Feb 06 Steele Enterprise Risk Managementppt2004

© Grant Thornton

Enterprise-Wide Risk Management

Top 10 Things Everyone should know about Enterprise Risk Management

© Grant Thornton 2

Contents

#1 – What is Enterprise Risk Management?

#2 – The Value Proposition – Why do this?

#3 – ERM – Best Practices – International

#4 – An Example of ERM Methodology

#5 – Identify Risks

#6 – Analyze Risks

#7 – Evaluate Risks

#8 – ERM Organization

#9 – Where is the industry today?

#10 – Best Practices and Lessons Learned

© Grant Thornton 3

#1 - What is Enterprise Risk Management? Taken from "COSO - ERM Integrated Framework"

• Takes an entity-level portfolio view of risk• A process, ongoing and flowing through an entity• Effected by people at every level of the organization• Applied in strategy setting• Designed to identify potential events that, if they occur, will

affect the entity• Designed to help an organization manage risk within its risk

appetite• Provides reasonable assurance to an entity's management

and board of directors as to accomplishment of business objectives

© Grant Thornton 4

#2 - The Value Proposition – Why do this?

Taken from "COSO - ERM Integrated Framework"

• Develops a strategic, firm-wide approach to risk management and mitigation using all the available tools: derivatives, insurance, internal controls and strategic action

• Focuses management attention on the truly important risks – risks with potential to significantly impact earnings or even endanger firm survival

• Integrates risk management into critical decision-making processes, such as strategic planning, to ensure a link between risk-adjusted performance measurement tools (e.g. Economic Capital RAROC) and strategic decision-making (i.e. Budget planning, Capex, M&A)

• Identifies the risks inherent in current strategy and business model before the competition to provide sustainable competitive advantage

© Grant Thornton 5

• Lowers cost of capital by reducing cash flow volatility and increases confidence of delivering financial outcomes

• Determines risk appetite of the firm in context of investor expectations

• Financial resources and communicates this effectively to all shareholders (i.e. Board, investors, analysts, rating agencies)

The Value Proposition for Pub Co.s – Why do this?

© Grant Thornton 6

#3 - ERM - Best Practices - International

Australia/New Zealand AZ4360 and HB436

Canada CoCo

UK Combined Code

South Africa King I and II

Banking - Worldwide Basel I and II

India Clause 49

© Grant Thornton 7

COSO-ERM Framework Taken from "COSO - ERM Integrated Framework"

Entity

-Lev

elDiv

isio

n Busin

ess Uni

tSu

bsid

iary

Monitoring

Information & Communication

Control Activities

Risk Assessment

Internal Environment

Compliance

Reporting

Operations

Strategic

Risk Response

Event Identification

Objective Setting

COSO – ERM FrameworkComparison to COSO•4 objectives vs. 3 (strategy is added)•reporting is more robust•internal environment >control environment•risk identification more robust•separate section for risk response

© Grant Thornton 8

COSO – ERM Process Flow

Internal Environment Risk Management Philosophy – Risk Culture – Board of Directors

Integrity and Ethical Values – Commitment to CompetenceManagement’s Philosophy and Operating Style - Risk Appetite – Organizational Structure

Assignment of Authority and Responsibility – Human Resource Policies and Practices

Objective SettingStrategic Objectives – Related Objectives – Selected Objectives – Risk Appetite – Risk Tolerance

Event Identification Events – Factors Influencing Strategy and Objectives – Methodologies and Techniques

Event InterdependenciesEvent Categories – Risks and Opportunities

Risk Assessment Inherent and Residual Risk – Likelihood and Impact

Methodologies and Techniques – Correlation

Risk ResponseIdentify Risk responses – Evaluate Possible Risk Responses – Select Responses – Portfolio View

Information & CommunicationInformation – Strategic and Integrated Systems – Communication

Monitoring Separate Evaluations – Ongoing Evaluations

Control ActivitiesIntegration with Risk Response – Types of Control Activities – General Controls

Application Controls – Entity Specific

© Grant Thornton 9

• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur

• Establishes the entity’s risk culture

• Considers all other aspects of how the organization’s actions may affect its risk culture

Internal Environment Taken from "COSO - ERM Integrated Framework"

© Grant Thornton 10

• Is applied when management considers risks strategy in the setting of objectives

• Forms the risk appetite of the entity – a high-level view of how much risk management and the board are willing to accept

• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite

Objective Setting Taken from "COSO - ERM Integrated Framework"


• Differentiates risks and opportunities

• Events that may have a negative impact represent risks

• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting

Event Identification Taken from "COSO - ERM Integrated Framework"


• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives

• Addresses how internal and external factors combine and interact to influence the risk profile.

