
Page 1: Enterprise Risk Management - ACUIA · Enterprise risk management is a continuous process that identifies, analyzes, mitigates and monitors potential events that create uncertainty

Enterprise Risk Management

Managing Risks and Uncertainties Affecting Your Business and Strategy

April 25, 2013

Amy Ribick, MBA, CFE, CRMA │ 314.983.1347 │ [email protected]

Bianca Sarrach, MBA, CIA, CFSA, CRMA │ 314.983.1365 │ bsarrach@bswllc.com

1050 N. Lindbergh Blvd. │ St. Louis, Missouri 63132 │ 314.983.1200

1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000

2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100

1.888.279.2792 │ www.bswllc.com

Page 2

Speakers

Amy Ribick, MBA, CFE, CRMA – Manager

• Amy is a Manager in Brown Smith Wallace’s Risk Advisory Services practice, where she provides internal audit services, including Compliance and Sarbanes-Oxley documentation and testing, for clients.

• Amy’s expertise is focused on professional services, including compliance, internal and operational audits.

Bianca Sarrach, MBA, CIA, CFSA, CRMA – Supervisor

• Bianca is a Supervisor in Brown Smith Wallace’s Risk Advisory Services practice, where she has responsibility for providing internal audit services, including operational, financial and compliance audits, to the firm’s clients.

• Bianca’s expertise is focused on financial services, including compliance, internal and operational audits.

© 2013 All Rights Reserved Brown Smith Wallace LLC

Page 3

Who We Are – By the Numbers

• 1 of the Top STL Accounting Firms

• 200+ Employees

• 23 Dedicated Partners in Client Service

• #1 Accounting Firm to Work For

• 9 Lines of Business

• 40+ Years in Business

• 25 Risk Advisory Consultants

Page 4

Recognition

• 2012 – Best Accounting Firm to Work For (Accounting Today); Recognized as a Top Workplace (St. Louis Post-Dispatch); Named the #1 Accounting Firm in St. Louis (St. Louis Small Business Monthly’s Readers Choice Awards)

• 2011 – Top 5 Fastest Growing Firm (INSIDE Public Accounting); Achieved the second highest growth nationally in its net revenue category ($20-$30 million)

• 2010 – Recipient of the Torch Award (STL Better Business Bureau), in recognition of BSW’s high ethical standards

• 2009 – Received inaugural Work/Life Balance Award (Missouri Society of CPAs)

Page 5

What is ERM?

It is not a “one-size-fits-all” solution! How can it be defined?

• A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio

• The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives

• A process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives

Page 6

Background on ERM

COSO’s ERM Framework Definition: “The process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.”

• Activities can be viewed in the context of four categories:

– Strategic

– Operational

– Reporting

– Compliance

• ERM considers activities at all levels of the organization:

– Enterprise-level

– Division or subsidiary

– Business unit processes

Page 7

Why ERM?

Maximizing stakeholder value!

• Value is created, preserved, or eroded by management

• ERM supports value creation by enabling organizations to:

– Manage uncertainties related to possible future events

– Respond in a manner that reduces the likelihood of downside outcomes and increases the upside

• Entities face risks from external and internal sources

– Failing to manage risk effectively destroys value

Page 8

Why ERM?

Page 9

ERM Challenges

• Problems faced with ERM program implementations:

– What are the significant risks facing the organization?

– How to prioritize risks in terms of impact and occurrence?

– How to align management and board in understanding and approaching risk?

– How to manage risks associated with strategic objectives?

– Who should own and be accountable for risks and the ERM program?

– How to manage the cost associated with an ERM program?

– How to ensure that ERM is understood as value and not added bureaucracy?

Page 10

Is it Risk or Opportunity?

risk – noun

– a situation involving exposure to danger

– someone or something that creates or suggests a hazard

risk – synonyms

hazard – peril – jeopardy – danger – venture – chance

opportunity – noun

– the possibility of doing something

– a favorable or advantageous circumstance or combination of circumstances

opportunity – synonyms

freedom – good fortune – opening – happening – hope – chance

Page 11

Page 12

Risk and Reward

• Dare to take enough of the “right” risks

• Value and risk are inseparable from performance management

• Intelligent risk management must be integrated into core business processes

• Biggest risk results from strategy

“Never was anything great achieved without danger.” – Machiavelli

Page 13

The ERM Ladder

Enterprise risk management is a continuous process that identifies, analyzes, mitigates and monitors potential events that create uncertainty to the achievement of objectives

The BSW Risk Ladder identifies the components of an ERM strategy based on the establishment of an ERM structure aligned with corporate governance

Page 14

ERM Components

• Risk Environment – Sets tone and base

• Communication – Timely and relevant information, top down-bottom up

• ERM Structure and Governance – Governance aligned with ERM

• Risk Assessment – Identify, Analyze, Evaluate

• Risk Mitigation

– Avoidance (eliminate, withdraw from or not become involved)

– Reduction (optimize - mitigate)

– Sharing (transfer - outsource or insure)

– Retention (accept and budget)

• Monitoring – Management activities, separate evaluations, or both

Page 15

Communicating ERM

• Find the “Organizational Currency”

• Make sure terms used are understood within the organization as a whole

• Develop a way to communicate process and results

• Keep one comprehensive picture

• Training and awareness presentations for employees, management and the Board

Page 16

Approaching ERM

An enterprise risk management project is comprised of five distinct phases, each with its own set of objectives and expected results!

• Phase 1: Planning and Organization – Establish the ERM Program/Project Structure

• Phase 2: Risk Assessment – Identify, analyze and prioritize risks

• Phase 3: Risk Mitigation – Identify and develop risk mitigation strategies

• Phase 4: Monitoring – Develop strategy and tools for continuous monitoring of risks

• Phase 5: Knowledge Transfer – Institutionalize the process into the organization

Page 17

Case Study

Page 18

Case Study – Situation

Organization?

– Small Community Bank

Why?

– As part of their quarterly regulatory exam the regulators started questioning risk and how management would handle them

Question?

– How the organization would be impacted by risk

What did Management do?

– Management started inquiring on how to best tackle the questioning from their regulators on their risk management practices

– They determined that their current risk management practices did not show a full Enterprise Risk Management approach

– They reached out to different vendors, evaluated tools and practices to determine the best ERM approach for them

Page 19

Case Study – Solution

Decision?

– Start small and build incrementally

– An organization-wide initiative, involving several levels of employees through interviews to have everyone’s input, was started

Process?

– A Risk Committee consisting of executive management was established; each person in the committee took ownership of one risk

– From the interviews eight key risks were identified

– Risks were rated by likelihood, occurrence, and impact on the organization and compared to the “Risk Appetite”

– The time needed to come to the key risks – six months

Ongoing?

– A risk snapshot for each of those risks is currently in process

– Quarterly meetings on each risk are held to determine if “Risk Profile” and “Risk Appetite” still align

– Continuous monitoring and identification of risk – ERM is about the journey, not the destination

Page 20

Case Study – Overview

How many people were interviewed?

– Ten employees

– Three Board Members

Risk Assessment Results

Initial Risks Identified:

– ALM + Asset Quality

– Capital Planning and Stress Testing

– Communication

– Geographic Concentration

– Information Security

– Investments

– IT Support

– Loan Concentrations

– Organization structure

– Regulatory Compliance

– Reputation

– Strategic Direction

– Succession Planning

– Team Environment

Focused Risks for Further ERM Process:

– ALM + Asset Quality

– Capital Planning and Stress Testing

– Communication

– Information Security

– Regulatory Compliance

– Reputation

– Strategic Direction

– Talent Management

Page 21

Need Tools?

Page 22

ERM Tools Overview

Choosing the right tools supporting the ERM process is very important!

• Assessment Questionnaires

– Asking questions will give management an idea of current risk management practices and company knowledge of risk

• Maturity Level

– Determine the maturity level of the organization

– Once the level is determined, the ERM process should be tailored to meet the needs of the company

• Project Plan

– A project with no blueprint of action jeopardizes the process

– Project planning is fundamental in order to avoid failure and disappointment

Page 23

ERM Tools Overview

Choosing the right tools supporting the ERM process is very important!

• Risk Map

– Graphic identification of risk in comparison to their likelihood and occurrence identifying the impact

• Risk Snapshot

– Once the risks have been determined, using a document to assist in consolidating the various aspects of the risk is useful to ensure risks are documented consistently and monitored on an as-needed basis

Page 24

ERM Tools – Questionnaire

Sample questions to determine your current ERM status:

– How is risk management integrated with your strategic direction and plan?

– What are the principal business risks?

– How effective is your process for identifying, assessing and managing business risks?

– Do people in your organization have a common understanding of the term “risk”?

– How do you ensure that risk management is an integral part of the planning and day-to-day operations of individual business units?

– How is risk management coordinated across the organization?

– How do you ensure that the organization is performing according to the business plan and within appropriate risk tolerance limits?

– How do you monitor and evaluate changes in the external environment and their impact on the organization’s strategy and risk management practices?

– How does the Board handle its responsibility for the oversight of opportunities and risks?

Page 25

ERM Tools – Maturity Level

Maturity scale: Non-existent, Start-Up, Defined, Integrated, Optimized

Maturity Level – Level Definition

Level 1 – Nonexistent: No formal risk management framework/process has been defined.

Level 2 – Start-up: No formal risk management framework/process has been defined. However, a framework/process is currently being built/implemented.

Level 3 – Defined: A common risk management framework/process has been defined. An organization-wide view of risk is provided to executive leadership. Action plans are implemented in response to high priority risks.

Level 4 – Integrated: Risk management activities are coordinated across business areas. Common risk management tools and processes are used where appropriate, with enterprise risk monitoring, measurement and reporting. Process metrics are in place.

Level 5 – Optimized: Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. An early warning system is in place with "key risk indicators" in place and monitored to notify the board and management of risk.

Page 26

ERM Tools – Project Plan

Planning and Organization

– Gather background information on the Organization and prior risk assessments

– Identify interviews to be performed – typically senior management and the Board

Data Gathering

– Conduct interviews

– Gather additional external and internal data relevant to the Organization

Evaluation and Analysis

– Document risks identified and develop the Risk Portfolio

– Assess impact, likelihood and occurrence of risks

Define Risk Management Program/Action Plan

– Identify Risk Owners for Critical Risks

– Develop ERM policies and procedures

– Develop and define risk mitigation and monitoring action plans (i.e. Risk Snapshot)

Knowledge Transfer

– Present and educate process and results to the Board, management and employees

Page 27

ERM Tools – Risk Map

A visual presentation allows management to identify and understand key risks!

[Risk map figure: risks plotted with IMPACT ON THE BUSINESS (LOW to HIGH) on the vertical axis and PROBABILITY/LIKELIHOOD OF OCCURRENCE (LOW to HIGH) on the horizontal axis. Risks shown on the map: Acquisition Integration, Acquisition Alignment, Customer Concentrations, Go To Market, Economy, Depth of Talent, IT Strategy and Vision, Capital Access, Insurable Risks, Litigation, Quality, Compliance, Mgmt Turnover, Operations, Footprint, System Conversions, Political, Taxes, Cash Mgmt, Shareholder Concentration, Vendor Concentrations, Fraud and Ethics, Quote to Cash, Sales Order Planning, Competition, Crisis Management, Unfunded Liabilities, On Time Delivery, Outsourcing, Flexing Org Structure, Fin Rpt, Credit Risk, IT Environment, Employee Costs, Technological Obsolescence, Legal Structure, Product Portfolio Mgmt, Commodities, Intercompany Transactions, Revenue Recog., Employee Compliance, Data Protection. The position of each risk on the map is not recoverable from the text extraction.]
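The case study on Page 19 rates each risk by likelihood and impact and compares the result with the bank’s “Risk Appetite”, and the risk map above places risks on an impact-versus-likelihood grid. The following Python is an added example, not code from the Brown Smith Wallace deck, showing one way to keep such a register: it scores risks, flags the ones above appetite so that they get a Risk Leader, a mitigation plan and monitoring, and renders a text risk map. The three-point scale, the scores given to the case study’s eight focused risks, the leader names and the appetite threshold of 4 are all constructed assumptions.

```python
# Added example, not from the Brown Smith Wallace deck: a small risk register that rates
# each risk by likelihood and impact, compares the result against a stated risk appetite,
# and lays the risks out on a text risk map (impact vs. likelihood) like the slide's figure.
# Risk names come from the deck's case study; the ratings, the 3-point scale, the risk
# leaders and the appetite threshold are constructed for illustration.
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")
SCALE = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point rating scale


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS
    leader: str      # the Risk Leader who owns the Risk Snapshot

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently drop a risk off the map.
        for rating in (self.likelihood, self.impact):
            if rating not in SCALE:
                raise ValueError(f"{self.name}: rating {rating!r} not in {LEVELS}")


def score(risk: Risk) -> int:
    """Likelihood x impact on the assumed scale, giving a value from 1 to 9."""
    return SCALE[risk.likelihood] * SCALE[risk.impact]


def prioritize(register, appetite: int):
    """Risks whose score exceeds the appetite (the highest score management will retain
    without a mitigation plan), ordered highest score first, then by name."""
    above = [r for r in register if score(r) > appetite]
    return sorted(above, key=lambda r: (-score(r), r.name))


def risk_map(register):
    """Group risks into a 3x3 grid keyed by (impact, likelihood)."""
    grid = {(i, l): [] for i in LEVELS for l in LEVELS}
    for r in register:
        grid[(r.impact, r.likelihood)].append(r.name)
    return grid


def render(grid) -> str:
    """Text rendering: impact on the vertical axis (high at top), likelihood horizontal."""
    header = "IMPACT \\ LIKELIHOOD | " + " | ".join(f"{l:^8}" for l in LEVELS)
    lines = [header]
    for impact in reversed(LEVELS):
        cells = [", ".join(grid[(impact, l)]) or "-" for l in LEVELS]
        lines.append(f"{impact:>19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed register: the case study's eight focused risks with illustrative ratings.
REGISTER = [
    Risk("ALM + Asset Quality", "medium", "high", "CFO"),
    Risk("Capital Planning and Stress Testing", "low", "high", "CFO"),
    Risk("Communication", "medium", "medium", "COO"),
    Risk("Information Security", "medium", "high", "CIO"),
    Risk("Regulatory Compliance", "high", "medium", "Compliance Officer"),
    Risk("Reputation", "low", "high", "CEO"),
    Risk("Strategic Direction", "medium", "high", "CEO"),
    Risk("Talent Management", "high", "low", "HR Director"),
]
RISK_APPETITE = 4  # constructed: anything scoring above 4 needs an owner, a plan and monitoring


def above_appetite_names(register=REGISTER, appetite=RISK_APPETITE):
    """Names of the risks that exceed the appetite, in priority order."""
    return [r.name for r in prioritize(register, appetite)]


if __name__ == "__main__":
    print(render(risk_map(REGISTER)))
    for r in prioritize(REGISTER, RISK_APPETITE):
        print(f"{score(r)}  {r.name} (leader: {r.leader})")
```

Re-running the script at each quarterly review with updated ratings gives the “Risk Profile” versus “Risk Appetite” comparison the case study describes; a risk that moves from below to above the threshold is the signal to open or revisit its Risk Snapshot.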

Page 28

ERM Tools – Risk Snapshot

RISK SNAPSHOT (template)

Risk Name: Enter Name of Risk

Risk Leader: Assign a Risk Leader

Risk Trend: Likelihood, Magnitude and Preparedness rated at Date 1, Date 2 and Date 3 (template entry for Date 1: Low / Medium / Medium)

Risk Description: Clearly define and evaluate the risk. Develop a Risk Team with various knowledgeable individuals of the applicable risk to develop and monitor this Risk Snapshot document.

Risk Mitigation Strategy: Identify the appropriate risk mitigation strategy for the risk. Determine the appropriate risk mitigation strategies by brainstorming possible "What If" scenarios.

Early Warning Indicators: Identify key risk and performance indicators that could be monitored to provide management with adequate time to react to critical risk events.

Strategy Linkage

Page 29

ERM and You

Upon completion of the Assessment Questionnaire and the determination of your Maturity Level, you can design an ERM process that works for you to evolve your organization and to socialize risk monitoring into your daily operations

Page 30

Questions