ERM: What's New & What's Next

www.theiia.org/Training

ERM: What’s New & What’s Next

Institute of Internal Auditors Webinar, February 19, 2009

Presented by: John A. Wheeler, Managing Principal, Wheelhouse Advisors LLC; Kenneth K. Yoo, Senior Vice President – Enterprise Risk Management, Federal Home Loan Bank of Atlanta

Description

1. Identify key risks facing companies operating both inside and outside the United States.

2. Develop an Enterprise Risk Management Framework & Approach.

3. Express the evolution of a Risk & Controls Program.

4. Articulate Enterprise Risk Management in the era of increased regulatory and shareholder scrutiny.


Page 1: ERM: What's New & What's Next


Page 2: ERM: What's New & What's Next

© Copyright 2009 - Wheelhouse Advisors LLC

Discussion Topics

• Key risks facing companies operating both inside and outside the United States

• Developing an Enterprise Risk Management Framework & Approach

• Evolution of a Risk & Controls Program

• Enterprise Risk Management in the era of increased regulatory and shareholder scrutiny


Page 3: ERM: What's New & What's Next


Changing Risk Environment


Page 4: ERM: What's New & What's Next


Changing Risk Environment

In 2008 & 2009, the risk landscape has shifted dramatically.

[Slide shows a news headline: “Fannie and Freddie Likely to Plunge, Searing Investors”]

Page 5: ERM: What's New & What's Next


Developing an ERM Framework

What is “ERM”?

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework, 2004.


Page 6: ERM: What's New & What's Next


Developing an ERM Framework

• ERM is a process that encompasses the following key activities:

– Identifies potential events that may arise out of and/or impact a company’s strategic objectives

– Assesses the severity and likelihood of risk events

– Determines risk response

  • Evaluates in relation to risk tolerances

  • Determines approach – Avoid, Accept, Reduce, Share

  • Specifies mitigation plan

– Manages risk within the enterprise’s risk appetite

– Takes a portfolio view of risk at the top

– Monitors performance continuously


Page 7: ERM: What's New & What's Next


Developing an ERM Framework

“Old School” Approach vs. “New School” Approach

• Old School: Risk perceived as individual hazards that may negatively impact a given area
  New School: Understand risks in context of business strategies and objectives

• Old School: Ad hoc focus on risks with greatest emphasis on recent events
  New School: Disciplined and forward looking focus on critical risks

• Old School: Managing risks is senior management’s responsibility
  New School: Managing risk is everyone’s responsibility

• Old School: Minimize and/or eliminate risk
  New School: Manage risk within tolerance levels and capitalize on opportunities

• Old School: No risk owners
  New School: Well defined accountability for risks

• Old School: No formal risk reporting or monitoring at the entity level
  New School: Risk reporting emanating from existing channels to the top

• Old School: Highly decentralized
  New School: Portfolio management


Page 8: ERM: What's New & What's Next


Risk Assessment vs. ERM

• Risk Assessment

– Point-in-time snapshot

– Often internal audit driven

– Identifies where to focus current attention

– Great for planning, but not the full solution

• ERM

– Continuous risk monitoring and identification

– Real-time assessment using indicators as well as evaluation of new strategic initiatives

– Balanced focus on opportunities and impacts

– Built-in ownership of risks at the right level – embedded in the business


Page 9: ERM: What's New & What's Next


Benefits of ERM

ERM provides the ability for a company to:

– Understand and define risk appetite as it relates to strategy

– Link growth, risk and return

– Optimize risk response decisions

– Minimize operational losses and surprises

– Rationalize capital resources

– Strengthen credit ratings

– Improve efficiency by integrating responses to multiple risks

– Seize opportunities to capitalize on rewards from taking intelligent risks


Page 10: ERM: What's New & What's Next


Evolution of a Risk & Controls Program

• Sarbanes-Oxley (“SOX”) Section 404 as a starting point

• Innovation and integration leading to greater efficiency and effectiveness

• Barriers to overcome

• Required changes in approach


Page 11: ERM: What's New & What's Next


SOX as a starting point

• Similar disciplined approach with primary focus on risks first, processes second and controls third