Event Identification Taken from "COSO - ERM Integrated Framework"


• Allows an entity to understand the extent to which potential events might impact objectives

• Assesses risks from two perspectives: - Likelihood- Impact

• Is used to assess risks and is normally also used to measure the related objectives

Risk Assessment Taken from "COSO - ERM Integrated Framework"


• Employs a combination of both qualitative and quantitative risk assessment methodologies

• Relates time horizons to objective horizons

• Assesses risk on both an inherent and a residual basis

Risk Assessment Taken from "COSO - ERM Integrated Framework"


• Identifies and evaluates possible responses to risk

• Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood

• Selects and executes response based on evaluation of the portfolio of risks and responses

Risk Response Taken from "COSO - ERM Integrated Framework"


• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out

• Occur throughout the organization, at all levels and at all functions

• Include application and general information technology controls

Control Activities Taken from "COSO - ERM Integrated Framework"


• Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities

• Communication occurs in a broader sense, flowing down, across and up the organization

Information & Communication Taken from "COSO - ERM Integrated Framework"


Effectiveness of the other ERM components is monitored through:

• Ongoing monitoring activities• Separate evaluations• A combination of the two

Monitoring Taken from "COSO - ERM Integrated Framework"


• Expands and elaborates on elements of internal control as set out in COSO’s “control framework”

• Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control

• Expands the control framework’s “Financial Reporting” and “Risk Assessment”

Relationship to Internal Control – Integrated Framework


#4 - An Example of ERM Methodology

Identify Risks

Gain understanding of business model and establish context

Analyze risks Evaluate risks Treat risks Monitor risks

• Co. Strategy & objectives• Control Environment • ERM overall plan• Understand internal risk

capabilities• Vision/mission of Co.• Establish risk appetite/tolerances• Discuss different risk treatment

strategies

• Identify/ interview risk process owners

• Identify risk universe/terms• Identify key risk events • Link risks to strategy• ID processes/subprocesses• Link risks to proc/sub.

• Significance of risks• Likelihood-inherent• Likelihood-residual• Roll-up of risks• Prioritized summary• Report

• Compare against risk tolerances

• Assess different treatment options

• Decide optimal option• Assign responsibility• Ensure resources available• Bridge risk capability gaps • Treat risks• Analyze & evaluate residual

risks• Report

• Risk monitoring• Internal audit –assurance

(see separate flow)

• Questionnaires,• CSA• FCSA• Brainstorming

• Scatter graph• Heat map, charts, • Communications• CSA

• Dashboards

• Voting technology• Compliance software

• Voting technology• Risk repository software• Templates

• Scenario modeling software • Monitoring software• Extraction software• Audit workpaper software

Te

chn

iqu

es

Te

chn

olo

gy

Me

tho

do

log

yD

eliv

era

ble

s

• Strategy linked to risk appetite• Overall ERM plan by year• Report on existing risk capabilities• Risk appetite statement/tolerances-

established• Risk management

charter/Committee• Establish common business

language

• Risk questionnaire• List of people to interview• Risk universe/terms• Processes/sub-processes• Risks linked to processes• Risks linked to strategy

• Prioritized risk report with and without mitigation

• Discussion• Review documents• Facilitated workshops

• Cost vs. benefit analysis (avoid, accept, mitigate, outsource)

• CSA• External exports (e.g.,

actuaries)

• CSA

• Risk report-post treatment

Te

chn

iqu

es

Te

chn

olo

gy

Me

tho

do

log

yD

elive

rable

s

• Report an on-going risk monitoring

• Key metrics• Tie into performance

management system


Gain UnderstandingRelating Vision, Mission, Strategic/Business Objectives and Appetite

TargetA.

B.

C. Ensure quality assurance process is 99% defect free

D. Ensure accident rate is reduced by 10%

E.

Tolerances-Acceptable RangeA.

