BMR Advisors - All rights reserved Enterprise Risk Management Insights & Operationalization Prepared for the Committee on Finance & IT June 18th 2010

Enterprise Risk Management Insights & Operationalization

Prepared for the Committee on Finance & IT

June 18th 2010

Contents

Background

Key findings:

1. The current state of ERM implementation

2. Types of ERM program

3. Organisation of ERM functions

4. Operationalization of ERM

Open questions

Next steps

About BMR

Background to the study

A perfect storm

ERM has been a topic of discussion and analysis since the mid 1990s – but economic turmoil has thrown risk management into sharper focus

Regulatory developments – for example, the introduction of SEC Rule 33-9089 – are acting as a powerful catalyst for ERM adoption

Management teams and Boards are under increasing pressure from regulators, investors and the media to demonstrate the effectiveness of risk management efforts – both in protecting shareholder interests AND in adding value

By 2009, FERF had identified a gap in knowledge among FEI members – most of whom knew that they should do something about ERM, but weren’t sure exactly what to do

• What’s your company’s risk culture?

• Elson & Hubbard to lead study group on corporate boards

• European Commission to unveil governance Green Paper

Focus on practical implementation

FERF and BMR agreed that an executive report was needed to help FEI members address the ‘operationalization’ of ERM

A steering group was formed, comprising Peggy Yocher of United Technologies; Joan Netzel of SunTrust Banks; and Prof Paul Walker of the University of Virginia, as well as BMR and FERF representatives

Rather than review theoretical frameworks, it was agreed that the study should canvass ERM Managers to find out how ERM is actually being implemented on the ground and to identify trends, patterns and future directions that may be of value to FEI members

It was also agreed that the principal focus should be upon ERM in non-financial companies

Participants in the study

Companies interviewed for the study have aggregate revenues in excess of $1.2 trillion and are generally global in scope

They were predominantly Fortune 500 organisations or similar, on the basis that these companies are most likely to have well-developed ERM programs

Personnel interviewed were typically either:

• ERM Directors
• Treasurers
• Strategy Directors
• Controllers

In addition to these face-to-face interviews, we also carried out detailed reviews of approximately 15 more ERM programs

Key findings

1. Current state of ERM implementation

2. Two types of ERM program

3. Organization of ERM programs

4. Operationalization of ERM

Current state of ERM implementation

1. There is a broad consensus as to the purpose of ERM

• ERM Managers believe ERM exists to make risks more visible before they impact an organization, so that management decisions can be evaluated and challenged

• There is a growing recognition that ‘ad hoc’ risk management approaches have not worked and are no longer acceptable

2. The typical ERM program is still in an early stage of development

• Some organizations have reached ‘advanced’ levels of sophistication

• However, these are heavily outnumbered by those for whom ERM still remains a work in progress, or has not been embarked upon at all

• All ERM Managers agree that there can be no ‘one size fits all’ solution

3. The ‘drivers’ of ERM programs fall into three main categories

• Proactive decision, prompted by leadership change, Board discussion etc

• Reaction to events, whether internal (fraud, restatement) or external (terrorism, reputational issues affecting other companies)

• Requirements / expectations of regulators and other external bodies (biggest influence on the current heightened interest in ERM)

Two types of ERM program

ERM programs can be classified according to the categories of risk that are deemed to be in scope; and the overall approach that is adopted to risk management:

In general, programs tend to fall into one or other of two program types:

• Type One: programs that take a mainly strategic view of risk, and manage it in a qualitative way; and

• Type Two: programs that take a more financial / operational view, and tend to manage risks through quantitative control

The view of risk might be said to be either “Enterprise Level” (Type One) or “Enterprise Wide” (Type Two)

[Figure: chart positioning Type One and Type Two programs. Axes: type of risks that a given program is mainly designed to address (Operational / Strategic); predominant approach that a given company takes to management of risk (Quantitative / Qualitative)]

Move toward more integrated, holistic approaches

Most organizations are making efforts to take a more holistic, integrated view of ERM

To do this an organization needs to ask:

• How can strategic risks be analyzed on a quantitative level?

• How can financial / operational data be interpreted in a qualitative way?

