Enterprise Risk Management (ERM) as an essential tool for good corporate governance
Rahaju Pal
Director, Enterprise Risk Services
September 2010
©2010 Deloitte Touche Tohmatsu India Private Limited
Contents
• Corporate Governance - Key elements
• Evolution of Corporate Governance – India
• Why ERM
• ERM for Corporate Governance
• Deloitte’s nine principles for building a Risk Intelligent Enterprise
• ERM – Key Challenges
• Route to Risk Intelligent Governance
• Key takeaways
• About Deloitte
Corporate Governance – Key elements
Core Principles
• Shareholder rights
• Independence
• Accountability and disclosure
• Board roles and responsibilities
Intent
• Ensure integrity of accounting and financial reporting
• Include independent audit
• Ensure appropriate controls over
– Financials
– Monitoring risks
– Compliance with laws and regulations
OECD principles of Corporate Governance: “The Board should fulfill certain key functions including: Ensuring the integrity of the corporation’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, systems for risk management, financial and operational control, and compliance with the law and relevant standards.”
Corporate Governance – Key elements
Factors driving state of governance
• Globalization
• Growth initiatives
• Accelerated decision-making
• More proactive Boards
• Increased competition
• Recent scandals
Key players involved
• CEO / CFO
• Board of Directors
• Audit Committees and other committees of Board
• Shareholders
• Regulators
Evolution of Corporate Governance – India
The Confederation of Indian Industry (CII), the Associated Chambers of Commerce and Industry (ASSOCHAM) and the Securities and Exchange Board of India (SEBI) constituted the following committees to recommend initiatives in Corporate Governance for the Indian corporate sector.
Clause 49 of the Listing Agreement with Stock Exchanges governs the corporate governance requirements for the Indian corporate sector.
Kumar Mangalam Birla Committee 1999
SEBI constituted the Kumar Mangalam Birla Committee in 1999, which made recommendations for changes in Clause 49 of the listing agreement, primarily covering:
• Composition of the Board of Directors
• Audit Committee
• Directors' Remuneration
• Disclosures
Naresh Chandra Committee 2002
Constituted by the Department of Company Affairs (DCA), this committee essentially covered the Auditor – Company relationship and the concept of CEO/CFO certification in line with the Sarbanes-Oxley Act in the United States.
Narayan Murthy Committee 2003
Constituted by SEBI to examine the quality and uniformity of disclosures made under Clause 49 and made recommendations for improvements, drawing upon the existing best practices and the recommendations made by the earlier committees.
Why ERM
[Figure: Meet Legal Requirements. Labels: Letter of the Law; Spirit of the Law.]
• High profile corporate scandals in USA (Enron, Worldcom etc.) followed by encouragement from SEC & NYSE to adopt Risk Management activities.
• In India Clause 49 of the listing agreement stipulates Risk Management as mandatory compliance requirement.
• Financial analysts and rating agencies are increasingly interested in a company’s ERM capability.
– Moody’s and Standard & Poor’s have ERM listed as one of their evaluation criteria
– Even Indian Rating Agencies – CRISIL, ICRA, CARE – consider quality of Corporate Governance and Risk Management while assigning their ratings to companies
Why ERM contd..
• When a corporate catastrophe occurs, questions quickly arise as to whether the board was complacent in its oversight responsibilities. Perceived complacency can be costly: in the case of Satyam, the role of independent directors was questioned
• S & P announced on Month X, 2008 that an analysis of ERM capability will be a factor in determining a company’s overall credit rating. Evaluations will be conducted as an integral part of their normal credit review process. Discussions with company managers will focus on the following major areas of ERM capability:
– Risk-management culture and governance
– Risk Controls
– Emerging Risk Preparation
– Strategic risk management
• Maintaining and improving credit ratings will help reduce cost of capital and support greater flexibility in managing debt
• Board directors are already demanding increased risk information - this issue will drive even higher expectations
• Shareholders and other stakeholders expect management to take more effective steps to minimize the frequency and severity of losses and missed earnings projections
• Now more than ever, directors are expected to exercise due diligence and care. Directors are understandably concerned about personal liability and reputation at risk. But without better risk intelligence that comes from an effective enterprise risk management (ERM) approach, it will be difficult for the board to meet stakeholder expectations.
