 – Determine capacity and risk appetite
Are you holding the amount of risk needed to deliver the returns you seek?
• Do you quantify your operating cash-flow risk?
• How solid is your credit administration function?
• Obtain an objective assessment of loans and the lending process

Page 33

Step 4 – Embed risk management
Are critical business decisions made with a clear view of how the company's risk profile can change?
Are core business processes consistent with your approach to risk?
Risk-informed decisioning is a mind-set incorporated in the culture. It is a way of approaching processes and decisions:
• Investment decisions
• Business decisions
• Financial decisions
• Operational decisions

Page 34

Step 5 – Align governance and organization

Are the systems and infrastructure in place to monitor and manage business risks?

Does the organizational structure complement your risk management objectives?

Page 35

Polling question #4
How active is the Audit Committee in the ERM initiative in your institution?
• They initiated or sponsored the activity and are involved in all phases of ERM
• They are very involved and frequently inquire about and monitor ERM activities
• They get regular updates related to ERM initiatives but are not very involved
• They are not involved

Page 36

QUESTIONS?


Page 37

Contact Information
Shane Hester, Risk Advisory Manager
[email protected]
Office: (404) 751-9100
Cell: (404) 290-8389