The benefits of successfully adopting a more integrated view are that a virtuous circle would be created, strengthening the links between business strategy and operational planning

[Figure: virtuous circle with four elements: Qualitative awareness of strategic risks; Quantitative analysis of strategic risks informs operational plans; Quantitative control of financial / operational risks; Qualitative interpretation of operational data brings strategic risks to the surface]

Organization of ERM functions (1)

1. Ownership of risks must be with the business, not with the ERM team

• ERM must not operate in parallel to the existing management structure

• Primary responsibility for the identification, ownership and management of risk MUST remain with the business itself

• Accountability for each risk must be held at an appropriate level, while ‘tone at the top’ is established by the CEO and management team

2. Functional ownership of ERM process is less important

• The choice of which function should own the ERM process is not critical provided that it has the necessary skills, relationships and knowledge

• In general, Type One programs are more likely to be managed out of Strategy & Planning functions while Type Two programs are more likely to be led out of Internal Audit, Controllership, Treasury etc

3. Small ERM teams can introduce a risk all of their own

• Most ERM functions are staffed by very small teams, which can introduce a significant risk unless steps are taken to institutionalize the knowledge, processes and tools of ERM

• If an ERM program relies too heavily on the personal ‘equity’ of the ERM Manager, what happens if that person leaves? Does ERM cease?

Organization of ERM functions (2)

4. Role of ERM function is different in each company

• While some ERM functions act purely as facilitators of a process, others have much more influence over development and enforcement of risk policy

• Whichever approach is adopted, it is vital to ensure that ERM is not perceived as the “risk police”

5. Risk culture drives engagement, which drives success

• The intensity of ‘engagement’ between the ERM program and the business is a key determinant of success

• This in turn is influenced by risk culture – which cannot be imposed, but must be allowed to develop naturally through human interaction

6. ERM is generally believed to have very ‘long arms’

• Although accountability for risk management can only extend to relatively senior managerial levels, ERM Managers believe that ERM should aim to increase awareness of risk in all decisions across the business

Operationalization of ERM functions

Most ERM programs are operationalized around five broad activities:

1. Gathering ‘risk intelligence’

2. Cross-functional risk discussion

3. Risk scoring and prioritization

4. Risk response

5. Reporting

Although the activity areas do not necessarily happen sequentially, most programs reviewed for the study operate with a natural ‘cadence’ that resembles a cyclical process

For companies starting out on the ERM journey, gathering of risk intelligence is the most obvious place to start

[Figure: cycle diagram of the five activities: 1. Gathering risk intelligence; 2. Cross-functional discussion; 3. Risk scoring and prioritization; 4. Risk response; 5. Reporting]

Operationalization of ERM functions

1. Gathering risk intelligence

• Most ERM programs begin with a ‘top down’ approach to gathering intelligence on risk

• Senior management takes the first cut at defining the risk universe, which is then refined through interaction with leaders of business units and corporate functions

• In some cases, intelligence about risks is harvested from IT systems, through review of ERP data – or even the outputs of continuous control monitoring

2. Cross-functional risk discussion

• Cross-functional risk forums are considered essential in most programs

• They bring together insights and inputs from across the business and therefore play a critical role in ensuring truly enterprise-wide engagement

• These forums are perceived to be a key component in infusing energy into an ERM program, and ensuring consistency

Operationalization of ERM functions

3. Risk scoring & prioritization

• Most programs incorporate ‘heat maps’ to support risk analysis, with axes representing the likelihood and severity of risks

• Some organizations have taken this further, to incorporate ‘effectiveness of mitigation’ or even ‘risk velocity’

• It is often impossible to compare ‘apples with apples’ – particularly when comparing strategic and operational risks, or existing and emerging risks

• The concept of Risk Capacity is not widely adopted in non-financial companies, but Risk Appetite (which is closely linked to corporate culture) is considered of far more relevance

• Some programs are defining tolerances for specific risks which can be used as the basis for business rules – creating a link between business strategy and operational planning

Operationalization of ERM functions

4. Risk response

• Essentially, the responses open to a company are to accept a risk; share it; mitigate it; or avoid it – but all can have serious implications

• A risk response may itself create another risk event elsewhere, through ‘risk correlation’ or the ‘law of unintended consequences’

5. Reporting

• Management and Boards must be kept fully informed of the outputs of ERM programs, but must also not become bogged down

• After the initial establishment of a program, Boards typically allow between 30 and 60 minutes per meeting for ERM discussion

• Periodic ‘deep dives’ into specific risk areas are commonly presented (often rotationally) to monthly or quarterly board meetings

• ERM Managers typically aim to report on the ‘top ten’ risks, but in practice this figure varies, depending on pragmatic assessment as to which risk factors merit board-level discussion

Open questions

Questions that require deeper exploration

The role of ERM

• What should be the ultimate role of the ERM function – should it be purely facilitative, or given greater ‘teeth’?

