Navigating the New Normal Enterprise Risk Management Making it Relevant in Today’s Global Environment

Post on 13-Aug-2020


Page 1: Navigating the New Normal Enterprise Risk Management ... · • Do you know when your organization’s risk profile changes? ... • BASEL III, COSO, ISO 31000 • OCC June 7 guidance

Navigating the New Normal: Enterprise Risk Management – Making it Relevant in Today’s Global Environment


Agenda

• Enterprise Risk Management
• Got ERM?
• Why Now – ERM Drivers & Influencers
• Regulatory Expectations
• Myths of ERM
• Demystify ERM – Cultivating Your Risk Landscape
• Risk Management – The Disconnect
• ERM Roles and Responsibilities
• ERM Characteristics of a Mature Program
• Action Planning Considerations
• ERM Benefits and Summary
• Q&A


ERM – A Global Perspective

Uncertainty surrounding the global economy has never been greater, and awareness of the need to manage and leverage risk has never been more important. Where are you today, and can your organization answer these key stakeholder questions?

• What are your critical risks?
• Do you know when your organization’s risk profile changes?
• Which business lines bring the most risk?
• What is the potential financial impact of your key risks?
• What is your risk appetite and tolerance?
• Have you allocated your resources appropriately to manage key risks?
• Do employees understand their risk management roles?
• How is risk incorporated into strategy development?
• Is risk a consistent contributor in the decision making process for senior leadership and the board of directors?


Enterprise Risk Management

ERM Defined… Got ERM?

• Leadership has a repeatable, comprehensive understanding of how to establish acceptable levels of risk the organization is willing to undertake
• Leadership has a repeatable, comprehensive understanding of how to identify, assess, prioritize and manage risk
• Roles and responsibilities are assigned for ERM governance
• High-value and relevant information for management decision making is generated
• Monitoring and reporting processes are enhanced with risk information
• ERM is linked to the organization’s strategy, culture and values


Evolution of ERM – An Overview


Drivers and Influencers

• Constant change in the global business environment – new threats and vulnerabilities
• Increasing public scrutiny
• Increasing expectations from leadership and the BOD
• Increasing compliance requirements and examiner expectations
• Company viability more vulnerable
• Slow global economic growth, corporate failures and recovery

Stakeholders and their expectations:

• Customers – performance, transparency, security and trust
• Economies – capital, cost containment, globalization, growth
• Regulators – new legislation and rules, heightened expectations, scrutiny, transparency
• Employees – development, security and trust
• Media and Public – accountability, transparency, security and trust
• Investors – performance, transparency, active shareowners


Regulatory Expectations

• Bank Regulators
  • Federal Reserve audits have resulted in criticism of risk management practices… and recommendations that a “comprehensive solution” be implemented to improve risk management practices.
  • Bank regulators are having conversations about risk management with financial institutions that want to merge or expand product lines.
  • Focus on implementing enterprise-wide risk models is gathering momentum.
  • Increasing commentary and focus on the management and capital components of the CAMELS rating system, and on addressing deficiencies
  • BASEL III, COSO, ISO 31000
  • OCC June 7 guidance on capital planning
• Healthcare Reform
  • HIPAA, HITECH, ICD-10, OIG Audits, MU
• Rating Company Expectations


ERM Myths

• “We have always had an ERM Program”
• “It’s too expensive”
• “We can use a ‘template’ to start our ERM program”
• “It’s distracting and disruptive to management”
• “Does not contribute to achieving the goals of the company”
• “We can hire a consultant to build an ERM Program”
• “The goal of ERM is always to reduce risk”
• “Implementation is a one-time event”
• “ERM is a stand-alone self sustaining program”


Demystify ERM – Cultivate Your Risk Landscape

Business Landscape: Risk Appetite; Business Strategy; Goals and Objectives; ERM Fundamentals

Corporate Governance Framework (the elements surrounding Enterprise Risk Management):

• Board of Directors & Committees
• Monitoring
• Disclosure & Transparency
• Business Practices & Ethics
• Legal & Regulatory
• Communication & Trust

Corporate Governance is the system of processes and procedures an organization has in place to protect the interests of its diverse stakeholders.