ERM for Corporate Governance
• Top-down involvement (board and executive management)
• Common infrastructure to identify, assess and respond to risks
• Discipline around making risk-informed decisions
• Require risk management as a competency across levels
Deloitte’s nine fundamental principles assist organisations to become Risk Intelligent
Deloitte’s nine principles for building a Risk Intelligent Enterprise
Risk Governance
Risk Infrastructure & Management
Risk Ownership
Common Definition of Risk: A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
Common Risk Framework: A common risk framework supported by appropriate standards is used throughout the organization to manage risks.
Roles & Responsibilities: Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.
Common Risk Infrastructure: A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
Transparency for Governing Bodies: Governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization's risk management practices to discharge their responsibilities.
Executive Management Responsibility: Executive management is charged with designing, implementing and maintaining an effective risk program.
Business Unit Responsibility: Business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
Support of Pervasive Functions: Certain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization's risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program.
Objective Assurance and Monitoring: Other functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management.
ERM – Key Challenges
Factors driving state of ERM
• Risk is becoming personal for Board Members and Executives
• Risk is managed in silos
• Risk Management is focused on ‘Unrewarded Risk’ rather than ‘Rewarded Risk’
[Figure: VALUE axis (+ / −). Creating shareholder value: increased market share, new product development, increased revenue. Preserving shareholder value: fraud, lawsuits, penalties and fines.]
ERM – Key Challenges contd..
Key questions for Board to ask
• What is the company’s policy and process for managing risks on an integrated, enterprise-wide basis?
• What are the company’s key risks and vulnerabilities, and what are the plans to address them?
• Who has the authority to take risk on behalf of the company?
Some of the common ERM challenges are:
• Unclear risk strategy and philosophy
• Lack of actionable details and support from top management towards implementation of the risk strategy
• Lack of transparency and understanding of risk issues at Board and Executive levels
• Ineffective change management and communication to manage organizational resistance to new ERM practices
• Business units treating risk management as management interference in their functioning
• Decision-making driven by earnings rather than risk-adjusted results
• Lack of consistent practices and critical success factors across the organization
• Unclear definition of the roles and responsibilities of the risk-related functions and risk owners
• Risk-related activities positioned as redundant, except those required for compliance
[Figure labels: Strategy, Execution, Behavior]
Stages of Risk Management Capability Maturity
[Figure: maturity curve. Vertical axis: Stakeholder Value. Stages, in order: Unaware, Fragmented, Top Down, Systematic, Risk Intelligent.]
Typical Symptoms
Unaware
• Ad hoc/chaotic
• Depends primarily on individual heroics, capabilities, and verbal wisdom
Fragmented
• Independent risk management activities
• Limited focus on the linkage between risks
• Limited alignment of risk to strategies
• Disparate monitoring & reporting functions
Top Down
• Common framework, program statement, policy
• Routine risk assessments
• Communication of top strategic risks to the Board
• Executive/Steering Committee
• Knowledge sharing across risk functions
• Awareness activities
• Formal risk consulting
• Dedicated team
Systematic
• Coordinated risk management activities across silos
• Risk appetite is fully defined
• Enterprise-wide risk monitoring, measuring, and reporting
• Technology implementation
• Contingency plans and escalation procedures
• Risk management training
Risk Intelligent
• Risk discussion is embedded in strategic planning, capital allocation, product development, etc.
