Enterprise Risk Management (ERM)


Page 1: Enterprise Risk Management (ERM)

This document is the proprietary and confidential property of Resources Global Professionals.

Enterprise Risk Management (ERM)

A Practical Approach

May 20, 2014

Page 2: Enterprise Risk Management (ERM)


Risk Management Landscape

Often, risk management and oversight are the responsibility of select groups within an organization.

It emphasizes a silo-based philosophy and approach, resulting in a lack of strategic alignment, awareness and accountability across the organization.

Disparate efforts might measure unrelated values that may not give management a holistic view into its total value at risk.

Internal reporting cannot capture cross relationships and interdependencies that might compound or mitigate certain organizational-wide exposures.

Therefore, there is a false sense of security within management that risks are adequately addressed and managed.

Enterprise Risk Management (ERM) has evolved over many years as a discipline to address these challenges.


Page 3: Enterprise Risk Management (ERM)


Driving Forces

Learning from well-publicized crises

Fiduciary duty of officers and directors

International protocols

Ratings agencies evaluating risk management

Volatile credit market conditions

Corporate governance expectations

US Sentencing Guidelines


Page 4: Enterprise Risk Management (ERM)


Value Proposition

Broader understanding of aggregate exposure to risk

Align risks and rewards

Eliminate surprises

Clarify roles and responsibilities

Assign risks with no clear owner

Enhance collaboration in response to events

Improve business decisions


Page 5: Enterprise Risk Management (ERM)


Defining ERM

Enterprise Risk Management is defined by the Committee of Sponsoring Organizations (COSO) as follows:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

The content in this section is based on information gathered from www.coso.org

ENHANCE RISK MANAGEMENT ACROSS THE ORGANIZATION | RESULTS
Use a well-defined, rigorous and sustainable risk management framework. | Improved risk knowledge through a portfolio view of risks.
Execute a continuous, consistent and proactive risk assessment and risk response process. | Executive management and Board confidence.
Integrate risk management with key decision-making processes. | Coordinated and informed decision making.
Aggregate key risk information across the organization. | Improved governance and accountability for risk management.

Page 6: Enterprise Risk Management (ERM)


Defining Enterprise Risk Management

Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.

The risk appetite reflects the entity’s risk management philosophy, and in turn, influences the entity’s culture and operating style.

The risk appetite is directly related to an entity’s strategy.

Enterprise risk management helps management select a strategy that aligns anticipated value creation with the entity’s risk appetite.

Enterprise Risk Management consists of eight interrelated components:

Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring

Figure labels (risk aggregation diagram): Silo Risk, Silo Risk, Silo Risk; Gross Risks; Response and Control; Net Risks.

Page 7: Enterprise Risk Management (ERM)


ERM Approach

We recommend a multi-phased and iterative ERM process designed to:

Focus on the highest priority risks.

Prove the process and refine as needed.

Leverage existing processes and risk related activities and deliverables.

Confirm the benefit to the ERM processes.

PHASE 1 – Identify, Assess and Validate Risks
PHASE 2 – Prioritize Key Risks
PHASE 3 – Review Effectiveness of Risk Strategies and Responses
PHASE 4 – Develop and Implement New Risk Strategies and Responses
PHASE 5 – Measure, Monitor and Report on ERM Program Performance
PHASE 6 – Integrate ERM Activities into Organization Processes

Figure label: Business Goals, Objectives and Strategies

Page 8: Enterprise Risk Management (ERM)


ERM Approach

Phase 1 – Identify, Assess and Validate Enterprise Risk

Review Corporate Vision Statement.

Identify risk category (strategic, operations, reporting or compliance) for risk assessment.

Document potential events / risks and related impact to the company’s strategy through workshops and/or surveys.