Enterprise Risk Management (ERM) is a process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


Demystify ERM – Cultivate Your Risk Landscape

Business Landscape: Risk Appetite; Business Strategy; Goals and Objectives

ERM Fundamentals

• The identification of risks that may affect, either negatively or positively, the objectives of the organization (risk inventory).
• The formal process of assessing risk events contained in the risk inventory to create a holistic risk landscape.
• The prioritization of the risk landscape so that actions can be taken to address those risks that are most critical to the organization.

• Establish mitigation strategy/objectives
• Create project plan (timing, tasks, deliverables).
• Focus on “do-able”.
• Evaluate for root cause.
• Set initial measures of success.

• Clearly defined and validated measures of success.
• Identify critical risk data that must be reported.
• Formalize report types, distribution list and means of delivery.
• Adhere to existing processes where possible.

Risk Appetite
• Establish the amount of risk willing to accept
• Determine acceptable levels of risk variation – risk tolerances


Example Statements

Risk Appetite

Bitsco Healthcare operates within a low overall risk range. Bitsco’s lowest risk appetite relates to patient safety and compliance objectives, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations, will take priority over other business objectives.

Randell University’s main objective is to continue as a preeminent teaching and research university that attracts outstanding students and is a desired place of work for top faculty. We have a high risk appetite when approving a new computer system that offers greater processing capacity; a moderate risk appetite for teaching quality; a low risk appetite for significant breaches of security or unauthorized access to classified records; and a very low risk appetite for risks that would significantly reduce our research reputation.

Risk Tolerance

We strive to treat all emergency room patients within 2 hours and critically ill patients within 10 minutes. Management accepts that in rare situations (5% of the time) patients in need of non-life-threatening attention may not receive that attention for up to 4 hours.

• Our teaching evaluations should not decline by more than 3%.
• Where individual schools within the university are ranked by outside evaluators in student preparedness and quality of students, there should be no more than a 3% decline.
• The caliber of students wanting to attend the university should not decline by more than 2%, as measured by standard university admissions data such as SAT or ACT scores, percentile ranking in high school graduating class, or extent of community service before attending university.


Survey Samples

Consequence Descriptions (Descriptor – Example Impacts)

5
• Two or more events involving death and/or multiple injuries as a direct result of the organization’s negligence, and/or
• Multiple employee deaths, and/or
• Loss of assets or revenue exceeding $_________, and/or
• National television / newspaper headlines and/or government investigation, and/or
• Regional service cessation for more than 6 weeks, and/or
• Total service cessation for more than 4 weeks

4
• A single event involving death and/or multiple injuries as a direct result of the organization’s negligence, and/or
• Single employee death or multiple injuries, and/or
• Loss of assets or revenue between $________ and $_______, and/or
• State television / newspaper headlines and/or regulator investigation, and/or
• Regional service cessation for 5 to 6 weeks, and/or
• Total service cessation for a period of between 1 week and 4 weeks and subsequent interruption over several weeks

3
• A single event involving serious injury, and/or
• Multiple employee lost-time injuries, and/or
• Loss of assets or revenue between $__________ and $________, and/or
• Local television / newspaper headlines (front page) and/or regulator inquiry, and/or
• Regional service cessation for 3 weeks to 5 weeks, and/or
• Total service cessation for a period between 1 day and 7 days and subsequent interruption over several days

2
• Employee lost-time injury, and/or
• Loss of assets or revenue between $________ and $_________, and/or
• Local newspaper headlines (not front page), and/or
• Regional service cessation for 2 weeks to 3 weeks, and/or
• Business interruption over several days

1
• Loss of assets or revenue less than $_________, and/or
• Reporting (not front page) in local newspapers, and/or
• Regional service cessation for less than 2 weeks, and/or
• Minor service disruption

Likelihood Descriptions (Descriptor – Description – Frequency)

5 – The probability that an event can occur at any time, and one occurrence does not prevent other occurrences from transpiring within the same year. Frequency: will occur more than once per year.