B.

C. Willing to accept up to 3% deviation

D. Willing to accept no deviation

E.

Vision: To help drive advancement of educationMission: To improve the mathematics skills of elementary & secondary students, regardless of curriculum & teaching styles

Strategic Objectives

A. Enhance shareholder value: Consistently grow operating earnings (currently at 25%)

B. Market share objective: Penetrate both top 1000 school districts + 40% of next tier 1500 school districts

C. Reputation objective: Be recognized by educators and institutions as significant contributor to education in U.S.

D. People objective: Achieve ranking as one of top 50 companies to work for

E. Integrity objective: Always act with integrity when dealing with employees, customers, vendors or other parties

Related Objectives

A.

B. Install customer service (reporting) information system

C. Ensure quality assurance process

D. Ensure internal accident rate is reduced by 10% (compliance)

E.

Risk Appetite

A.

- Accepts consumption of capital for need and information technology projects

- Will not accept impairment of reputation through significant quality defects

- Will not accept any deaths from internal accidents

B. C.D. E.

Ris

k T

ole

ran

ces Measure

A.

B.

C. Be recognized by educators and institutions as significant contributor to education in U.S.

D. Ensure accident rate is reduced by 10%

E.

Strategy

• Expand customer base retail channels• Expand product line-reading based product• Foreign languages – penetrate international

markets


Identify RisksRisk Universe

Business Risk Model Definitions - Example

Str

ateg

ic R

isks 1. Industry*

2. Economy3. Political change

6. Market share7. Reputation8. Brand equity*

Op

erat

ion

s R

isks

Process Risks11. Customer satisfaction12. Product failure*13. Supply chain14. Sourcing15. Supplier concentration16. Outsourcing17. Production Cycle18. Catastrophic loss19. Process execution

Compliance Risks20. Policies and procedures21. Environmental22. Contract23. Legal and regulatory*

People Risks24. Human Resources25. Health and safety*26. Authority27. Integrity28. Leadership/Empowerment29. Communications30. Culture31. Performance incentive32. Knowledge capital

Fin

ance

Ris

ks

Financial Risks40. Accounting41. Budgeting42. Taxation

Operational Risks43. Pricing44. Performance measurement45. Portfolio

Technological Risks46. Systems infrastructure47. Systems access48. Systems availability49. Data integrity50. Date relevance

Treasury Risks33. Cash flow/liquidity34. Capital availability35. Interest rate36. Foreign exchange

Credit Risks37. Credit capacity38. Credit concentration39. Credit default

4. Competitor5. Consumer preference

External Risks9. Strategic focus10. Investor confidence

Internal Risks


#5 - Identify RisksRisk Universe Terms

8. Brand equity– Failure to establish and maintain brand awareness, positioning, and strength may impair Company’s ability to execute strategic growth objectives

Business Risk Model Definitions - Example

Str

ateg

ic R

isks

Op

erat

ion

s R

isks

Info

rmat

ion

Ris

ksF

inan

ce R

isks

Financial Risks Operational Risks Technological Risks

Treasury Risks Credit Risks

External Risks Internal Risks

1. Industry– Changes in the education or technology industries may require alteration in Company’s business model and potentially threaten long term viability

Process Risks12.Product failure– failure of

product to operate as intended may result in higher than acceptable returns or warranty claims, lack of repeat business and damage to brand equity

Compliance Risks23.Legal and regulatory– failure

to comply with federal, state or local regulations may result in fees, penalties, criminal or civil claims, or damage to the company’s reputation

People Risks25.Health and safety– failure to

protect health and safety of employees and third parties on company property, may result in claims, fees, low morale, or reduced productivity


Linking of Risks to Strategic Objectives

Earnings Growth Market Share Reputation People Integrity

1. Industry X X

2. Economy

3. Political change

4. Competitor

5. Consumer preference

6. Market share

7. Reputation

8. Brand equity X X X

9. Strategic focus

10. Investor confidence

11. Customer satisfaction

12. Product failure X X X

13. Supply chain

14. Sourcing

15. Supplier concentration

16. Outsourcing

17. Production cycle

18. Catastrophic loss

RisksStrategic Objectives

Identify Risks


Identify RisksLink Risks to Business Processes

ABC Company Industry Brand Equity

Product Failure

Legal & Regulatory

Health & Safety

Finance (Process)