• Early warning risk indicators used
• Linkage to performance measures and incentives
• Risk modeling/scenarios
• Industry benchmarking used regularly
Journey that most companies make on the road to Risk Intelligence
Deloitte's Risk Intelligence maturity model
Actions for Risk Intelligent Governance
• Define the board’s risk oversight role
– Define the board’s risk governance roles and responsibilities
– Consider board composition
– Establish an enterprise-wide risk management framework
– Perform site visits
• Foster a Risk Intelligent culture
– Lead by example in communicating about risk
– Build cohesive teams with management
– Reward Risk Intelligent behavior
– Consider a third-party assessment
• Help management incorporate Risk Intelligence into strategy
– Design processes for integrating risk management into strategic planning
– Monitor strategic alignment
– Establish accountability
Actions for Risk Intelligent Governance contd
• Help define the risk appetite
– Distinguish between risk appetite and risk tolerance
– Serve as a sounding board
• Execute the Risk Intelligent governance process
– Work with management on process design
– Monitor the overall risk management process
– Conduct formal risk management program assessments
– Clarify accountability at the board and management levels
• Benchmark and evaluate the governance process
– Use internal monitoring and feedback
– Participate in continuing education and updates
– Solicit independent viewpoints
– Include risk as a topic in the annual board self-assessment
The program and organization structure for Risk Intelligent Enterprise
[Figure: Risk Intelligent Enterprise framework. Tiers: Risk Governance, Executive Risk Oversight, Risk Ownership. Bodies shown: Board of Directors, Executive Risk Committee, Internal Audit, business units (BU A, BU B, BU C, BU D). Risk areas: Governance, Strategy & Planning, Operations / Infrastructure, Compliance, Reporting. Common Risk Infrastructure: People, Process, Technology. Risk process: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design & Test Controls; Monitor, Assure, Escalate. Side labels: Develop and Deploy Strategies; Sustain and Continuously Improve.]
Our customised approach for ERM
Phases: Scoping and planning; Designing the ERM program; Risk Prioritisation Workshops
Objectives
Scoping and planning: The objectives of this phase are:
• Project set up and governance
• Assess the current state of risk management
• Assess the maturity of risk management activities within the organisation.
Designing the ERM program: The objective of this phase is to design an ERM Program that will enable achieving the strategic objectives of the organization and comply with risk management guidelines.
Risk Prioritisation Workshops: The objective of the workshop module is to sensitize the senior management on the significance of active risk management and their role in the program.
Key Deliverables
• Project scope and governance documentation
• Risk Management architecture and framework elements
• Governance Structure
• ERM policy document
• Guidelines on Risk Appetite Framework
• Risk reporting design
• Risk assessment at a business process level
• Risk registers across key business processes of the Company
• Risk Workshops (2)
• Identification of top 20 risks of the organisation
• Root cause analysis and risk profiling for top 20 risks identified
• Risk prioritisation and reporting
Approach
• Risk Diagnostic Tool
• Risk Intelligence Framework
• Risk Maturity Development Framework
Risk workshops
• Assess workshop needs
• Develop workshop plan and material
• Conduct risk workshops across management levels
• Manage risks on an ongoing basis
Relevant tools from Deloitte
Risk Infrastructure & Oversight
The Risk Intelligence Diagnostic Tool
The Risk Intelligence Map
Risk Intelligence Whitepaper Series
Key takeaways
Risk Intelligent governance stands among the most valuable contributions a board can make to its organization. As seasoned business leaders, board members bring a combined breadth of perspective, depth of experience, and knowledge of the enterprise that can lend support to the organization’s risk management efforts that is not only invaluable, but also unavailable elsewhere. The competitive benefits of Risk Intelligent Governance include:
• A means to improve strategic flexibility for both upside and downside scenarios
• Employ risk management for competitive advantage
• Assist in shaping the organization’s response to regulatory issues
• Drive long-term growth while preserving assets
• A common risk management infrastructure with sufficient autonomy for individual business units/functions to exploit their specialized knowledge and expertise
• The ability to provide a “comfort level” to the Board and other stakeholders that the full range of risks is understood and managed
In the present business scenario, where being and staying profitable is a paramount objective, a Risk Intelligent Enterprise™ can look forward to a bottom line impact.