4 – The probability that an event can occur, but reoccurrence of the event is not expected within the same year. Frequency: will occur once per year.

3 – The possibility that an event can occur, but reoccurrence of the event is not expected within a 5 year period. Frequency: will occur once every 5 years.

2 – The possibility that an event can occur, but reoccurrence of the event is not expected within a 10 year period. Frequency: will occur once every 10 years.

1 – The scarce chance that an event may occur, but it is not expected within a 30 year period or longer. Frequency: less than once in 30 years.

Control Criteria (Descriptor – Description)

5 – Significant attention to risk. Controls in place provide assurance with the highest level of certainty that a risk will be detected or prevented consistently and timely. These controls are highly formalized, automated, and tested on a regular basis. Controls of this type are rated as “exceeding best practices”.

4 – Controls in place provide assurance with a high level of certainty that a risk will be detected or prevented consistently and timely. Controls of this type are formalized, automated, and tested on a regular basis. Controls of this type are rated as “best practice”.

3 – Controls in place provide reasonable assurance that a risk will be detected or prevented consistently. Controls of this type are formal but highly manual. Risk mitigation or treatment is implemented in a “reactionary” manner.

2 – Controls do not provide reasonable assurance that a risk will be detected consistently or timely. Controls of this type are informal and are insufficient to prevent or mitigate the risk effectively.

1 – There is no formal or informal control associated with the risk. This includes uncontrollable risks.


ERM – eRIA

Context Interviews: The objective is twofold: to understand individual perspectives on the critical risks and concerns that face the company, and to develop an organic risk inventory based on leadership’s view and perspective.

Consensus Session: Brings the key participants into a facilitated consensus session to assess all risks in the inventory. Risks are assessed based on impact, likelihood, and control effectiveness.

Reporting: Analysis and quantification of the results of the consensus session. Report content is designed to meet the needs and expectations of senior leadership and the BOD.


Planning and Management


Tools for Today’s Leadership


Cultivate Your Risk Landscape

Business Landscape: Business Strategy; Goals and Objectives

Basic Building Blocks – ERM Standards & Principles:
• COSO Model
• ISO 31000 Risk Management – Principles & Guidelines
• Basel

ERM Program Maturity: ranges from Risk Avoidance to Opportunity Recognition


The Disconnect

• Strategy – Chosen goals and objectives for the enterprise
• Risk and Compliance Universe – Identification of rules and risks in achieving strategy
• Risk Appetite – Set boundaries within the risk universe
• Risk and Compliance Programs – Design programs to operate within risk appetite; specific assessments
• Controls – Manage risks; monitor compliance
• Testing and Monitoring – Test controls; monitor controls; share best practices

Risk and Compliance Programs are Disconnected from Strategy and are Inefficient


ERM Alignment

• Strategy – Chosen goals and objectives for the enterprise
• Risk and Compliance Universe – Identification of rules and risks in achieving strategy
• Risk Appetite – Set boundaries within the risk universe
• Risk and Compliance Programs – Design programs to operate within risk appetite; specific assessments
• Controls – Monitor risks; monitor compliance
• Testing and Monitoring – Test controls; monitor controls

Supporting processes: Risk Assessment; Risk Monitoring; Controls Testing; IA Processes


ERM Leveling

All entities experience risk and uncertainty in driving value to shareholders.

ERM creates discipline for communicating risk to make risk:

• Understandable
  • Use of common language
  • Able to be written in a sentence
• Measurable
  • Can be anticipated (known vs unknown)
• Manageable
  • Can be transferred, avoided, reduced or accepted
  • Within the entity’s capacity to accept risk: risk appetite / risk tolerance / risk capacity / attitudes towards risk


Roles & Responsibilities – Overview

• Board of Directors
The board of directors is ultimately responsible for looking after the interests of the organization’s stakeholders. This responsibility includes understanding the critical risks faced by the organization and how they are being addressed – risk oversight. Therefore, boards can be the impetus for the establishment of an ERM program.