M&A (Sub Process)

X

General Counsel (Process)

Environmental (Sub Process) X X

Administration (Process)

HR (Sub Process) X

Risk Management (Process)

Insurance (Sub Process)

Strategic Planning (Sub Process) X

X

Operations (Process)

Production (Sub Process)

Quality Assurance (Sub Process) X

X

X

Customer Service (Process)

Distribution/ Warranty & Repairs (Sub Process) X X

New Product Development (Process)

Research (Sub Process) X X


#6 - Analyze RisksAssessment of Risks for Impact and Likelihood of Occurrence

Scales for Impact: 1 Not Significant – Neither a strategic nor financial impact3 Slightly Significant – Relatively minor strategic and/or financial impact (one-week’s earnings)

e.g., minor legal issues5 Moderately Significant – Noticeable challenges to achieving strategic objectives and/or

financial targets (one-month’s earnings) e.g., serious breach of regulations with investigational authorities

7 Significant – Difficult to achieve strategic objectives (possibly requiring a strategic change) and/or material financial impact (one-quarter’s earnings) e.g., major breach of regulation/major litigation

9 Highly Significant – Strategic objectives cannot be achieved, resulting in significant financial impact (one-year’s earnings) and questions about future viability- e.g., significant prosecution and fines – very significant litigation including class action lawsuits

Scales for Likelihood (assess likelihood with and without mitigation):1 Never - will not occur in specified time period (<5%)3 Unlikely - not likely to occur in specified time period (<25%)5 Possible – may occur in specified time period (<50%)7 Likely – more likely than not to occur in specified time period (<50%)9 Definitely – Already occurring or almost certainly will occur in specified time period (>90%)


#7 - Evaluate RisksRisk Appetite/Tolerance

Scales for Tolerance:

Very Low Tolerance – Management is not willing to accept more than a nominal level of risk. Adverse risks are intolerable whatever benefits the activity will bring and risk reduction measures are essential – whatever their cost.

Moderate Tolerance – Management will accept a moderate level of risk. Costs and benefits are taken into account and opportunities balanced against potential adverse consequences.

Extremely High Tolerance – Management will accept an extremely high level of risk. Positive or negative risks are negligible or so small that no risk treatment measures are needed.


Evaluate RisksEvaluate Risks Against Risk Tolerances

Impact Likelihood Tolerance Analysis

1 Industry 6.6 4.0 Moderate • Industry changes would have moderate to high impact as the Company’s product may have to undergo significant changes.

• Technological changes are inherent with industry, hence ABC Company’s likelihood and tolerance are both moderate

8 Brand Equity

7.4 4.0 Low • Protecting ABC Company’s brand is paramount for future growth and success; hence high impact and low tolerance.

• High quality assurance and ongoing R&D result in low likelihood

12 Product Failure

7.8 3.8 Low • High quality products and performance are very important to the ABC Company; hence high impact and low tolerance.

• Company’s strong quality control helps keep likelihood low (good audit candidate)

23 Legal & Regulatory

6.6 3.4 Low • Changes in legal and regulations could have a moderately high impact on the company

• As these changes are infrequent, ABC Company is successful in managing these changes to low tolerance level

25 Health & Safety

6.4 3.2 Low • Considering the high value placed on employees, Company has a low tolerance to health & safety risks which could have a moderate impact

• The Company has an effective health & safety program, which has helped the likelihood of this risk remain low


Impact vs. Probability

Control

Share Mitigate & Control

Accept

High Risk

Medium Risk

Medium Risk

Low Risk

Low

High

High

IMPACT

PROBABILITY


Example: Call Center Risk Assessment

Low

High

High

IMPACT

PROBABILITY

High Risk

Medium Risk

Medium Risk

Low Risk

• Loss of phones• Loss of computers

• Credit risk• Customer has a long wait• Customer can’t get through• Customer can’t get answers

• Entry errors • Equipment obsolescence• Repeat calls for same problem

• Fraud• Lost transactions• Employee morale


Treat Risks

Accept

Reduce

Transfer

Avoid

Not Core Core Not

Manage ManageConsistent ExceedsHigh

Far Exceeds

Choices

Risk to Company Strategy

Management Believes It Can

Effectively Risk Impact to Company Tolerance


Monitor RisksRisk Monitoring Internal Audit Program

Reconfirm that controls are good in this area – analyze reports of safety issues.

