Navigating the New Normal
Enterprise Risk Management
Making it Relevant in Today’s Global Environment

Agenda
• Enterprise Risk Management
• Got ERM?
• Why Now – ERM Drivers & Influencers
• Regulatory Expectations
• Myths of ERM
• Demystify ERM - Cultivating Your Risk Landscape
• Risk Management – The Disconnect
• ERM Roles and Responsibilities
• ERM Characteristics of a Mature Program
• Action Planning Considerations
• ERM Benefits and Summary
• Q&A
ERM - A Global Perspective
Uncertainty surrounding the global economy has never been greater, and awareness of the need to manage and leverage risk has never been more important. Where are you today, and can your organization answer these key stakeholder questions?
• What are your critical risks?
• Do you know when your organization’s risk profile changes?
• Which business lines bring the most risk?
• What is the potential financial impact of your key risks?
• What is your risk appetite and tolerance?
• Have you allocated your resources appropriately to manage key risks?
• Do employees understand their risk management roles?
• How is risk incorporated into strategy development?
• Is risk a consistent contributor in the decision making process for senior leadership and board of directors?
Enterprise Risk Management
ERM Defined… Got ERM?
• Leadership has a repeatable, comprehensive understanding of how to establish acceptable levels of risk the organization is willing to undertake
• Leadership has a repeatable, comprehensive understanding of how to identify, assess, prioritize and manage risk
• Roles and responsibilities are assigned for ERM governance
• High-value and relevant information for management decision making is generated
• Monitoring and reporting processes are enhanced with risk information
• ERM is linked to the organization’s strategy, culture and values
Evolution of ERM – An Overview

Drivers and Influencers
Stakeholder expectations:
• Customers – Performance; Transparency; Security and Trust
• Economies – Capital; Cost Containment; Globalization; Growth
• Regulators – New Legislation and Rules; Heightened Expectations; Scrutiny; Transparency
• Employees – Development; Security and Trust
• Media and Public – Accountability; Transparency; Security and Trust
• Investors – Performance; Transparency; Active Shareowners
Business environment:
• Constant Change in Global Business Environment – New Threats and Vulnerabilities
• Increasing Public Scrutiny
• Increasing Expectations from Leadership and BOD
• Increasing Compliance Requirements & Examiner Expectations
• Company Viability More Vulnerable
• Slow Global Economic Growth & Corporate Failures & Recovery
Regulatory Expectations
• Bank Regulators
  • Federal Reserve audits have resulted in criticism of risk management practices… and recommendations that a “comprehensive solution” be implemented to improve risk management practices.
  • Bank regulators are having conversations about risk management with financial institutions that want to merge or expand product lines.
  • Focus on implementing enterprise-wide risk models is gathering.
  • Increasing commentary and focus on the management and capital components of the CAMELS rating system and on addressing deficiencies
  • BASEL III, COSO, ISO 31000
  • OCC June 7 guidance on capital planning
• Healthcare Reform
  • HIPAA HITECH, ICD-10, OIG Audits, MU
• Rating Company Expectations
ERM Myths
• “We have always had an ERM Program”
• “It’s too expensive”
• “We can use a ‘template’ to start our ERM program”
• “It’s distracting and disruptive to management”
• “Does not contribute to achieving the goals of the company”
• “We can hire a consultant to build an ERM Program”
• “The goal of ERM is always to reduce risk”
• “Implementation is a one-time event”
• “ERM is a stand-alone self-sustaining program”
Demystify ERM - Cultivate Your Risk Landscape
Business Landscape: Risk Appetite; Business Strategy; Goals and Objectives
ERM Fundamentals

Corporate Governance Framework (diagram elements): Board of Directors & Committees; Monitoring; Enterprise Risk Management; Disclosure & Transparency; Business Practices & Ethics; Legal & Regulatory; Communication & Trust