Risk categories (slide columns): COMPLIANCE RISK | REPORTING RISK | OPERATIONAL RISK | STRATEGIC RISK

Example risks listed under the categories, grouped as on the slide:
Internal Controls over Financial Reporting; Privacy Risks; Safety Reporting Risks
Financial Reporting; Legal Controls; Regulatory; Monetary Controls; Distribution; IT Systems; Turnover
Economic Risk: un-diversified or under-diversified client base; over-reliance on clients with limited or constricted funding; economic constriction / recessionary pressures
Credit Risk; Disputes; Settlement Lag
Competition; Negative Publicity; Customer Demands; Regulatory / Political; Capital Availability; Technological
Market Risk: Equities; Other Assets; Currency; Liquidity; Interest Rate Sensitivity

Page 9: Enterprise Risk Management (ERM)


ERM Approach

Phase 1 – Identify, Assess and Validate Enterprise Risk (continued)

Define likelihood.

Determine levels of impact.

Assess the likelihood and impact if the event / risk occurred.

Determine the priority.

RISK CATEGORY | DESCRIPTION OF POTENTIAL EVENT/RISK | LIKELIHOOD | IMPACT
OPERATIONS RISK | Supply chain disruptions; product liability events. | Low | High
REPUTATION RISK | Damage to reputation caused by company actions and/or partner actions. | Medium | High
INFORMATION TECHNOLOGY RISK | Inability to achieve objectives because of failures of enabling technology. | Medium | High
MARKET RISK | Financial stability of the client base and stability of the economy. | Medium | High

Page 10: Enterprise Risk Management (ERM)


ERM Approach

Phase 1 – Identify, Assess and Validate Enterprise Risk (continued)

Define risk tolerance and risk appetite

Identify high level management strategy

Document risk response

Develop future mitigation actions

Determine the overall status

Liquidity Risk
Columns: Overall Risk | Likelihood | Level of Impact | Management Strategy | Future Mitigation Actions | Overall Status
Ratings shown: High, Medium. Management Strategy: Monitor / Mitigate. Overall Status: Update.
Risk description: Increasing bad debts and aging receivables continue to impair our ability to generate enough liquidity to defray ongoing policyholder liabilities.
Current Mitigation Responses: Review contract with customer X (largest aging receivable). Sell receivable to third party at a discount.

Business Continuity Risk
Columns: Overall Risk | Likelihood | Level of Impact | Management Strategy | Future Mitigation Actions | Overall Status
Ratings shown: High, Medium. Management Strategy: Mitigate / Transfer. Overall Status: Update.
Risk description: Hazards or catastrophic / other events threaten the company’s ability to sustain operations and perform critical business functions or provide services to internal or external customers.
Current Risk Responses:
Mitigation: Implementing enhanced supplier / vendor risk management processes. Additional updates from Mr. X.
Risk Transfer: Significant improvements achieved in Business Interruption (BI), Contingent BI, Flood, Earthquake and Wind coverage and sub-limits.

Page 11: Enterprise Risk Management (ERM)


ERM Approach

After Phase 1, we recommend:

Either continue with Phases 2 through 6, based on the value, or

Return to Phase 1 with a different risk category

Prove the process and refine as needed

Leverage existing processes and risk related activities and deliverables

Confirm the benefit to the ERM processes


Page 12: Enterprise Risk Management (ERM)


ERM Initial Action Steps

Seek Board and Senior Leadership involvement and oversight

Select a strong leader to drive the ERM initiative

Establish a Management Risk Team

Conduct the initial enterprise-wide risk assessment and develop an action plan

Inventory the existing risk management practices

Develop initial risk reporting

Develop action plans for future phases

Figure labels (ERM governance structure): ERM Program Sponsor; ERM Program Leader; ERM Steering Committee; Leadership Risk Committees; People, Process, Technology.

Page 13: Enterprise Risk Management (ERM)


Key Implementation Questions

Are we taking the right kinds of risk?

Are we taking the proper amount of risk to meet our objectives?

Are we allocating resources (financial, human, technology) efficiently to manage risks?

Do we have a competitive advantage in a particular type of risk?

What will be our cultural and operational challenges as we implement ERM?

Page 14: Enterprise Risk Management (ERM)


Risk Appetite Statement – Sample

High-level Roadmap of an organization’s risk management strategy.

Facilitates consistent enterprise-wide risk management.

RISK ELEMENTS | OUR ASSERTIONS

RISKS THAT ARE ACCEPTABLE OR ON-STRATEGY

Market growth. We will aggressively pursue regional strategies to meet our market growth objectives (increase of 4 percent in market share) and invest in and develop key markets.

