Enterprise Risk Management (ACUIA)
TRANSCRIPT
Enterprise Risk Management
Managing Risks and Uncertainties Affecting Your Business and Strategy
April 25, 2013
Amy Ribick, MBA, CFE, [email protected]
Bianca Sarrach, MBA, CIA, CFSA, CRMA, 314.983.1365
1050 N. Lindbergh Blvd. │ St. Louis, Missouri 63132 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100
1.888.279.2792 │ www.bswllc.com
Speakers
Amy Ribick, MBA, CFE, CRMA – Manager
• Amy is a Manager in Brown Smith Wallace’s Risk Advisory Services practice, where she provides internal audit services, including Compliance and Sarbanes-Oxley documentation and testing, for clients.
• Amy’s expertise is focused on professional services, including compliance, internal and operational audits.
Bianca Sarrach, MBA, CIA, CFSA, CRMA – Supervisor
• Bianca is a Supervisor in Brown Smith Wallace’s Risk Advisory Services practice, where she has responsibility for providing internal audit services, including operational, financial and compliance audits, to the firm’s clients.
• Bianca’s expertise is focused on financial services, including compliance, internal and operational audits.
© 2013 All Rights Reserved Brown Smith Wallace LLC
Who We Are – By the Numbers
[Figure: firm statistics – 200+ Employees; 23 Dedicated Partners; #1 of the Top STL Accounting Firms in Client Service; 9 Lines of Business; 40+ Years in Business; #1 Accounting Firm to Work For; 25 Risk Advisory Consultants]
Recognition
2012 – Best Accounting Firm to Work For (Accounting Today); Recognized as a Top Workplace (St. Louis Post-Dispatch); Named the #1 Accounting Firm in St. Louis (St. Louis Small Business Monthly’s Readers Choice Awards)
2011 – Top 5 Fastest Growing Firm (INSIDE Public Accounting); Achieved the second highest growth nationally in its net revenue category ($20-$30 million)
2010 – Recipient of the Torch Award (STL Better Business Bureau), in recognition of BSW’s high ethical standards
2009 – Received inaugural Work/Life Balance Award (Missouri Society of CPAs)
What is ERM?
It is not a “one-size-fits-all” solution! How can it be defined?
• A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio
• The methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives
• A process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
Background on ERM
COSO’s ERM Framework Definition: “The process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.”
• Activities can be viewed in the context of four categories:
– Strategic
– Operational
– Reporting
– Compliance
• ERM considers activities at all levels of the organization:
– Enterprise-level
– Division or subsidiary
– Business unit processes
Why ERM?
Maximizing stakeholder value!
• Value is created, preserved, or eroded by management
• ERM supports value creation by enabling organizations to:
– Manage uncertainties related to possible future events
– Respond in a manner that reduces the likelihood of downside outcomes and increases the upside
• Entities face risks from external and internal sources
– Failing to manage risk effectively destroys value
ERM Challenges
• Problems faced with ERM program implementations:
– What are the significant risks facing the organization?
– How to prioritize risks in terms of impact and occurrence?
– How to align management and board in understanding and approaching risk?
– How to manage risks associated with strategic objectives?
– Who should own and be accountable for risks and the ERM program?
– How to manage the cost associated with an ERM program?
– How to ensure that ERM is understood as value and not added bureaucracy?
Is it Risk or Opportunity?
risk – noun
– a situation involving exposure to danger
– someone or something that creates or suggests a hazard
opportunity – noun
– the possibility of doing something
– a favorable or advantageous circumstance or combination of circumstances
risk – synonyms: hazard – peril – jeopardy – danger – venture – chance
opportunity – synonyms: freedom – good fortune – opening – happening – hope – chance
Risk and Reward
• Dare to take enough of the “right” risks
• Value and risk are inseparable from performance management
• Intelligent risk management must be integrated into core business processes
• Biggest risk results from strategy
“Never was anything great achieved without danger.” – Machiavelli
The ERM Ladder
Enterprise risk management is a continuous process that identifies, analyzes, mitigates and monitors potential events that create uncertainty to the achievement of objectives.
The BSW Risk Ladder identifies the components of an ERM strategy based on the establishment of an ERM structure aligned with corporate governance.
ERM Components
• Risk Environment – Sets tone and base
• Communication – Timely and relevant information, top down-bottom up
• ERM Structure and Governance – Governance aligned with ERM
• Risk Assessment – Identify, Analyze, Evaluate
• Risk Mitigation
– Avoidance (eliminate, withdraw from or not become involved)
– Reduction (optimize - mitigate)
– Sharing (transfer - outsource or insure)
– Retention (accept and budget)
• Monitoring – Management activities, separate evaluations, or both
Communicating ERM
• Find the “Organizational Currency”
• Make sure terms used are understood within the organization as a whole
• Develop a way to communicate process and results
• Keep one comprehensive picture
• Training and awareness presentations for employees, management and the Board
Approaching ERM
An enterprise risk management project is comprised of five distinct phases, each with its own set of objectives and expected results!
• Phase 1: Planning and Organization – Establish the ERM Program/Project Structure
• Phase 2: Risk Assessment – Identify, analyze and prioritize risks
• Phase 3: Risk Mitigation – Identify and develop risk mitigation strategies
• Phase 4: Monitoring – Develop strategy and tools for continuous monitoring of risks
• Phase 5: Knowledge Transfer – Institutionalize the process into the organization
Case Study
Case Study – Situation
Organization?
– Small Community Bank
Why?
– As part of their quarterly regulatory exam the regulators started questioning risk and how management would handle them
Question?
– How the organization would be impacted by risk
What did Management do?
– Management started inquiring on how to best tackle the questioning from their regulators on their risk management practices
– They determined that their current risk management practices did not show a full Enterprise Risk Management approach
– They reached out to different vendors, evaluated tools and practices to determine the best ERM approach for them
Case Study – Solution
Decision?
– Start small and build incrementally
– An organization-wide initiative, involving several levels of employees through interviews to have everyone’s input, was started
Process?
– A Risk Committee consisting of executive management was established; each person in the committee took ownership of one risk
– From the interviews eight key risks were identified
– Risks were rated by likelihood, occurrence, and impact on the organization and compared to the “Risk Appetite”
– The time needed to come to the key risks – six months
Ongoing?
– A risk snapshot for each of those risks is currently in process
– Quarterly meetings on each risk are held to determine if “Risk Profile” and “Risk Appetite” still align
– Continuous monitoring and identification of risk – ERM is about the journey, not the destination
Case Study – Overview
How many people were interviewed?
– Ten employees
– Three Board Members
Risk Assessment Results
Initial Risks Identified              | Focused Risks for Further ERM Process
--------------------------------------|--------------------------------------
ALM + Asset Quality                   | ALM + Asset Quality
Capital Planning and Stress Testing   | Capital Planning and Stress Testing
Communication                         | Communication
Geographic Concentration              | Information Security
Information Security                  | Regulatory Compliance
Investments                           | Reputation
IT Support                            | Strategic Direction
Loan Concentrations                   | Talent Management
Organization structure                |
Regulatory Compliance                 |
Reputation                            |
Strategic Direction                   |
Succession Planning                   |
Team Environment                      |
Need Tools?
ERM Tools Overview
Choosing the right tools supporting the ERM process is very important!
• Assessment Questionnaires
– Asking questions will give management an idea of current risk management practices and company knowledge of risk
• Maturity Level
– Determine the maturity level of the organization
– Once the level is determined, the ERM process should be tailored to meet the needs of the company
• Project Plan
– A project with no blueprint of action jeopardizes the process
– Project planning is fundamental in order to avoid failure and disappointment
• Risk Map
– Graphic identification of risk in comparison to their likelihood and occurrence identifying the impact
• Risk Snapshot
– Once the risks have been determined, using a document to assist in consolidating the various aspects of the risk is useful to ensure risks are documented consistently and monitored on an as-needed basis
ERM Tools – Questionnaire
Sample questions to determine your current ERM status:
– How is risk management integrated with your strategic direction and plan?
– What are the principal business risks?
– How effective is your process for identifying, assessing and managing business risks?
– Do people in your organization have a common understanding of the term “risk”?
– How do you ensure that risk management is an integral part of the planning and day-to-day operations of individual business units?
– How is risk management coordinated across the organization?
– How do you ensure that the organization is performing according to the business plan and within appropriate risk tolerance limits?
– How do you monitor and evaluate changes in the external environment and their impact on the organization’s strategy and risk management practices?
– How does the Board handle its responsibility for the oversight of opportunities and risks?
ERM Tools – Maturity Level
Non-existent – Start-Up – Defined – Integrated – Optimized
Maturity Level | Level Definition
Level 1 – Nonexistent: No formal risk management framework/process has been defined.
Level 2 – Start-up: No formal risk management framework/process has been defined. However, a framework/process is currently being built/implemented.
Level 3 – Defined: A common risk management framework/process has been defined. An organization-wide view of risk is provided to executive leadership. Action plans are implemented in response to high priority risks.
Level 4 – Integrated: Risk management activities are coordinated across business areas. Common risk management tools and processes are used where appropriate, with enterprise risk monitoring, measurement and reporting. Process metrics are in place.
Level 5 – Optimized: Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. An early warning system is in place with "key risk indicators" in place and monitored to notify the board and management of risk.
ERM Tools – Project Plan
Planning and Organization
– Gather background information on the Organization and prior risk assessments
– Identify interviews to be performed – typically senior management and the Board
Data Gathering
– Conduct interviews
– Gather additional external and internal data relevant to the Organization
Evaluation and Analysis
– Document risks identified and develop the Risk Portfolio
– Assess impact, likelihood and occurrence of risks
Define Risk Management Program/Action Plan
– Identify Risk Owners for Critical Risks
– Develop ERM policies and procedures
– Develop and define risk mitigation and monitoring action plans (i.e. Risk Snapshot)
Knowledge Transfer
– Present and educate process and results to the Board, management and employees
ERM Tools – Risk Map
A visual presentation allows management to identify and understand key risks!
[Figure: sample risk map. Vertical axis: Impact on the Business (LOW to HIGH); horizontal axis: Probability/Likelihood of Occurrence (LOW to HIGH). Risks plotted include Acquisition Integration, Customer Concentrations, Go To Market, Acquisition Alignment, Economy, Depth of Talent, IT Strategy and Vision, Capital Access, Insurable Risks, Litigation, Quality, Compliance, Mgmt Turnover, Operations, Footprint, System Conversions, Political, Taxes, Cash Mgmt, Shareholder Concentration, Vendor Concentrations, Fraud and Ethics, Quote to Cash, Sales Order Planning, Competition, Crisis Management, Unfunded Liabilities, On Time Delivery, Outsourcing, Flexing Org Structure, Fin Rpt, Credit Risk, IT Environment, Employee Costs, Technological Obsolescence, Legal structure, Product Portfolio Mgmt, Commodities, Intercompany Transactions, Revenue Recog., Employee Compliance, Data Protection. The position of each risk on the map is not recoverable from the transcript.]
ERM Tools – Risk Snapshot
RISK SNAPSHOT (template)
Risk Name: Enter Name of Risk
Risk Leader: Assign a Risk Leader
Risk Trend | Likelihood | Magnitude | Preparedness
Date 1     | Low        | Medium    | Medium
Date 2     |            |           |
Date 3     |            |           |
Risk Description: Clearly define and evaluate the risk. Develop a Risk Team with various knowledgeable individuals of the applicable risk to develop and monitor this Risk Snapshot document.
Risk Mitigation Strategy: Identify the appropriate risk mitigation strategy for the risk - Determine the appropriate risk mitigation strategies by brainstorming possible "What If" scenarios
Early Warning Indicators: Identify key risk and performance indicators that could be monitored to provide management with adequate time to react to critical risk events.
Strategy Linkage:
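The case study's rating step (likelihood and impact compared to the "Risk Appetite"), the Risk Map quadrants and the Risk Snapshot trend can be expressed as one small risk register. This is an added illustration, not a Brown Smith Wallace tool: the 1-5 scales, the appetite threshold of 9 and the ratings are constructed assumptions; only the risk names come from the case study's "Initial Risks Identified" list.

```python
from dataclasses import dataclass, field

# Constructed risk appetite: likelihood x impact on 1-5 scales gives a score
# of 1..25; anything above this threshold exceeds appetite (an assumption).
RISK_APPETITE = 9


@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int       # 1 (minor) .. 5 (severe), assumed scale
    history: list = field(default_factory=list)  # (date, likelihood, impact)

    def score(self) -> int:
        return self.likelihood * self.impact

    def quadrant(self) -> str:
        """Risk Map placement: HIGH/LOW impact against HIGH/LOW likelihood."""
        imp = "HIGH" if self.impact >= 3 else "LOW"
        lik = "HIGH" if self.likelihood >= 3 else "LOW"
        return f"{imp} impact / {lik} likelihood"

    def exceeds_appetite(self) -> bool:
        return self.score() > RISK_APPETITE

    def trend(self) -> str:
        """Risk Snapshot trend: compare the two most recent dated ratings."""
        if len(self.history) < 2:
            return "n/a"
        (_, l0, i0), (_, l1, i1) = self.history[-2], self.history[-1]
        delta = l1 * i1 - l0 * i0
        return "rising" if delta > 0 else "falling" if delta < 0 else "stable"


def focused_risks(register: list) -> list:
    """Names of risks above appetite, highest score first (ties by name)."""
    hot = [r for r in register if r.exceeds_appetite()]
    return [r.name for r in sorted(hot, key=lambda r: (-r.score(), r.name))]


# Constructed sample ratings; not the bank's actual assessment.
REGISTER = [
    Risk("Information Security", 4, 5, [("Q1", 3, 5), ("Q2", 4, 5)]),
    Risk("Regulatory Compliance", 3, 4, [("Q1", 3, 4), ("Q2", 3, 4)]),
    Risk("Geographic Concentration", 2, 3, [("Q1", 2, 3), ("Q2", 2, 3)]),
    Risk("Investments", 2, 2),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:26} score={r.score():2} {r.quadrant():28} "
              f"trend={r.trend()} focus={r.exceeds_appetite()}")
    print("Focused risks:", focused_risks(REGISTER))
```

Re-rating the register each quarter and appending to each risk's history gives the snapshot trend the case study reviews in its quarterly meetings.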
ERM and You
Upon completion of the Assessment Questionnaire and the determination of your Maturity Level, you can design an ERM process that works for you to evolve your organization and to socialize risk monitoring into your daily operations.
Questions