Corporate Governance is the system of processes and procedures an organization has in place to protect the interests of its diverse stakeholders.
Enterprise Risk Management (ERM) is a process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Demystify ERM - Cultivate Your Risk Landscape
Business Landscape: Risk Appetite; Business Strategy; Goals and Objectives

ERM Fundamentals
• The identification of risks that may affect, either negatively or positively, the objectives of the organization (risk inventory).
• The formal process of assessing risk events contained in the risk inventory to create a holistic risk landscape.
• The prioritization of the risk landscape so that actions can be taken to address those risks that are most critical to the organization.
• Establish mitigation strategy/objectives.
• Create project plan (timing, tasks, deliverables).
• Focus on “do-able”.
• Evaluate for root cause.
• Set initial measures of success.
• Clearly defined and validated measures of success.
• Identify critical risk data that must be reported.
• Formalize report types, distribution list and means of delivery.
• Adhere to existing processes where possible.

Risk Appetite
• Establish the amount of risk willing to accept
• Determine acceptable levels of risk variation – risk tolerances
Example Statements

Risk Appetite
Bitsco Healthcare operates within a low overall risk range. Bitsco’s lowest risk appetite relates to patient safety and compliance objectives, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations, will take priority over other business objectives.

Randell University’s main objective is to continue as a preeminent teaching and research university that attracts outstanding students and is a desired place of work for top faculty. We have a high risk appetite when approving a new computer system that offers greater processing capacity; a moderate risk appetite for teaching quality; a low risk appetite for significant breaches of security or unauthorized access to classified records; and a very low risk appetite for risks that would significantly reduce our research reputation.

Risk Tolerance
We strive to treat all emergency room patients within 2 hours and critically ill patients within 10 minutes. Management accepts that in rare situations (5% of the time) patients in need of non-life-threatening attention may not receive that attention for up to 4 hours.
• Our teaching evaluations should not decline by more than 3%.
• Where individual schools within the university are ranked by outside evaluators in student preparedness and quality of students, there should be no more than a 3% decline.
• The caliber of students wanting to attend the university should not decline by more than 2%, as measured by standard university admissions data such as SAT or ACT scores, percentile ranking in high school graduating class, or extent of community service before attending university.
Survey Samples

Consequence Descriptions (Descriptor / Example Impacts)
5
  • Two or more events involving death and/or multiple injuries as a direct result of the organization’s negligence and/or
  • Multiple employee deaths and/or
  • Loss of assets or revenue exceeding $_________ and/or
  • National television / newspaper headlines and/or government investigation and/or
  • Regional service cessation for more than 6 weeks and/or
  • Total service cessation for more than 4 weeks
4
  • A single event involving death and/or multiple injuries as a direct result of the organization’s negligence and/or
  • Single employee death or multiple injuries and/or
  • Loss of assets or revenue between $________ and $_______ and/or
  • State television / newspaper headlines and/or regulator investigation and/or
  • Regional service cessation for 5 to 6 weeks and/or
  • Total service cessation for a period of between 1 week and 4 weeks and subsequent interruption over several weeks
3
  • A single event involving serious injury and/or
  • Multiple employee lost-time injuries and/or
  • Loss of assets or revenue between $__________ and $________ and/or
  • Local television / newspaper headlines (front page) and/or regulator inquiry and/or
  • Regional service cessation for 3 weeks to 5 weeks and/or
  • Total service cessation for a period between 1 day and 7 days and subsequent interruption over several days
2
  • Employee lost-time injury and/or
  • Loss of assets or revenue between $________ and $_________ and/or
  • Local newspaper headlines (not front page) and/or
  • Regional service cessation for 2 weeks to 3 weeks and/or
  • Business interruption over several days
1
  • Loss of assets or revenue less than $_________ and/or
  • Reporting (not front page) in local newspapers and/or
  • Regional service cessation for less than 2 weeks and/or
  • Minor service disruption

Likelihood Descriptions (Descriptor / Description / Frequency)
5: The probability that an event can occur at any time and one occurrence does not prevent other occurrences from transpiring within the same year. Frequency: will occur more than once per year.
4: The probability that an event can occur but reoccurrence of the event is not expected within the same year. Frequency: will occur once per year.
3: The possibility an event can occur but reoccurrence of the event is not expected within a 5 year period. Frequency: will occur once every 5 years.
2: The possibility an event can occur but reoccurrence of the event is not expected within a 10 year period. Frequency: will occur once every 10 years.
1: The scarce chance an event may occur but is not expected within a 30 year period or longer. Frequency: less than once in 30 years.