RISKS THAT ARE UNDESIRABLE OR OFF-STRATEGY

Reputation and brand image. We will avoid any situation and action resulting in a negative impact on our reputation, and if and when an undesirable situation arises, manage it aggressively to protect our reputation and brand image.

Financial derivatives. We will limit our use of derivative instruments to "plain vanilla" swaps and options entered into with counterparties rated "AA" or better.

STRATEGIC RISK PARAMETERS

Investment limits. We will limit capital expenditures and investments in mergers and acquisitions to an amount that allows the company to achieve its annual free cash flow target of $330 million.

FINANCIAL RISK PARAMETERS

Target debt rating. We will seek to maintain an enterprise-level debt rating of "A" or better.

Self-sustaining growth. In seeking new business, we will maintain our working capital ratio between 1 and 1.5 percent.

Financial strength. We will maintain an EBIT / Interest ratio between 4 and 5 percent.

OPERATIONAL RISK PARAMETERS

Loss exposure. We will manage our operational activities and exposures to avoid an event resulting in a loss to pre-tax operating margin of more than $25 million.

Geographical dependence. A single geographical location will not account for more than 20 percent of our total loans.


Page 15: Enterprise Risk Management (ERM)


Risk Register – Sample

High-level summary of the key aspects of a risk that an organization needs to know in order to effectively mitigate and manage a material risk.

Conveys risk ownership and how the organization is currently mitigating and managing each material risk.

Columns: TYPE OF RISK | DESCRIPTION OF RISK | KEY DRIVERS OF RISK | PROBABILITY OF RISK | FINANCIAL IMPACT OF RISK | HOW RISK IS CURRENTLY MANAGED | HOW RISK IS CURRENTLY MONITORED | RISK OWNER

Type of Risk: Human Capital
Description of Risk: Disparity between employee base salary and marketplace base salary
Key Drivers of Risk: (1) Freezes in merit raises; (2) Amount of merit raises; (3) Increasing employee cost of healthcare benefits
Probability of Risk: 5 = Certain
Financial Impact of Risk: $5,000,001 - $15,000,000
How Risk Is Currently Managed: (1) Targeted pay increases and job leveling roll-out; (2) Rebid healthcare benefits in 20XX
How Risk Is Currently Monitored: (1) Voluntary turnover rate; (2) Number of exit interviews that cite compensation as key reason for leaving
Risk Owner: Head of Human Resources (SVP, HR)

Type of Risk: Financial
Description of Risk: Decreasing revenue
Key Drivers of Risk: (1) Increased discounting of programs during marketing; (2) Failure to obtain insurance contracts; (3) Increasing bad debts
Probability of Risk: 4 = Likely
Financial Impact of Risk: $1,000,001 - $5,000,000
How Risk Is Currently Managed: (1) Track programs with lower than budgeted revenues and discuss with them how to improve revenues; (2) Increase collections training for Finance and Admissions
How Risk Is Currently Monitored: (1) Bad debts expense as a % of revenue; (2) Program allowances or discounts from revenue
Risk Owner: Head of Finance (CFO)

Type of Risk: Legal
Description of Risk: Sentinel events
Key Drivers of Risk: (1) Acuity of patients; (2) Patient suicides; (3) Patient drug overdose
Probability of Risk: 3 = Possible
Financial Impact of Risk: $500,001 - $1,000,000
How Risk Is Currently Managed: (1) Monitor and respond to sentinel events reported in the incident report system; (2) Create new clinical management interventions
How Risk Is Currently Monitored: (1) Number of sentinel events per program per month, quarter or year; (2) Frequency and cost of sentinel-related litigation
Risk Owner: Head of Legal (SVP & General Counsel)

Page 16: Enterprise Risk Management (ERM)


Capability Benchmarking and Aligning Capabilities to Risks

Capability benchmarking template:
CAPABILITY | DESCRIPTION | ROBUST (5) | ADEQUATE (3) | CHALLENGED (1)
Name of capability | Describe what this capability does | List several attributes that define a strong, highly resilient or best in class capability | List several attributes that define an average or adequate capability | List several attributes that define a capability that may be functioning, but that is in need of substantial improvement to be considered adequate
Self Assess: 1.0 to 5.0

Aligning capabilities to risks:
RISK CATEGORY | CAPABILITIES | GAPS
Rows (capabilities and gaps to be filled in per category): Market; Credit; Operational; Strategic; Reputation; Regulatory

Page 17: Enterprise Risk Management (ERM)


ERM Best Practices


Create a strategic plan, implementation roadmap and on-going program for ERM.