Deloitte’s leadership position in risk consulting
The Kennedy Vanguard for Risk Consulting Practices, 2009
“Deloitte’s approach to risk consulting engagements focuses on risk management’s crucial role in creating and protecting business value. An important thought leader in the space, Deloitte also leads the market with a full range of services from risk strategy and process design down to technology development and implementation. Deloitte stood out with this holistic approach as well as its emphasis on a “risk intelligence” framework for driving enterprise wide communication and action.”*
* “The Forrester Wave™: Risk Consulting Services, Q1 2009”, Michael Rasmussen and Chris McClean
A unique multi disciplinary practice of professionals
Deloitte’s operations in India constitute a large and important part of the global firm. Our success can be attributed to the following:
Multi Disciplinary services – Our traditional and non traditional service offerings are the most comprehensive in the industry and allow us to help our clients grow while managing risks. We service our clients out of 13 offices across India.
Global Resource Pool – Our practice is structured to ensure the best talent reaches the customer. Teams are rigorously trained in applying proprietary Deloitte methodologies and have access to Deloitte’s Global Knowledge databases and research.
Industry Experience – We draw upon industry leaders to augment our knowledge, stay on top of developing trends and build experienced teams, with key team members having been involved in corporate and business unit strategy development across a range of industries and geographies.
We have worked with the largest Banks, Insurance and Asset Management companies on Strategy, Operations, Technology, and Risk Management projects
Shaping the industry through world-class thought leadership
• Deloitte Research is a cross-industry group, which is known in the marketplace for bringing new perspective to real-world concerns. Deloitte Research is comprised of leading thinkers on strategic, economic, regulatory, technology, and industry issues.
• GFSI develops industry and sector-specific research on hot topics and business issues.
• Deloitte Strategy, Research and Innovation Group (SR&I) is a centralized research and development organization built on the firm’s deep understanding of business and industry trends, in-depth capabilities in client and market analysis and competitive strategies, and the insightful work of our research professionals that includes issue-specific expertise and innovative ideas related to our clients’ unique business challenges. Our SR&I organization enables Deloitte to better understand the issues that are important to clients and how our resources can be brought to solve their business challenges. SR&I has long had a Center of Excellence in India to support escalating client demand for research services. This unique operation enables the SR&I organization to literally work around the clock, giving our clients access to best-in-class industry research and analysis.
Representative industry association relationships
• CFA Institute (formerly AIMR)
• Investment Company Institute (ICI)
• National Investment Company Service Association (NICSA)
• Managed Funds Association
• Money Management Institute
• Global Alternative Investment Management (GAIM)
• American Chamber of Commerce in Japan (ACCJ), Investment Management Subcommittee
• Japanese Institute of Certified Public Accountants (JICPA), Investment Trusts Subcommittee
• Securities Analysts Association of Japan (SAAJ), IPS Verification Committee
• Korea Accounting Standards Board (KASB), Working Group on Uniform Accounting Standard for Asset Management
• Guernsey International Fund Association (GIFA)
• Jersey Fund Managers Association (JFMA)
• Dublin Funds Industry Association (DFIA)
• Alternative Investment Management Association (AIMA)
• Association Luxembourgeoise des Fonds d’Investissement (ALFI)
• ALFI hedge fund working group
• Auditors’ Institute Committee on Banking and Asset Management
• AIMA and the Investment Management Association
In this material Deloitte refers to Deloitte Touche Tohmatsu India Private Limited (DTTIPL), a Company established under the Indian Companies Act, 1956, as amended.
DTTIPL is a member firm of Deloitte Touche Tohmatsu, a Swiss Verein, whose member firms are legally separate and independent entities. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.
This material is intended to provide general information on a particular subject or subjects and is not an exhaustive treatment of such subject(s). Further, the views and opinions expressed herein are the subjective views and opinions of DTTIPL based on such parameters and analyses which in its opinion are relevant to the subject. Accordingly, the information in this material is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. None of Deloitte Touche Tohmatsu, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this material.