Control Criteria
5: Significant attention to risk. Controls in place provide assurance with the highest level of certainty that a risk will be detected or prevented consistently and in a timely manner. These controls are highly formalized, automated, and tested on a regular basis. Controls of this type are rated as “exceeding best practices”.
4: Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and in a timely manner. Controls of this type are formalized, automated, and tested on a regular basis. Controls of this type are rated as “best practice”.
3: Controls in place provide reasonable assurance that a risk will be detected or prevented consistently. Controls of this type are formal but highly manual. Risk mitigation or treatment is implemented in a “reactionary” manner.
2: Controls do not provide reasonable assurance that a risk will be detected consistently or in a timely manner. Controls of this type are informal and are insufficient to prevent or mitigate the risk effectively.
1: There is no formal or informal control associated with the risk. This includes uncontrollable risks.
ERM - eRIA

Context Interviews
The objective is twofold: to understand individual perspectives on critical risks and concerns that face the company, and to develop an organic risk inventory based on leadership’s view and perspective.

Consensus Session
Brings the key participants into a facilitated consensus session to assess all risks in the inventory. Risks are assessed based on impact, likelihood, and control effectiveness.

Reporting
Analysis and quantification of the results of the consensus session. Report content is designed to meet the needs and expectations of senior leadership and the BOD.
Planning and Management

