Grant Thornton
Contents

#1 What is Enterprise Risk Management?
#2 The Value Proposition: Why do this?
#3 ERM Best Practices: International
#4 An Example of ERM Methodology
#5 Identify Risks
#6 Analyze Risks
#7 Evaluate Risks
#8 ERM Organization
#9 Where is the industry today?
#10 Best Practices and Lessons Learned
#1 - What is Enterprise Risk Management?

Enterprise Risk Management:
- Takes an entity-level portfolio view of risk
- Is a process, ongoing and flowing through an entity
- Is effected by people at every level of the organization
- Is applied in strategy setting
- Is designed to identify potential events that, if they occur, will affect the entity
- Is designed to help an organization manage risk within its risk appetite
- Provides reasonable assurance to an entity's management and board of directors as to accomplishment of business objectives
#2 - The Value Proposition: Why do this?

ERM:
- Develops a strategic, firm-wide approach to risk management and mitigation using all the available tools: derivatives, insurance, internal controls and strategic action
- Focuses management attention on the truly important risks: those with the potential to significantly impact earnings or even endanger firm survival
- Integrates risk management into critical decision-making processes, such as strategic planning, to ensure a link between risk-adjusted performance measurement tools (e.g. Economic Capital, RAROC) and strategic decision-making (i.e. budget planning, capex, M&A)
- Identifies the risks inherent in the current strategy and business model before the competition does, to provide sustainable competitive advantage
- Lowers the cost of capital by reducing cash flow volatility and increases confidence in delivering financial outcomes
- Determines the risk appetite of the firm in the context of investor expectations and financial resources, and communicates this effectively to all shareholders (i.e. Board, investors, analysts, rating agencies)
#3 - ERM Best Practices: International

- AS/NZS 4360 and HB 436
- CoCo
- Combined Code
- King I and II
- Basel I and II
- India: Clause 49
COSO-ERM Framework

Taken from "COSO - ERM Integrated Framework"

Figure: the COSO-ERM cube. Objective categories recovered from the figure: Reporting, Compliance. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.
Internal Environment

Taken from "COSO - ERM Integrated Framework"

- Establishes a philosophy regarding risk management; it recognizes that unexpected as well as expected events may occur
- Establishes the entity's risk culture
- Considers all other aspects of how the organization's actions may affect its risk culture
Objective Setting

Taken from "COSO - ERM Integrated Framework"

- Is applied when management considers risk strategy in the setting of objectives
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite
Event Identification

Taken from "COSO - ERM Integrated Framework"

- Differentiates risks and opportunities
- Events that may have a negative impact represent risks
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
- Addresses how internal and external factors combine and interact to influence the risk profile
Risk Assessment

Taken from "COSO - ERM Integrated Framework"

- Allows an entity to understand the extent to which potential events might impact objectives
- Assesses risks from two perspectives: likelihood and impact
- Is used to assess risks and is normally also used to measure the related objectives
- Employs a combination of both qualitative and quantitative risk assessment methodologies
- Relates time horizons to objective horizons
- Assesses risk on both an inherent and a residual basis
Risk Response

Taken from "COSO - ERM Integrated Framework"

- Identifies and evaluates possible responses to risk
- Evaluates options in relation to the entity's risk appetite, the cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood
- Selects and executes the response based on evaluation of the portfolio of risks and responses
Control Activities

Taken from "COSO - ERM Integrated Framework"

- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
- Occur throughout the organization, at all levels and in all functions
- Include application and general information technology controls
Information & Communication

- Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities
- Communication occurs in a broader sense, flowing down, across and up the organization
Monitoring

Taken from "COSO - ERM Integrated Framework"

The effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities
- Separate evaluations
- A combination of the two
#4 - An Example of ERM Methodology

Phases: Identify risks, Analyze risks, Evaluate risks, Treat risks, Monitor risks. The original table is laid out by phase (columns) and by Methodology, Techniques, Technology and Deliverables (rows); the cells are listed here under their row.

Methodology
- Identify risks: identify/interview risk process owners; identify risk universe/terms; identify key risk events; link risks to strategy; identify processes/sub-processes; link risks to processes/sub-processes
- Cost vs. benefit analysis (avoid, accept, mitigate, outsource)
- Treat risks: decide the optimal option; assign responsibility; ensure resources are available; bridge risk capability gaps; treat risks; analyze and evaluate residual risks; report

Techniques
- CSA
- External experts (e.g., actuaries)
- Dashboards

Technology
- Voting technology
- Risk repository software
- Templates
- Risk questionnaire
- List of people to interview

Deliverables
- Risk universe/terms; processes/sub-processes; risks linked to processes; risks linked to strategy
- Strategy linked to risk appetite; overall ERM plan by year; report on existing risk capabilities; risk appetite statement/tolerances established; risk management charter/committee; common business language established
- Report on on-going risk monitoring; key metrics; tie into performance management system
Deliverables: linking strategy, risk appetite, objectives and measures (ABC Company example)

Strategy
- Expand customer base: retail channels
- Expand product line: reading-based product
- Foreign languages: penetrate international markets

Risk Appetite
- Accepts consumption of capital for need and information technology projects
- Will not accept impairment of reputation through significant quality defects
- Will not accept any deaths from internal accidents

Related Objectives
- Install customer service (reporting) information system
- Ensure quality assurance process
- Ensure internal accident rate is reduced by 10% (compliance)

Measure
- Be recognized by educators and institutions as a significant contributor to education in the U.S.
- Ensure accident rate is reduced by 10%

Target and Tolerances (Acceptable Range)
- C. Ensure quality assurance process is 99% defect free
- D. Ensure accident rate is reduced by 10%
#5 - Identify Risks

Risk universe (excerpt of the numbered list of risks by category)

Strategic Risks
4. Competitor
5. Consumer preference

Compliance Risks
20. Policies and procedures
21. Environmental
22. Contract
23. Legal and regulatory*

People Risks
24. Human Resources
25. Health and safety*
26. Authority
27. Integrity
28. Leadership/Empowerment
29. Communications
30. Culture
31. Performance incentive
32. Knowledge capital

Operations Risks

Treasury Risks
33. Cash flow/liquidity
34. Capital availability
35. Interest rate
36. Foreign exchange

Credit Risks
37. Credit capacity
38. Credit concentration
39. Credit default

Financial Risks
40. Accounting
41. Budgeting
42. Taxation

Technological Risks
46. Systems infrastructure
47. Systems access
48. Systems availability
49. Data integrity
50. Data relevance
Risk categories (Operations, Strategic, Compliance, Credit, People, Financial, Operational, Technological), with definitions of the starred risks:

- 23. Legal and regulatory: failure to comply with federal, state or local regulations may result in fees, penalties, criminal or civil claims, or damage to the company's reputation
- 25. Health and safety: failure to protect the health and safety of employees and third parties on company property may result in claims, fees, low morale, or reduced productivity
Figure: risk matrix marking the key risks Industry, Brand Equity and Product Failure with X against columns whose headings were not recovered.
#6 - Analyze Risks

Assessment of Risks for Impact and Likelihood of Occurrence

Scales for Impact:
- 1 Not Significant: neither a strategic nor a financial impact
- 3 Slightly Significant: relatively minor strategic and/or financial impact (one week's earnings), e.g., minor legal issues
- 5 Moderately Significant: noticeable challenges to achieving strategic objectives and/or financial targets (one month's earnings), e.g., serious breach of regulations with investigational authorities
- 7 Significant: difficult to achieve strategic objectives (possibly requiring a strategic change) and/or material financial impact (one quarter's earnings), e.g., major breach of regulation/major litigation
- 9 Highly Significant: strategic objectives cannot be achieved, resulting in significant financial impact (one year's earnings) and questions about future viability, e.g., significant prosecution and fines, very significant litigation including class action lawsuits

Scales for Likelihood (assess likelihood with and without mitigation):
- 1 Never: will not occur in the specified time period (<5%)
- 3 Unlikely: not likely to occur in the specified time period (<25%)
- 5 Possible: may occur in the specified time period (<50%)
- 7 Likely: more likely than not to occur in the specified time period (<50%)
- 9 Definitely: already occurring or almost certainly will occur in the specified time period (>90%)
Scales for Tolerance:
- Very Low Tolerance: management is not willing to accept more than a nominal level of risk. Adverse risks are intolerable whatever benefits the activity will bring, and risk reduction measures are essential whatever their cost.
- Moderate Tolerance: management will accept a moderate level of risk. Costs and benefits are taken into account and opportunities balanced against potential adverse consequences.
- Extremely High Tolerance: management will accept an extremely high level of risk. Positive or negative risks are negligible or so small that no risk treatment measures are needed.
Risk analysis for ABC Company (Impact and Likelihood on the 1-9 scales above; Tolerance as rated by management)

Industry: Impact 6.6, Likelihood 4.0, Tolerance Moderate
Analysis: Industry changes would have a moderate to high impact, as the Company's product may have to undergo significant changes. Technological changes are inherent in the industry, hence ABC Company's likelihood and tolerance are both moderate.

Brand Equity: Impact 7.4, Likelihood 4.0, Tolerance Low
Analysis: Protecting ABC Company's brand is paramount for future growth and success; hence high impact and low tolerance. High quality assurance and ongoing R&D result in low likelihood.

Product Failure (12): Impact 7.8, Likelihood 3.8, Tolerance Low
Analysis: High quality products and performance are very important to the ABC Company; hence high impact and low tolerance. The Company's strong quality control helps keep likelihood low (good audit candidate).

Legal and regulatory (23): Impact 6.6, Likelihood 3.4, Tolerance Low
Analysis: Changes in laws and regulations could have a moderately high impact on the company. As these changes are infrequent, ABC Company is successful in managing these changes to a low tolerance level.

Health and safety (25): Impact 6.4, Likelihood 3.2, Tolerance Low
Analysis: Considering the high value placed on employees, the Company has a low tolerance for health & safety risks, which could have a moderate impact. The Company has an effective health & safety program, which has helped the likelihood of this risk remain low.
#7 - Evaluate Risks

Figure: impact-probability heat map. Axes: Impact (Low to High) and Probability (Low to High). Quadrant labels: High Risk (high impact, high probability; treatment: Control), Medium Risk (high impact with low probability, or low impact with high probability), Low Risk (low impact, low probability; treatment: Accept).

Figure: the same heat map with example risks plotted: Credit risk, Customer has a long wait, Customer can't get through, Customer can't get answers.
Treat Risks

Risk treatment plan for ABC Company. Columns: Impact, Likelihood, Score (Impact x Likelihood), Tolerance (score and rating), rating against tolerance (Exceeds / Consistent), Action, Owner.

Industry: Impact 6.6, Likelihood 4.0, Score 26.40, Tolerance 4.0 (Moderate)
Product Failure: Impact 7.8, Likelihood 3.8, Score 29.64, Tolerance 2.8 (Low)
Brand Equity: Impact 7.4, Likelihood 4.0, Score 29.60, Tolerance 2.8 (Low)
Actions for the three risks above: review business controls over the strategy-setting process; ensure the S, W, O, T analysis has considered the impact of industry/technology changes; review controls over quality control and analyze customer returns; review controls over New Product Development; review business controls over the quality assurance process and the ongoing R&D levels KPI.

Legal and regulatory (23): Impact 6.6, Likelihood 3.4, Score 22.44, Tolerance 3.4 (Low)
Action: discuss pending regulatory changes with general counsel. Owner: General counsel.

Health and safety (25): Impact 6.4, Likelihood 3.2, Score 20.48, Tolerance 2.8 (Low)
Action: reconfirm that controls are good in this area; analyze reports of safety issues. Owner: HR.
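The scoring behind the Treat Risks table, as an added worked example that is not part of the deck: the inherent score is impact x likelihood on the #6 scales, rows are ranked for treatment, and a raw probability is mapped onto the likelihood scale. The Exceeds/Consistent rule (likelihood above the tolerance score), the heat-map split at the scale midpoint 5 and the 50-90% band for "Likely" are this example's assumptions, not the deck's.

```python
"""Risk register scoring on the deck's 1-9 scales. Added example, not the
Grant Thornton deck's own code: reproduces the score column (impact x
likelihood) for the ABC Company rows and ranks them for treatment."""
from dataclasses import dataclass

# Deck's likelihood scale as (probability upper bound, scale value);
# assumption: the "Likely" band runs from 50% up to 90%.
LIKELIHOOD_SCALE = [(0.05, 1), (0.25, 3), (0.50, 5), (0.90, 7)]
MIDPOINT = 5  # assumed High/Low split on the impact-probability heat map

def likelihood_score(probability: float) -> int:
    """Map a probability in [0, 1] to the deck's 1/3/5/7/9 scale."""
    for upper, value in LIKELIHOOD_SCALE:
        if probability < upper:
            return value
    return 9  # "Definitely": already occurring or almost certain (>90%)

@dataclass
class Risk:
    name: str
    impact: float      # 1-9 from the impact scale
    likelihood: float  # 1-9 from the likelihood scale
    tolerance: float   # tolerance score, 1-9; lower means less tolerance

    @property
    def score(self) -> float:
        return round(self.impact * self.likelihood, 2)

    @property
    def rating(self) -> str:  # assumption: likelihood vs tolerance score
        return "Exceeds" if self.likelihood > self.tolerance else "Consistent"

    @property
    def quadrant(self) -> str:
        hi_impact, hi_prob = self.impact >= MIDPOINT, self.likelihood >= MIDPOINT
        if hi_impact and hi_prob:
            return "High Risk (Control)"
        return "Medium Risk" if hi_impact or hi_prob else "Low Risk (Accept)"

# Constructed register from the ABC Company rows in the deck.
REGISTER = [
    Risk("Industry", 6.6, 4.0, 4.0),
    Risk("Product Failure", 7.8, 3.8, 2.8),
    Risk("Brand Equity", 7.4, 4.0, 2.8),
    Risk("Legal and regulatory", 6.6, 3.4, 3.4),
    Risk("Health and safety", 6.4, 3.2, 2.8),
]

def ranked(register=REGISTER) -> list:
    return sorted(register, key=lambda r: r.score, reverse=True)
```

Running `ranked()` puts Product Failure (29.64) ahead of Brand Equity (29.60) and Industry (26.40), matching the deck's score column.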
- Sustainability
- Interconnectivity
- Transparency
#8 - ERM Organization

Taken from IIA presentation "Applying COSO - ERM Integrated Framework"

Figure: organization chart with an ERM Director over two ERM Managers, each with Staff.
ERM implementation stages:

Basic elements
- Determine risk treatment strategies
- Establish a business risk inventory
- Align BU risks with objectives
- Create a common language for risks, control activities and monitoring efforts
- Communicate expectations for risk taking to senior managers

Midpoint: all the basic elements, plus
- Quantify key risks to the best extent possible
- Identify key metrics to report on risk
- Create a risk policy and procedure manual
- Analyze risks' root cause and impact
- Integrate effects of risk types

Beyond the midpoint: all basic and midpoint elements, plus
- Strategic planning
- Annual budget process
- Stakeholder communications
- Management scorecards
- Remuneration
#9 - Where is the industry today?

- Pre 2003: no external drivers for ERM
- Regulatory compliance for public companies is changing that
- 90% of companies are getting ready to implement ERM
- Only 11% have completed the implementation
- 35% have formally trained executives and business line managers to assess the probability of various types of risk
- 55% don't have a member of senior management with explicit responsibilities to manage risk
#10 - Best Practices and Lessons Learned

- Establish an ERM framework, including a Risk Management Committee and Charter
- Identify a risk champion and make sure he/she has active support from the CEO
- Understand that ERM is a journey and not a project
- Provide a holistic definition of business risk
- Include consultants, but do not let them drive ERM
- Don't underestimate the impact of existing culture
- Don't undersell ERM as a business risk assessment
- Don't implement ERM as a part-time job
- Don't bite off more than you can initially chew: you need to show tangible benefits all along