Incorporate risk management into strategy, development and review of all business action plans.

Leverage a framework (or multiple frameworks).

Obtain Board and Senior Leadership sponsorship.

Request visible, active support from CEO and CFO.

Create Board and Executive level committees that are actively involved in risk management.

Share risk management information with Senior Leadership team and business partners.

Develop and maintain an ERM dashboard.

Create a culture encouraging full engagement and accountability.

Develop a process tailored to your organization.

Use consistent risk management language across the organization.

Consider an automated tool that meets the organization’s needs.

Page 18: Enterprise Risk Management (ERM)


Contact Information

LESTER SUSSMAN

Senior Practice Director

[email protected]

818-598-5730

NELSON SCHMIDT

Managing Director - Houston

[email protected]

713-403-1965

TOMMY PARKER

Managing Director, Strategic Accounts

[email protected]

713-403-1970

Page 19: Enterprise Risk Management (ERM)


Additional COSO ERM Information

Page 20: Enterprise Risk Management (ERM)


Internal Environment – ERM Component

Elements of the Internal Environment:
Risk Management Philosophy
Risk Appetite
Board of Directors
Integrity and Ethical Values
Commitment to Competence
Organizational Structure
Assignment of Authority and Responsibility
Human Resources Standards
Implications

Internal Environment sets the basis for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people – their individual attributes, including integrity, ethical values and competence – and the environment in which they operate.

Risk Appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the Risk Management Philosophy, and in turn, influences the entity’s culture and operating style.

Integrity and Ethical Values influence the way strategies are implemented and require management’s commitment. Standards of behavior go beyond compliance with the law.

Organizational Structure provides the framework to plan, execute, control and monitor activities. The structure includes defining authority and responsibility and establishes appropriate lines of reporting.

Assignment of Authority and Responsibility establishes the levels where an individual is empowered (or not) to make decisions.

Figure labels: Decrease Risk; Increase Growth.

Page 21: Enterprise Risk Management (ERM)


Objective Setting - ERM Component

Elements of Objective Setting:
Strategic Objectives
Operations Objectives
Reporting Objectives
Compliance Objectives
Achievement of Objectives
Selected Objectives
Risk Appetite
Risk Tolerances

Objective Setting is aligned to event identification, risk assessment and risk response.

Strategic Objectives are high level goals that align with and support the entity’s mission and vision and identify critical success factors for the entity, business unit, function, department, etc., or an individual. Objectives should be readily understood and measurable. Related objectives include Operations Objectives, Reporting Objectives and Compliance Objectives.

Achievement of Objectives assists in implementing appropriate risk responses and providing timely monitoring and reporting of how the entity is achieving the objectives.

Risk Appetite can be expressed in qualitative or quantitative terms. It can be described as the acceptable balance of growth, risk and return, or as risk-adjusted shareholder value added measures.

Risk Tolerances are the acceptable level of variation in performance relative to the achievement of objectives.

Performance measures can be used to help ensure the actual results will be within established tolerances.

Page 22: Enterprise Risk Management (ERM)


Event Identification - ERM Component

Elements of Event Identification:
Events
Influencing Factors
Event Identification Techniques
Inter-dependencies
Event Categories

Event Identification is a process to determine whether certain occurrences may happen and whether they will have a positive or negative impact on the entity’s ability to implement strategy and achieve objectives.

Events are incidents or occurrences emanating from internal or external sources.