Tools for Today’s Leadership

Cultivate Your Risk Landscape
Business Landscape: Business Strategy; Goals and Objectives
Basic Building Blocks: COSO Model; ISO 31000 Risk Mgt – Principles & Guidelines; Basel
ERM Stds & Principles; ERM Program Maturity (from Risk Avoidance to Opportunity Recognition)
The Disconnect
Risk and Compliance Programs are Disconnected from Strategy and are Inefficient
• Strategy – Chosen Goals and Objectives for the Enterprise
• Risk and Compliance Universe – Identification of Rules and Risks in Achieving Strategy
• Risk Appetite – Set Boundaries within Risk Universe
• Risk and Compliance Programs – Design Programs to Operate within Risk Appetite; Specific Assessments
• Controls – Manage Risks; Monitor Compliance
• Testing and Monitoring – Test Controls; Monitor Controls; Share best practices
ERM Alignment
• Strategy – Chosen Goals and Objectives for the Enterprise
• Risk and Compliance Universe – Identification of Rules and Risks in Achieving Strategy
• Risk Appetite – Set Boundaries within Risk Universe
• Risk and Compliance Programs – Design Programs to Operate within Risk Appetite; Specific Assessments
• Controls – Monitor Risks; Monitor Compliance
• Testing and Monitoring – Test Controls; Monitor Controls
Aligned activities: Risk Assessment; Risk Monitoring; Controls Testing; IA Processes
ERM Leveling
All entities experience risk and uncertainty in driving value to shareholders.
ERM creates discipline for communicating risk to make risk:
• Understandable – use of common language; able to be written in a sentence
• Measurable – can be anticipated (known vs. unknown)
• Manageable – can be transferred, avoided, reduced or accepted
• Within the entity’s capacity to accept risk – risk appetite / risk tolerance / risk capacity / attitudes towards risk
Roles & Responsibilities - Overview
• Board of Directors
The board of directors is ultimately responsible for looking after the interests of the organization’s stakeholders. This responsibility includes understanding the critical risks faced by the organization and how they are being addressed – risk oversight. Therefore, boards can be the impetus for the establishment of an ERM program.
• Senior Management
Senior management is responsible for creating, implementing, and sustaining an ERM program across the organization.
• Chief Risk Officer & Risk Committee
The CRO is a designated senior enterprise officer responsible for administering and monitoring the overall ERM function in an organization.
• Internal Audit
Internal audit is responsible for verifying that management’s activities and controls are designed and operating effectively. As it pertains to ERM, internal audit’s role is to review the ERM program and to determine whether that program is operating as intended.
Cultivate Your Risk Landscape
• Identify and Establish Realistic Objectives, Goals, and Requirements
• Relevant to the Organization
• Commitment from Board of Directors and Senior Management
• Understandable
• Iterative & pragmatic phased approach with real & immediate results
• Leverage existing company processes and technology
• Scalable – ability to evolve as needs and requirements change
• Set Realistic Expectations – ERM maturity curve and evolution
• Reasonable project costs
• ERM development must be “owned” by the organization
Characteristics of a Mature ERM Program
• Leadership Commitment – Board of Directors and Senior Leadership
• Transparency of risk communication
• Use of refined quantification measures and methods
• Identification of new and emerging risks
• Shift from focus on risk avoidance and mitigation to leveraging risk
• Dedicated senior level risk executive - CRO
• ERM culture at all levels of the organization
• Risk information integrated into decision making
• Stakeholder contribution in risk management strategy and policy setting
Possible Next Steps
• Conduct an ERM Readiness Assessment
• Conduct an eRIA (develop risk measures and quantification methods)
• Obtain Board of Directors and/or Senior Leadership Commitment
• Establish Risk Appetite and Tolerance
• Establish Enterprise Risk Governance
• Develop ERM processes
• Define/Refine ERM reporting information/metrics for the organization
• Evaluate and Implement an ERM Technology Platform
• Conduct an ERM program maturity evaluation – ERM Audit
• Change Corporate Culture
• Align Insurance Program
Short-Term Considerations - example
• Conduct a group exercise to discuss any data anomalies and “first pass” prioritization of the results based on perceived need
• Use the existing Risk Analysis Report to develop a risk inventory with detailed definitions and examples (validate with senior leadership)
• Establish risk tolerance / threshold policies (how much risk can we accept?)
• Establish a risk response plan for process improvement
• Prioritize risks by severity and perceived cost to treat / benefit gained
• Assign ownership, assess root causes and develop treatment strategies
• Assess the efficiency of current insurance (partially insured)
• Establish control improvements and/or additions
• Implement a formal risk identification and measurement process (annual)
• Develop an insurance program that addresses all insurable and partially insurable risks
Long-Term Considerations - example
• Formalize your effort and implement a structured risk management framework
• Establish formal risk management processes and procedures
• Define governance structure and decision support requirements
• Develop formal communication channels
• Align with and/or leverage current processes (audit, planning, etc.)
• Monitor, measure and report the results (what is being changed?)
• Implement training plans
• Incorporate risk management policies into individual performance requirements
• Implement an audit schedule to regularly test performance of risk controls
• Develop risk management technology platform (enabling applications)
  • Risk database
  • Risk project tracking
  • Metrics and dashboard functionality
ERM Benefits and Summary
• Benefits and Value Proposition
  • Increase capability to protect long-term viability
  • Leverage the linkage between risk management and market share competitive advantage – upside of risk – cultivate your risk landscape
  • Risk included in decision making process
  • Better prepared for the downside of risk
  • Aligned risk management efforts to level of inherent risk
• Enablers and Tools
  • Formal risk inventory
  • Common risk language
  • Common risk measures
  • Common understanding of critical risks
Presenters
Bart Kimmel
Crowe Horwath, LLP
15233 Ventura Blvd, Sherman Oaks, CA
[email protected]

Justin Van Beek
Crowe Horwath, LLP
15233 Ventura Blvd, Sherman Oaks, CA
[email protected]

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2012 Crowe Horwath LLP