Enterprise Risk Management (ERM) as an essential tool for good corporate governance Rahaju Pal Director, Enterprise Risk Services September 2010


©2010 Deloitte Touche Tohmatsu India Private Limited

Contents

• Corporate Governance - Key elements

• Evolution of Corporate Governance – India

• Why ERM

• ERM for Corporate Governance

• Deloitte’s nine principles for building a Risk Intelligent Enterprise

• ERM – Key Challenges

• Route to Risk Intelligent Governance

• Key takeaways

• About Deloitte


Corporate Governance – Key elements

Core Principles
• Shareholder rights
• Independence
• Accountability and disclosure
• Board roles and responsibilities

Intent
• Ensure integrity of accounting and financial reporting
• Include independent audit
• Ensure appropriate controls over
– Financials
– Monitoring risks
– Compliance with laws and regulations


OECD principles of Corporate Governance: “The Board should fulfill certain key functions including: Ensuring the integrity of the corporation’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.”


Corporate Governance – Key elements

Factors driving state of governance
• Globalization
• Growth initiatives
• Accelerated decision-making
• More proactive Boards
• Increased competition
• Recent scandals

Key players involved
• CEO / CFO
• Board of Directors
• Audit Committees and other committees of Board
• Shareholders
• Regulators


Evolution of Corporate Governance – India


The Confederation of Indian Industry (CII), the Associated Chambers of Commerce and Industry (ASSOCHAM) and the Securities and Exchange Board of India (SEBI) constituted the following committees to recommend initiatives in corporate governance for the Indian corporate sector.

Clause 49 of the Listing Agreement with Stock Exchanges governs the corporate governance requirements for the Indian corporate sector.

Kumar Mangalam Birla Committee 1999

SEBI constituted the Kumar Mangalam Birla Committee in 1999, which made recommendations for changes in Clause 49 of the listing agreement, primarily covering:

• Composition of the Board of Directors
• Audit Committee
• Directors’ Remuneration
• Disclosures

Naresh Chandra Committee 2002

Constituted by the Department of Company Affairs (DCA), it essentially covered the Auditor – Company relationship and the concept of CEO/CFO certification, in line with the Sarbanes-Oxley Act in the United States.

Narayan Murthy Committee 2003

Constituted by SEBI to examine the quality and uniformity of disclosures made under Clause 49, it made recommendations for improvements, drawing upon the existing best practices and the recommendations made by the earlier committees.


Why ERM

[Figure: Meet Legal Requirements. Labels: Letter of the Law; Spirit of the Law]

• High-profile corporate scandals in the USA (Enron, WorldCom etc.) were followed by encouragement from the SEC & NYSE to adopt Risk Management activities.

• In India, Clause 49 of the listing agreement stipulates Risk Management as a mandatory compliance requirement.

• Financial analysts and rating agencies are increasingly interested in a company’s ERM capability.
– Moody’s and Standard & Poor’s have ERM listed as one of their evaluation criteria
– Even Indian rating agencies (CRISIL, ICRA, CARE) consider quality of Corporate Governance and Risk Management while assigning their ratings to companies


Why ERM contd..

• When a corporate catastrophe occurs, questions quickly arise as to whether the board was complacent in its oversight responsibilities. Perceived complacency can be costly: in the case of Satyam, the role of independent directors was questioned

• S & P announced on Month X, 2008 that an analysis of ERM capability will be a factor in determining a company’s overall credit rating. Evaluations will be conducted as an integral part of their normal credit review process. Discussions with company managers will focus on the following major areas of ERM capability:
– Risk-management culture and governance
– Risk Controls
– Emerging Risk Preparation
– Strategic risk management

• Maintaining and improving credit ratings will help reduce cost of capital and support greater flexibility in managing debt

• Board directors are already demanding increased risk information - this issue will drive even higher expectations

• Shareholders and other stakeholders expect management to take more effective steps to minimize the frequency and severity of losses and missed earnings projections

• Now more than ever, directors are expected to exercise due diligence and care. Directors are understandably concerned about personal liability and reputation at risk. But without better risk intelligence that comes from an effective enterprise risk management (ERM) approach, it will be difficult for the board to meet stakeholder expectations.


ERM for Corporate Governance

• Top-down involvement (board and executive management)

• Common infrastructure to identify, assess and respond to risks

• Discipline around making risk-informed decisions

• Require risk management as a competency across levels

Deloitte’s nine fundamental principles assist organisations to become Risk Intelligent


Deloitte’s nine principles for building a Risk Intelligent Enterprise

[Figure grouping labels: Risk Governance; Risk Infrastructure & Management; Risk Ownership]

• Common Definition of Risk: A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.

• Common Risk Framework: A common risk framework supported by appropriate standards is used throughout the organization to manage risks.

• Roles & Responsibilities: Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.

• Common Risk Infrastructure: A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.

• Transparency for Governing Bodies: Governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.

• Executive Management Responsibility: Executive management is charged with designing, implementing and maintaining an effective risk program.