Influencing Factors can be:
External (economic, natural environment, political, social, technological)
Internal (infrastructure, personnel, process, technology)

Page 23: Enterprise Risk Management (ERM)


Risk Assessment - ERM Component

Elements of Risk Assessment:
Inherent and Residual Risk
Estimating Likelihood and Impact
Assessment Techniques
Relationship Between Events

Risk Assessment allows an entity to consider the extent to which potential events have an impact on the achievement of objectives. Risks are generally assessed from two perspectives – likelihood and impact – and normally through a combination of qualitative and quantitative methods.

Risk Categorization: Strategic; Operational; Reporting; Compliance

Assessing Impact: Data sources; Perspective

Quantitative Risk Assessment Techniques: Benchmarking; Probabilistic models; Non-probabilistic models

Figure labels (Enterprise Risk breakdown): Market Risk; Credit Risk; Operational Risk; Strategic Risk; Reputation Risk; Regulatory Risk

Page 24: Enterprise Risk Management (ERM)


Risk Response - ERM Component

Elements of Risk Response:
Evaluating Possible Responses
Selected Responses
Portfolio View

Risk Response – Management determines how it will respond to risks. Categories of Risk Responses include: Avoidance; Reduction; Sharing; Acceptance.

Evaluating Possible Responses: Evaluating effect on risk likelihood and impact; Assessing cost versus benefits; Opportunities

Page 25: Enterprise Risk Management (ERM)


Control Activities - ERM Component

Elements of Control Activities:
Integration with Risk Response
Types of Control Activities
Policies & Procedures
Controls Over Information Systems
Entity Specific

Control Activities are the policies and procedures, which are the actions of people, directly or through the application of technology, that help ensure management’s risk responses are carried out.

Types of Control Activities: Top-level reviews; Direct functional or activity management; Physical controls; Performance indicators; Segregation of duties

Controls over Information Systems (other frameworks, such as COBIT, the Information Technology Infrastructure Library (ITIL) and International Standards (ISO), are often used to provide detailed guidance): Information technology management; Information technology infrastructure; Security management; Software acquisition, development and maintenance; Application controls

Page 26: Enterprise Risk Management (ERM)


Information and Communication - ERM Component

Elements of Information and Communication:
Information
Communication

Information and Communication is needed at all levels to identify, assess and respond to risks gathered and generated from a variety of sources and make informed decisions.

Information, operating, financial and non-financial, is relevant to multiple business objectives: Strategic and integrated systems; Integration with operations; Depth and timeliness of information; Information quality

Communication is inherent in information systems, but also must take place in a broader sense to deal with expectations and responsibilities. Additionally, all personnel need to receive a clear message from leadership that ERM is to be taken seriously.

Communication: Internal; External; Communication methods

Page 27: Enterprise Risk Management (ERM)


Monitoring - ERM Component

Elements of Monitoring:
Ongoing Monitoring Activities
Separate Evaluations
Reporting Deficiencies

Monitoring – Risk Management is monitored in the normal course of activities or through separate evaluations.

Ongoing Monitoring Activities are regular management activities.

Separate Evaluations: Scope and frequency; Who evaluates; The evaluation process; Methodology; Documentation

Reporting Deficiencies: Sources of information; What is reported; To whom to report; Reporting directives

Page 28: Enterprise Risk Management (ERM)


Defining the ERM Components

Internal Environment: Risk Management Philosophy; Risk Appetite; Board of Directors; Integrity and Ethical Values; Commitment to Competence; Organizational Structure; Assignment of Authority and Responsibility; Human Resources Standards; Implications

Objective Setting: Strategic Objectives; Related Objectives: Operations; Related Objectives: Reporting; Related Objectives: Compliance; Achievement of Objectives; Selected Objectives; Risk Appetite; Risk Tolerances

Event Identification: Events; Influencing Factors; Event Identification Techniques; Inter-dependencies; Event Categories

Risk Assessment: Inherent and Residual Risk; Estimating Likelihood and Impact; Assessment Techniques; Relationship Between Events

Risk Response: Evaluating Possible Responses; Selected Responses; Portfolio View

Control Activities: Integration with Risk Response; Types of Control Activities; Policies & Procedures; Controls Over Information Systems; Entity Specific

Information and Communication: Information; Communication

Monitoring: Ongoing Monitoring Activities; Separate Evaluations; Reporting Deficiencies