This document is the proprietary and confidential property of Resources Global Professionals.
Enterprise Risk Management (ERM)
A Practical Approach
May 20, 2014
Risk Management Landscape
Often, risk management and oversight are the responsibility of select groups within an organization.
This encourages a silo-based philosophy and approach, resulting in a lack of strategic alignment, awareness and accountability across the organization.
Disparate efforts may measure unrelated values that do not give management a holistic view of its total value at risk.
Internal reporting cannot capture the cross-relationships and interdependencies that might compound or mitigate certain organization-wide exposures.
The result is a false sense of security within management that risks are adequately addressed and managed.
Enterprise Risk Management (ERM) has evolved over many years as a discipline to address these challenges.
Driving Forces
Learning from well-publicized crises
Fiduciary duty of officers and directors
International protocols
Ratings agencies evaluating risk management
Volatile credit market conditions
Corporate governance expectations
US Sentencing Guidelines
Value Proposition
Broader understanding of aggregate exposure to risk
Align risks and rewards
Eliminate surprises
Clarify roles and responsibilities
Assign risks with no clear owner
Enhance collaboration in response to events
Improve business decisions
Defining ERM
Enterprise Risk Management is defined by the Committee of Sponsoring Organizations (COSO) as follows:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
The content in this section is based on information gathered from www.coso.org
ENHANCE RISK MANAGEMENT ACROSS THE ORGANIZATION | RESULTS
Use a well-defined, rigorous and sustainable risk management framework. | Improved risk knowledge through a portfolio view of risks.
Execute a continuous, consistent and proactive risk assessment and risk response process. | Executive management and Board confidence.
Integrate risk management with key decision-making processes. | Coordinated and informed decision making.
Aggregate key risk information across the organization. | Improved governance and accountability for risk management.
Defining Enterprise Risk Management
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
The risk appetite reflects the entity’s risk management philosophy, and in turn, influences the entity’s culture and operating style.
The risk appetite is directly related to an entity’s strategy.
Enterprise risk management helps management select a strategy that aligns anticipated value creation with the entity’s risk appetite.
Enterprise Risk Management consists of eight interrelated components:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
(Diagram: individual silo risks are aggregated into gross risks; response and control activities reduce them to net risks.)
ERM Approach
We recommend a multi-phased and iterative ERM process designed to:
Focus on the highest priority risks.
Prove the process and refine as needed.
Leverage existing processes and risk related activities and deliverables.
Confirm the benefit to the ERM processes.
PHASE 1 Identify, Assess and Validate Risks
PHASE 2 Prioritize Key Risks
PHASE 3 Review Effectiveness of Risk Strategies and Responses
PHASE 4 Develop and Implement New Risk Strategies and Responses
PHASE 5 Measure, Monitor and Report on ERM Program Performance
PHASE 6 Integrate ERM Activities into Organization Processes
(All phases are driven by the organization's Business Goals, Objectives and Strategies.)
ERM Approach
Phase 1 – Identify, Assess and Validate Enterprise Risk
Review Corporate Vision Statement.
Identify risk category (strategic, operations, reporting or compliance) for risk assessment.
Document potential events / risks and related impact to the company’s strategy through workshops and/or surveys.
(Risk map diagram with columns Compliance Risk, Reporting Risk, Operational Risk and Strategic Risk. Example risks shown include: Internal Controls over Financial Reporting; Privacy Risks; Safety Reporting Risks; Financial Reporting; Legal Controls; Regulatory; Monetary Controls; Distribution; IT Systems; Turnover; Economic Risk; Un-diversified or under-diversified client base; Over-reliance on clients with limited or constricted funding; Economic constriction / recessionary pressures; Credit Risk; Disputes; Settlement Lag; Competition; Negative Publicity; Customer Demands; Regulatory / Political; Capital Availability; Technological; Market Risk; Equities; Other Assets; Currency; Liquidity; Interest Rate Sensitivity.)
ERM Approach
Phase 1 – Identify, Assess and Validate Enterprise Risk (continued)
Define likelihood.
Determine levels of impact.
Assess the likelihood and impact if the event / risk occurred.
Determine the priority.
RISK CATEGORY | DESCRIPTION OF POTENTIAL EVENT/RISK | LIKELIHOOD | IMPACT
Operations Risk | Supply chain disruptions; product liability events. | Low | High
Reputation Risk | Damage to reputation caused by company actions and/or partner actions. | Medium | High
Information Technology Risk | Inability to achieve objectives because of failures of enabling technology. | Medium | High
Market Risk | Financial stability of the client base and stability of the economy. | Medium | High
ERM Approach
Phase 1 – Identify, Assess and Validate Enterprise Risk (continued)
Define risk tolerance and risk appetite
Identify high level management strategy
Document risk response
Develop future mitigation actions
Determine the overall status
Liquidity Risk
Overall Risk Likelihood: High
Level of Impact: Medium
Management Strategy: Monitor / Mitigate
Overall Status: Update
Current Mitigation Responses: Increasing bad debts and aging receivables continue to impair our ability to generate enough liquidity to defray ongoing policyholder liabilities.
Future Mitigation Actions: Review contract with customer X (largest aging receivable). Sell receivable to third party at a discount.

Business Continuity Risk
Overall Risk Likelihood: High
Level of Impact: Medium
Management Strategy: Mitigate / Transfer
Overall Status: Update
Current Risk Responses: Hazards or catastrophic / other events threaten the company's ability to sustain operations and perform critical business functions or provide services to internal or external customers.
Mitigation: Implementing enhanced supplier / vendor risk management processes. Additional updates from Mr. X.
Risk Transfer: Significant improvements achieved in Business Interruption (BI), Contingent BI, Flood, Earthquake and Wind coverage and sub-limits.
ERM Approach
After Phase 1, we recommend:
Either continue with Phases 2 through 6, based on the value delivered, or return to Phase 1 with a different risk category.
Prove the process and refine as needed.
Leverage existing processes and risk-related activities and deliverables.
Confirm the benefit of the ERM process.
ERM Initial Action Steps
Seek Board and Senior Leadership involvement and oversight
Select a strong leader to drive the ERM initiative
Establish a Management Risk Team
Conduct the initial enterprise-wide risk assessment and develop an action plan
Inventory the existing risk management practices
Develop initial risk reporting
Develop action plans for future phases
(Governance structure diagram: ERM Program Sponsor; ERM Program Leader; ERM Steering Committee; Leadership Risk Committees; spanning People, Process and Technology.)
Key Implementation Questions
Are we taking the right kinds of risk?
Are we taking the proper amount of risk to meet our objectives?
Are we allocating resources (financial, human, technology) efficiently to manage risks?
Do we have a competitive advantage in a particular type of risk?
What will be our cultural and operational challenges as we implement ERM?
Risk Appetite Statement – Sample
High-level Roadmap of an organization’s risk management strategy.
Facilitates consistent enterprise-wide risk management.
RISK ELEMENTS | OUR ASSERTIONS
RISKS THAT ARE ACCEPTABLE OR ON-STRATEGY
Market growth. We will aggressively pursue regional strategies to meet our market growth objectives (increase of 4 percent in market share) and invest in and develop key markets.
RISKS THAT ARE UNDESIRABLE OR OFF-STRATEGY
Reputation and brand image. We will avoid any situation and action resulting in a negative impact on our reputation, and if and when an undesirable situation arises, manage it aggressively to protect our reputation and brand image.
Financial derivatives. We will limit our use of derivative instruments to "plain vanilla" swaps and options entered into with counterparties rated "AA" or better.
STRATEGIC RISK PARAMETERS
Investment limits. We will limit capital expenditures and investments in mergers and acquisitions to an amount that allows the company to achieve its annual free cash flow target of $330 million.
FINANCIAL RISK PARAMETERS
Target debt rating. We will seek to maintain an enterprise-level debt rating of "A" or better.
Self-sustaining growth. In seeking new business, we will maintain our working capital ratio between 1.0 and 1.5.
Financial strength. We will maintain an EBIT / Interest ratio between 4 and 5 times.
OPERATIONAL RISK PARAMETERS
Loss exposure. We will manage our operational activities and exposures to avoid an event resulting in a loss to pre-tax operating margin of more than $25 million.
Geographical dependence. A single geographical location will not account for more than 20 percent of our total loans.
Risk Register – Sample
High-level summary of the key aspects of a risk that an organization needs to know in order to effectively mitigate and manage a material risk.
Conveys risk ownership and how the organization is currently mitigating and managing each material risk.
Columns: TYPE OF RISK | DESCRIPTION OF RISK | KEY DRIVERS OF RISK | PROBABILITY OF RISK | FINANCIAL IMPACT OF RISK | HOW RISK IS CURRENTLY MANAGED | HOW RISK IS CURRENTLY MONITORED | RISK OWNER

Human Capital
Description: Disparity between employee base salary and marketplace base salary
Key drivers: (1) Freezes in merit raises; (2) Amount of merit raises; (3) Increasing employee cost of healthcare benefits
Probability: 5 = Certain
Financial impact: $5,000,001 - $15,000,000
Currently managed: (1) Targeted pay increases and job leveling roll-out; (2) Rebid healthcare benefits in 20XX
Currently monitored: (1) Voluntary turnover rate; (2) Number of exit interviews that cite compensation as key reason for leaving
Risk owner: Head of Human Resources (SVP, HR)

Financial
Description: Decreasing revenue
Key drivers: (1) Increased discounting of programs during marketing; (2) Failure to obtain insurance contracts; (3) Increasing bad debts
Probability: 4 = Likely
Financial impact: $1,000,001 - $5,000,000
Currently managed: (1) Track programs with lower than budgeted revenues and discuss with them how to improve revenues; (2) Increase collections training for Finance and Admissions
Currently monitored: (1) Bad debts expense as a % of revenue; (2) Program allowances or discounts from revenue
Risk owner: Head of Finance (CFO)

Legal
Description: Sentinel events
Key drivers: (1) Acuity of patients; (2) Patient suicides; (3) Patient drug overdose
Probability: 3 = Possible
Financial impact: $500,001 - $1,000,000
Currently managed: (1) Monitor and respond to sentinel events reported in the incident report system; (2) Create new clinical management interventions
Currently monitored: (1) Number of sentinel events per program per month, quarter or year; (2) Frequency and cost of sentinel-related litigation
Risk owner: Head of Legal (SVP & General Counsel)
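The sample register above, scored and rolled up in code, as an added example that is not part of the RGP deck or COSO's guidance. It keeps the deck's 5-point probability scale and financial impact bands, computes a gross (inherent) and net (residual) score per risk, flags risks that have no clear owner and risks whose potential loss exceeds the $25 million single-event limit from the sample risk appetite statement, and aggregates by category for a portfolio view. The score assigned to each impact band, the rule that each documented response lowers likelihood by one step, the labels for probability levels 1 and 2, and the fourth "Operational" risk are all assumptions made for this example.

```python
"""Risk register scoring and portfolio roll-up (added example, not RGP's code).

Scale used by the deck: probability 5 = Certain, 4 = Likely, 3 = Possible
(the labels for 2 and 1 are assumed), and financial impact bands such as
$500,001 - $1,000,000. The impact-band scores, the one-step-per-response
residual reduction and the $25,000,000 single-event loss limit (from the
sample risk appetite statement) are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROBABILITY = {5: "Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}

# (lower bound, upper bound, score). The middle three bands are the deck's;
# the outer two are assumed.
IMPACT_BANDS = [
    (0, 500_000, 1),
    (500_001, 1_000_000, 2),
    (1_000_001, 5_000_000, 3),
    (5_000_001, 15_000_000, 4),
    (15_000_001, float("inf"), 5),
]

MAX_SINGLE_LOSS = 25_000_000  # sample appetite: no single event above this


def impact_score(loss_upper: int) -> int:
    """Map the upper bound of a financial impact band to a 1-5 score."""
    for lo, hi, score in IMPACT_BANDS:
        if lo <= loss_upper <= hi:
            return score
    raise ValueError(f"impact out of range: {loss_upper}")


@dataclass
class Risk:
    category: str
    description: str
    probability: int            # 1-5, per PROBABILITY
    loss_upper: int             # upper bound of the financial impact band, USD
    owner: Optional[str] = None
    responses: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.probability not in PROBABILITY:
            raise ValueError(f"probability must be 1-5: {self.probability}")

    def inherent(self) -> int:
        """Gross (inherent) score before any response."""
        return self.probability * impact_score(self.loss_upper)

    def residual(self) -> int:
        """Net (residual) score: each documented response is assumed to
        lower likelihood by one step, never below 1."""
        likelihood = max(1, self.probability - len(self.responses))
        return likelihood * impact_score(self.loss_upper)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank by residual score, ties broken by inherent score."""
    return sorted(risks, key=lambda r: (r.residual(), r.inherent()), reverse=True)


def unowned(risks: List[Risk]) -> List[Risk]:
    """Risks with no clear owner: the deck says these must be assigned."""
    return [r for r in risks if not r.owner]


def outside_appetite(risks: List[Risk]) -> List[Risk]:
    """Risks whose potential loss exceeds the single-event limit."""
    return [r for r in risks if r.loss_upper > MAX_SINGLE_LOSS]


def portfolio_view(risks: List[Risk]) -> Dict[str, Dict[str, int]]:
    """Aggregate inherent and residual scores per risk category."""
    view: Dict[str, Dict[str, int]] = {}
    for r in risks:
        row = view.setdefault(r.category, {"count": 0, "inherent": 0, "residual": 0})
        row["count"] += 1
        row["inherent"] += r.inherent()
        row["residual"] += r.residual()
    return view


# Constructed register: the three rows of the deck's sample plus one
# hypothetical unowned risk added to exercise the checks.
REGISTER = [
    Risk("Human Capital", "Disparity between employee and marketplace base salary",
         5, 15_000_000, "Head of Human Resources (SVP, HR)",
         ["Targeted pay increases and job leveling roll-out", "Rebid healthcare benefits"]),
    Risk("Financial", "Decreasing revenue", 4, 5_000_000, "Head of Finance (CFO)",
         ["Track programs with lower than budgeted revenues", "Collections training"]),
    Risk("Legal", "Sentinel events", 3, 1_000_000, "Head of Legal (SVP & General Counsel)",
         ["Monitor and respond to sentinel events", "New clinical management interventions"]),
    Risk("Operational", "Loss of primary data center (hypothetical)", 2, 30_000_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.residual():>3} (inherent {r.inherent():>2})  {r.category}: {r.description}")
    print("unowned:", [r.description for r in unowned(REGISTER)])
    print("outside appetite:", [r.description for r in outside_appetite(REGISTER)])
    print(portfolio_view(REGISTER))
```

Ranking on residual rather than inherent score is what makes the "current mitigation" column of the register matter: the Human Capital row stays on top because its two responses only bring a "Certain" likelihood down to "Possible", while the unowned hypothetical risk surfaces through both the ownership and the appetite checks even though its likelihood is low.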
Capability Benchmarking and Align Capabilities to Risks
CAPABILITY | DESCRIPTION | ROBUST (5) | ADEQUATE (3) | CHALLENGED (1) | SELF ASSESS (1.0 to 5.0)
Name of capability | Describe what this capability does | List several attributes that define a strong, highly resilient or best-in-class capability | List several attributes that define an average or adequate capability | List several attributes that define a capability that may be functioning, but that is in need of substantial improvement to be considered adequate | Self-assessed score

RISK CATEGORY | CAPABILITIES | GAPS
Market | |
Credit | |
Operational | |
Strategic | |
Reputation | |
Regulatory | |
ERM Best Practices
Create a strategic plan, implementation roadmap and on-going program for ERM.
Incorporate risk management into strategy, development and review of all business action plans.
Leverage a framework (or multiple frameworks).
Obtain Board and Senior Leadership sponsorship.
Request visible, active support from CEO and CFO.
Create Board and Executive level committees that are actively involved in risk management.
Share risk management information with Senior Leadership team and business partners.
Develop and maintain an ERM dashboard.
Create a culture encouraging full engagement and accountability.
Develop a process tailored to your organization.
Use consistent risk management language across the organization.
Consider an automated tool that meets the organization’s needs.
Contact Information
LESTER SUSSMAN
Senior Practice Director
818-598-5730
NELSON SCHMIDT
Managing Director - Houston
713-403-1965
TOMMY PARKER
Managing Director, Strategic Accounts
713-403-1970
Additional COSO ERM Information
Internal Environment - ERM Component
Elements:
Risk Management Philosophy
Risk Appetite
Board of Directors
Integrity and Ethical Values
Commitment to Competence
Organizational Structure
Assignment of Authority and Responsibility
Human Resources Standards
Implications
Internal Environment sets the basis for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people – their individual attributes, including integrity, ethical values and competence – and the environment in which they operate.
Risk Appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the Risk Management Philosophy, and in turn, influences the entity’s culture and operating style.
Integrity and Ethical Values influence the way strategies are implemented and require management’s commitment. Standards of behavior go beyond compliance with the law.
Organizational Structure provides the framework to plan, execute, control and monitor activities. The structure includes defining authority and responsibility and establishes appropriate lines of reporting.
Assignment of Authority and Responsibility establishes the levels where an individual is empowered (or not) to make decisions.
(Diagram: Decrease Risk / Increase Growth.)
Objective Setting - ERM Component
Elements:
Strategic Objectives
Operations Objectives
Reporting Objectives
Compliance Objectives
Achievement of Objectives
Selected Objectives
Risk Appetite
Risk Tolerances
Objective Setting is aligned to event identification, risk assessment and risk response.
Strategic Objectives are high-level goals that align with and support the entity's mission and vision and identify critical success factors for the entity, business unit, function, department, etc., or an individual. Objectives should be readily understood and measurable. Related objectives include:
Operations Objectives
Reporting Objectives
Compliance Objectives
Achievement of Objectives assists in implementing appropriate risk responses and provides timely monitoring and reporting of how the entity is achieving its objectives.
Risk Appetite can be expressed in qualitative or quantitative terms. It can be described as the acceptable balance of growth, risk and return, or as risk-adjusted shareholder value-added measures.
Risk Tolerances are the acceptable level of variation in performance relative to the achievement of objectives.
Performance measures can be used to help ensure that actual results will be within established tolerances.
Event Identification - ERM Component
Elements:
Events
Influencing Factors
Event Identification Techniques
Inter-dependencies
Event Categories
Event Identification is the process of identifying potential events that, if they occur, will affect the entity, and determining whether their impact on the entity's ability to implement strategy and achieve objectives is positive or negative.
Events are incidents or occurrences emanating from internal or external sources.
Influencing Factors can be:
External: economic, natural environment, political, social, technological.
Internal: infrastructure, personnel, process, technology.
Risk Assessment - ERM Component
Elements:
Inherent and Residual Risk
Estimating Likelihood and Impact
Assessment Techniques
Relationship Between Events
Risk Assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Risks are generally assessed from two perspectives, likelihood and impact, and normally through a combination of qualitative and quantitative methods.
Risk Categorization: Strategic; Operational; Reporting; Compliance.
Assessing Impact: Data sources; Perspective.
Quantitative Risk Assessment Techniques: Benchmarking; Probabilistic models; Non-probabilistic models.
(Diagram: Enterprise Risk comprises Market Risk, Credit Risk, Operational Risk, Strategic Risk, Reputation Risk and Regulatory Risk.)
Risk Response - ERM Component
Elements:
Evaluating Possible Responses
Selected Responses
Portfolio View
Risk Response: management determines how it will respond to risks. Categories of risk responses include:
Avoidance
Reduction
Sharing
Acceptance
Evaluating Possible Responses:
Evaluating the effect on risk likelihood and impact
Assessing costs versus benefits
Opportunities
Control Activities - ERM Component
Elements:
Integration with Risk Response
Types of Control Activities
Policies & Procedures
Controls Over Information Systems
Entity Specific
Control Activities are the policies and procedures, carried out by people directly or through the application of technology, that help ensure management's risk responses are carried out.
Types of Control Activities: Top-level reviews; Direct functional or activity management; Physical controls; Performance indicators; Segregation of duties.
Controls over Information Systems (other frameworks, such as COBIT, the Information Technology Infrastructure Library (ITIL) and ISO standards, often provide the detailed guidance): Information technology management; Information technology infrastructure; Security management; Software acquisition, development and maintenance; Application controls.
Information and Communication - ERM Component
Elements:
Information
Communication
Information and Communication: pertinent information, gathered and generated from a variety of sources, is needed at all levels of the entity to identify, assess and respond to risks and to make informed decisions.
Information, both operating and financial and non-financial, is relevant to multiple business objectives:
Strategic and integrated systems
Integration with operations
Depth and timeliness of information
Information quality
Communication is inherent in information systems, but must also take place in a broader sense to deal with expectations and responsibilities. Additionally, all personnel need to receive a clear message from leadership that ERM is to be taken seriously.
Communication methods: Internal; External.
Monitoring - ERM Component
Elements:
Ongoing Monitoring Activities
Separate Evaluations
Reporting Deficiencies
Monitoring: risk management is monitored in the normal course of activities or through separate evaluations.
Ongoing Monitoring Activities are regular management activities.
Separate Evaluations: Scope and frequency; Who evaluates; The evaluation process; Methodology; Documentation.
Reporting Deficiencies: Sources of information; What is reported; To whom to report; Reporting directives.
Defining the ERM Components
Internal Environment: Risk Management Philosophy; Risk Appetite; Board of Directors; Integrity and Ethical Values; Commitment to Competence; Organizational Structure; Assignment of Authority and Responsibility; Human Resources Standards; Implications.
Objective Setting: Strategic Objectives; Related Objectives: Operations; Related Objectives: Reporting; Related Objectives: Compliance; Achievement of Objectives; Selected Objectives; Risk Appetite; Risk Tolerances.
Event Identification: Events; Influencing Factors; Event Identification Techniques; Inter-dependencies; Event Categories.
Risk Assessment: Inherent and Residual Risk; Estimating Likelihood and Impact; Assessment Techniques; Relationship Between Events.
Risk Response: Evaluating Possible Responses; Selected Responses; Portfolio View.
Control Activities: Integration with Risk Response; Types of Control Activities; Policies & Procedures; Controls Over Information Systems; Entity Specific.
Information and Communication: Information; Communication.
Monitoring: Ongoing Monitoring Activities; Separate Evaluations; Reporting Deficiencies.