• Business Unit Responsibility: Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.

• Support of Pervasive Functions: Certain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization's risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program.

• Objective Assurance and Monitoring: Other functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management.


ERM – Key Challenges

Factors driving state of ERM
• Risk is becoming personal for Board Members and Executives
• Risk is managed in silos
• Risk Management is focused on ‘Unrewarded Risk’ rather than ‘Rewarded Risk’

[Figure: Value = creating shareholder value + preserving shareholder value. Labels: fraud; lawsuits; penalties and fines; increased market share; new product development; increased revenue]


ERM – Key Challenges contd..

Key questions for Board to ask
• What is the company’s policy and process for managing risks on an integrated, enterprise-wide basis?
• What are the company’s key risks and vulnerabilities, and what are the plans to address them?
• Who has the authority to take risk on behalf of the company?

Some of the common ERM challenges are:

• Unclear risk strategy and philosophy

• Lack of actionable details and support from top management towards implementation of the risk strategy

• Lack of transparency and understanding of risk issues at Board and Executive levels

• Ineffective change management and communication to manage organizational resistance to new ERM practices

• Business units treating risk management as interference of the management into their functioning

• Decision-making driven by earnings rather than risk-adjusted results

• Lack of consistent practices and critical success factors across organization

• Unclear definition of the roles and responsibilities of the risk-related functions and risk owners

• Risk related activities positioned as redundant except ones required for compliance

[Figure labels: Strategy; Execution; Behavior]


Stages of Risk Management Capability Maturity

Deloitte's Risk Intelligence maturity model: the journey that most companies make on the road to Risk Intelligence. Stakeholder value rises across five stages: Unaware, Fragmented, Top Down, Systematic, Risk Intelligent.

Typical Symptoms

Unaware
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom

Fragmented
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring & reporting functions

Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team

Systematic
• Coordinated risk management activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training

Risk Intelligent
• Risk discussion is embedded in strategic planning, capital allocation, product development, etc.
• Early warning risk indicators used
• Linkage to performance measures and incentives
• Risk modeling/scenarios
• Industry benchmarking used regularly


Actions for Risk Intelligent Governance

• Define the board’s risk oversight role
– Define the board’s risk governance roles and responsibilities
– Consider board composition
– Establish an enterprise-wide risk management framework
– Perform site visits

• Foster a Risk Intelligent culture
– Lead by example in communicating about risk
– Build cohesive teams with management
– Reward Risk Intelligent behavior
– Consider a third-party assessment

• Help management incorporate Risk Intelligence into strategy
– Design processes for integrating risk management into strategic planning
– Monitor strategic alignment
– Establish accountability


Actions for Risk Intelligent Governance contd

• Help define the risk appetite
– Distinguish between risk appetite and risk tolerance
– Serve as a sounding board

• Execute the Risk Intelligent governance process
– Work with management on process design
– Monitor the overall risk management process
– Conduct formal risk management program assessments
– Clarify accountability at the board and management levels

• Benchmark and evaluate the governance process
– Use internal monitoring and feedback
– Participate in continuing education and updates
– Solicit independent viewpoints
– Include risk as a topic in the annual board self-assessment


The program and organization structure for Risk Intelligent Enterprise

[Figure: program and organization structure diagram. Labels: Risk Governance; Executive Risk Oversight; Risk Ownership; Board of Directors; Executive Risk Committee; Internal Audit; BU A, BU B, BU C, BU D; Common Risk Infrastructure (People, Process, Technology); Governance; Strategy & Planning; Operations / Infrastructure; Compliance; Reporting; Risks; Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design & Test Controls; Monitor, Assure, Escalate; Develop and Deploy Strategies; Sustain and Continuously Improve]


Our customised approach for ERM

Phases: Scoping and planning; Designing the ERM program; Risk Prioritisation Workshops

Objectives

Scoping and planning. The objectives of this phase are:
• Project set up and governance
• Assess the current state of risk management
• Assess the maturity of risk management activities within the organisation.

Designing the ERM program. The objective of this phase is to design an ERM Program that will enable achieving the strategic objectives of the organization and comply with risk management guidelines.

Risk Prioritisation Workshops. The objective of the workshop module is to sensitize the senior management on the significance of active risk management and their role in the program.

