Hoover, 2016 Texas Bankers CFO Conference
TRANSCRIPT
ENTERPRISE RISK MANAGEMENT
A PRACTICAL APPROACH
Terry Hoover CPA, CIA
AGENDA
• Working Definition of Enterprise Risk Management (ERM)
• Components of ERM
• Talk through a “mock” ERM Program Review
• Look at some sample tools you can implement immediately
COMMONLY USED DEFINITIONS
• COSO’s ERM Framework
• ISO 31000
• Consultants
• FFIEC
• OCC
• Federal Reserve
• Wikipedia
MANAGEMENT
Wikipedia – Management
• Management in businesses is the function that coordinates the efforts of people to accomplish goals and objectives by using available resources efficiently and effectively. Management includes planning, organizing, staffing, leading, and controlling an organization to accomplish the goal.
• Management involves identifying the mission, objective, procedures, rules…to contribute to the success of the enterprise.
RISK MANAGEMENT
Wikipedia – Risk Management
• The identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events – or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deflect the endeavor from the business goals.
• Risks can come from various sources including uncertainty in financial markets, threats from project failures, legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack, or events of uncertain or unpredictable root cause.
ENTERPRISE RISK MANAGEMENT
Wikipedia – Enterprise Risk Management
• Includes methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.
COSO ERM FRAMEWORK
Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
ISO 31000 DEFINITION
Risk Management Framework
A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
COMPTROLLER OF THE CURRENCY
Risk management systems should:
• Identify Risk
• Measure Risk
• Monitor Risk
• Control Risk
ERM, SIMPLY STATED
• ERM is the process used to identify, measure, monitor, and control risk
BUT, WHAT DOES ERM “LOOK LIKE”?
• Most of us must be “doing” ERM at some level – the doors are still open
• Can we do better? Are there gaps in our program? How do we know?
FEDERAL RESERVE
KEY ERM “COMPONENTS”
• Board and senior management oversight
• Policies, procedures, and limits
• Risk measurement, monitoring, and reporting
• Internal controls
MOCK ERM PROGRAM REVIEW
• Gather Information
• Understand how your bank “sees” ERM and risk management
• Populate the Program Overview / Gap Analysis Tool
• Identify gaps
• Provide sample tools
STEP 1 – GATHER INFORMATION
• Strategic Plan / Goals and Objectives
• Policies
• Board / Executive Management Reports and Presentations
• Other Metrics
• Risk Assessments
• Internal Audit Scope / Schedule / Reports
STEP 2 - UNDERSTAND
• Read all information provided
• Talk to executive and senior managers, and also to board members if possible
• Understand how you see risk management, the importance, the drivers, your appetite for risk, and what you want out of your ERM program.
STEP 3 – GAP ANALYSIS
• Customize the Program Overview / Gap Analysis tool to your bank
• Document your program elements in the Program Overview / Gap Analysis tool.
• Definitions
• Governance (committees, risk owners)
• Key policies, procedures, and limits
• Risk assessments
• Reports and other communication protocols
• Internal control elements
• Risk appetite statements
• Key Risk / Performance Indicators
PROGRAM SUMMARY / GAP ANALYSIS
COMMON “GAPS”
• No ERM Policy or Framework
• No Enterprise Risk Assessment (Top 10 or Letterman List)
• Risk Appetite not documented
• Missing Key Risk Indicators
• No periodic ERM Summary Report to Board and Executive Management
ERM POLICY OR FRAMEWORK
• The Program Overview / Gap Analysis Tool thoroughly documents your program
• The ERM Policy should be short and high level. It does not replace other policies…it is more of an umbrella.
• Overall Policy Statement and Objectives
• Risk Appetite
• Risk Categories
• Program Elements (governance; risk measurement, monitoring, and reporting; internal control system)
• Program Review
ENTERPRISE RISK ASSESSMENT
• Key Risk List – “Board Level” Risks – Letterman List – Top 10 List
• Survey senior and executive management to identify risk inventory
• Normalize the risk inventory
• Department heads identify “top 5” risks to their departments and rate risk and controls
• Risk committee to normalize risk ratings and identify most significant bank-wide risks (Top 10)
• Assign accountability and develop risk management action plans for top risks
EXAMPLE KEY RISKS
KEY RISK LIST
RISK APPETITE
• Risk Appetite is the amount of risk – on a broad level – an entity is willing to accept in pursuit of value and strategy.
HIGH LEVEL GUIDING PRINCIPLES AND RISK APPETITE STATEMENTS
DETAILED RISK APPETITE STATEMENTS
KEY RISK INDICATORS
• Key Risk Indicator (KRI) – a ratio or piece of information that measures or provides insight into a key risk.
• Key Performance Indicator (KPI) – a ratio or piece of information that measures performance.
• The most meaningful KRIs and KPIs will be directly related to your Strategic Plan, Enterprise Risk Assessment, and Risk Appetite Statements.
EXAMPLE KEY RISK AND PERFORMANCE INDICATORS
ERM SUMMARY REPORT
• A periodic (e.g. quarterly), concise summary report that goes to the board and executive management.
• A great way to communicate to the regulators
• Promotes transparency
• Dashboards & graphs – a picture is worth a thousand words
RISK PROFILE TABLE OF CONTENTS
RISK PROFILE SUMMARY
RISK PROFILE NARRATIVE
KEY RISK/PERFORMANCE INDICATORS
CONTACT INFORMATION
Terry Hoover, CPA – [email protected]
Payne & Smith, LLC
5952 Royal Lane, Ste. 158
Dallas, TX 75230