• Streamlining business processes

– Eliminating duplicative activities

– Process improvement, eliminate outdated procedures

– Enhancing data integrity for critical decision-making

• Enhancing, automating and integrating data flow

– Focus on data analytics and mining opportunities to strengthen controls

– Providing more transparent and seamless communication across the business

– Viewing the process end-to-end to understand control gaps


Page 12: ERM: What's New & What's Next


Evolution of Risk & Control Programs

Maturity scale: Evolving → Mature (Developing, Implementing, Improving, Integrating)

Developing

• Highly reactive to individual regulatory mandates

• Immature risk governance & oversight structure

• Informal risk related infrastructure

Implementing

• Individual control programs in various phases of implementation and/or refinement

• Evolving risk governance & oversight structure

• More formal risk related infrastructure at corporate and business unit levels

Improving

• Alignment of control programs to increase efficiency and reduce administrative burden

• More focused risk governance & oversight structure

• Identification and implementation of best practices across business units

Integrating

• Seamless and proactive risk & control program

• Risk governance & oversight structure fully embedded in business governance structure (i.e. from strategy through execution)

• Risk infrastructure automated and fully integrated across enterprise


Page 13: ERM: What's New & What's Next


Barriers to Overcome

Attitudes / Culture

• People are “burned-out” by SOX

• Seen as interfering with “real work”

• Lack of alignment with performance measurements – little incentive to participate

• Budget constraints are increasing leaving few resources to commit

• View that one-time training is the answer

• Wavering support from executive management and board

Infrastructure

• No shared language

• Over reliance on support functions

• Little or no linkage between risks, process and controls

• Enabling technology is non-existent or fragmented at best


Page 14: ERM: What's New & What's Next


Barriers to Overcome


Page 15: ERM: What's New & What's Next


Internal Audit’s ERM Barriers to Overcome

Internal Audit ERM Competency Map (chart, shown here as a table)

Competency area | Improvement Opportunity | Somewhat Competent | Very Competent
Use of technology and analytics | 26% | 52% | 22%
Fraud prevention / detection | 26% | 55% | 19%
Enterprise Risk Assessment | 30% | 53% | 17%

Source: Ernst & Young 2008 Global Internal Audit Survey

Page 16: ERM: What's New & What's Next


Internal Audit’s Role in ERM


Source: The Institute of Internal Auditors

Page 17: ERM: What's New & What's Next


ERM Program Sustainability

Has your company reached a sustaining ERM maturity level?

• Yes: 29%

• No: 71%

What makes your ERM program sustainable?

• Senior management endorses the organization’s risk management efforts: 84%

• Management is part of the risk management program: 74%

• Risk management efforts are part of the organization’s management process and tools: 66%

• Other: 22%

Source: 2008 ERM Benchmarking Survey - The Institute of Internal Auditors

Page 18: ERM: What's New & What's Next


Changes Required

• Clear and consistent support from executive management

• High-level, multi-disciplinary, dedicated core team

• Strong business case on how ERM will enhance

– Business decision-making

– Achievement of corporate and business unit strategic objectives

– Identification of opportunities as well as potential impacts

• Building ERM into business processes – efficiently and without undue administrative burden

• Well defined roles and responsibilities for risk leading to improved accountability – build into incentives and performance management

• Long-term commitment to the effort, linked to strategic planning


Page 19: ERM: What's New & What's Next


Changes Required


Page 20: ERM: What's New & What's Next


Increased Scrutiny

• Legal / Regulatory

– SEC

– Department of Justice

– Stock Exchanges

– Securities Fraud Plaintiff Attorneys

– Sarbanes-Oxley Act – Sections 302 & 404

– Foreign Corrupt Practices Act

– Industry specific regulations (Privacy, Anti-money laundering, Risk-based capital requirements, etc.)

• Shareholders & Stakeholders

– Outsourcing / Third-party resources

– Credit rating agencies

– Institutional Investors

– Personal liability for Board Members


Page 21: ERM: What's New & What's Next


Critical Success Factors

1. Organizational Culture

– Governance (Board & Executive Management)

– Roles and Responsibilities

– Incentive Programs

2. Infrastructure

– Simple, consistent and well understood risk framework

– Effective controls at the appropriate stages of the process

3. Integration

– Portfolio view

– Mind the control gaps

– Focused effort with optimal use of resources

4. Continuous Monitoring

– Current risk levels vs. risk appetite

– Effectiveness of control performance


Page 22: ERM: What's New & What's Next


For more information about service offerings, please visit:

www.WheelhouseAdvisors.com

Or email us at:

[email protected]