Key Deliverables
• Project scope and governance documentation.
• Risk Management architecture and framework elements
• Governance Structure
• ERM policy document
• Guidelines on Risk Appetite Framework
• Risk reporting design
• Risk assessment at a business process level
• Risk registers across key business processes of the Company
• Risk Workshops (2)
• Identification of top 20 risks of the organisation
• Root cause analysis and risk profiling for top 20 risks identified
• Risk prioritisation and reporting

Approach
• Risk Diagnostic Tool
• Risk intelligence Framework
• Risk Maturity Development Framework

Risk workshops
• Assess workshop needs
• Develop workshop plan and material
• Conduct risk workshops across management levels
• Manage risks on an ongoing basis


Relevant tools from Deloitte

Risk Infrastructure & Oversight

• The Risk Intelligence Diagnostic Tool
• The Risk Intelligence Map
• Risk Intelligence Whitepaper Series


Key takeaways

Risk Intelligent governance stands among the most valuable contributions a board can make to its organization. As seasoned business leaders, the board’s combined breadth of perspective, depth of experience, and knowledge of the enterprise can lend support to the organization’s risk management efforts that is not only invaluable, but also unavailable elsewhere. The competitive benefits of Risk Intelligent Governance include:

• A means to improve strategic flexibility for both upside and downside scenarios

• Employ risk management for competitive advantage

• Assist in shaping the organization’s response to regulatory issues

• Drive long-term growth while preserving assets

• A common risk management infrastructure with sufficient autonomy for individual business units/functions to exploit their specialized knowledge and expertise

• The ability to provide a “comfort level” to the Board and other stakeholders that the full range of risks is understood and managed

In the present business scenario, where being and staying profitable is a paramount objective, a Risk Intelligent Enterprise™ can look forward to a bottom line impact.


Deloitte’s leadership position in risk consulting

The Kennedy Vanguard for Risk Consulting Practices, 2009

“Deloitte’s approach to risk consulting engagements focuses on risk management’s crucial role in creating and protecting business value. An important thought leader in the space, Deloitte also leads the market with a full range of services from risk strategy and process design down to technology development and implementation. Deloitte stood out with this holistic approach as well as its emphasis on a “risk intelligence” framework for driving enterprise wide communication and action.”*

* “The Forrester Wave™: Risk Consulting Services, Q1 2009”, Michael Rasmussen and Chris McClean


A unique multi disciplinary practice of professionals

Deloitte’s operations in India constitute a large and important part of the global firm. Our success can be attributed to the following:

Multi Disciplinary services – Our traditional and non-traditional service offerings are the most comprehensive in the industry and allow us to help our clients grow while managing risks. We service our clients out of 13 offices across India.

Global Resource Pool – Our practice is structured to ensure the best talent reaches the customer. Teams are rigorously trained in applying proprietary Deloitte methodologies and have access to Deloitte’s Global Knowledge databases and research.

Industry Experience – We draw upon industry leaders to augment our knowledge, stay on top of developing trends and build experienced teams, with key team members having been involved in corporate and business unit strategy development across a range of industries and geographies.

We have worked with the largest Banks, Insurance and Asset Management companies on Strategy, Operations, Technology, and Risk Management projects.


Shaping the industry through world-class thought leadership

• Deloitte Research is a cross-industry group, which is known in the marketplace for bringing new perspective to real-world concerns. Deloitte Research is comprised of leading thinkers on strategic, economic, regulatory, technology, and industry issues.

• GFSI develops industry and sector-specific research on hot topics and business issues.

• Deloitte Strategy, Research and Innovation Group (SR&I) is a centralized research and development organization built on the firm’s deep understanding of business and industry trends, in-depth capabilities in client and market analysis and competitive strategies, and the insightful work of our research professionals that includes issue-specific expertise and innovative ideas related to our clients’ unique business challenges. Our SR&I organization enables Deloitte to better understand the issues that are important to clients and how our resources can be brought to solve their business challenges. SR&I has long had a Center of Excellence in India to support escalating client demand for research services. This unique operation enables the SR&I organization to literally work around the clock, giving our clients access to best-in-class industry research and analysis.

Representative industry association relationships

• CFA Institute (formerly AIMR)
• Investment Company Institute (ICI)
• National Investment Company Service Association (NICSA)
• Managed Funds Association
• Money Management Institute
• Global Alternative Investment Management (GAIM)
• American Chamber of Commerce in Japan (ACCJ), Investment Management Subcommittee
• Japanese Institute of Certified Public Accountants (JICPA), Investment Trusts Subcommittee
• Securities Analysts Association of Japan (SAAJ), IPS Verification Committee
• Korea Accounting Standards Board (KASB), Working Group on Uniform Accounting Standard for Asset Management
• Guernsey International Fund Association (GIFA)
• Jersey Fund Managers Association (JFMA)
• Dublin Funds Industry Association (DFIA)
• Alternative Investment Management Association (AIMA)
• Association Luxembourgeoise des Fonds d’Investissement (ALFI)
• ALFI hedge fund working group
• Auditors’ Institute Committee on Banking and Asset Management
• AIMA and the Investment Management Association


In this material Deloitte refers to Deloitte Touche Tohmatsu India Private Limited (DTTIPL), a Company established under the Indian Companies Act, 1956, as amended.

DTTIPL is a member firm of Deloitte Touche Tohmatsu, a Swiss Verein, whose member firms are legally separate and independent entities. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

This material is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Further, the views and opinions expressed herein are the subjective views and opinions of DTTIPL based on such parameters and analyses which in its opinion are relevant to the subject. Accordingly, the information in this material is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. None of Deloitte Touche Tohmatsu, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this material.