• Senior Management
Senior management is responsible for creating, implementing, and sustaining an ERM program across the organization.

• Chief Risk Officer & Risk Committee
The CRO is a designated senior enterprise officer responsible for administering and monitoring the overall ERM function in an organization.

• Internal Audit
Internal audit is responsible for verifying that management’s activities and controls are designed and operating effectively. As it pertains to ERM, internal audit’s role is to review the ERM program and to determine whether that program is operating as intended.


Cultivate Your Risk Landscape

• Identify and Establish Realistic Objectives, Goals, and Requirements
• Relevant to the Organization
• Commitment from Board of Directors and Senior Management
• Understandable
• Iterative & pragmatic phased approach with real & immediate results
• Leverage existing company processes and technology
• Scalable – ability to evolve as needs and requirements change
• Set Realistic Expectations – ERM maturity curve and evolution
• Reasonable project costs
• ERM development must be “owned” by the organization


Characteristics of a Mature ERM Program

• Leadership Commitment – Board of Directors and Senior Leadership
• Transparency of risk communication
• Use of refined quantification measures and methods
• Identification of new and emerging risks
• Shift from focus on risk avoidance and mitigation to leveraging risk
• Dedicated senior level risk executive – CRO
• ERM culture at all levels of the organization
• Risk information integrated into decision making
• Stakeholder contribution in risk management strategy and policy setting


Possible Next Steps

• Conduct an ERM Readiness Assessment
• Conduct an eRIA (develop risk measures and quantification methods)
• Obtain Board of Director and/or Senior Leadership Commitment
• Establish Risk Appetite and Tolerance
• Establish Enterprise Risk Governance
• Develop ERM processes
• Define/Refine ERM reporting information/metrics for the organization
• Evaluate and Implement an ERM Technology Platform
• Conduct an ERM program maturity evaluation – ERM Audit
• Change Corporate Culture
• Align Insurance Program


Short Term Considerations – example

• Conduct a group exercise to discuss any data anomalies and a “first pass” prioritization of the results based on perceived need
• Use the existing Risk Analysis Report to develop a risk inventory with detailed definitions and examples (validate with senior leadership)
• Establish risk tolerance / threshold policies (how much risk can we accept?)
• Establish a risk response plan for process improvement
• Prioritize risks by severity and perceived cost to treat / benefit gained
• Assign ownership, assess root causes and develop treatment strategies
• Assess the efficiency of current insurance (partially insured)
• Establish control improvements and/or additions
• Implement a formal risk identification and measurement process (annual)
• Develop an insurance program that addresses all insurable and partially insurable risks


Long Term Considerations – example

• Formalize your effort and implement a structured risk management framework
• Establish formal risk management processes and procedures
• Define governance structure and decision support requirements
• Develop formal communication channels
• Align with and/or leverage current processes (audit, planning, etc.)
• Monitor, measure and report the results (what is being changed?)
• Implement training plans
• Incorporate risk management policies into individual performance requirements
• Implement an audit schedule to regularly test performance of risk controls
• Develop risk management technology platform (enabling applications)
  • Risk database
  • Risk project tracking
  • Metrics and dashboard functionality


ERM Benefits and Summary

• Benefits and Value Proposition
  • Increase capability to protect long term viability
  • Leverage the linkage between risk management and market share competitive advantage – upside of risk – cultivate your risk landscape
  • Risk included in decision making process
  • Better prepared for down side of risk
  • Aligned risk management efforts to level of inherent risk
• Enablers and Tools
  • Formal risk inventory
  • Common risk language
  • Common risk measures
  • Common understanding of critical risks


Presenter: Bart Kimmel, Crowe Horwath, LLP, 15233 Ventura Blvd, Sherman Oaks, CA, [email protected]

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction. © 2012 Crowe Horwath LLP

Presenter: Justin Van Beek, Crowe Horwath, LLP, 15233 Ventura Blvd, Sherman Oaks, CA, [email protected]