• If risk management is embedded in the role of executive management, and risk oversight is earmarked as the function of the Board, what implications does this have for the role of an ERM leader and his or her team?

• Should the ERM leader be a Chief Risk Officer with executive committee status?

Integration

• Should ERM be integrated with compliance and / or internal audit – or should a solution be found by which audit, compliance etc. continue to monitor risks and controls from an historical standpoint, while ERM remains focused on emerging risks?

Risk culture

• How can a ‘risk culture’ best be created within the organization?

• How can an appropriate balance be struck between responsibility and expectation on the one hand, and empowerment and engagement on the other?

• What infrastructure, tools and techniques are needed to ensure top-down AND bottom-up communication about risk?

Next steps

Engaging the FEI membership

As has been seen, the study leaves a number of questions open for discussion

We also hope that it will provoke debate around this critical issue, which in itself will prove valuable and interesting to FEI members

We are exploring options for further engagement with FEI membership to take forward the conversation we have started with this study. Ideas may include:

• Regional round table discussions in key ‘hub’ cities
• Webinars
• Discussions / presentations at CFRI or other FEI conferences

About BMR

Who we are

BMR was founded in October 2004 by a group of former Andersen and EY partners

We are now recognised as one of the top three tax firms in India* and the number one M&A service provider for the Indian market**

At the same time, we have established a global reputation for risk and process consulting, having delivered assignments in more than 40 countries

We have a strong track record, with most of our partners having worked together for 20+ years

We offer the high quality that clients expect from a major international firm, combined with a flexible approach that fosters innovation

For the second year, we are ranked among India’s top employers by the Great Place To Work® Institute

BMR At A Glance

Partners: 27
Headcount: 425 and growing steadily
Clients: 200+
Practice Areas: Tax & Regulatory; Mergers & Acquisitions; Risk & Advisory
Key Industries: Energy; Financial Services; Infrastructure; Media & Entertainment; Retail; Real Estate; Technology; Telecoms
Locations: Delhi; Mumbai; Bengaluru; Chennai; London; New York; Bahrain; Singapore

* Source: International Tax Review, 2009

** Source: Thomson Reuters, 2009

Unique model for outsourcing of risk functions

Outstanding quality

• Most BMR people – including all Partners and Directors – have a Big Four background

• We pride ourselves on the level of Partner / Manager engagement we devote to our client projects – far higher than is typical in the consulting sector

Reasonable cost

• Our clients benefit from massive cost arbitrage and generate savings of 60% or more relative to other approaches

• This is because our teams are based out of India and travel to global locations as required

Demonstrable track record

• We have worked extensively on global jobs, covering multiple teams, business units and countries

• Our specialist areas include ERM, Internal Audit, SOX, AML, Decision Analytics and BPM

To our knowledge, BMR is the only firm offering a unique global business model for the outsourcing of risk-related functions

Contact details

Mumbai
The Contractor Building, 41 RK Marg, Ballard Estate, Mumbai 400 001
Tel: +91 22 3021 7000

Bengaluru
Embassy Icon Annex, 2/1 Infantry Road, Bengaluru 560 001
Tel: +91 80 4032 0000

New Delhi
The Great Eastern Centre, 70 Nehru Place, New Delhi 110 019
Tel: +91 11 3081 5000

London
Berkeley Square House, Berkeley Square, London W1J 6BD
Tel: +44 20 7849 6100

New York
100 Park Avenue, New York, NY 10017
Tel: +1 212 880 6462

Chennai
21 Sambandam Street, Mandaveli, Chennai 600 028
Tel: +91 44 24954783/84

Singapore
10 Anson Road, #09-24 International Plaza, 079903 Singapore
Tel: +65 6408 8004

Santa Clara
3940 Freedom Circle, Santa Clara, CA 95054
Tel: +1 408 834 4699

Bahrain
32 Sabha Building, Diplomatic Area, Manama 317
Tel: +97 313 646676