• General counsel• HR

Low2.820.483.26.4Health & Safety

Discuss with general counsel pending regulatory changes.

• General counselLow3.422.443.46.6Legal & Regulatory

Review business controls over quality assurance process & ongoing R&D levels – KPI.

• Quality assurance• Distribution /

fwarranty & repairs• NPD

Low2.829.604.07.4Brand Equity

Review controls over quality control and analyze customer returns. Review controls over New Product Development.

• Production• Q&A• Customer Service• NPD

Low2.829.643.87.8Product Failure

Review business controls over strategy setting process. Ensure S, W, O, T have considered impact of industry/technology changes.

• Strategy• Mergers &

Acquisitions

Moderate4.026.404.06.6Industry

Ris

k

Impac

tLi

kelihood

Sig

nifi

cance

Lik

elihood

Tole

rance

Ris

k

Tre

atm

ent

Busi

ness

Pro

cess

es

IA P

rogra

m


Key Concepts in ERM Framework

• Sustainability

• Interconnectivity

• Transparency


#8 - ERM OrganizationTaken from IIA presentation "Applying COSO - ERM Integrated Framework"

ERM DirectorERM

Director

Vice President andChief Risk Officer

Vice President andChief Risk Officer

Corporate Credit Risk Manager

Corporate Credit Risk Manager

Insurance Risk Manager

Insurance Risk Manager

ERMManager

ERMManager

ERMManager

ERMManager

StaffStaff StaffStaffStaffStaff

FES Commodity

Risk Mg.Director

FES Commodity

Risk Mg.Director


Enterprise Risk ManagementBest Practices – For Internal Audit's Role

Core Internal Roles in Regard to ERM• Giving assurance on the risk management processes• Giving assurance that risks are correctly evaluated• Evaluating the reporting of key risks• Reviewing the management of key risks

Legitimate Internal Audit Roles with Safeguards• Facilitating identification and evaluation of risks• Coaching management in responding to risks• Coordinating ERM activities• Consolidated reporting on risks• Maintaining and developing the ERM framework• Championing establishment of ERM• Developing RM strategy for board approval

Roles Internal Audit Should Not Undertake• Setting the risk appetite• Imposing risk management processes• Management assurance on risks• Taking decisions on risk responses• Implementing risk responses on management's behalf• Accountability for risk management


Basic, Midpoint and Advanced ERM

Basic Elements of ERM: Identification, Infrastructure, and

Process

Midpoint Elements of ERM

Identification, Infrastructure, and

Process

Advanced ERM: Integration with

Corporate Practices

•Determine risk treatment strategies•Establish a business risk inventory•Align BU risks with objectives•Create common language for risks, control activities and monitoring efforts•Communicate expectations for risk taking to senior managers

•All the basic elements•Quantify key risks to best extent possible •Identify key metrics to report on risk•Create risk policy and procedure manual•Analyze risks' root cause and impact•Integrate effects of risk types

•All basic and midpoint•Strategic planning•Annual budget process•Stakeholder communications•Management scorecards•Remuneration


Where is the Industry Today?

• Pre 2003 – No external drivers for ERM

• Regulatory compliance for public companies is changing that


#9 - Where is the Industry Today?

Stats from a Mercer Oliver Wyman Survey on ERM

• 90% of companies getting ready to implement ERM

• Only 11% have completed the implementation• 35% have formally trained executives and

business line managers to assess the probability of various types of risk

• 55% don't have a member of senior management with explicit responsibilities to manage risk


#10 - Best Practices and Lessons Learned

• Establish an ERM framework including a Risk Management Committee and Charter

• Identify a risk champion and make sure he/she has active support from the CEO

• Understand that ERM is a journey and not a project• Provide a holistic definition of business risk• Include consultants but do not let them drive ERM• Don’t underestimate the impact of existing culture• Don’t undersell ERM as a business risk assessment• Don’t implement ERM as a part time job• Don’t bite off more than you can initially chew – need to show tangible benefits

all along


Real Life Experiences

Documents

Feb 06 Steele Enterprise Risk Managementppt2004